Windows Analysis Report
wextract.exe

Overview

General Information

Sample Name:wextract.exe
Analysis ID:832898
MD5:b9cc7e24db7de2e75678761b1d8bac3e
SHA1:863dd28f1702054c0f831c127a1e5ea6d9459a04
SHA256:085de9df12eb199667f49ba42bdc20ee7ad86ba5b856016af17fdcbad17f0043

Detection

Score:0
Range:0 - 100
Whitelisted:true
Confidence:100%

Signatures

Uses 32bit PE files
Yara signature match
Tries to load missing DLLs
Contains functionality to shutdown / reboot the system
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found evaded block containing many API calls
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Program does not show much activity (idle)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64native
  • wextract.exe (PID: 7456 cmdline: C:\Users\user\Desktop\wextract.exe MD5: B9CC7E24DB7DE2E75678761B1D8BAC3E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
wextract.exe | MAL_Malware_Imphash_Mar23_1 | Detects malware by known bad imphash or rich_pe_header_hash | Arnim Rupp |
    No Sigma rule has matched
    No Snort rule has matched

    There are no malicious signatures.

    Source: wextract.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: wextract.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
    Source: Binary string: wextract.pdb | source: wextract.exe
    Source: Binary string: wextract.pdbGCTL | source: wextract.exe
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00752395 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00752395
    Source: wextract.exe, type: SAMPLE | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
    Source: C:\Users\user\Desktop\wextract.exe | Section loaded: sfc.dll
    Source: C:\Users\user\Desktop\wextract.exe | Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00751F9B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 1_2_00751F9B
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00755C50 1_2_00755C50
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00753B8E 1_2_00753B8E
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00755933 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 1_2_00755933
    Source: wextract.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\wextract.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00752CA1 memset,memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceA,LoadResource, 1_2_00752CA1
    Source: C:\Users\user\Desktop\wextract.exe | Command line argument: Kernel32.dll 1_2_00752BF2
    Source: C:\Users\user\Desktop\wextract.exe | Command line argument: ppu 1_2_00756FC0
    Source: classification engine | Classification label: clean5.winEXE@1/0@0/0
    Source: wextract.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: wextract.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: wextract.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: wextract.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: wextract.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: wextract.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_007571FD push ecx; ret 1_2_00757210
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00752033 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 1_2_00752033
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00751B04 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 1_2_00751B04
    Source: C:\Users\user\Desktop\wextract.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes graph_1-2447
    Source: C:\Users\user\Desktop\wextract.exe | Evaded block: after key decision graph_1-2254
    Source: C:\Users\user\Desktop\wextract.exe | API coverage: 4.3 %
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00755423 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 1_2_00755423
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00756EE0 SetUnhandledExceptionFilter, 1_2_00756EE0
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00756C90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00756C90
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_0075180E LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, 1_2_0075180E
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00752BF2 GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, 1_2_00752BF2
    Source: C:\Users\user\Desktop\wextract.exe | Code function: 1_2_00757105 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_00757105
    MITRE ATT&CK matrix (numbers in parentheses: matching signatures)
    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
    Execution: Command and Scripting Interpreter (2), Native API (3), At (Linux), At (Windows)
    Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
    Privilege Escalation: Access Token Manipulation (1), DLL Side-Loading (1), Logon Script (Windows), Logon Script (Mac)
    Defense Evasion: Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
    Discovery: System Time Discovery (1), Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (5)
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
    Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
    Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
    Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data
    Behavior Graph ID: 832898 | Sample: wextract.exe | Start date: 23/03/2023 | Architecture: WINDOWS | Score: 0
    Processes in graph: wextract.exe (started)

    Source | Detection | Scanner | Label
    wextract.exe | 0% | Virustotal |
    wextract.exe | 0% | ReversingLabs |
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    Joe Sandbox Version:37.0.0 Beryl
    Analysis ID:832898
    Start date and time:2023-03-23 01:13:40 +01:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 4m 6s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
    Number of new started processes analysed:5
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample file name:wextract.exe
    Detection:CLEAN
    Classification:clean5.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 100% (good quality ratio 95%)
    • Quality average: 84.5%
    • Quality standard deviation: 24%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 4
    • Number of non-executed functions: 47
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe
    • Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, ctldl.windowsupdate.com, wdcp.microsoft.com
    No simulations
    No context
    No created / dropped files found
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.069567692658765
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:wextract.exe
    File size:136192
    MD5:b9cc7e24db7de2e75678761b1d8bac3e
    SHA1:863dd28f1702054c0f831c127a1e5ea6d9459a04
    SHA256:085de9df12eb199667f49ba42bdc20ee7ad86ba5b856016af17fdcbad17f0043
    SHA512:d3b555f63547cfeeb0eabdf5cc4f7abab3a40d90395b4cfc27c7a6fea7b84ffcea816bdde6979fb278e0a966ac3ad4c1a1386ef1dc02dcab1f891ed92eb206c8
    SSDEEP:3072:QOhX0N7+f1O8Wp1icKAArDZz4N9GhbkUNEk956y:VhEN7+Y9p0yN90vEq
    TLSH:2CD3AF57AAC89473CCA407B058FB07C31B36BDE1598803633B9A6D6A0DB32D5753626F
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Of.{...(...(...(.l.)...(.l.)...(.l.)...(.l.)...(...(...(.l.)...(.l\(...(.l.)...(Rich...(........PE..L...!V.:.................d.
    Icon Hash:f8e0e4e8ecccc870
    Entrypoint:0x406a00
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
    Time Stamp:0x3A1E5621 [Fri Nov 24 11:50:57 2000 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:10
    OS Version Minor:0
    File Version Major:10
    File Version Minor:0
    Subsystem Version Major:10
    Subsystem Version Minor:0
    Import Hash:646167cce332c1c252cdcb1839e0cf48
    Instruction
    call 00007F7C1032BCA5h
    jmp 00007F7C1032B5A5h
    push 00000058h
    push 00407268h
    call 00007F7C1032BD47h
    xor ebx, ebx
    mov dword ptr [ebp-20h], ebx
    lea eax, dword ptr [ebp-68h]
    push eax
    call dword ptr [0040A184h]
    mov dword ptr [ebp-04h], ebx
    mov eax, dword ptr fs:[00000018h]
    mov esi, dword ptr [eax+04h]
    mov edi, ebx
    mov edx, 004088ACh
    mov ecx, esi
    xor eax, eax
    lock cmpxchg dword ptr [edx], ecx
    test eax, eax
    je 00007F7C1032B5BAh
    cmp eax, esi
    jne 00007F7C1032B5A9h
    xor esi, esi
    inc esi
    mov edi, esi
    jmp 00007F7C1032B5B2h
    push 000003E8h
    call dword ptr [0040A188h]
    jmp 00007F7C1032B579h
    xor esi, esi
    inc esi
    cmp dword ptr [004088B0h], esi
    jne 00007F7C1032B5ACh
    push 0000001Fh
    call 00007F7C1032BAD5h
    pop ecx
    jmp 00007F7C1032B5DCh
    cmp dword ptr [004088B0h], ebx
    jne 00007F7C1032B5CEh
    mov dword ptr [004088B0h], esi
    push 004010CCh
    push 004010C0h
    call 00007F7C1032B700h
    pop ecx
    pop ecx
    test eax, eax
    je 00007F7C1032B5B9h
    mov dword ptr [ebp-04h], FFFFFFFEh
    mov eax, 000000FFh
    jmp 00007F7C1032B6D9h
    mov dword ptr [004081E4h], esi
    cmp dword ptr [004088B0h], esi
    jne 00007F7C1032B5BDh
    push 004010BCh
    push 004010B4h
    call 00007F7C1032BC93h
    pop ecx
    pop ecx
    mov dword ptr [000088B0h], 00000000h
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa28c | 0xb4 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x18db0 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25000 | 0x888 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1410 | 0x54 | .text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1008 | 0x40 | .text
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x288 | .idata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x62c4 | 0x6400 | False | 0.5751171875 | data | 6.301659763150869 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data | 0x8000 | 0x1a48 | 0x200 | False | 0.609375 | data | 4.970639543960129 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0xa000 | 0x1052 | 0x1200 | False | 0.4142795138888889 | data | 5.0224249304912405 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .rsrc | 0xc000 | 0x18db0 | 0x18e00 | False | 0.7669892430904522 | data | 7.154997010065655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x25000 | 0x888 | 0xa00 | False | 0.7515625 | data | 6.273787441603385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country
    AVI | 0x21ab0 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States
    MUI | 0x24cd0 | 0xe0 | data | English | United States
    RT_ICON | 0xcbf8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States
    RT_ICON | 0xd260 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States
    RT_ICON | 0xd548 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States
    RT_ICON | 0xd730 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States
    RT_ICON | 0xd858 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States
    RT_ICON | 0xe700 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States
    RT_ICON | 0xefa8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States
    RT_ICON | 0xf670 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States
    RT_ICON | 0xfbd8 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
    RT_ICON | 0x1d5b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
    RT_ICON | 0x1fb58 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
    RT_ICON | 0x20c00 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States
    RT_ICON | 0x21588 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
    RT_GROUP_ICON | 0x219f0 | 0xbc | data | English | United States
    RT_VERSION | 0x248d0 | 0x400 | data | English | United States
    RT_MANIFEST | 0xc410 | 0x7e2 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
    DLL | Import
    ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
    KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, lstrcmpA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, ExpandEnvironmentStringsA, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, FindNextFileA, LocalAlloc, GetShortPathNameA, MulDiv, GetDiskFreeSpaceA, EnumResourceLanguagesA, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, Sleep, FindClose, GetCurrentProcess, FindFirstFileA, WaitForSingleObject, GetModuleFileNameA, LoadLibraryExA
    GDI32.dll | GetDeviceCaps
    USER32.dll | SetWindowLongA, GetDlgItemTextA, DialogBoxIndirectParamA, ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetDesktopWindow, CharUpperA, SetDlgItemTextA, ExitWindowsEx, MessageBeep, EndDialog, CharPrevA, LoadStringA, CharNextA, EnableWindow, ReleaseDC, SetForegroundWindow, PeekMessageA, GetDlgItem, SendMessageA, SendDlgItemMessageA, MessageBoxA, SetWindowTextA, GetWindowLongA, CallWindowProcA, GetSystemMetrics
    msvcrt.dll | _controlfp, ?terminate@@YAXXZ, _acmdln, _initterm, __setusermatherr, _except_handler4_common, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, memcpy_s, _vsnprintf, memset
    COMCTL32.dll |
    Cabinet.dll |
    VERSION.dll | GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
    Language of compilation system | Country where language is spoken
    English | United States
    Report size exceeds maximum size, please check out the PCAP download to see all network behavior

    Target ID:1
    Start time:01:15:32
    Start date:23/03/2023
    Path:C:\Users\user\Desktop\wextract.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\Desktop\wextract.exe
    Imagebase:0x750000
    File size:136192 bytes
    MD5 hash:B9CC7E24DB7DE2E75678761B1D8BAC3E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low

    Execution Graph

    Execution Coverage:4.2%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:26.2%
    Total number of Nodes:946
    Total number of Limit Nodes:7
2507->2508 2509 756612 2507->2509 2508->2509 2509->2496 2510->2506 2512 752a5d 2511->2512 2519 752908 2511->2519 2513 752a70 2512->2513 2514 752a69 GlobalFree 2512->2514 2513->2431 2514->2513 2516 752950 GlobalAlloc 2516->2512 2517 752963 GlobalLock 2516->2517 2517->2512 2517->2519 2518 752a1b GlobalUnlock 2518->2519 2519->2512 2519->2516 2519->2518 2520 752a79 GlobalUnlock 2519->2520 2521 752770 2519->2521 2520->2512 2522 7527a0 CharUpperA CharNextA CharNextA 2521->2522 2523 7528af 2521->2523 2524 7528b4 GetSystemDirectoryA 2522->2524 2525 7527d8 2522->2525 2523->2524 2528 7528bc 2524->2528 2526 7528a5 GetWindowsDirectoryA 2525->2526 2527 7527e0 2525->2527 2526->2528 2532 756534 CharPrevA 2527->2532 2529 7528cf 2528->2529 2530 756534 CharPrevA 2528->2530 2531 756c80 4 API calls 2529->2531 2530->2529 2533 7528df 2531->2533 2534 75280d RegOpenKeyExA 2532->2534 2533->2519 2534->2528 2535 752834 RegQueryValueExA 2534->2535 2536 752897 RegCloseKey 2535->2536 2537 752859 2535->2537 2536->2528 2538 752864 ExpandEnvironmentStringsA 2537->2538 2539 752877 2537->2539 2538->2539 2539->2536 2541 751846 GetProcAddress 2540->2541 2542 7518b0 2540->2542 2544 7518a9 FreeLibrary 2541->2544 2545 751859 AllocateAndInitializeSid 2541->2545 2543 756c80 4 API calls 2542->2543 2546 7518bf 2543->2546 2544->2542 2545->2544 2548 75187f FreeSid 2545->2548 2546->2440 2546->2446 2548->2544 2550 754669 7 API calls 2549->2550 2551 7551b9 LocalAlloc 2550->2551 2552 7551ed 2551->2552 2553 7551cd 2551->2553 2555 754669 7 API calls 2552->2555 2554 754495 20 API calls 2553->2554 2556 7551de 2554->2556 2557 7551fa 2555->2557 2558 756233 GetLastError 2556->2558 2559 755222 lstrcmpA 2557->2559 2560 7551fe 2557->2560 2566 7551e3 2558->2566 2561 755232 LocalFree 2559->2561 2562 75523e 2559->2562 2563 754495 20 API calls 2560->2563 2561->2566 2564 754495 20 API calls 2562->2564 2565 75520f LocalFree 2563->2565 2567 755250 LocalFree 2564->2567 2565->2566 2566->2283 2567->2566 2569 754669 7 API calls 
2568->2569 2570 753a41 LocalAlloc 2569->2570 2571 753a58 2570->2571 2572 753a7a 2570->2572 2574 754495 20 API calls 2571->2574 2573 754669 7 API calls 2572->2573 2575 753a84 2573->2575 2576 753a69 2574->2576 2577 753ab1 lstrcmpA 2575->2577 2578 753a88 2575->2578 2579 756233 GetLastError 2576->2579 2581 753ac6 2577->2581 2582 753af9 LocalFree 2577->2582 2580 754495 20 API calls 2578->2580 2585 753a6e 2579->2585 2583 753a99 LocalFree 2580->2583 2584 7564c3 24 API calls 2581->2584 2582->2585 2583->2585 2586 753ad8 LocalFree 2584->2586 2585->2282 2586->2585 2588 754669 7 API calls 2587->2588 2589 755135 2588->2589 2590 75513a 2589->2590 2591 75516f 2589->2591 2593 754495 20 API calls 2590->2593 2592 754669 7 API calls 2591->2592 2594 755180 2592->2594 2595 75514d 2593->2595 2727 756246 2594->2727 2595->2287 2598 7551a1 2598->2287 2599 754495 20 API calls 2599->2595 2601 754669 7 API calls 2600->2601 2602 755581 LocalAlloc 2601->2602 2603 755595 2602->2603 2604 7555b7 2602->2604 2605 754495 20 API calls 2603->2605 2606 754669 7 API calls 2604->2606 2607 7555a6 2605->2607 2608 7555c4 2606->2608 2611 756233 GetLastError 2607->2611 2609 7555ec lstrcmpA 2608->2609 2610 7555c8 2608->2610 2613 755605 LocalFree 2609->2613 2614 7555ff 2609->2614 2612 754495 20 API calls 2610->2612 2635 7555ab 2611->2635 2615 7555d9 LocalFree 2612->2615 2616 755615 2613->2616 2617 755650 2613->2617 2614->2613 2615->2635 2739 755423 2616->2739 2618 755859 2617->2618 2619 755668 GetTempPathA 2617->2619 2620 7564c3 24 API calls 2618->2620 2623 75567d 2619->2623 2645 7556a5 2619->2645 2620->2635 2621 756c80 4 API calls 2622 752f71 2621->2622 2622->2288 2622->2293 2625 755423 49 API calls 2623->2625 2627 755688 2625->2627 2627->2635 2761 752631 GetWindowsDirectoryA 2627->2761 2628 754495 20 API calls 2628->2635 2629 755826 GetWindowsDirectoryA 2771 755933 GetCurrentDirectoryA SetCurrentDirectoryA 2629->2771 2630 7556d1 GetDriveTypeA 2633 7556ea GetFileAttributesA 2630->2633 2630->2645 2633->2645 
2635->2621 2636 755933 34 API calls 2636->2645 2637 755423 49 API calls 2637->2645 2638 752631 21 API calls 2638->2645 2640 75577b GetWindowsDirectoryA 2640->2645 2641 756534 CharPrevA 2642 7557a2 GetFileAttributesA 2641->2642 2643 7557b4 CreateDirectoryA 2642->2643 2642->2645 2643->2645 2644 7557e1 SetFileAttributesA 2644->2645 2645->2629 2645->2630 2645->2633 2645->2635 2645->2636 2645->2638 2645->2640 2645->2641 2645->2644 2646 755423 49 API calls 2645->2646 2767 7568fc 2645->2767 2646->2645 2648 7561f9 2647->2648 2649 756218 2647->2649 2650 754495 20 API calls 2648->2650 2651 755933 34 API calls 2649->2651 2652 75620a 2650->2652 2653 75620f 2651->2653 2655 756233 GetLastError 2652->2655 2654 756c80 4 API calls 2653->2654 2656 753006 2654->2656 2655->2653 2656->2288 2656->2300 2658 75623d 2657->2658 2658->2288 2660 753b19 2659->2660 2660->2660 2661 753b5e 2660->2661 2662 753b3f 2660->2662 2837 754fa0 2661->2837 2664 7564c3 24 API calls 2662->2664 2665 753b5c 2664->2665 2666 756246 10 API calls 2665->2666 2667 753b67 2665->2667 2666->2667 2667->2303 2669 752625 2668->2669 2670 752586 2668->2670 2887 7524e5 GetWindowsDirectoryA 2669->2887 2672 75258e 2670->2672 2673 7525eb RegOpenKeyExA 2670->2673 2674 7525e6 2672->2674 2677 75259e RegOpenKeyExA 2672->2677 2673->2674 2675 75260c RegQueryInfoKeyA 2673->2675 2674->2311 2676 7525d4 RegCloseKey 2675->2676 2676->2674 2677->2674 2678 7525bf RegQueryValueExA 2677->2678 2678->2676 2680 753bc7 2679->2680 2711 753bd8 2679->2711 2681 754669 7 API calls 2680->2681 2681->2711 2682 753bef memset 2682->2711 2683 753cff 2684 754495 20 API calls 2683->2684 2690 753d12 2684->2690 2686 756c80 4 API calls 2687 753f4c 2686->2687 2687->2313 2688 753d67 CompareStringA 2689 753fc3 2688->2689 2688->2711 2689->2690 2982 75226e 2689->2982 2690->2686 2691 753f97 2694 754495 20 API calls 2691->2694 2698 753faa LocalFree 2694->2698 2695 753f32 LocalFree 2695->2690 2696 753f0a LocalFree 2696->2689 2696->2711 2698->2690 2699 754669 7 API calls 
2699->2711 2701 753cb3 CompareStringA 2701->2711 2702 753f7e 2704 754495 20 API calls 2702->2704 2703 753e0b GetProcAddress 2705 753f50 2703->2705 2703->2711 2706 753f95 2704->2706 2707 754495 20 API calls 2705->2707 2708 753f68 LocalFree 2706->2708 2709 753f61 FreeLibrary 2707->2709 2710 756233 GetLastError 2708->2710 2709->2708 2710->2690 2711->2682 2711->2683 2711->2688 2711->2689 2711->2690 2711->2691 2711->2695 2711->2696 2711->2699 2711->2701 2711->2702 2711->2703 2712 753f2c FreeLibrary 2711->2712 2713 753eeb FreeLibrary 2711->2713 2895 751b04 2711->2895 2933 752033 memset memset RegCreateKeyExA 2711->2933 2959 756443 2711->2959 2969 753fdb 2711->2969 2712->2695 2713->2696 2715 754669 7 API calls 2714->2715 2716 754167 LocalAlloc 2715->2716 2717 754192 2716->2717 2718 75417f 2716->2718 2720 754669 7 API calls 2717->2720 2719 754495 20 API calls 2718->2719 2721 754190 2719->2721 2722 75419f 2720->2722 2721->2288 2723 7541af lstrcmpA 2722->2723 2724 7541a3 2722->2724 2723->2724 2725 7541d0 LocalFree 2723->2725 2726 754495 20 API calls 2724->2726 2725->2721 2726->2725 2728 75173e _vsnprintf 2727->2728 2738 756277 FindResourceA 2728->2738 2730 756301 2732 756c80 4 API calls 2730->2732 2731 756279 LoadResource LockResource 2731->2730 2734 75628e 2731->2734 2733 75518a 2732->2733 2733->2598 2733->2599 2735 756303 FreeResource 2734->2735 2736 7562c9 FreeResource 2734->2736 2735->2730 2737 75173e _vsnprintf 2736->2737 2737->2738 2738->2730 2738->2731 2740 755446 2739->2740 2756 7554d6 2739->2756 2797 75535f 2740->2797 2742 755538 2746 756c80 4 API calls 2742->2746 2745 755451 2745->2742 2749 75547e GetSystemInfo 2745->2749 2750 7554c8 2745->2750 2751 755556 2746->2751 2747 7554f7 CreateDirectoryA 2748 755503 2747->2748 2752 755533 2747->2752 2748->2742 2755 755933 34 API calls 2748->2755 2759 755496 2749->2759 2753 756534 CharPrevA 2750->2753 2751->2628 2751->2635 2754 756233 GetLastError 2752->2754 2753->2756 2754->2742 2757 755518 2755->2757 2808 755880 2756->2808 
2757->2742 2760 755524 RemoveDirectoryA 2757->2760 2758 756534 CharPrevA 2758->2750 2759->2750 2759->2758 2760->2742 2762 752670 2761->2762 2763 75265f 2761->2763 2765 756c80 4 API calls 2762->2765 2764 754495 20 API calls 2763->2764 2764->2762 2766 752688 2765->2766 2766->2637 2766->2645 2768 756918 GetDiskFreeSpaceA 2767->2768 2769 75694b 2767->2769 2768->2769 2770 756933 MulDiv 2768->2770 2769->2645 2770->2769 2772 755971 2771->2772 2773 755993 GetDiskFreeSpaceA 2771->2773 2774 754495 20 API calls 2772->2774 2775 755b57 memset 2773->2775 2776 7559d7 MulDiv 2773->2776 2777 755982 2774->2777 2778 756233 GetLastError 2775->2778 2776->2775 2779 755a06 GetVolumeInformationA 2776->2779 2780 756233 GetLastError 2777->2780 2781 755b72 GetLastError FormatMessageA 2778->2781 2782 755a24 memset 2779->2782 2783 755a6b SetCurrentDirectoryA 2779->2783 2792 755987 2780->2792 2784 755b99 2781->2784 2785 756233 GetLastError 2782->2785 2791 755a82 2783->2791 2786 754495 20 API calls 2784->2786 2787 755a3f GetLastError FormatMessageA 2785->2787 2789 755bab SetCurrentDirectoryA 2786->2789 2787->2784 2788 756c80 4 API calls 2790 755bc7 2788->2790 2789->2792 2790->2645 2793 755ac0 2791->2793 2795 755ad6 2791->2795 2792->2788 2794 754495 20 API calls 2793->2794 2794->2792 2795->2792 2820 75268a 2795->2820 2799 75537d 2797->2799 2798 75173e _vsnprintf 2798->2799 2799->2798 2800 756534 CharPrevA 2799->2800 2803 7553d3 GetTempFileNameA 2799->2803 2801 7553b8 RemoveDirectoryA GetFileAttributesA 2800->2801 2801->2799 2802 75540b CreateDirectoryA 2801->2802 2802->2803 2804 7553f8 2802->2804 2803->2804 2805 7553e7 DeleteFileA CreateDirectoryA 2803->2805 2806 756c80 4 API calls 2804->2806 2805->2804 2807 755407 2806->2807 2807->2745 2809 755890 2808->2809 2809->2809 2810 755897 LocalAlloc 2809->2810 2811 7558ab 2810->2811 2814 7558cf 2810->2814 2812 754495 20 API calls 2811->2812 2813 7558be 2812->2813 2815 756233 GetLastError 2813->2815 2817 7554f0 2813->2817 2816 756534 CharPrevA 2814->2816 
2815->2817 2818 7558e7 CreateFileA LocalFree 2816->2818 2817->2747 2817->2748 2818->2813 2819 755911 CloseHandle GetFileAttributesA 2818->2819 2819->2813 2821 7526e4 2820->2821 2822 7526b8 2820->2822 2823 75271e 2821->2823 2824 7526e9 2821->2824 2825 75173e _vsnprintf 2822->2825 2827 7526e2 2823->2827 2830 75173e _vsnprintf 2823->2830 2826 75173e _vsnprintf 2824->2826 2828 7526cb 2825->2828 2829 7526fc 2826->2829 2831 756c80 4 API calls 2827->2831 2832 754495 20 API calls 2828->2832 2833 754495 20 API calls 2829->2833 2834 752734 2830->2834 2835 75276c 2831->2835 2832->2827 2833->2827 2836 754495 20 API calls 2834->2836 2835->2792 2836->2827 2838 754669 7 API calls 2837->2838 2839 754fb5 FindResourceA LoadResource LockResource 2838->2839 2840 75511f 2839->2840 2841 754fe0 2839->2841 2840->2665 2842 755017 2841->2842 2843 754fe9 GetDlgItem ShowWindow GetDlgItem ShowWindow 2841->2843 2856 754ecb 2842->2856 2843->2842 2846 755020 2848 754495 20 API calls 2846->2848 2847 75503c 2851 754495 20 API calls 2847->2851 2853 755035 2847->2853 2848->2853 2849 7550d0 FreeResource 2850 7550dd 2849->2850 2852 7550fa 2850->2852 2854 754495 20 API calls 2850->2854 2851->2853 2852->2840 2855 75510c SendMessageA 2852->2855 2853->2849 2853->2850 2854->2852 2855->2840 2857 754f18 2856->2857 2858 754f6f 2857->2858 2864 754950 2857->2864 2860 756c80 4 API calls 2858->2860 2861 754f94 2860->2861 2861->2846 2861->2847 2865 754960 2864->2865 2866 754975 2865->2866 2867 754992 lstrcmpA 2865->2867 2870 754495 20 API calls 2866->2870 2868 75498a 2867->2868 2869 7549de 2867->2869 2868->2858 2872 754b30 2868->2872 2869->2868 2875 754854 2869->2875 2870->2868 2873 754b46 2872->2873 2874 754b62 CloseHandle 2872->2874 2873->2858 2874->2873 2877 75487c CreateFileA 2875->2877 2878 7548c3 2877->2878 2879 7548e2 2877->2879 2878->2879 2882 7548e6 2878->2882 2879->2868 2883 7548cf CreateFileA 2882->2883 2884 7548f1 2882->2884 2883->2879 2884->2883 2885 75493c CharNextA 2884->2885 2886 75492d 
CreateDirectoryA 2884->2886 2885->2884 2886->2885 2888 752515 2887->2888 2889 752560 2887->2889 2890 756534 CharPrevA 2888->2890 2891 756c80 4 API calls 2889->2891 2892 752527 WritePrivateProfileStringA _lopen 2890->2892 2893 75256e 2891->2893 2892->2889 2894 75254d _llseek _lclose 2892->2894 2893->2674 2894->2889 2896 751b41 2895->2896 2996 751aa2 2896->2996 2898 751b73 2899 756534 CharPrevA 2898->2899 2901 751ba8 2898->2901 2899->2901 2900 756670 2 API calls 2902 751bed 2900->2902 2901->2900 2903 751bf5 CompareStringA 2902->2903 2904 751d8f 2902->2904 2903->2904 2905 751c13 GetFileAttributesA 2903->2905 2906 756670 2 API calls 2904->2906 2907 751d6f 2905->2907 2908 751c29 2905->2908 2909 751d99 2906->2909 2912 754495 20 API calls 2907->2912 2908->2907 2914 751aa2 2 API calls 2908->2914 2910 751e14 LocalAlloc 2909->2910 2911 751d9d CompareStringA 2909->2911 2910->2907 2913 751e27 GetFileAttributesA 2910->2913 2911->2910 2917 751db7 2911->2917 2931 751cde 2912->2931 2927 751e39 2913->2927 2915 751c4d 2914->2915 2916 751c6c LocalAlloc 2915->2916 2920 751aa2 2 API calls 2915->2920 2916->2907 2918 751c83 GetPrivateProfileIntA GetPrivateProfileStringA 2916->2918 2917->2917 2921 751dda LocalAlloc 2917->2921 2926 751d14 2918->2926 2918->2931 2919 756c80 4 API calls 2924 751ebd 2919->2924 2920->2916 2921->2907 2925 751dfd 2921->2925 2924->2711 2930 75173e _vsnprintf 2925->2930 2928 751d25 GetShortPathNameA 2926->2928 2929 751d3f 2926->2929 3002 752aa5 2927->3002 2928->2929 2932 75173e _vsnprintf 2929->2932 2930->2931 2931->2919 2932->2931 2934 7520a3 2933->2934 2943 75225f 2933->2943 2937 75173e _vsnprintf 2934->2937 2939 7520e5 2934->2939 2935 756c80 4 API calls 2936 75226c 2935->2936 2936->2711 2938 7520b8 RegQueryValueExA 2937->2938 2938->2934 2938->2939 2940 752104 GetSystemDirectoryA 2939->2940 2941 7520ed RegCloseKey 2939->2941 2942 756534 CharPrevA 2940->2942 2941->2943 2944 752124 LoadLibraryA 2942->2944 2943->2935 2945 752137 GetProcAddress FreeLibrary 2944->2945 
2946 752182 GetModuleFileNameA 2944->2946 2945->2946 2947 752157 GetSystemDirectoryA 2945->2947 2948 7521e7 RegCloseKey 2946->2948 2951 752180 2946->2951 2949 75216e 2947->2949 2947->2951 2948->2943 2950 756534 CharPrevA 2949->2950 2950->2951 2951->2951 2952 7521c0 LocalAlloc 2951->2952 2953 7521f5 2952->2953 2954 7521d6 2952->2954 2956 75173e _vsnprintf 2953->2956 2955 754495 20 API calls 2954->2955 2955->2948 2957 752221 RegSetValueExA RegCloseKey LocalFree 2956->2957 2957->2943 2960 756470 2959->2960 2961 756534 CharPrevA 2960->2961 2962 756486 GetFileAttributesA 2961->2962 2963 7564af LoadLibraryA 2962->2963 2964 756498 2962->2964 2966 7564b6 2963->2966 2964->2963 2965 75649c LoadLibraryExA 2964->2965 2965->2966 2967 756c80 4 API calls 2966->2967 2968 7564c1 2967->2968 2968->2711 2970 754002 CreateProcessA 2969->2970 2981 7540a6 2969->2981 2971 7540b0 2970->2971 2972 75402d WaitForSingleObject GetExitCodeProcess 2970->2972 2975 756233 GetLastError 2971->2975 2980 75405c 2972->2980 2973 756c80 4 API calls 2974 754103 2973->2974 2974->2711 2977 7540b5 GetLastError FormatMessageA 2975->2977 2978 754495 20 API calls 2977->2978 2978->2981 3029 754105 2980->3029 2981->2973 2983 752290 RegOpenKeyExA 2982->2983 2985 752388 2982->2985 2983->2985 2986 7522b8 RegQueryValueExA 2983->2986 2984 756c80 4 API calls 2987 752393 2984->2987 2985->2984 2988 7522ed memset GetSystemDirectoryA 2986->2988 2989 75237b RegCloseKey 2986->2989 2987->2690 2990 752316 2988->2990 2991 752328 2988->2991 2989->2985 2992 756534 CharPrevA 2990->2992 2993 75173e _vsnprintf 2991->2993 2992->2991 2994 752346 RegSetValueExA 2993->2994 2994->2989 2997 751ab8 2996->2997 2999 751acd 2997->2999 3001 751ad8 2997->3001 3015 756627 2997->3015 3000 756627 2 API calls 2999->3000 2999->3001 3000->2999 3001->2898 3003 752bdf 3002->3003 3004 752acd GetModuleFileNameA 3002->3004 3005 756c80 4 API calls 3003->3005 3014 752afb 3004->3014 3006 752bee 3005->3006 3006->2931 3007 752aea IsDBCSLeadByte 3007->3014 3008 
752bc3 CharNextA 3011 752bcc CharNextA 3008->3011 3009 752b0a CharNextA CharUpperA 3010 752b86 CharUpperA 3009->3010 3009->3014 3010->3014 3011->3014 3013 752b3c CharPrevA 3013->3014 3014->3003 3014->3007 3014->3008 3014->3009 3014->3011 3014->3013 3020 756592 3014->3020 3017 756631 3015->3017 3016 7565f2 IsDBCSLeadByte 3016->3017 3017->3016 3018 75664d 3017->3018 3019 75663f CharNextA 3017->3019 3018->2997 3019->3017 3021 75659e 3020->3021 3021->3021 3022 7565a5 CharPrevA 3021->3022 3023 7565bb CharPrevA 3022->3023 3024 7565b5 3023->3024 3025 7565c8 3023->3025 3024->3023 3024->3025 3026 7565e7 3025->3026 3027 7565d1 CharPrevA 3025->3027 3028 7565de CharNextA 3025->3028 3026->3014 3027->3026 3027->3028 3028->3026 3030 75411c 3029->3030 3032 754082 CloseHandle CloseHandle 3029->3032 3033 751ec1 3030->3033 3032->2981 3034 751ed0 3033->3034 3036 751ee3 3033->3036 3035 752570 15 API calls 3034->3035 3035->3036 3036->3032 3038 752031 3037->3038 3039 751ffb RegOpenKeyExA 3037->3039 3038->2317 3039->3038 3040 75201a RegDeleteValueA RegCloseKey 3039->3040 3040->3038 3189 753440 3190 7534c3 EndDialog 3189->3190 3191 75344e 3189->3191 3194 75345a 3190->3194 3192 75348a GetDesktopWindow 3191->3192 3197 753455 3191->3197 3193 7543ae 11 API calls 3192->3193 3195 75349c SetWindowTextA SetDlgItemTextA SetForegroundWindow 3193->3195 3195->3194 3196 75347c EndDialog 3196->3194 3197->3194 3197->3196 3198 751a00 3199 751a44 GetDesktopWindow 3198->3199 3200 751a23 3198->3200 3202 7543ae 11 API calls 3199->3202 3201 751a40 3200->3201 3203 751a36 EndDialog 3200->3203 3205 756c80 4 API calls 3201->3205 3204 751a53 LoadStringA SetDlgItemTextA MessageBeep 3202->3204 3203->3201 3204->3201 3206 751a9e 3205->3206 3207 753200 3208 753217 3207->3208 3209 75327e EndDialog 3207->3209 3211 753225 3208->3211 3212 7533d2 GetDesktopWindow 3208->3212 3227 753229 3209->3227 3214 7532cd GetDlgItemTextA 3211->3214 3215 75323c 3211->3215 3211->3227 3213 7543ae 11 API calls 3212->3213 3216 7533e1 
SetWindowTextA SendDlgItemMessageA 3213->3216 3217 753356 3214->3217 3225 7532ec 3214->3225 3218 7532b5 EndDialog 3215->3218 3219 753241 3215->3219 3220 75340f GetDlgItem EnableWindow 3216->3220 3216->3227 3224 754495 20 API calls 3217->3224 3218->3227 3221 75324c LoadStringA 3219->3221 3219->3227 3220->3227 3222 753284 3221->3222 3223 75326b 3221->3223 3245 754204 LoadLibraryA 3222->3245 3229 754495 20 API calls 3223->3229 3224->3227 3225->3217 3228 753321 GetFileAttributesA 3225->3228 3231 75336c 3228->3231 3232 75332f 3228->3232 3229->3209 3234 756534 CharPrevA 3231->3234 3235 754495 20 API calls 3232->3235 3233 753295 SetDlgItemTextA 3233->3223 3233->3227 3236 75337d 3234->3236 3237 753341 3235->3237 3238 755880 27 API calls 3236->3238 3237->3227 3239 75334a CreateDirectoryA 3237->3239 3240 753384 3238->3240 3239->3217 3239->3231 3240->3217 3241 753394 3240->3241 3242 7533b7 EndDialog 3241->3242 3243 755933 34 API calls 3241->3243 3242->3227 3244 7533b3 3243->3244 3244->3227 3244->3242 3246 754226 GetProcAddress 3245->3246 3247 754392 3245->3247 3248 754384 FreeLibrary 3246->3248 3249 75423d GetProcAddress 3246->3249 3251 754495 20 API calls 3247->3251 3248->3247 3249->3248 3250 754254 GetProcAddress 3249->3250 3250->3248 3252 75426b 3250->3252 3253 75328d 3251->3253 3254 754275 GetTempPathA 3252->3254 3259 7542c1 3252->3259 3253->3227 3253->3233 3255 75428d 3254->3255 3255->3255 3256 754294 CharPrevA 3255->3256 3257 7542b0 CharPrevA 3256->3257 3256->3259 3257->3259 3258 754370 FreeLibrary 3258->3253 3259->3258 3260 7569c0 __getmainargs 3261 756b8f _XcptFilter

    Callgraph

    Executed Functions

    Control-flow Graph

    C-Code - Quality: 93%
    			E00752CA1(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
    				signed int _v8;
    				char _v268;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t13;
    				void* _t20;
    				void* _t23;
    				void* _t27;
    				struct HRSRC__* _t31;
    				intOrPtr _t33;
    				void* _t43;
    				void* _t48;
    				signed int _t65;
    				struct HINSTANCE__* _t66;
    				signed int _t67;
    
    				_t13 =  *0x758004; // 0xb49f60cf
    				_v8 = _t13 ^ _t67;
    				_t65 = 0;
    				_t66 = __ecx;
    				_t48 = __edx;
    				 *0x759a3c = __ecx;
    				memset(0x759140, 0, 0x8fc);
    				memset(0x758a20, 0, 0x32c);
    				memset(0x7588c0, 0, 0x104);
    				 *0x7593ec = 1;
    				_t20 = E00754669("TITLE", 0x759154, 0x7f);
    				if(_t20 == 0 || _t20 > 0x80) {
    					_t64 = 0x4b1;
    					goto L32;
    				} else {
    					_t27 = CreateEventA(0, 1, 1, 0);
    					 *0x75858c = _t27;
    					SetEvent(_t27);
    					_t64 = 0x759a34;
    					if(E00754669("EXTRACTOPT", 0x759a34, 4) != 0) {
    						if(( *0x759a34 & 0x000000c0) == 0) {
    							L12:
    							 *0x759120 =  *0x759120 & _t65;
    							if(E00755C50(_t48, _t48, _t65, _t66) != 0) {
    								if( *0x758a3a == 0) {
    									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
    									if(_t31 != 0) {
    										_t65 = LoadResource(_t66, _t31);
    									}
    									if( *0x758184 != 0) {
    										__imp__#17();
    									}
    									if( *0x758a24 == 0) {
    										_t57 = _t65;
    										if(E007536DC(_t65) == 0) {
    											goto L33;
    										} else {
    											_t33 =  *0x759a40;
    											_t48 = 1;
    											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
    												if(( *0x759a34 & 0x00000100) == 0 || ( *0x758a38 & 0x00000001) != 0 || E007518C1(_t64, _t66) != 0) {
    													goto L30;
    												} else {
    													_t64 = 0x7d6;
    													if(E007564C3(_t57, 0x7d6, _t34, E00751A00, 0x547, 0x83e) != 0x83d) {
    														goto L33;
    													} else {
    														goto L30;
    													}
    												}
    											} else {
    												L30:
    												_t23 = _t48;
    											}
    										}
    									} else {
    										_t23 = 1;
    									}
    								} else {
    									E00752395(0x758a3a);
    									goto L33;
    								}
    							} else {
    								_t64 = 0x520;
    								L32:
    								E00754495(0, _t64, 0, 0, 0x10, 0); // executed
    								goto L33;
    							}
    						} else {
    							_t64 =  &_v268;
    							if(E00754669("INSTANCECHECK",  &_v268, 0x104) == 0) {
    								goto L3;
    							} else {
    								_t43 = CreateMutexA(0, 1,  &_v268);
    								 *0x758588 = _t43;
    								if(_t43 == 0 || GetLastError() != 0xb7) {
    									goto L12;
    								} else {
    									if(( *0x759a34 & 0x00000080) == 0) {
    										_t64 = 0x524;
    										if(E00754495(0, 0x524, 0x759154, 0, 0x20, 4) == 6) {
    											goto L12;
    										} else {
    											goto L11;
    										}
    									} else {
    										_t64 = 0x54b;
    										E00754495(0, 0x54b, 0x759154, 0, 0x10, 0);
    										L11:
    										CloseHandle( *0x758588);
    										 *0x759124 = 0x800700b7;
    										goto L33;
    									}
    								}
    							}
    						}
    					} else {
    						L3:
    						_t64 = 0x4b1;
    						E00754495(0, 0x4b1, 0, 0, 0x10, 0);
    						 *0x759124 = 0x80070714;
    						L33:
    						_t23 = 0;
    					}
    				}
    				return E00756C80(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
    			}


    APIs
    • memset.MSVCRT ref: 00752CD0
    • memset.MSVCRT ref: 00752CE0
    • memset.MSVCRT ref: 00752CF0
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075467A
      • Part of subcall function 00754669: SizeofResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00754683
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075469D
      • Part of subcall function 00754669: LoadResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A6
      • Part of subcall function 00754669: LockResource.KERNEL32(00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546AD
      • Part of subcall function 00754669: memcpy_s.MSVCRT ref: 007546BF
      • Part of subcall function 00754669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546C9
    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00752D2B
    • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00752D37
    • CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00752DA5
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00752DB4
    • CloseHandle.KERNEL32(00759154,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00752E01
      • Part of subcall function 00754495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 007544F4
      • Part of subcall function 00754495: MessageBoxA.USER32(?,?,00759154,00010010), ref: 00754530
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
    • String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
    • API String ID: 1002816675-2113404272
    • Opcode ID: 2f905472a54dfb0d8a2cc3756b281fd309190d4c3231cf496454001a90597c86
    • Instruction ID: deb9bd173d3d676fa0838a94a12747ebfd87bb78cb6b0b9d3789903f34f12ba9
    • Opcode Fuzzy Hash: 2f905472a54dfb0d8a2cc3756b281fd309190d4c3231cf496454001a90597c86
    • Instruction Fuzzy Hash: DD51C570740345EBE760A7349C4FBFA2699DB46707F508039BE41D51D2DEEC884ED626
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 70%
    			E00752BF2(struct HINSTANCE__* _a4, intOrPtr _a12) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				long _t4;
    				void* _t5;
    				void* _t6;
    				struct HINSTANCE__* _t12;
    				intOrPtr* _t17;
    				intOrPtr* _t21;
    				void* _t22;
    				void* _t24;
    				intOrPtr _t32;
    
    				_t4 = GetVersion();
    				if(_t4 >= 0 && _t4 >= 6) {
    					_t12 = GetModuleHandleW(L"Kernel32.dll");
    					if(_t12 != 0) {
    						_t21 = GetProcAddress(_t12, "HeapSetInformation");
    						if(_t21 != 0) {
    							_t17 = _t21;
    							 *0x75a288(0, 1, 0, 0);
    							 *_t21();
    							_t29 = _t24 - _t24;
    							if(_t24 != _t24) {
    								_t17 = 4;
    								asm("int 0x29");
    							}
    						}
    					}
    				}
    				_t20 = _a12;
    				_t18 = _a4;
    				 *0x759124 = 0; // executed
    				_t5 = E00752CA1(_a4, _a12, _t29, _t17); // executed
    				if(_t5 != 0) {
    					_t22 = E00752F10(_t18, _t20);
    					E00755276(0, _t18, _t21, _t22);
    					if(_t22 != 0) {
    						_t32 =  *0x758a3a; // 0x0
    						if(_t32 == 0) {
    							_t19 =  *0x759a2c;
    							if(( *0x759a2c & 0x00000001) != 0) {
    								E00751F9B(_t19, _t21, _t22);
    							}
    						}
    					}
    				}
    				_t6 =  *0x758588; // 0x0
    				if(_t6 != 0) {
    					CloseHandle(_t6);
    				}
    				return  *0x759124;
    			}

    APIs
    • GetVersion.KERNEL32(?,00000002,00000000,?,00756B50,00750000,00000000,00000002,0000000A), ref: 00752BFA
    • GetModuleHandleW.KERNEL32(Kernel32.dll,?,00756B50,00750000,00000000,00000002,0000000A), ref: 00752C0F
    • GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00752C1F
    • CloseHandle.KERNEL32(00000000,?,?,00756B50,00750000,00000000,00000002,0000000A), ref: 00752C8F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Handle$AddressCloseModuleProcVersion
    • String ID: HeapSetInformation$Kernel32.dll
    • API String ID: 62482547-3460614246
    • Opcode ID: 80b540439a952788bf624c75a87677b3c314bd55feeebf120f3e3f596ea3d427
    • Instruction ID: 058e36db0082639efeec76e3d1b959ef241f5c82417f4cb7998a3ebdb36c70f4
    • Opcode Fuzzy Hash: 80b540439a952788bf624c75a87677b3c314bd55feeebf120f3e3f596ea3d427
    • Instruction Fuzzy Hash: A8110A71700305ABE7146B65AC99AEF3759AB45393F058125FD0183293DEFCCC0E86B5
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 94%
    			E00754495(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
    				signed int _v8;
    				char _v64;
    				char _v576;
    				void* _v580;
    				struct HWND__* _v584;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t34;
    				void* _t37;
    				signed int _t39;
    				intOrPtr _t43;
    				signed int _t44;
    				signed int _t49;
    				signed int _t52;
    				void* _t54;
    				intOrPtr _t55;
    				intOrPtr _t58;
    				intOrPtr _t59;
    				int _t64;
    				void* _t66;
    				intOrPtr* _t67;
    				signed int _t69;
    				intOrPtr* _t73;
    				intOrPtr* _t76;
    				intOrPtr* _t77;
    				void* _t80;
    				void* _t81;
    				void* _t82;
    				intOrPtr* _t84;
    				void* _t85;
    				signed int _t89;
    
    				_t75 = __edx;
    				_t34 =  *0x758004; // 0xb49f60cf
    				_v8 = _t34 ^ _t89;
    				_v584 = __ecx;
    				_t83 = "LoadString() Error.  Could not load string resource.";
    				_t67 = _a4;
    				_t69 = 0xd;
    				_t37 = memcpy( &_v64, _t83, _t69 << 2);
    				_t80 = _t83 + _t69 + _t69;
    				_v580 = _t37;
    				asm("movsb");
    				if(( *0x758a38 & 0x00000001) != 0) {
    					_t39 = 1;
    				} else {
    					_v576 = 0;
    					LoadStringA( *0x759a3c, _t75,  &_v576, 0x200); // executed
    					if(_v576 != 0) {
    						_t73 =  &_v576;
    						_t16 = _t73 + 1; // 0x1
    						_t75 = _t16;
    						do {
    							_t43 =  *_t73;
    							_t73 = _t73 + 1;
    						} while (_t43 != 0);
    						_t84 = _v580;
    						_t74 = _t73 - _t75;
    						if(_t84 == 0) {
    							if(_t67 == 0) {
    								_t27 = _t74 + 1; // 0x2
    								_t83 = _t27;
    								_t44 = LocalAlloc(0x40, _t83);
    								_t80 = _t44;
    								if(_t80 == 0) {
    									goto L6;
    								} else {
    									_t75 = _t83;
    									_t74 = _t80;
    									E007516A0(_t80, _t83,  &_v576);
    									goto L23;
    								}
    							} else {
    								_t76 = _t67;
    								_t24 = _t76 + 1; // 0x1
    								_t85 = _t24;
    								do {
    									_t55 =  *_t76;
    									_t76 = _t76 + 1;
    								} while (_t55 != 0);
    								_t25 = _t76 - _t85 + 0x64; // 0x65
    								_t83 = _t25 + _t74;
    								_t44 = LocalAlloc(0x40, _t25 + _t74);
    								_t80 = _t44;
    								if(_t80 == 0) {
    									goto L6;
    								} else {
    									E0075173E(_t80, _t83,  &_v576, _t67);
    									goto L23;
    								}
    							}
    						} else {
    							_t77 = _t67;
    							_t18 = _t77 + 1; // 0x1
    							_t81 = _t18;
    							do {
    								_t58 =  *_t77;
    								_t77 = _t77 + 1;
    							} while (_t58 != 0);
    							_t75 = _t77 - _t81;
    							_t82 = _t84 + 1;
    							do {
    								_t59 =  *_t84;
    								_t84 = _t84 + 1;
    							} while (_t59 != 0);
    							_t21 = _t74 + 0x64; // 0x65
    							_t83 = _t21 + _t84 - _t82 + _t75;
    							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
    							_t80 = _t44;
    							if(_t80 == 0) {
    								goto L6;
    							} else {
    								_push(_v580);
    								E0075173E(_t80, _t83,  &_v576, _t67);
    								L23:
    								MessageBeep(_a12);
    								if(E007567CB(_t67) == 0) {
    									L25:
    									_t49 = 0x10000;
    								} else {
    									_t54 = E00756777(_t74, _t74);
    									_t49 = 0x190000;
    									if(_t54 == 0) {
    										goto L25;
    									}
    								}
    								_t52 = MessageBoxA(_v584, _t80, 0x759154, _t49 | _a12 | _a16);
    								_t83 = _t52;
    								LocalFree(_t80);
    								_t39 = _t52;
    							}
    						}
    					} else {
    						if(E007567CB(_t67) == 0) {
    							L4:
    							_t64 = 0x10010;
    						} else {
    							_t66 = E00756777(0, 0);
    							_t64 = 0x190010;
    							if(_t66 == 0) {
    								goto L4;
    							}
    						}
    						_t44 = MessageBoxA(_v584,  &_v64, 0x759154, _t64); // executed
    						L6:
    						_t39 = _t44 | 0xffffffff;
    					}
    				}
    				return E00756C80(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
    			}

    APIs
    • LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 007544F4
    • MessageBoxA.USER32(?,?,00759154,00010010), ref: 00754530
    • LocalAlloc.KERNEL32(00000040,00000065), ref: 0075457F
    • LocalAlloc.KERNEL32(00000040,00000065), ref: 007545BF
    • LocalAlloc.KERNEL32(00000040,00000002), ref: 007545E9
    • MessageBeep.USER32(00000000), ref: 0075460C
    • MessageBoxA.USER32(?,00000000,00759154,00000000), ref: 00754642
    • LocalFree.KERNEL32(00000000), ref: 0075464B
      • Part of subcall function 007567CB: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0075681A
      • Part of subcall function 007567CB: GetSystemMetrics.USER32(0000004A), ref: 00756853
      • Part of subcall function 007567CB: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00756878
      • Part of subcall function 007567CB: RegQueryValueExA.ADVAPI32(?,00751140,00000000,?,?,0000000C), ref: 007568A0
      • Part of subcall function 007567CB: RegCloseKey.ADVAPI32(?), ref: 007568AE
    Strings
    • LoadString() Error. Could not load string resource., xrefs: 007544C0
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
    • String ID: LoadString() Error. Could not load string resource.
    • API String ID: 3244514340-1556763079
    • Opcode ID: c5f51fb5a2d36ebed38251f8878fe73c0907eae648bb2370a8cbdd1aeadf9ae1
    • Instruction ID: eb7870b6269534f9015cd9b9ebb8d4a2c85af71a199ac7fd13b2c540976722eb
    • Opcode Fuzzy Hash: c5f51fb5a2d36ebed38251f8878fe73c0907eae648bb2370a8cbdd1aeadf9ae1
    • Instruction Fuzzy Hash: AF510671900219AFDB219F28CC08BEA7B79EF45306F1045A4FD09A3241DBB9DE8DCB60
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 49%
    			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				signed int* _t26;
    				signed int _t27;
    				signed int _t30;
    				int _t31;
    				signed char _t42;
    				signed int _t56;
    				signed int _t57;
    				intOrPtr _t60;
    				signed int _t62;
    				signed int _t63;
    				intOrPtr* _t65;
    				void* _t67;
    				void* _t74;
    				void* _t75;
    
    				E00757105();
    				_push(0x58);
    				_push(0x757268);
    				E007571B8(__ebx, __edi, __esi);
    				 *(_t67 - 0x20) = 0;
    				GetStartupInfoW(_t67 - 0x68);
    				 *((intOrPtr*)(_t67 - 4)) = 0;
    				_t60 =  *((intOrPtr*)( *[fs:0x18] + 4));
    				_t56 = 0;
    				while(1) {
    					asm("lock cmpxchg [edx], ecx");
    					if(0 == 0) {
    						break;
    					}
    					if(0 != _t60) {
    						Sleep(0x3e8);
    						continue;
    					} else {
    						_t62 = 1;
    						_t56 = 1;
    					}
    					L7:
    					_t74 =  *0x7588b0 - _t62; // 0x2
    					if(_t74 != 0) {
    						__eflags =  *0x7588b0; // 0x2
    						if(__eflags != 0) {
    							 *0x7581e4 = _t62;
    							goto L13;
    						} else {
    							 *0x7588b0 = _t62;
    							__eflags = E00756BE9(0x7510c0, 0x7510cc);
    							if(__eflags == 0) {
    								goto L13;
    							} else {
    								 *((intOrPtr*)(_t67 - 4)) = 0xfffffffe;
    								_t31 = 0xff;
    							}
    						}
    					} else {
    						_push(0x1f);
    						L00756F9E();
    						L13:
    						_t75 =  *0x7588b0 - _t62; // 0x2
    						if(_t75 == 0) {
    							_push(0x7510bc);
    							_push(0x7510b4);
    							L007571B0();
    							 *0x7588b0 = 2;
    						}
    						if(_t56 == 0) {
    							 *0x7588ac = 0;
    						}
    						_t78 =  *0x7588b4;
    						if( *0x7588b4 != 0 && E00757010(_t78, 0x7588b4) != 0) {
    							_t65 =  *0x7588b4; // 0x0
    							 *0x75a288(0, 2, 0);
    							 *_t65();
    						}
    						_t26 = __imp___acmdln; // 0x75155ba0
    						_t63 =  *_t26;
    						 *(_t67 - 0x1c) = _t63;
    						_t57 =  *(_t67 - 0x20);
    						while(1) {
    							_t42 =  *_t63;
    							if(_t42 > 0x20) {
    								goto L32;
    							}
    							if(_t42 != 0) {
    								if(_t57 != 0) {
    									goto L32;
    								} else {
    									while(_t42 != 0 && _t42 <= 0x20) {
    										_t63 = _t63 + 1;
    										 *(_t67 - 0x1c) = _t63;
    										_t42 =  *_t63;
    									}
    								}
    							}
    							__eflags =  *(_t67 - 0x3c) & 0x00000001;
    							if(( *(_t67 - 0x3c) & 0x00000001) == 0) {
    								_t30 = 0xa;
    							} else {
    								_t30 =  *(_t67 - 0x38) & 0x0000ffff;
    							}
    							_push(_t30);
    							_t31 = E00752BF2(0x750000, 0, _t63); // executed
    							 *0x7581e0 = _t31;
    							__eflags =  *0x7581f8;
    							if( *0x7581f8 == 0) {
    								exit(_t31); // executed
    								goto L32;
    							}
    							__eflags =  *0x7581e4;
    							if( *0x7581e4 == 0) {
    								__imp___cexit();
    								_t31 =  *0x7581e0; // 0x0
    							}
    							 *((intOrPtr*)(_t67 - 4)) = 0xfffffffe;
    							goto L40;
    							L32:
    							__eflags = _t42 - 0x22;
    							if(_t42 == 0x22) {
    								__eflags = _t57;
    								_t15 = _t57 == 0;
    								__eflags = _t15;
    								_t57 = 0 | _t15;
    								 *(_t67 - 0x20) = _t57;
    							}
    							_t27 = _t42 & 0x000000ff;
    							__imp___ismbblead(_t27);
    							__eflags = _t27;
    							if(_t27 != 0) {
    								_t63 = _t63 + 1;
    								__eflags = _t63;
    								 *(_t67 - 0x1c) = _t63;
    							}
    							_t63 = _t63 + 1;
    							 *(_t67 - 0x1c) = _t63;
    						}
    					}
    					L40:
    					 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0x10));
    					return _t31;
    				}
    				_t62 = 1;
    				__eflags = 1;
    				goto L7;
    			}

    APIs
      • Part of subcall function 00757105: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00757132
      • Part of subcall function 00757105: GetCurrentProcessId.KERNEL32 ref: 00757141
      • Part of subcall function 00757105: GetCurrentThreadId.KERNEL32 ref: 0075714A
      • Part of subcall function 00757105: GetTickCount.KERNEL32 ref: 00757153
      • Part of subcall function 00757105: QueryPerformanceCounter.KERNEL32(?), ref: 00757168
    • GetStartupInfoW.KERNEL32(?,00757268,00000058), ref: 00756A1F
    • Sleep.KERNEL32(000003E8), ref: 00756A54
    • _amsg_exit.MSVCRT ref: 00756A69
    • _initterm.MSVCRT ref: 00756ABD
    • exit.KERNELBASE ref: 00756B5F
    • _ismbblead.MSVCRT ref: 00756B7A
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFileInfoPerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
    • String ID:
    • API String ID: 626344529-0
    • Opcode ID: 1b532599c584197e7338e67d5b4ca863631811b187715a1536941562decc43f4
    • Instruction ID: 1512f9ece0702d3cc77d3f3efbd446f7ba456bcbfc7f5ea4a27ca77672aebc0a
    • Opcode Fuzzy Hash: 1b532599c584197e7338e67d5b4ca863631811b187715a1536941562decc43f4
    • Instruction Fuzzy Hash: C341D4B1A047559BDB619B54D8057E97BB0FB44723FA0812AEC01E7290CFFC4C49CB86
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Control-flow Graph

    C-Code - Quality: 93%
    			E00752033(struct HINSTANCE__* __edx) {
    				signed int _v8;
    				char _v268;
    				char _v528;
    				void* _v532;
    				int _v536;
    				int _v540;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t28;
    				intOrPtr _t49;
    				intOrPtr _t50;
    				CHAR* _t54;
    				void _t56;
    				char _t66;
    				intOrPtr* _t72;
    				void* _t73;
    				void* _t75;
    				void* _t80;
    				intOrPtr* _t81;
    				void* _t86;
    				void* _t87;
    				void* _t89;
    				void* _t90;
    				_Unknown_base(*)()* _t91;
    				signed int _t93;
    				void* _t94;
    				void* _t95;
    
    				_t79 = __edx;
    				_t28 =  *0x758004; // 0xb49f60cf
    				_v8 = _t28 ^ _t93;
    				_t84 = 0x104;
    				memset( &_v268, 0, 0x104);
    				memset( &_v528, 0, 0x104);
    				_t95 = _t94 + 0x18;
    				_t66 = 0;
    				if(RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536) != 0) {
    					L24:
    					return E00756C80(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
    				}
    				_push(_t86);
    				_t87 = 0;
    				while(1) {
    					E0075173E(0x758530, 0x50, "wextract_cleanup%d", _t87);
    					_t95 = _t95 + 0x10;
    					if(RegQueryValueExA(_v532, 0x758530, 0, 0, 0,  &_v540) != 0) {
    						break;
    					}
    					_t87 = _t87 + 1;
    					if(_t87 < 0xc8) {
    						continue;
    					}
    					break;
    				}
    				if(_t87 != 0xc8) {
    					GetSystemDirectoryA( &_v528, _t84);
    					_t79 = _t84;
    					E00756534( &_v528, _t84, "advpack.dll");
    					_t84 = LoadLibraryA( &_v528);
    					if(_t84 == 0) {
    						L10:
    						if(GetModuleFileNameA( *0x759a3c,  &_v268, 0x104) == 0) {
    							L17:
    							_t36 = RegCloseKey(_v532);
    							L23:
    							_pop(_t86);
    							goto L24;
    						}
    						L11:
    						_t72 =  &_v268;
    						_t80 = _t72 + 1;
    						do {
    							_t49 =  *_t72;
    							_t72 = _t72 + 1;
    						} while (_t49 != 0);
    						_t73 = _t72 - _t80;
    						_t81 = 0x7591e4;
    						_t19 = _t81 + 1; // 0x7591e5
    						_t89 = _t19;
    						do {
    							_t50 =  *_t81;
    							_t81 = _t81 + 1;
    						} while (_t50 != 0);
    						_t84 = _t73 + 0x50 + _t81 - _t89;
    						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - _t89);
    						if(_t90 != 0) {
    							 *0x758580 = _t66 ^ 0x00000001;
    							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
    							if(_t66 == 0) {
    								_t54 = "%s /D:%s";
    							}
    							_push(0x7591e4);
    							E0075173E(_t90, _t84, _t54,  &_v268);
    							_t75 = _t90;
    							_t23 = _t75 + 1; // 0x1
    							_t79 = _t23;
    							do {
    								_t56 =  *_t75;
    								_t75 = _t75 + 1;
    							} while (_t56 != 0);
    							_t24 = _t75 - _t79 + 1; // 0x2
    							RegSetValueExA(_v532, 0x758530, 0, 1, _t90, _t24);
    							RegCloseKey(_v532);
    							_t36 = LocalFree(_t90);
    							goto L23;
    						}
    						_t79 = 0x4b5;
    						E00754495(0, 0x4b5, _t51, _t51, 0x10, _t51);
    						goto L17;
    					}
    					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
    					_t66 = 0 | _t91 != 0x00000000;
    					FreeLibrary(_t84);
    					if(_t91 == 0) {
    						goto L10;
    					}
    					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
    						E00756534( &_v268, 0x104, 0x751140);
    					}
    					goto L11;
    				}
    				_t36 = RegCloseKey(_v532);
    				 *0x758530 = _t66;
    				goto L23;
    			}

    APIs
    • memset.MSVCRT ref: 00752059
    • memset.MSVCRT ref: 00752068
    • RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00752095
      • Part of subcall function 0075173E: _vsnprintf.MSVCRT ref: 00751770
    • RegQueryValueExA.ADVAPI32(?,00758530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 007520D2
    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 007520F3
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0075210C
    • LoadLibraryA.KERNEL32(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0075212B
    • GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 0075213D
    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0075214D
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00752164
    • GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00752195
    • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 007521CA
    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 007521ED
    • RegSetValueExA.ADVAPI32(?,00758530,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 00752246
    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00752252
    • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00752259
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
    • String ID: %s /D:%s$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d
    • API String ID: 178549006-242633136
    • Opcode ID: ea34f286a20a13e0726f0a24287db6e645b0dfff214cf90775e9f996421b8216
    • Instruction ID: 78a28c5bc83bce4ebe0c353181176e919772f1d0bc06a5c13d6b06968920f25e
    • Opcode Fuzzy Hash: ea34f286a20a13e0726f0a24287db6e645b0dfff214cf90775e9f996421b8216
    • Instruction Fuzzy Hash: 5851EA75A00218BBDB209B24DC4DFEB7729EB55702F0042A4BE09E6191EEF99D4D8A61
    Uniqueness

    Uniqueness Score: -1.00%
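The routine above registers the extractor's own cleanup under HKEY_LOCAL_MACHINE (hKey 0x80000002) \Software\Microsoft\Windows\CurrentVersion\RunOnce as a REG_SZ value named wextract_cleanup%d, in one of two forms: "rundll32.exe <system dir>advpack.dll,DelNodeRunDLL32 "<dir>"" when advpack.dll exports DelNodeRunDLL32, otherwise "<extractor path> /D:<dir>". The triage routine below is an added example, not code from the report or from wextract: it recognises both forms in registry-set records and flags the cases worth a second look (an advpack.dll path outside the system directory, or the self-re-run form). The record layout "Field: value | Field: value", the field names EventType/TargetObject/Details, the C:\Windows\System32 system directory and all sample values are constructed assumptions.

```python
"""Triage RunOnce 'wextract_cleanup<N>' values (added example, not wextract code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Key opened with hKey = 0x80000002 (HKEY_LOCAL_MACHINE) in the decompiled routine.
RUNONCE_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
VALUE_NAME_RE = re.compile(r"^wextract_cleanup(?P<n>\d+)$", re.IGNORECASE)
# Form 1, used when advpack.dll exports DelNodeRunDLL32:
#   rundll32.exe <system dir>advpack.dll,DelNodeRunDLL32 "<extraction dir>"
RUNDLL_RE = re.compile(
    r'^rundll32\.exe\s+(?P<dll>\S*advpack\.dll),DelNodeRunDLL32\s+"(?P<dir>[^"]+)"$',
    re.IGNORECASE,
)
# Form 2, fallback: "<path of the extractor itself> /D:<extraction dir>"
SELF_RE = re.compile(r"^(?P<exe>.+?)\s+/D:(?P<dir>.+)$", re.IGNORECASE)
# Assumption: standard system directory; on a live host compare with GetSystemDirectory().
SYSTEM_DIR = "c:\\windows\\system32\\"


@dataclass
class Finding:
    value_name: str
    form: str                   # "rundll32-advpack", "self-/D:" or "unknown"
    cleanup_dir: Optional[str]  # directory tree that will be deleted at next logon
    actor: Optional[str]        # DLL or EXE that performs the deletion
    severity: str               # "info" or "review"
    note: str


def parse_record(line: str) -> dict:
    """Parse one constructed 'Field: value | Field: value' record into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, val = part.partition(": ")
        fields[key.strip()] = val.strip()
    return fields


def classify(target: str, data: str) -> Optional[Finding]:
    """Return a Finding if target/data look like the extractor's cleanup value, else None."""
    key, _, name = target.rpartition("\\")
    if key.lower() != RUNONCE_KEY.lower() or not VALUE_NAME_RE.match(name):
        return None
    m = RUNDLL_RE.match(data)
    if m:
        dll = m.group("dll")
        in_sysdir = dll.lower().startswith(SYSTEM_DIR)
        return Finding(
            name, "rundll32-advpack", m.group("dir"), dll,
            "info" if in_sysdir else "review",
            "advpack.dll path is the system directory, as GetSystemDirectoryA would produce"
            if in_sysdir else
            "advpack.dll is not under System32: the cleanup step would load a DLL from elsewhere",
        )
    m = SELF_RE.match(data)
    if m:
        return Finding(
            name, "self-/D:", m.group("dir"), m.group("exe").strip('"'), "review",
            "extractor re-runs itself at next logon; confirm the EXE is the original package",
        )
    return Finding(name, "unknown", None, None, "review",
                   "value name matches but data has neither known form")


def triage(lines: List[str]) -> List[Finding]:
    """Run classify() over SetValue records; other event types are ignored."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventType") != "SetValue":
            continue
        f = classify(rec.get("TargetObject", ""), rec.get("Details", ""))
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample records (not captured from the sandbox run).
SAMPLE_RECORDS = [
    r'EventType: SetValue | TargetObject: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0'
    r' | Details: rundll32.exe C:\Windows\System32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\extract_tmp"',
    r'EventType: SetValue | TargetObject: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1'
    r' | Details: C:\Users\user\Desktop\wextract.exe /D:C:\Users\user\AppData\Local\Temp\extract_tmp',
    r'EventType: SetValue | TargetObject: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2'
    r' | Details: rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\other"',
    r'EventType: SetValue | TargetObject: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater'
    r' | Details: C:\Program Files\Vendor\updater.exe',
    r'EventType: DeleteValue | TargetObject: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0'
    r' | Details: -',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.severity:6} {f.value_name:18} {f.form:17} dir={f.cleanup_dir} via={f.actor}")
```

The rundll32 form with the DLL under System32 is what a legitimately built package leaves behind and is reported as informational; the self-re-run form and any advpack.dll path that is not the system directory are returned as "review", because in those cases the executable that runs at next logon is not a known system component.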

    Control-flow Graph

    • Executed
    • Not Executed
    (rendered graph of the basic blocks of the function at 00753B8E; node and edge listing omitted)
    C-Code - Quality: 82%
    			E00753B8E() {
    				signed int _v8;
    				signed int _v12;
    				char _v276;
    				char _v280;
    				short _v300;
    				intOrPtr _v304;
    				void _v348;
    				char _v352;
    				intOrPtr _v356;
    				signed int _v360;
    				short _v364;
    				char* _v368;
    				intOrPtr _v372;
    				void* _v376;
    				intOrPtr _v380;
    				char _v384;
    				signed int _v388;
    				intOrPtr _v392;
    				signed int _v396;
    				signed int _v400;
    				signed int _v404;
    				void* _v408;
    				void* _v424;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t69;
    				signed int _t76;
    				void* _t77;
    				signed int _t79;
    				signed int _t97;
    				signed int _t101;
    				signed int _t104;
    				signed int _t108;
    				int _t112;
    				void* _t115;
    				signed char _t118;
    				void* _t125;
    				signed int _t127;
    				void* _t128;
    				struct HINSTANCE__* _t129;
    				void* _t130;
    				short _t137;
    				char* _t140;
    				signed char _t144;
    				signed char _t145;
    				signed int _t149;
    				void* _t150;
    				void* _t151;
    				signed int _t153;
    				void* _t155;
    				void* _t156;
    				signed int _t157;
    				signed int _t162;
    				signed int _t164;
    				void* _t165;
    
    				_t164 = (_t162 & 0xfffffff8) - 0x194;
    				_t69 =  *0x758004; // 0xb49f60cf
    				_v8 = _t69 ^ _t164;
    				_t153 = 0;
    				 *0x759124 =  *0x759124 & 0;
    				_t149 = 0;
    				_v388 = 0;
    				_v384 = 0;
    				_t165 =  *0x758a28 - _t153; // 0x0
    				if(_t165 != 0) {
    					L3:
    					_t127 = 0;
    					_v392 = 0;
    					while(1) {
    						_v400 = _v400 & 0x00000000;
    						memset( &_v348, 0, 0x44);
    						_t164 = _t164 + 0xc;
    						_v348 = 0x44;
    						if( *0x758c42 != 0) {
    							goto L26;
    						}
    						_t146 =  &_v396;
    						_t115 = E00754669("SHOWWINDOW",  &_v396, 4);
    						if(_t115 == 0 || _t115 > 4) {
    							L25:
    							_t146 = 0x4b1;
    							E00754495(0, 0x4b1, 0, 0, 0x10, 0);
    							 *0x759124 = 0x80070714;
    							goto L62;
    						} else {
    							if(_v396 != 1) {
    								__eflags = _v396 - 2;
    								if(_v396 != 2) {
    									_t137 = 3;
    									__eflags = _v396 - _t137;
    									if(_v396 == _t137) {
    										_v304 = 1;
    										_v300 = _t137;
    									}
    									goto L14;
    								}
    								_push(6);
    								_v304 = 1;
    								_pop(0);
    								goto L11;
    							} else {
    								_v304 = 1;
    								L11:
    								_v300 = 0;
    								L14:
    								if(_t127 != 0) {
    									L27:
    									_t155 = 1;
    									__eflags = _t127 - 1;
    									if(_t127 != 1) {
    										L31:
    										_t132 =  &_v280;
    										_t76 = E00751B04( &_v280,  &_v408,  &_v404);
    										__eflags = _t76;
    										if(_t76 == 0) {
    											L62:
    											_t77 = 0;
    											L63:
    											_pop(_t150);
    											_pop(_t156);
    											_pop(_t128);
    											return E00756C80(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
    										}
    										_t157 = _v404;
    										__eflags = _t149;
    										if(_t149 != 0) {
    											L37:
    											__eflags = _t157;
    											if(_t157 == 0) {
    												L57:
    												_t151 = _v408;
    												_t146 =  &_v352;
    												_t130 = _t151;
    												_t79 = E00753FDB(_t130,  &_v352);
    												__eflags = _t79;
    												if(_t79 == 0) {
    													L61:
    													LocalFree(_t151);
    													goto L62;
    												}
    												L58:
    												LocalFree(_t151);
    												_t127 = _t127 + 1;
    												_v396 = _t127;
    												__eflags = _t127 - 2;
    												if(_t127 >= 2) {
    													_t155 = 1;
    													__eflags = 1;
    													L69:
    													__eflags =  *0x758580;
    													if( *0x758580 != 0) {
    														E0075226E();
    													}
    													_t77 = _t155;
    													goto L63;
    												}
    												_t153 = _v392;
    												_t149 = _v388;
    												continue;
    											}
    											L38:
    											__eflags =  *0x758180;
    											if( *0x758180 == 0) {
    												_t146 = 0x4c7;
    												E00754495(0, 0x4c7, 0, 0, 0x10, 0);
    												LocalFree(_v424);
    												 *0x759124 = 0x8007042b;
    												goto L62;
    											}
    											__eflags = _t157;
    											if(_t157 == 0) {
    												goto L57;
    											}
    											__eflags =  *0x759a34 & 0x00000004;
    											if(__eflags == 0) {
    												goto L57;
    											}
    											_t129 = E00756443(_t127, _t132, _t157, __eflags);
    											__eflags = _t129;
    											if(_t129 == 0) {
    												_t146 = 0x4c8;
    												E00754495(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
    												L65:
    												LocalFree(_v408);
    												 *0x759124 = E00756233();
    												goto L62;
    											}
    											_t146 = GetProcAddress(_t129, "DoInfInstall");
    											_v404 = _t146;
    											__eflags = _t146;
    											if(_t146 == 0) {
    												_t146 = 0x4c9;
    												__eflags = 0;
    												E00754495(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
    												FreeLibrary(_t129);
    												goto L65;
    											}
    											__eflags =  *0x758a30;
    											_t151 = _v408;
    											_v384 = 0;
    											_v368 =  &_v280;
    											_v364 =  *0x759a40;
    											_t97 =  *0x758a38 & 0x0000ffff;
    											_v380 = 0x759154;
    											_v376 = _t151;
    											_v372 = 0x7591e4;
    											_v360 = _t97;
    											if( *0x758a30 != 0) {
    												_t97 = _t97 | 0x00010000;
    												__eflags = _t97;
    												_v360 = _t97;
    											}
    											_t144 =  *0x759a34;
    											__eflags = _t144 & 0x00000008;
    											if((_t144 & 0x00000008) != 0) {
    												_t97 = _t97 | 0x00020000;
    												__eflags = _t97;
    												_v360 = _t97;
    											}
    											__eflags = _t144 & 0x00000010;
    											if((_t144 & 0x00000010) != 0) {
    												_t97 = _t97 | 0x00040000;
    												__eflags = _t97;
    												_v360 = _t97;
    											}
    											_t145 =  *0x758d48; // 0x0
    											__eflags = _t145 & 0x00000040;
    											if((_t145 & 0x00000040) != 0) {
    												_t97 = _t97 | 0x00080000;
    												__eflags = _t97;
    												_v360 = _t97;
    											}
    											__eflags = _t145;
    											if(_t145 < 0) {
    												_t104 = _t97 | 0x00100000;
    												__eflags = _t104;
    												_v360 = _t104;
    											}
    											_v356 =  *0x759a38;
    											_t130 = _t146;
    											 *0x75a288( &_v384);
    											_t101 = _v404();
    											__eflags = _t164 - _t164;
    											if(_t164 != _t164) {
    												_t130 = 4;
    												asm("int 0x29");
    											}
    											 *0x759124 = _t101;
    											_push(_t129);
    											__eflags = _t101;
    											if(_t101 < 0) {
    												FreeLibrary();
    												goto L61;
    											} else {
    												FreeLibrary();
    												_t127 = _v400;
    												goto L58;
    											}
    										}
    										__eflags =  *0x759a40 - 1;
    										if( *0x759a40 == 1) {
    											goto L37;
    										}
    										__eflags =  *0x758a20;
    										if( *0x758a20 == 0) {
    											goto L37;
    										}
    										__eflags = _t157;
    										if(_t157 != 0) {
    											goto L38;
    										}
    										_v388 = 1;
    										E00752033(_t146);
    										goto L37;
    									}
    									_t146 =  &_v280;
    									_t108 = E00754669("POSTRUNPROGRAM",  &_v280, 0x104);
    									__eflags = _t108;
    									if(_t108 == 0) {
    										goto L25;
    									}
    									__eflags =  *0x758c42;
    									if( *0x758c42 != 0) {
    										goto L69;
    									}
    									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
    									__eflags = _t112 == 0;
    									if(_t112 == 0) {
    										goto L69;
    									}
    									goto L31;
    								}
    								_t118 =  *0x758a38; // 0x0
    								if(_t118 == 0) {
    									L23:
    									if(_t153 != 0) {
    										goto L31;
    									}
    									_t146 =  &_v276;
    									if(E00754669("RUNPROGRAM",  &_v276, 0x104) != 0) {
    										goto L27;
    									}
    									goto L25;
    								}
    								if((_t118 & 0x00000001) == 0) {
    									__eflags = _t118 & 0x00000002;
    									if((_t118 & 0x00000002) == 0) {
    										goto L62;
    									}
    									_t140 = "USRQCMD";
    									L20:
    									_t146 =  &_v276;
    									if(E00754669(_t140,  &_v276, 0x104) == 0) {
    										goto L25;
    									}
    									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
    										_t153 = 1;
    										_v388 = 1;
    									}
    									goto L23;
    								}
    								_t140 = "ADMQCMD";
    								goto L20;
    							}
    						}
    						L26:
    						_push(_t130);
    						_t146 = 0x104;
    						E007517A1( &_v276, 0x104, _t130, 0x758c42);
    						goto L27;
    					}
    				}
    				_t130 = "REBOOT";
    				_t125 = E00754669(_t130, 0x759a2c, 4);
    				if(_t125 == 0 || _t125 > 4) {
    					goto L25;
    				} else {
    					goto L3;
    				}
    			}

    APIs
    • memset.MSVCRT ref: 00753BFD
    • CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00753CC8
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075467A
      • Part of subcall function 00754669: SizeofResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00754683
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075469D
      • Part of subcall function 00754669: LoadResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A6
      • Part of subcall function 00754669: LockResource.KERNEL32(00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546AD
      • Part of subcall function 00754669: memcpy_s.MSVCRT ref: 007546BF
      • Part of subcall function 00754669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546C9
    • CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00758C42), ref: 00753D7B
    • GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00753E12
    • FreeLibrary.KERNEL32(00000000,?,00758C42), ref: 00753EEB
    • LocalFree.KERNEL32(?,?,?,?,00758C42), ref: 00753F0B
    • FreeLibrary.KERNEL32(00000000,?,00758C42), ref: 00753F2C
    • LocalFree.KERNEL32(?,?,?,?,00758C42), ref: 00753F33
    • FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00758C42), ref: 00753F62
    • LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00758C42), ref: 00753F6C
    • LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00758C42), ref: 00753FAE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
    • String ID: <None>$ADMQCMD$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll
    • API String ID: 1032054927-3892089904
    • Opcode ID: 588e813cf09beb92fe91a3a853fd13d6cf127b869c59dbc5c44b004e7a87afdf
    • Instruction ID: 349982c3c97ab6392f2421ab83c8ee83ced4fc1fee62de65243b8277ac97e343
    • Opcode Fuzzy Hash: 588e813cf09beb92fe91a3a853fd13d6cf127b869c59dbc5c44b004e7a87afdf
    • Instruction Fuzzy Hash: BFB1B270A083419BD7609F248845BEA76E4EB84793F10892DFE85D61E0DBFC894DCB66
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    (rendered graph of the basic blocks of the function at 00751B04; node and edge listing omitted)
    C-Code - Quality: 82%
    			E00751B04(long __ecx, CHAR** _a4, int* _a8) {
    				signed int _v8;
    				char _v268;
    				char _v527;
    				char _v528;
    				char _v1552;
    				CHAR* _v1556;
    				int* _v1560;
    				CHAR** _v1564;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t48;
    				CHAR* _t53;
    				CHAR* _t54;
    				char* _t57;
    				char* _t58;
    				CHAR* _t60;
    				void* _t62;
    				signed char _t65;
    				intOrPtr _t76;
    				intOrPtr _t77;
    				unsigned int _t85;
    				CHAR* _t90;
    				CHAR* _t92;
    				char _t105;
    				char _t106;
    				CHAR** _t111;
    				CHAR* _t115;
    				intOrPtr* _t125;
    				void* _t126;
    				CHAR* _t132;
    				CHAR* _t135;
    				void* _t138;
    				void* _t139;
    				void* _t145;
    				intOrPtr* _t146;
    				char* _t148;
    				CHAR* _t151;
    				void* _t152;
    				CHAR* _t155;
    				CHAR* _t156;
    				void* _t157;
    				signed int _t158;
    
    				_t48 =  *0x758004; // 0xb49f60cf
    				_v8 = _t48 ^ _t158;
    				_t108 = __ecx;
    				_v1564 = _a4;
    				_v1560 = _a8;
    				E007516A0( &_v528, 0x104, __ecx);
    				if(_v528 != 0x22) {
    					_t135 = " ";
    					_t53 =  &_v528;
    				} else {
    					_t135 = "\"";
    					_t53 =  &_v527;
    				}
    				_t111 =  &_v1556;
    				_v1556 = _t53;
    				_t54 = E00751AA2(_t111, _t135);
    				_t156 = _v1556;
    				_t151 = _t54;
    				if(_t156 == 0) {
    					L12:
    					_push(_t111);
    					E007517A1( &_v268, 0x104, _t111, 0x7591e4);
    					E00756534( &_v268, 0x104, _t156);
    					goto L13;
    				} else {
    					_t132 = _t156;
    					_t148 =  &(_t132[1]);
    					do {
    						_t105 =  *_t132;
    						_t132 =  &(_t132[1]);
    					} while (_t105 != 0);
    					_t111 = _t132 - _t148;
    					if(_t111 < 3) {
    						goto L12;
    					}
    					_t106 = _t156[1];
    					if(_t106 != 0x3a || _t156[2] != 0x5c) {
    						if( *_t156 != 0x5c || _t106 != 0x5c) {
    							goto L12;
    						} else {
    							goto L11;
    						}
    					} else {
    						L11:
    						E007516A0( &_v268, 0x104, _t156);
    						L13:
    						_t138 = 0x2e;
    						_t57 = E00756670(_t156, _t138);
    						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
    							_t139 = 0x2e;
    							_t115 = _t156;
    							_t58 = E00756670(_t115, _t139);
    							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
    								_t156 = LocalAlloc(0x40, 0x400);
    								if(_t156 == 0) {
    									goto L43;
    								}
    								_t65 = GetFileAttributesA( &_v268);
    								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
    									E007516A0( &_v1552, 0x400, _t108);
    								} else {
    									_push(_t115);
    									_t108 = 0x400;
    									E007517A1( &_v1552, 0x400, _t115,  &_v268);
    									if(_t151 != 0 &&  *_t151 != 0) {
    										E007516D3( &_v1552, 0x400, " ");
    										E007516D3( &_v1552, 0x400, _t151);
    									}
    								}
    								_t140 = _t156;
    								 *_t156 = 0;
    								E00752AA5( &_v1552, _t156, _t156);
    								goto L53;
    							} else {
    								_t108 = "Command.com /c %s";
    								_t125 = "Command.com /c %s";
    								_t145 = _t125 + 1;
    								do {
    									_t76 =  *_t125;
    									_t125 = _t125 + 1;
    								} while (_t76 != 0);
    								_t126 = _t125 - _t145;
    								_t146 =  &_v268;
    								_t157 = _t146 + 1;
    								do {
    									_t77 =  *_t146;
    									_t146 = _t146 + 1;
    								} while (_t77 != 0);
    								_t140 = _t146 - _t157;
    								_t154 = _t126 + 8 + _t146 - _t157;
    								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
    								if(_t156 != 0) {
    									E0075173E(_t156, _t154, "Command.com /c %s",  &_v268);
    									goto L53;
    								}
    								goto L43;
    							}
    						} else {
    							_t85 = GetFileAttributesA( &_v268);
    							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
    								_t140 = 0x525;
    								_push(0);
    								_push(0x10);
    								_push(0);
    								_t60 =  &_v268;
    								goto L35;
    							} else {
    								_t140 = "[";
    								_v1556 = _t151;
    								_t90 = E00751AA2( &_v1556, "[");
    								if(_t90 != 0) {
    									if( *_t90 != 0) {
    										_v1556 = _t90;
    									}
    									_t140 = "]";
    									E00751AA2( &_v1556, "]");
    								}
    								_t156 = LocalAlloc(0x40, 0x200);
    								if(_t156 == 0) {
    									L43:
    									_t60 = 0;
    									_t140 = 0x4b5;
    									_push(0);
    									_push(0x10);
    									_push(0);
    									L35:
    									_push(_t60);
    									E00754495(0, _t140);
    									_t62 = 0;
    									goto L54;
    								} else {
    									_t155 = _v1556;
    									_t92 = _t155;
    									if( *_t155 == 0) {
    										_t92 = "DefaultInstall";
    									}
    									 *0x759120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
    									 *_v1560 = 1;
    									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x751140, _t156, 8,  &_v268) == 0) {
    										 *0x759a34 =  *0x759a34 & 0xfffffffb;
    										if( *0x759a40 != 0) {
    											_t108 = "setupapi.dll";
    										} else {
    											_t108 = "setupx.dll";
    											GetShortPathNameA( &_v268,  &_v268, 0x104);
    										}
    										if( *_t155 == 0) {
    											_t155 = "DefaultInstall";
    										}
    										_push( &_v268);
    										_push(_t155);
    										E0075173E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
    									} else {
    										 *0x759a34 =  *0x759a34 | 0x00000004;
    										if( *_t155 == 0) {
    											_t155 = "DefaultInstall";
    										}
    										E007516A0(_t108, 0x104, _t155);
    										_t140 = 0x200;
    										E007516A0(_t156, 0x200,  &_v268);
    									}
    									L53:
    									_t62 = 1;
    									 *_v1564 = _t156;
    									L54:
    									_pop(_t152);
    									return E00756C80(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
    								}
    							}
    						}
    					}
    				}
			}

    APIs
    • CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,007591E4,?,?,00000000,00000001,00000000), ref: 00751C03
    • GetFileAttributesA.KERNEL32(?,?,007591E4,?,?,00000000,00000001,00000000), ref: 00751C1A
    • LocalAlloc.KERNEL32(00000040,00000200,?,007591E4,?,?,00000000,00000001,00000000), ref: 00751C73
    • GetPrivateProfileIntA.KERNEL32(?,Reboot,00000000,?), ref: 00751CA4
    • GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00751140,00000000,00000008,?), ref: 00751CD4
    • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00751D37
      • Part of subcall function 00754495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 007544F4
      • Part of subcall function 00754495: MessageBoxA.USER32(?,?,00759154,00010010), ref: 00754530
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
    • String ID: "$.BAT$.INF$AdvancedINF$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
    • API String ID: 383838535-3174370420
    • Opcode ID: 29137dfa6a437501a78f73d615c799cb0e637b085de3dafc3f44e45129790d64
    • Instruction ID: b71e5112f038dfb7dfcdbef76eae58c52862718dac12ebecfcb352c38bdbdf20
    • Opcode Fuzzy Hash: 29137dfa6a437501a78f73d615c799cb0e637b085de3dafc3f44e45129790d64
    • Instruction Fuzzy Hash: A8A129B0A00318ABEB209B24CC45BEA77799B45313F9442A5ED55A32C1EFFC9D8DCB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00755C50(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				signed int _v12;
    				CHAR* _v265;
    				char _v266;
    				char _v267;
    				char _v268;
    				CHAR* _v272;
    				char _v276;
    				signed int _v296;
    				char _v556;
    				signed int _t61;
    				int _t63;
    				char _t67;
    				CHAR* _t69;
    				signed int _t71;
    				void* _t75;
    				char _t79;
    				void* _t83;
    				void* _t85;
    				void* _t87;
    				intOrPtr _t88;
    				void* _t100;
    				intOrPtr _t101;
    				CHAR* _t104;
    				intOrPtr _t105;
    				void* _t111;
    				void* _t115;
    				CHAR* _t118;
    				void* _t119;
    				void* _t127;
    				CHAR* _t129;
    				void* _t132;
    				void* _t142;
    				signed int _t143;
    				CHAR* _t144;
    				void* _t145;
    				void* _t146;
    				void* _t147;
    				void* _t149;
    				char _t155;
    				void* _t157;
    				void* _t162;
    				void* _t163;
    				char _t167;
    				char _t170;
    				CHAR* _t173;
    				void* _t177;
    				intOrPtr* _t183;
    				intOrPtr* _t192;
    				CHAR* _t199;
    				void* _t200;
    				CHAR* _t201;
    				void* _t205;
    				void* _t206;
    				int _t209;
    				void* _t210;
    				void* _t212;
    				void* _t213;
    				CHAR* _t218;
    				intOrPtr* _t219;
    				intOrPtr* _t220;
    				signed int _t221;
    				signed int _t223;
    
    				_t173 = __ecx;
    				_t61 =  *0x758004; // 0xb49f60cf
    				_v8 = _t61 ^ _t221;
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_t209 = 1;
    				if(__ecx == 0 ||  *__ecx == 0) {
    					_t63 = 1;
    				} else {
    					L2:
    					while(_t209 != 0) {
    						_t67 =  *_t173;
    						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
    							_t173 = CharNextA(_t173);
    							continue;
    						}
    						_v272 = _t173;
    						if(_t67 == 0) {
    							break;
    						} else {
    							_t69 = _v272;
    							_t177 = 0;
    							_t213 = 0;
    							_t163 = 0;
    							_t202 = 1;
    							do {
    								if(_t213 != 0) {
    									if(_t163 != 0) {
    										break;
    									} else {
    										goto L21;
    									}
    								} else {
    									_t69 =  *_t69;
    									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
    										break;
    									} else {
    										_t69 = _v272;
    										L21:
    										_t155 =  *_t69;
    										if(_t155 != 0x22) {
    											if(_t202 >= 0x104) {
    												goto L106;
    											} else {
    												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
    												_t177 = _t177 + 1;
    												_t202 = _t202 + 1;
    												_t157 = 1;
    												goto L30;
    											}
    										} else {
    											if(_v272[1] == 0x22) {
    												if(_t202 >= 0x104) {
    													L106:
    													_t63 = 0;
    													L125:
    													_pop(_t210);
    													_pop(_t212);
    													_pop(_t162);
    													return E00756C80(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
    												} else {
    													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
    													_t177 = _t177 + 1;
    													_t202 = _t202 + 1;
    													_t157 = 2;
    													goto L30;
    												}
    											} else {
    												_t157 = 1;
    												if(_t213 != 0) {
    													_t163 = 1;
    												} else {
    													_t213 = 1;
    												}
    												goto L30;
    											}
    										}
    									}
    								}
    								goto L131;
    								L30:
    								_v272 =  &(_v272[_t157]);
    								_t69 = _v272;
    							} while ( *_t69 != 0);
    							if(_t177 >= 0x104) {
    								E00756DC8(_t69, _t163, _t177, _t202, _t209, _t213);
    								asm("int3");
    								_push(_t221);
    								_t222 = _t223;
    								_t71 =  *0x758004; // 0xb49f60cf
    								_v296 = _t71 ^ _t223;
    								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
    									0x4f0 = 2;
    									_t75 = E00755933( &_v272, 0x4f0, _t209, 0x4f0);
    								} else {
    									E00754495(0, 0x4f0, _t74, _t74, 0x10, _t74);
    									 *0x759124 = E00756233();
    									_t75 = 0;
    								}
    								return E00756C80(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
    							} else {
    								 *((char*)(_t221 + _t177 - 0x108)) = 0;
    								if(_t213 == 0) {
    									if(_t163 != 0) {
    										goto L34;
    									} else {
    										goto L40;
    									}
    								} else {
    									if(_t163 != 0) {
    										L40:
    										_t79 = _v268;
    										if(_t79 == 0x2f || _t79 == 0x2d) {
    											_t83 = CharUpperA(_v267) - 0x3f;
    											if(_t83 == 0) {
    												_t202 = 0x521;
    												E00754495(0, 0x521, 0x751140, 0, 0x40, 0);
    												_t85 =  *0x758588; // 0x0
    												if(_t85 != 0) {
    													CloseHandle(_t85);
    												}
    												ExitProcess(0);
    											}
    											_t87 = _t83 - 4;
    											if(_t87 == 0) {
    												if(_v266 != 0) {
    													if(_v266 != 0x3a) {
    														goto L49;
    													} else {
    														_t167 = (0 | _v265 == 0x00000022) + 3;
    														_t215 =  &_v268 + _t167;
    														_t183 =  &_v268 + _t167;
    														_t50 = _t183 + 1; // 0x1
    														_t202 = _t50;
    														do {
    															_t88 =  *_t183;
    															_t183 = _t183 + 1;
    														} while (_t88 != 0);
    														if(_t183 == _t202) {
    															goto L49;
    														} else {
    															_t205 = 0x5b;
    															if(E00756627(_t215, _t205) == 0) {
    																L115:
    																_t206 = 0x5d;
    																if(E00756627(_t215, _t206) == 0) {
    																	L117:
    																	_t202 =  &_v276;
    																	_v276 = _t167;
    																	if(E00755BCB(_t215,  &_v276) == 0) {
    																		goto L49;
    																	} else {
    																		_t202 = 0x104;
    																		E007516A0(0x758c42, 0x104, _v276 + _t167 +  &_v268);
    																	}
    																} else {
    																	_t202 = 0x5b;
    																	if(E00756627(_t215, _t202) == 0) {
    																		goto L49;
    																	} else {
    																		goto L117;
    																	}
    																}
    															} else {
    																_t202 = 0x5d;
    																if(E00756627(_t215, _t202) == 0) {
    																	goto L49;
    																} else {
    																	goto L115;
    																}
    															}
    														}
    													}
    												} else {
    													 *0x758a24 = 1;
    												}
    												goto L50;
    											} else {
    												_t100 = _t87 - 1;
    												if(_t100 == 0) {
    													L98:
    													if(_v266 != 0x3a) {
    														goto L49;
    													} else {
    														_t170 = (0 | _v265 == 0x00000022) + 3;
    														_t217 =  &_v268 + _t170;
    														_t192 =  &_v268 + _t170;
    														_t38 = _t192 + 1; // 0x1
    														_t202 = _t38;
    														do {
    															_t101 =  *_t192;
    															_t192 = _t192 + 1;
    														} while (_t101 != 0);
    														if(_t192 == _t202) {
    															goto L49;
    														} else {
    															_t202 =  &_v276;
    															_v276 = _t170;
    															if(E00755BCB(_t217,  &_v276) == 0) {
    																goto L49;
    															} else {
    																_t104 = CharUpperA(_v267);
    																_t218 = 0x758b3e;
    																_t105 = _v276;
    																if(_t104 != 0x54) {
    																	_t218 = 0x758a3a;
    																}
    																E007516A0(_t218, 0x104, _t105 + _t170 +  &_v268);
    																_t202 = 0x104;
    																E00756534(_t218, 0x104, 0x751140);
    																if(E007531D0(_t218) != 0) {
    																	goto L50;
    																} else {
    																	goto L106;
    																}
    															}
    														}
    													}
    												} else {
    													_t111 = _t100 - 0xa;
    													if(_t111 == 0) {
    														if(_v266 != 0) {
    															if(_v266 != 0x3a) {
    																goto L49;
    															} else {
    																_t199 = _v265;
    																if(_t199 != 0) {
    																	_t219 =  &_v265;
    																	do {
    																		_t219 = _t219 + 1;
    																		_t115 = CharUpperA(_t199) - 0x45;
    																		if(_t115 == 0) {
    																			 *0x758a2c = 1;
    																		} else {
    																			_t200 = 2;
    																			_t119 = _t115 - _t200;
    																			if(_t119 == 0) {
    																				 *0x758a30 = 1;
    																			} else {
    																				if(_t119 == 0xf) {
    																					 *0x758a34 = 1;
    																				} else {
    																					_t209 = 0;
    																				}
    																			}
    																		}
    																		_t118 =  *_t219;
    																		_t199 = _t118;
    																	} while (_t118 != 0);
    																}
    															}
    														} else {
    															 *0x758a2c = 1;
    														}
    														goto L50;
    													} else {
    														_t127 = _t111 - 3;
    														if(_t127 == 0) {
    															if(_v266 != 0) {
    																if(_v266 != 0x3a) {
    																	goto L49;
    																} else {
    																	_t129 = CharUpperA(_v265);
    																	if(_t129 == 0x31) {
    																		goto L76;
    																	} else {
    																		if(_t129 == 0x41) {
    																			goto L83;
    																		} else {
    																			if(_t129 == 0x55) {
    																				goto L76;
    																			} else {
    																				goto L49;
    																			}
    																		}
    																	}
    																}
    															} else {
    																L76:
    																_push(2);
    																_pop(1);
    																L83:
    																 *0x758a38 = 1;
    															}
    															goto L50;
    														} else {
    															_t132 = _t127 - 1;
    															if(_t132 == 0) {
    																if(_v266 != 0) {
    																	if(_v266 != 0x3a) {
    																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
    																			goto L49;
    																		}
    																	} else {
    																		_t201 = _v265;
    																		 *0x759a2c = 1;
    																		if(_t201 != 0) {
    																			_t220 =  &_v265;
    																			do {
    																				_t220 = _t220 + 1;
    																				_t142 = CharUpperA(_t201) - 0x41;
    																				if(_t142 == 0) {
    																					_t143 = 2;
    																					 *0x759a2c =  *0x759a2c | _t143;
    																					goto L70;
    																				} else {
    																					_t145 = _t142 - 3;
    																					if(_t145 == 0) {
    																						 *0x758d48 =  *0x758d48 | 0x00000040;
    																					} else {
    																						_t146 = _t145 - 5;
    																						if(_t146 == 0) {
    																							 *0x759a2c =  *0x759a2c & 0xfffffffd;
    																							goto L70;
    																						} else {
    																							_t147 = _t146 - 5;
    																							if(_t147 == 0) {
    																								 *0x759a2c =  *0x759a2c & 0xfffffffe;
    																								goto L70;
    																							} else {
    																								_t149 = _t147;
    																								if(_t149 == 0) {
    																									 *0x758d48 =  *0x758d48 | 0x00000080;
    																								} else {
    																									if(_t149 == 3) {
    																										 *0x759a2c =  *0x759a2c | 0x00000004;
    																										L70:
    																										 *0x758a28 = 1;
    																									} else {
    																										_t209 = 0;
    																									}
    																								}
    																							}
    																						}
    																					}
    																				}
    																				_t144 =  *_t220;
    																				_t201 = _t144;
    																			} while (_t144 != 0);
    																		}
    																	}
    																} else {
    																	 *0x759a2c = 3;
    																	 *0x758a28 = 1;
    																}
    																goto L50;
    															} else {
    																if(_t132 == 0) {
    																	goto L98;
    																} else {
    																	L49:
    																	_t209 = 0;
    																	L50:
    																	_t173 = _v272;
    																	if( *_t173 != 0) {
    																		goto L2;
    																	} else {
    																		break;
    																	}
    																}
    															}
    														}
    													}
    												}
    											}
    										} else {
    											goto L106;
    										}
    									} else {
    										L34:
    										_t209 = 0;
    										break;
    									}
    								}
    							}
    						}
    						goto L131;
    					}
    					if( *0x758a2c != 0 &&  *0x758b3e == 0) {
    						if(GetModuleFileNameA( *0x759a3c, 0x758b3e, 0x104) == 0) {
    							_t209 = 0;
    						} else {
    							_t202 = 0x5c;
    							 *((char*)(E00756670(0x758b3e, _t202) + 1)) = 0;
    						}
    					}
    					_t63 = _t209;
    				}
    				L131:
			}

    APIs
    • CharNextA.USER32(?,00000000,?,?), ref: 00755CA0
    • GetModuleFileNameA.KERNEL32(00758B3E,00000104,00000000,?,?), ref: 00755DAE
    • CharUpperA.USER32(?), ref: 00755DF0
    • CharUpperA.USER32(-00000052), ref: 00755E93
    • CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00755F21
    • CharUpperA.USER32(?), ref: 00755F59
    • CharUpperA.USER32(-0000004E), ref: 00755FBA
    • CharUpperA.USER32(?), ref: 0075605C
    • CloseHandle.KERNEL32(00000000,00751140,00000000,00000040,00000000), ref: 007561A3
    • ExitProcess.KERNEL32 ref: 007561AA
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
    • String ID: "$"$:$RegServer
    • API String ID: 1203814774-25366791
    • Opcode ID: b68282202f8e4efff3345ee449562a385d3d02b8b84f7619783c89deddaeba3d
    • Instruction ID: 1362697bd6424f9f5349f88ec300a5be8d5436fddbeb9425f1d92681f7c52c8a
    • Opcode Fuzzy Hash: b68282202f8e4efff3345ee449562a385d3d02b8b84f7619783c89deddaeba3d
    • Instruction Fuzzy Hash: FDD14971A04F499ADF358B388C697F93B719B12303F5441A9CC869B191DAFC8E8F8B15
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    (interactive graph for function 755933 not reproduced; legend: Executed / Not Executed)
    C-Code - Quality: 96%
    			E00755933(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
    				signed int _v8;
    				char _v16;
    				char _v276;
    				char _v788;
    				long _v792;
    				long _v796;
    				long _v800;
    				signed int _v804;
    				long _v808;
    				int _v812;
    				long _v816;
    				long _v820;
    				void* __ebx;
    				void* __esi;
    				signed int _t46;
    				signed int _t55;
    				void* _t66;
    				int _t69;
    				signed int _t73;
    				signed short _t78;
    				signed int _t87;
    				signed int _t101;
    				int _t102;
    				unsigned int _t103;
    				signed int _t111;
    				long _t112;
    				signed int _t116;
    				CHAR* _t118;
    				signed int _t119;
    				signed int _t120;
    
    				_t114 = __edi;
    				_t46 =  *0x758004; // 0xb49f60cf
    				_v8 = _t46 ^ _t120;
    				_v804 = __edx;
    				_t118 = __ecx;
    				GetCurrentDirectoryA(0x104,  &_v276);
    				if(SetCurrentDirectoryA(_t118) != 0) {
    					_push(__edi);
    					_v796 = 0;
    					_v792 = 0;
    					_v800 = 0;
    					_v808 = 0;
    					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808);
    					__eflags = _t55;
    					if(_t55 == 0) {
    						L29:
    						memset( &_v788, 0, 0x200);
    						 *0x759124 = E00756233();
    						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
    						_t110 = 0x4b0;
    						L30:
    						__eflags = 0;
    						E00754495(0, _t110, _t118,  &_v788, 0x10, 0);
    						SetCurrentDirectoryA( &_v276);
    						L31:
    						_t66 = 0;
    						__eflags = 0;
    						L32:
    						_pop(_t114);
    						goto L33;
    					}
    					_t69 = _v792 * _v796;
    					_v812 = _t69;
    					_t116 = MulDiv(_t69, _v800, 0x400);
    					__eflags = _t116;
    					if(_t116 == 0) {
    						goto L29;
    					}
    					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0);
    					__eflags = _t73;
    					if(_t73 != 0) {
    						SetCurrentDirectoryA( &_v276);
    						_t101 =  &_v16;
    						_t111 = 6;
    						_t119 = _t118 - _t101;
    						__eflags = _t119;
    						while(1) {
    							_t22 = _t111 - 4; // 0x2
    							__eflags = _t22;
    							if(_t22 == 0) {
    								break;
    							}
    							_t87 =  *((intOrPtr*)(_t119 + _t101));
    							__eflags = _t87;
    							if(_t87 == 0) {
    								break;
    							}
    							 *_t101 = _t87;
    							_t101 = _t101 + 1;
    							_t111 = _t111 - 1;
    							__eflags = _t111;
    							if(_t111 != 0) {
    								continue;
    							}
    							break;
    						}
    						__eflags = _t111;
    						if(_t111 == 0) {
    							_t101 = _t101 - 1;
    							__eflags = _t101;
    						}
    						 *_t101 = 0;
    						_t112 = 0x200;
    						_t102 = _v812;
    						_t78 = 0;
    						_t118 = 8;
    						while(1) {
    							__eflags = _t102 - _t112;
    							if(_t102 == _t112) {
    								break;
    							}
    							_t112 = _t112 + _t112;
    							_t78 = _t78 + 1;
    							__eflags = _t78 - _t118;
    							if(_t78 < _t118) {
    								continue;
    							}
    							break;
    						}
    						__eflags = _t78 - _t118;
    						if(_t78 != _t118) {
    							__eflags =  *0x759a34 & 0x00000008;
    							if(( *0x759a34 & 0x00000008) == 0) {
    								L20:
    								_t103 =  *0x759a38;
    								_t110 =  *((intOrPtr*)(0x7589e0 + (_t78 & 0x0000ffff) * 4));
    								L21:
    								__eflags = (_v804 & 0x00000003) - 3;
    								if((_v804 & 0x00000003) != 3) {
    									__eflags = _v804 & 0x00000001;
    									if((_v804 & 0x00000001) == 0) {
    										__eflags = _t103 - _t116;
    									} else {
    										__eflags = _t110 - _t116;
    									}
    								} else {
    									__eflags = _t103 + _t110 - _t116;
    								}
    								if(__eflags <= 0) {
    									 *0x759124 = 0;
    									_t66 = 1;
    								} else {
    									_t66 = E0075268A(_a4, _t110, _t103,  &_v16);
    								}
    								goto L32;
    							}
    							__eflags = _v816 & 0x00008000;
    							if((_v816 & 0x00008000) == 0) {
    								goto L20;
    							}
    							_t110 =  *((intOrPtr*)(0x7589e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x7589e0 + (_t78 & 0x0000ffff) * 4));
    							_t103 = ( *0x759a38 >> 2) +  *0x759a38;
    							goto L21;
    						}
    						_t110 = 0x4c5;
    						E00754495(0, 0x4c5, 0, 0, 0x10, 0);
    						goto L31;
    					}
    					memset( &_v788, 0, 0x200);
    					 *0x759124 = E00756233();
    					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
    					_t110 = 0x4f9;
    					goto L30;
    				} else {
    					_t110 = 0x4bc;
    					E00754495(0, 0x4bc, 0, 0, 0x10, 0);
    					 *0x759124 = E00756233();
    					_t66 = 0;
    					L33:
    					return E00756C80(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
    				}
    			}

    APIs
    • GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 0075595E
    • SetCurrentDirectoryA.KERNEL32(?), ref: 00755965
    • GetDiskFreeSpaceA.KERNEL32(00000000,?,?,?,?,00000001), ref: 007559C9
    • MulDiv.KERNEL32(?,?,00000400), ref: 007559F6
    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00755A1A
    • memset.MSVCRT ref: 00755A32
    • GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00755A4E
    • FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00755A5B
    • SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00755BB2
      • Part of subcall function 00754495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 007544F4
      • Part of subcall function 00754495: MessageBoxA.USER32(?,?,00759154,00010010), ref: 00754530
      • Part of subcall function 00756233: GetLastError.KERNEL32(00755B72), ref: 00756233
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
    • String ID:
    • API String ID: 4237285672-0
    • Opcode ID: 1fb6484be29b5a4c16d914350605755eef8ba8233b17833874a8f05e52721e39
    • Instruction ID: 7ddb2a2284dd24ae48c2ceacf3e4b88a3fabb9cd4be2b0fe47ee13bbc5746bf1
    • Opcode Fuzzy Hash: 1fb6484be29b5a4c16d914350605755eef8ba8233b17833874a8f05e52721e39
    • Instruction Fuzzy Hash: 5871B6B190061CAFDB159B24CC99FFA77BCEB48346F4481A9F905D6140DAB89E898B24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E00751F9B(signed int __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				int _v12;
    				struct _TOKEN_PRIVILEGES _v24;
    				void* _v28;
    				void* __ebx;
    				signed int _t13;
    				int _t21;
    				void* _t25;
    				int _t28;
    				signed char _t30;
    				void* _t38;
    				void* _t40;
    				void* _t41;
    				signed int _t46;
    
    				_t41 = __esi;
    				_t38 = __edi;
    				_t30 = __ecx;
    				if((__ecx & 0x00000002) != 0) {
    					L12:
    					if((_t30 & 0x00000004) != 0) {
    						L14:
    						if( *0x759a40 != 0) {
    							_pop(_t30);
    							_t44 = _t46;
    							_t13 =  *0x758004; // 0xb49f60cf
    							_v8 = _t13 ^ _t46;
    							_push(_t38);
    							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
    								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
    								_v24.PrivilegeCount = 1;
    								_v12 = 2;
    								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
    								CloseHandle(_v28);
    								_t41 = _t41;
    								_push(0);
    								if(_t21 != 0) {
    									if(ExitWindowsEx(2, ??) != 0) {
    										_t25 = 1;
    									} else {
    										_t37 = 0x4f7;
    										goto L3;
    									}
    								} else {
    									_t37 = 0x4f6;
    									goto L4;
    								}
    							} else {
    								_t37 = 0x4f5;
    								L3:
    								_push(0);
    								L4:
    								_push(0x10);
    								_push(0);
    								_push(0);
    								E00754495(0, _t37);
    								_t25 = 0;
    							}
    							_pop(_t40);
    							return E00756C80(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
    						} else {
    							_t28 = ExitWindowsEx(2, 0);
    							goto L16;
    						}
    					} else {
    						_t37 = 0x522;
    						_t28 = E00754495(0, 0x522, 0x751140, 0, 0x40, 4);
    						if(_t28 != 6) {
    							goto L16;
    						} else {
    							goto L14;
    						}
    					}
    				} else {
    					__eax = E00751EC1();
    					if(__eax != 2) {
    						L16:
    						return _t28;
    					} else {
    						goto L12;
    					}
    				}
    			}

    APIs
    • GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00751F08
    • OpenProcessToken.ADVAPI32(00000000), ref: 00751F0F
    • ExitWindowsEx.USER32(00000002,00000000), ref: 00751FDE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Process$CurrentExitOpenTokenWindows
    • String ID: SeShutdownPrivilege
    • API String ID: 2795981589-3733053543
    • Opcode ID: f3174cab5b3a3af0cf7251172f25fd49ae7be1e9843e2d9459012bbced0b691d
    • Instruction ID: fc6ad76d133296f0984cdb9c2268f9fcdfc22dfaf29a9c012f21f34a1f4fd6c6
    • Opcode Fuzzy Hash: f3174cab5b3a3af0cf7251172f25fd49ae7be1e9843e2d9459012bbced0b691d
    • Instruction Fuzzy Hash: A921D671A41204BBEB605BA18C4AFFF3AB9DB85B57F504129FE06E60C0D7FC88499225
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E00755423(CHAR* __ecx, void* __edx, char* _a4) {
    				signed int _v8;
    				char _v268;
    				struct _SYSTEM_INFO _v304;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t10;
    				void* _t14;
    				signed int _t26;
    				void* _t28;
    				void* _t29;
    				CHAR* _t48;
    				signed int _t49;
    				intOrPtr _t61;
    
    				_t10 =  *0x758004; // 0xb49f60cf
    				_v8 = _t10 ^ _t49;
    				_push(__ecx);
    				if(__edx == 0) {
    					_t48 = 0x7591e4;
    					_t42 = 0x104;
    					E007516A0(0x7591e4, 0x104);
    					L14:
    					if(E00755880(_t48) != 0) {
    						L17:
    						_t42 = _a4;
    						if(_a4 == 0 || E00755933(_t48, _t42, 1, 0) != 0) {
    							 *0x759124 = 0;
    							_t14 = 1;
    							goto L24;
    						} else {
    							_t61 =  *0x758a20; // 0x0
    							if(_t61 != 0) {
    								 *0x758a20 = 0;
    								RemoveDirectoryA(_t48);
    							}
    							L22:
    							_t14 = 0;
    							L24:
    							return E00756C80(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
    						}
    					}
    					if(CreateDirectoryA(_t48, 0) == 0) {
    						 *0x759124 = E00756233();
    						goto L22;
    					}
    					 *0x758a20 = 1;
    					goto L17;
    				}
    				_t42 =  &_v268;
    				if(E0075535F(__ecx,  &_v268) == 0) {
    					goto L22;
    				}
    				_push(__ecx);
    				_t48 = 0x7591e4;
    				E007517A1(0x7591e4, 0x104, __ecx,  &_v268);
    				if(( *0x759a34 & 0x00000020) == 0) {
    					L12:
    					_t42 = 0x104;
    					E00756534(_t48, 0x104, 0x751140);
    					goto L14;
    				}
    				GetSystemInfo( &_v304);
    				_t26 = _v304.dwOemId & 0x0000ffff;
    				if(_t26 == 0) {
    					_push("i386");
    					L11:
    					E00756534(_t48, 0x104);
    					goto L12;
    				}
    				_t28 = _t26 - 1;
    				if(_t28 == 0) {
    					_push("mips");
    					goto L11;
    				}
    				_t29 = _t28 - 1;
    				if(_t29 == 0) {
    					_push("alpha");
    					goto L11;
    				}
    				if(_t29 != 1) {
    					goto L12;
    				}
    				_push("ppc");
    				goto L11;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,?,?,?,007591E4,00000001,007591E4,00000000), ref: 00755485
    • CreateDirectoryA.KERNEL32(007591E4,00000000,007591E4,00000001,007591E4,00000000), ref: 007554F9
    • RemoveDirectoryA.KERNEL32(007591E4,00000000,007591E4,00000001,007591E4,00000000), ref: 0075552B
      • Part of subcall function 0075535F: RemoveDirectoryA.KERNEL32(?,?,007591E4,?,00000001,007591E4,00000000), ref: 007553B9
      • Part of subcall function 0075535F: GetFileAttributesA.KERNEL32(?,?,00000001,007591E4,00000000), ref: 007553C0
      • Part of subcall function 0075535F: GetTempFileNameA.KERNEL32(007591E4,IXP,00000000,?,?,00000001,007591E4,00000000), ref: 007553DD
      • Part of subcall function 0075535F: DeleteFileA.KERNEL32(?,?,00000001,007591E4,00000000), ref: 007553E9
      • Part of subcall function 0075535F: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,007591E4,00000000), ref: 007553F2
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
    • String ID: alpha$i386$mips$ppc
    • API String ID: 1979080616-1048730182
    • Opcode ID: e92ac75e06c3bb2e073a8c98f259f3d2cc8936f4e227079089e550434f42fff9
    • Instruction ID: 5ce74c808c375c4f3b2ae617f04804b5f1beda9b7b31bcb48472c837f4ca3a31
    • Opcode Fuzzy Hash: e92ac75e06c3bb2e073a8c98f259f3d2cc8936f4e227079089e550434f42fff9
    • Instruction Fuzzy Hash: 9E313B70B00F18D7CB109F399C69AFE76ABAB80753B54806AAD0693180EFFCCD4D8255
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 57%
    			E0075180E(intOrPtr* __ecx) {
    				signed int _v8;
    				short _v12;
    				struct _SID_IDENTIFIER_AUTHORITY _v16;
    				_Unknown_base(*)()* _v20;
    				void* _v24;
    				intOrPtr* _v28;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t14;
    				_Unknown_base(*)()* _t20;
    				long _t28;
    				void* _t35;
    				struct HINSTANCE__* _t36;
    				signed int _t38;
    				intOrPtr* _t39;
    
    				_t14 =  *0x758004; // 0xb49f60cf
    				_v8 = _t14 ^ _t38;
    				_v12 = 0x500;
    				_t37 = __ecx;
    				_v16.Value = 0;
    				_v28 = __ecx;
    				_t28 = 0;
    				_t36 = LoadLibraryA("advapi32.dll");
    				if(_t36 != 0) {
    					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
    					_v20 = _t20;
    					if(_t20 != 0) {
    						 *_t37 = 0;
    						_t28 = 1;
    						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
    							_t37 = _t39;
    							 *0x75a288(0, _v24, _v28);
    							_v20();
    							if(_t39 != _t39) {
    								asm("int 0x29");
    							}
    							FreeSid(_v24);
    						}
    					}
    					FreeLibrary(_t36);
    				}
    				return E00756C80(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
    			}

    APIs
    • LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,007518FB), ref: 0075183A
    • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0075184C
    • AllocateAndInitializeSid.ADVAPI32(007518FB,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,007518FB), ref: 00751875
    • FreeSid.ADVAPI32(?,?,?,?,007518FB), ref: 007518A3
    • FreeLibrary.KERNEL32(00000000,?,?,?,007518FB), ref: 007518AA
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
    • String ID: CheckTokenMembership$advapi32.dll
    • API String ID: 4204503880-1888249752
    • Opcode ID: f8b3808a99dd91657ce449909238b3646ad413c0c435ebc606ae5f1d4a0d9f72
    • Instruction ID: 0b8383b2c4e32fae665a61b22bc1ce1ba33a8e583a902d67834f4cc1a2c72fb5
    • Opcode Fuzzy Hash: f8b3808a99dd91657ce449909238b3646ad413c0c435ebc606ae5f1d4a0d9f72
    • Instruction Fuzzy Hash: E1115471E10309ABDB109FA4DC49AFEBB78EF44712F504169E915E2290EAB89D048B55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00752395(CHAR* __ecx) {
    				signed int _v8;
    				char _v276;
    				char _v280;
    				char _v284;
    				struct _WIN32_FIND_DATAA _v596;
    				struct _WIN32_FIND_DATAA _v604;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t21;
    				void* _t46;
    				void* _t62;
    				void* _t63;
    				CHAR* _t65;
    				void* _t66;
    				signed int _t67;
    				signed int _t69;
    
    				_t69 = (_t67 & 0xfffffff8) - 0x254;
    				_t21 =  *0x758004; // 0xb49f60cf
    				_t22 = _t21 ^ _t69;
    				_v8 = _t21 ^ _t69;
    				_t65 = __ecx;
    				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
    					L10:
    					_pop(_t62);
    					_pop(_t66);
    					_pop(_t46);
    					return E00756C80(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
    				} else {
    					E007516A0( &_v276, 0x104, __ecx);
    					_t58 = 0x104;
    					E007516D3( &_v280, 0x104, "*");
    					_t63 = FindFirstFileA( &_v284,  &_v604);
    					if(_t63 == 0xffffffff) {
    						goto L10;
    					} else {
    						goto L3;
    					}
    					do {
    						L3:
    						_t58 = 0x104;
    						E007516A0( &_v276, 0x104, _t65);
    						if((_v604.ftCreationTime & 0x00000010) == 0) {
    							_t58 = 0x104;
    							E007516D3( &_v276, 0x104,  &(_v596.dwReserved1));
    							SetFileAttributesA( &_v280, 0x80);
    							DeleteFileA( &_v280);
    						} else {
    							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
    								E007516D3( &_v276, 0x104,  &(_v596.cFileName));
    								_t58 = 0x104;
    								E00756534( &_v280, 0x104, 0x751140);
    								E00752395( &_v284);
    							}
    						}
    					} while (FindNextFileA(_t63,  &_v596) != 0);
    					FindClose(_t63);
    					_t22 = RemoveDirectoryA(_t65);
    					goto L10;
    				}
    			}

    APIs
    • FindFirstFileA.KERNEL32(?,00758A3A,007511F4,00758A3A,00000000,?,?), ref: 007523FB
    • lstrcmpA.KERNEL32(?,007511F8), ref: 0075242C
    • lstrcmpA.KERNEL32(?,007511FC), ref: 00752440
    • SetFileAttributesA.KERNEL32(?,00000080,?), ref: 0075249A
    • DeleteFileA.KERNEL32(?), ref: 007524A8
    • FindNextFileA.KERNEL32(00000000,00000010), ref: 007524B4
    • FindClose.KERNEL32(00000000), ref: 007524C3
    • RemoveDirectoryA.KERNEL32(00758A3A), ref: 007524CA
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
    • String ID:
    • API String ID: 836429354-0
    • Opcode ID: a4fa6c3995aaeb5cc86c312ca2664b695c7c03ee696f21250dd342cd6fe60090
    • Instruction ID: d0b9fd4e21f6e977e4cffffd2c79ad62873e4bb6bd7af8bf0556c398155bd288
    • Opcode Fuzzy Hash: a4fa6c3995aaeb5cc86c312ca2664b695c7c03ee696f21250dd342cd6fe60090
    • Instruction Fuzzy Hash: 8A31C031604784EBC360EB60CC49EEB73A8AB85307F44893DA95586291EFFC980E8752
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00757105() {
    				void* _v8;
    				struct _FILETIME _v16;
    				signed int _v20;
    				union _LARGE_INTEGER _v24;
    				signed int _t23;
    				signed int _t36;
    				signed int _t37;
    				signed int _t39;
    
    				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
    				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
    				_t23 =  *0x758004; // 0xb49f60cf
    				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
    					GetSystemTimeAsFileTime( &_v16);
    					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
    					_v8 = _v8 ^ GetCurrentProcessId();
    					_v8 = _v8 ^ GetCurrentThreadId();
    					_v8 = GetTickCount() ^ _v8 ^  &_v8;
    					QueryPerformanceCounter( &_v24);
    					_t36 = _v20 ^ _v24.LowPart ^ _v8;
    					_t39 = _t36;
    					if(_t36 == 0xbb40e64e || ( *0x758004 & 0xffff0000) == 0) {
    						_t36 = 0xbb40e64f;
    						_t39 = 0xbb40e64f;
    					}
    					 *0x758004 = _t39;
    				}
    				_t37 =  !_t36;
    				 *0x758008 = _t37;
    				return _t37;
    			}

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00757132
    • GetCurrentProcessId.KERNEL32 ref: 00757141
    • GetCurrentThreadId.KERNEL32 ref: 0075714A
    • GetTickCount.KERNEL32 ref: 00757153
    • QueryPerformanceCounter.KERNEL32(?), ref: 00757168
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 4bc418b85bf3b8650bf5b66543e9e1c40cc07e9677086fe23d1796132630c6db
    • Instruction ID: e987bb5811f4d1bf18c7dfb24f0369371c2fad8d6553002921c0f4ad8871ab88
    • Opcode Fuzzy Hash: 4bc418b85bf3b8650bf5b66543e9e1c40cc07e9677086fe23d1796132630c6db
    • Instruction Fuzzy Hash: B5114F71D00708EBCF50DFB8DA486DEB7F4EF48316F918565D401E7250DA789A04CB45
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00756C90(struct _EXCEPTION_POINTERS* _a4) {
    
    				SetUnhandledExceptionFilter(0);
    				UnhandledExceptionFilter(_a4);
    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
    			}

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00756DC6,00751000), ref: 00756C97
    • UnhandledExceptionFilter.KERNEL32(00756DC6,?,00756DC6,00751000), ref: 00756CA0
    • GetCurrentProcess.KERNEL32(C0000409,?,00756DC6,00751000), ref: 00756CAB
    • TerminateProcess.KERNEL32(00000000,?,00756DC6,00751000), ref: 00756CB2
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
    • String ID:
    • API String ID: 3231755760-0
    • Opcode ID: cd21c4c8e39cb30ef0487b97ec50778fcecadb54d63f076f8dbb0b7790bfaa47
    • Instruction ID: 342bc6f042a5ce3f911cba4f1ed5efbb4aa54d5e500efe9eda00f35453836ad7
    • Opcode Fuzzy Hash: cd21c4c8e39cb30ef0487b97ec50778fcecadb54d63f076f8dbb0b7790bfaa47
    • Instruction Fuzzy Hash: 75D0C932000B0CBBEB002BF1EC0CA993F39EB48213F448120F31982020CABA58518B5B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00756EE0() {
    
    				SetUnhandledExceptionFilter(E00756E90);
    				return 0;
    			}

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00006E90), ref: 00756EE5
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 9eae741d1d3b77fb888b3d805132a3e6faeb6d029deeb89fd1e5ffa887000f96
    • Instruction ID: 004d4ca174d1f199eda963496e93b090e98f823428daa2cf05fca628daf6d1bd
    • Opcode Fuzzy Hash: 9eae741d1d3b77fb888b3d805132a3e6faeb6d029deeb89fd1e5ffa887000f96
    • Instruction Fuzzy Hash: 209002A82526045696111B709D0A48965A16F4D603BC19564B411C5054EBE854445516
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00756FC0(intOrPtr _a4, char _a8) {
    				void* _t11;
    				signed int _t13;
    				void* _t15;
    				void* _t18;
    				intOrPtr _t19;
    				intOrPtr _t20;
    
    				_t8 = _a4;
    				_t18 = 0;
    				_t2 = _t8 + 0x3c; // 0xe0
    				_t15 =  *_t2 + _a4;
    				_t13 =  *(_t15 + 6) & 0x0000ffff;
    				_t11 = ( *(_t15 + 0x14) & 0x0000ffff) + 0x18 + _t15;
    				if(_t13 == 0) {
    					L5:
    					return 0;
    				}
    				_t5 =  &_a8; // 0x757070
    				_t19 =  *_t5;
    				while(1) {
    					_t20 =  *((intOrPtr*)(_t11 + 0xc));
    					if(_t19 >= _t20 && _t19 <  *((intOrPtr*)(_t11 + 8)) + _t20) {
    						break;
    					}
    					_t18 = _t18 + 1;
    					_t11 = _t11 + 0x28;
    					if(_t18 < _t13) {
    						continue;
    					} else {
    						goto L5;
    					}
    					L7:
    				}
    				return _t11;
    				goto L7;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID:
    • String ID: ppu
    • API String ID: 0-2766163207
    • Opcode ID: a766d3b511325246591146fa678ec37a36ce2690c67ca02a39aa05bc8c5beb23
    • Instruction ID: c3dc082adab6dde83cb49a275fea33648cd972431490f4894cf61edee06474c6
    • Opcode Fuzzy Hash: a766d3b511325246591146fa678ec37a36ce2690c67ca02a39aa05bc8c5beb23
    • Instruction Fuzzy Hash: 7DF0A7337001155B8B548B4EEC809BAB3DADBC47353598079E80887242EA78EC46C294
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 92%
    			E0075555A(void* __eflags) {
    				signed int _v8;
    				char _v265;
    				char _v268;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t28;
    				int _t32;
    				int _t33;
    				int _t35;
    				signed int _t36;
    				signed int _t38;
    				int _t40;
    				int _t44;
    				long _t48;
    				int _t49;
    				int _t50;
    				signed int _t53;
    				int _t54;
    				int _t59;
    				char _t60;
    				int _t65;
    				char _t66;
    				int _t67;
    				int _t68;
    				int _t69;
    				int _t70;
    				int _t71;
    				struct _SECURITY_ATTRIBUTES* _t72;
    				int _t73;
    				CHAR* _t82;
    				CHAR* _t88;
    				void* _t103;
    				signed int _t110;
    
    				_t28 =  *0x758004; // 0xb49f60cf
    				_v8 = _t28 ^ _t110;
    				_t2 = E00754669("RUNPROGRAM", 0, 0) + 1; // 0x1
    				_t109 = LocalAlloc(0x40, _t2);
    				if(_t109 != 0) {
    					_t82 = "RUNPROGRAM";
    					_t32 = E00754669(_t82, _t109, 1);
    					__eflags = _t32;
    					if(_t32 != 0) {
    						_t33 = lstrcmpA(_t109, "<None>");
    						__eflags = _t33;
    						if(_t33 == 0) {
    							 *0x759a30 = 1;
    						}
    						LocalFree(_t109);
    						_t35 =  *0x758b3e; // 0x0
    						__eflags = _t35;
    						if(_t35 == 0) {
    							__eflags =  *0x758a24; // 0x0
    							if(__eflags != 0) {
    								L46:
    								_t101 = 0x7d2;
    								_t36 = E007564C3(_t82, 0x7d2, 0, E00753200, 0, 0);
    								asm("sbb eax, eax");
    								_t38 =  ~( ~_t36);
    							} else {
    								__eflags =  *0x759a30;
    								if( *0x759a30 != 0) {
    									goto L46;
    								} else {
    									_t109 = 0x7591e4;
    									_t40 = GetTempPathA(0x104, 0x7591e4);
    									__eflags = _t40;
    									if(_t40 == 0) {
    										L19:
    										_push(_t82);
    										E007517A1( &_v268, 0x104, _t82, "A:\\");
    										__eflags = _v268 - 0x5a;
    										if(_v268 <= 0x5a) {
    											do {
    												_t109 = GetDriveTypeA( &_v268);
    												__eflags = _t109 - 6;
    												if(_t109 == 6) {
    													L22:
    													_t48 = GetFileAttributesA( &_v268);
    													__eflags = _t48 - 0xffffffff;
    													if(_t48 != 0xffffffff) {
    														goto L30;
    													} else {
    														goto L23;
    													}
    												} else {
    													__eflags = _t109 - 3;
    													if(_t109 != 3) {
    														L23:
    														__eflags = _t109 - 2;
    														if(_t109 != 2) {
    															L28:
    															_t66 = _v268;
    															goto L29;
    														} else {
    															_t66 = _v268;
    															__eflags = _t66 - 0x41;
    															if(_t66 == 0x41) {
    																L29:
    																_t60 = _t66 + 1;
    																_v268 = _t60;
    																goto L42;
    															} else {
    																__eflags = _t66 - 0x42;
    																if(_t66 == 0x42) {
    																	goto L29;
    																} else {
    																	_t68 = E007568FC( &_v268);
    																	__eflags = _t68;
    																	if(_t68 == 0) {
    																		goto L28;
    																	} else {
    																		__eflags = _t68 - 0x19000;
    																		if(_t68 >= 0x19000) {
    																			L30:
    																			_push(0);
    																			_t103 = 3;
    																			_t49 = E00755933( &_v268, _t103, 1);
    																			__eflags = _t49;
    																			if(_t49 != 0) {
    																				L33:
    																				_t50 = E00752631(0,  &_v268, 1);
    																				__eflags = _t50;
    																				if(_t50 != 0) {
    																					GetWindowsDirectoryA( &_v268, 0x104);
    																				}
    																				_t88 =  &_v268;
    																				E00756534(_t88, 0x104, "msdownld.tmp");
    																				_t53 = GetFileAttributesA( &_v268);
    																				__eflags = _t53 - 0xffffffff;
    																				if(_t53 != 0xffffffff) {
    																					_t54 = _t53 & 0x00000010;
    																					__eflags = _t54;
    																				} else {
    																					_t54 = CreateDirectoryA( &_v268, 0);
    																				}
    																				__eflags = _t54;
    																				if(_t54 != 0) {
    																					SetFileAttributesA( &_v268, 2);
    																					_push(_t88);
    																					_t109 = 0x7591e4;
    																					E007517A1(0x7591e4, 0x104, _t88,  &_v268);
    																					_t101 = 1;
    																					_t59 = E00755423(0x7591e4, 1, 0);
    																					__eflags = _t59;
    																					if(_t59 != 0) {
    																						goto L45;
    																					} else {
    																						_t60 = _v268;
    																						goto L42;
    																					}
    																				} else {
    																					_t60 = _v268 + 1;
    																					_v265 = 0;
    																					_v268 = _t60;
    																					goto L42;
    																				}
    																			} else {
    																				_t65 = E00752631(0,  &_v268, 1);
    																				__eflags = _t65;
    																				if(_t65 != 0) {
    																					goto L28;
    																				} else {
    																					_t67 = E00755933( &_v268, 1, 1, 0);
    																					__eflags = _t67;
    																					if(_t67 == 0) {
    																						goto L28;
    																					} else {
    																						goto L33;
    																					}
    																				}
    																			}
    																		} else {
    																			goto L28;
    																		}
    																	}
    																}
    															}
    														}
    													} else {
    														goto L22;
    													}
    												}
    												goto L47;
    												L42:
    												__eflags = _t60 - 0x5a;
    											} while (_t60 <= 0x5a);
    										}
    										goto L43;
    									} else {
    										_t101 = 1;
    										_t69 = E00755423(0x7591e4, 1, 3);
    										__eflags = _t69;
    										if(_t69 != 0) {
    											goto L45;
    										} else {
    											_t82 = 0x7591e4;
    											_t70 = E00752631(0, 0x7591e4, 1);
    											__eflags = _t70;
    											if(_t70 != 0) {
    												goto L19;
    											} else {
    												_t101 = 1;
    												_t82 = 0x7591e4;
    												_t71 = E00755423(0x7591e4, 1, 1);
    												__eflags = _t71;
    												if(_t71 != 0) {
    													goto L45;
    												} else {
    													do {
    														goto L19;
    														L43:
    														GetWindowsDirectoryA( &_v268, 0x104);
    														_push(4);
    														_t101 = 3;
    														_t82 =  &_v268;
    														_t44 = E00755933(_t82, _t101, 1);
    														__eflags = _t44;
    													} while (_t44 != 0);
    													goto L2;
    												}
    											}
    										}
    									}
    								}
    							}
    						} else {
    							__eflags = _t35 - 0x5c;
    							if(_t35 != 0x5c) {
    								L10:
    								_t72 = 1;
    							} else {
    								__eflags =  *0x758b3f - _t35; // 0x0
    								_t72 = 0;
    								if(__eflags != 0) {
    									goto L10;
    								}
    							}
    							_t101 = 0;
    							_t73 = E00755423(0x758b3e, 0, _t72);
    							__eflags = _t73;
    							if(_t73 != 0) {
    								L45:
    								_t38 = 1;
    							} else {
    								_t101 = 0x4be;
    								E00754495(0, 0x4be, 0, 0, 0x10, 0);
    								goto L2;
    							}
    						}
    					} else {
    						_t101 = 0x4b1;
    						E00754495(0, 0x4b1, 0, 0, 0x10, 0);
    						LocalFree(_t109);
    						 *0x759124 = 0x80070714;
    						goto L2;
    					}
    				} else {
    					_t101 = 0x4b5;
    					E00754495(0, 0x4b5, 0, 0, 0x10, 0);
    					 *0x759124 = E00756233();
    					L2:
    					_t38 = 0;
    				}
    				L47:
    				return E00756C80(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
    			}

    APIs
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075467A
      • Part of subcall function 00754669: SizeofResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00754683
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075469D
      • Part of subcall function 00754669: LoadResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A6
      • Part of subcall function 00754669: LockResource.KERNEL32(00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546AD
      • Part of subcall function 00754669: memcpy_s.MSVCRT ref: 007546BF
      • Part of subcall function 00754669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546C9
    • LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 00755589
    • lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 007555F2
    • LocalFree.KERNEL32(00000000), ref: 00755606
    • LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 007555DA
      • Part of subcall function 00754495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 007544F4
      • Part of subcall function 00754495: MessageBoxA.USER32(?,?,00759154,00010010), ref: 00754530
      • Part of subcall function 00756233: GetLastError.KERNEL32(00755B72), ref: 00756233
    • GetTempPathA.KERNEL32(00000104,007591E4), ref: 00755673
    • GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 007556D8
    • GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 007556F1
    • GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 00755787
    • GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 007557A9
    • CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 007557BC
      • Part of subcall function 00752631: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00752655
    • SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 007557EA
      • Part of subcall function 007564C3: FindResourceA.KERNEL32(?,000007D6,00000005), ref: 007564D6
      • Part of subcall function 007564C3: LoadResource.KERNEL32(?,00000000,?,?,00752EDF,00000000,00751A00,00000547,0000083E,?,?,?,?,?,?,?), ref: 007564E4
      • Part of subcall function 007564C3: DialogBoxIndirectParamA.USER32(?,00000000,00000547,00751A00,00000000), ref: 00756503
      • Part of subcall function 007564C3: FreeResource.KERNEL32(00000000,?,?,00752EDF,00000000,00751A00,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 0075650C
    • GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00755832
      • Part of subcall function 00755933: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 0075595E
      • Part of subcall function 00755933: SetCurrentDirectoryA.KERNEL32(?), ref: 00755965
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
    • String ID: <None>$A:\$RUNPROGRAM$Z$msdownld.tmp
    • API String ID: 2436801531-4006054585
    • Opcode ID: b4b8f05d476eab9640bb2c6f41cab90bdb14f5ea38691c6ec967a1aa111c3d4d
    • Instruction ID: 69ba79aa942ca43ebd5c468963a408890aa258c14e1169d29395f686576e57c6
    • Opcode Fuzzy Hash: b4b8f05d476eab9640bb2c6f41cab90bdb14f5ea38691c6ec967a1aa111c3d4d
    • Instruction Fuzzy Hash: 81812970A04A58EBDB209B348C69BEE766D9B54303F404179ED86D2181EFFC9DCD8A15
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 50%
    			E00754204(char __ecx) {
    				char* _v8;
    				_Unknown_base(*)()* _v12;
    				_Unknown_base(*)()* _v16;
    				_Unknown_base(*)()* _v20;
    				char* _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				_Unknown_base(*)()* _t26;
    				_Unknown_base(*)()* _t28;
    				_Unknown_base(*)()* _t29;
    				_Unknown_base(*)()* _t32;
    				char _t42;
    				char* _t44;
    				char* _t61;
    				void* _t63;
    				char* _t65;
    				struct HINSTANCE__* _t66;
    				char _t67;
    				void* _t71;
    				char _t76;
    				intOrPtr _t85;
    
    				_t67 = __ecx;
    				_t66 = LoadLibraryA("SHELL32.DLL");
    				if(_t66 == 0) {
    					_t63 = 0x4c2;
    					L22:
    					E00754495(_t67, _t63, 0, 0, 0x10, 0);
    					return 0;
    				}
    				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
    				_v12 = _t26;
    				if(_t26 == 0) {
    					L20:
    					FreeLibrary(_t66);
    					_t63 = 0x4c1;
    					goto L22;
    				}
    				_t28 = GetProcAddress(_t66, 0xc3);
    				_v20 = _t28;
    				if(_t28 == 0) {
    					goto L20;
    				}
    				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
    				_v16 = _t29;
    				if(_t29 == 0) {
    					goto L20;
    				}
    				_t76 =  *0x7588c0; // 0x0
    				if(_t76 != 0) {
    					L10:
    					 *0x7587a0 = 0;
    					_v52 = _t67;
    					_v48 = 0;
    					_v44 = 0;
    					_v40 = 0x758598;
    					_v36 = 1;
    					_v32 = E007541E0;
    					_v28 = 0x7588c0;
    					 *0x75a288( &_v52);
    					_t32 =  *_v12();
    					if(_t71 != _t71) {
    						asm("int 0x29");
    					}
    					_v12 = _t32;
    					if(_t32 != 0) {
    						 *0x75a288(_t32, 0x7588c0);
    						 *_v16();
    						if(_t71 != _t71) {
    							asm("int 0x29");
    						}
    						if( *0x7588c0 != 0) {
    							E007516A0(0x7587a0, 0x104, 0x7588c0);
    						}
    						 *0x75a288(_v12);
    						 *_v20();
    						if(_t71 != _t71) {
    							asm("int 0x29");
    						}
    					}
    					FreeLibrary(_t66);
    					_t85 =  *0x7587a0; // 0x0
    					return 0 | _t85 != 0x00000000;
    				} else {
    					GetTempPathA(0x104, 0x7588c0);
    					_t61 = 0x7588c0;
    					_t4 =  &(_t61[1]); // 0x7588c1
    					_t65 = _t4;
    					do {
    						_t42 =  *_t61;
    						_t61 =  &(_t61[1]);
    					} while (_t42 != 0);
    					_t5 = _t61 - _t65 + 0x7588c0; // 0xeb1181
    					_t44 = CharPrevA(0x7588c0, _t5);
    					_v8 = _t44;
    					if( *_t44 == 0x5c &&  *(CharPrevA(0x7588c0, _t44)) != 0x3a) {
    						 *_v8 = 0;
    					}
    					goto L10;
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00754216
    • GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 0075422C
    • GetProcAddress.KERNEL32(00000000,000000C3), ref: 00754243
    • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 0075425A
    • GetTempPathA.KERNEL32(00000104,007588C0,?,00000001), ref: 0075427F
    • CharPrevA.USER32(007588C0,00EB1181,?,00000001), ref: 007542A2
    • CharPrevA.USER32(007588C0,00000000,?,00000001), ref: 007542B6
    • FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00754371
    • FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00754385
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
    • String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
    • API String ID: 1865808269-1731843650
    • Opcode ID: 23b76fb001a4881db6e1f155321633ea4011a63459e39f6d10c3162bedf6cbdc
    • Instruction ID: fb5249d59c67e4f41242a0c6ac5dc4ae77d8fc6de18fd1cb84a69eb3f0ce5d65
    • Opcode Fuzzy Hash: 23b76fb001a4881db6e1f155321633ea4011a63459e39f6d10c3162bedf6cbdc
    • Instruction Fuzzy Hash: 7641E4B0A00304AFE7115B609C859EE7F74EB4534AF044269ED01B7291DFFC8D498B66
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 70%
    			E00753200(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
    				void* __edi;
    				void* _t6;
    				void* _t10;
    				void* _t20;
    				char _t23;
    				char _t24;
    				void* _t34;
    				void* _t42;
    				void* _t46;
    				CHAR* _t49;
    				void* _t58;
    				char* _t59;
    				void* _t63;
    				struct HWND__* _t64;
    
    				_t64 = _a4;
    				_t6 = _a8 - 0x10;
    				if(_t6 == 0) {
    					_push(0);
    					L38:
    					EndDialog(_t64, ??);
    					L39:
    					return 1;
    				}
    				_t42 = 1;
    				_t10 = _t6 - 0x100;
    				if(_t10 == 0) {
    					E007543AE(_t64, GetDesktopWindow());
    					SetWindowTextA(_t64, 0x759154);
    					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
    					if( *0x759a40 == _t42) {
    						EnableWindow(GetDlgItem(_t64, 0x836), 0);
    					}
    					L36:
    					return _t42;
    				}
    				if(_t10 == _t42) {
    					_t20 = _a12 - 1;
    					if(_t20 == 0) {
    						if(GetDlgItemTextA(_t64, 0x835, 0x7591e4, 0x104) == 0) {
    							L32:
    							_t58 = 0x4bf;
    							_push(0);
    							_push(0x10);
    							_push(0);
    							_push(0);
    							L25:
    							E00754495(_t64, _t58);
    							goto L39;
    						}
    						_t49 = 0x7591e4;
    						_t4 =  &(_t49[1]); // 0x7591e5
    						_t59 = _t4;
    						do {
    							_t23 =  *_t49;
    							_t49 =  &(_t49[1]);
    						} while (_t23 != 0);
    						if(_t49 - _t59 < 3) {
    							goto L32;
    						}
    						_t24 =  *0x7591e5;
    						if(_t24 == 0x3a ||  *0x7591e4 == 0x5c && _t24 == 0x5c) {
    							if(GetFileAttributesA(0x7591e4) != 0xffffffff) {
    								L26:
    								E00756534(0x7591e4, 0x104, 0x751140);
    								if(E00755880(0x7591e4) != 0) {
    									if( *0x7591e4 != 0x5c ||  *0x7591e5 != 0x5c) {
    										if(E00755933(0x7591e4, 1, _t64, 1) == 0) {
    											L35:
    											_t42 = 1;
    											goto L36;
    										}
    										goto L31;
    									} else {
    										L31:
    										_t42 = 1;
    										EndDialog(_t64, 1);
    										goto L36;
    									}
    								}
    								_push(0);
    								_push(0x10);
    								_push(0);
    								_push(0);
    								_t58 = 0x4be;
    								goto L25;
    							}
    							if(E00754495(_t64, 0x54a, 0x7591e4, 0, 0x20, 4) != 6) {
    								goto L35;
    							}
    							if(CreateDirectoryA(0x7591e4, 0) != 0) {
    								goto L26;
    							}
    							_push(0);
    							_push(0x10);
    							_push(0);
    							_push(0x7591e4);
    							_t58 = 0x4cb;
    							goto L25;
    						} else {
    							goto L32;
    						}
    					}
    					_t34 = _t20 - 1;
    					if(_t34 == 0) {
    						EndDialog(_t64, 0);
    						 *0x759124 = 0x800704c7;
    						goto L39;
    					}
    					if(_t34 != 0x834) {
    						goto L36;
    					}
    					if(LoadStringA( *0x759a3c, 0x3e8, 0x758598, 0x200) != 0) {
    						if(E00754204(_t64, _t46, _t46) == 0 || SetDlgItemTextA(_t64, 0x835, 0x7587a0) != 0) {
    							goto L36;
    						} else {
    							_t63 = 0x4c0;
    							L9:
    							E00754495(_t64, _t63, 0, 0, 0x10, 0);
    							_push(0);
    							goto L38;
    						}
    					}
    					_t63 = 0x4b1;
    					goto L9;
    				}
    				return 0;
    			}

    APIs
    • LoadStringA.USER32(000003E8,00758598,00000200), ref: 00753261
    • GetDesktopWindow.USER32 ref: 007533D2
    • SetWindowTextA.USER32(?,00759154), ref: 007533E7
    • SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00753400
    • GetDlgItem.USER32(?,00000836), ref: 00753416
    • EnableWindow.USER32(00000000), ref: 0075341D
    • EndDialog.USER32(?,00000000), ref: 0075342F
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
    • String ID:
    • API String ID: 2418873061-0
    • Opcode ID: eba445650d38d471ccc1612865003e7ba08b848ebca8d7ce8013182e1a602b1c
    • Instruction ID: 89e3372070f00b65decca82d4dc5018c2cdeac8eaed9ec2b753bbdf27b3b0c45
    • Opcode Fuzzy Hash: eba445650d38d471ccc1612865003e7ba08b848ebca8d7ce8013182e1a602b1c
    • Instruction Fuzzy Hash: CC51F530380798BBEB225B355C4DFFB2D59EB857C7F108128FE05A51E0DAFC8A499265
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
    C-Code - Quality: 81%
    			E007534E0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
    				void* _t9;
    				void* _t12;
    				void* _t13;
    				void* _t17;
    				void* _t23;
    				void* _t25;
    				struct HWND__* _t35;
    				struct HWND__* _t38;
    				void* _t39;
    
    				_t9 = _a8 - 0x10;
    				if(_t9 == 0) {
    					__eflags = 1;
    					L19:
    					_push(0);
    					 *0x7591d8 = 1;
    					L20:
    					_push(_a4);
    					L21:
    					EndDialog();
    					L22:
    					return 1;
    				}
    				_push(1);
    				_pop(1);
    				_t12 = _t9 - 0xf2;
    				if(_t12 == 0) {
    					__eflags = _a12 - 0x1b;
    					if(_a12 != 0x1b) {
    						goto L22;
    					}
    					goto L19;
    				}
    				_t13 = _t12 - 0xe;
    				if(_t13 == 0) {
    					_t35 = _a4;
    					 *0x758584 = _t35;
    					E007543AE(_t35, GetDesktopWindow());
    					__eflags =  *0x758184; // 0x1
    					if(__eflags != 0) {
    						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
    						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
    					}
    					SetWindowTextA(_t35, 0x759154);
    					_t17 = CreateThread(0, 0, E00754FA0, 0, 0, 0x758798);
    					 *0x75879c = _t17;
    					__eflags = _t17;
    					if(_t17 != 0) {
    						goto L22;
    					} else {
    						E00754495(_t35, 0x4b8, 0, 0, 0x10, 0);
    						_push(0);
    						_push(_t35);
    						goto L21;
    					}
    				}
    				_t23 = _t13 - 1;
    				if(_t23 == 0) {
    					__eflags = _a12 - 2;
    					if(_a12 != 2) {
    						goto L22;
    					}
    					ResetEvent( *0x75858c);
    					_t38 =  *0x758584; // 0x0
    					_t25 = E00754495(_t38, 0x4b2, 0x751140, 0, 0x20, 4);
    					__eflags = _t25 - 6;
    					if(_t25 == 6) {
    						L11:
    						 *0x7591d8 = 1;
    						SetEvent( *0x75858c);
    						_t39 =  *0x75879c; // 0x0
    						E00753670(_t39);
    						_push(0);
    						goto L20;
    					}
    					__eflags = _t25 - 1;
    					if(_t25 == 1) {
    						goto L11;
    					}
    					SetEvent( *0x75858c);
    					goto L22;
    				}
    				if(_t23 == 0xe90) {
    					TerminateThread( *0x75879c, 0);
    					EndDialog(_a4, _a12);
    					return 1;
    				}
    				return 0;
    			}

    APIs
    • TerminateThread.KERNEL32(00000000), ref: 00753525
    • EndDialog.USER32(?,?), ref: 00753531
    • ResetEvent.KERNEL32 ref: 0075354F
    • SetEvent.KERNEL32(00751140,00000000,00000020,00000004), ref: 00753580
    • GetDesktopWindow.USER32 ref: 007535B7
    • GetDlgItem.USER32(?,0000083B), ref: 007535E1
    • SendMessageA.USER32(00000000), ref: 007535E8
    • GetDlgItem.USER32(?,0000083B), ref: 00753600
    • SendMessageA.USER32(00000000), ref: 00753607
    • SetWindowTextA.USER32(?,00759154), ref: 00753613
    • CreateThread.KERNEL32(00000000,00000000,Function_00004FA0,00000000,00000000,00758798), ref: 00753627
    • EndDialog.USER32(?,00000000), ref: 00753661
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
    • String ID:
    • API String ID: 2406144884-0
    • Opcode ID: c4777c76780d2033ac335e64a67df6b0a162cc92aa0cf7593a2fc7284e46e7ff
    • Instruction ID: 5f75a6bf4f2ff6a77c76dd04cf77ae22a83c178f308508454632a37c09c334ec
    • Opcode Fuzzy Hash: c4777c76780d2033ac335e64a67df6b0a162cc92aa0cf7593a2fc7284e46e7ff
    • Instruction Fuzzy Hash: DE319671140344BBD7601F75EC4DED63A74F785B83F208539FA01952B0DAFD8914DA5A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
    C-Code - Quality: 77%
    			E00754FA0(void* __edi, void* __eflags) {
    				void* __ebx;
    				void* _t8;
    				struct HWND__* _t9;
    				int _t10;
    				void* _t12;
    				struct HWND__* _t24;
    				struct HWND__* _t27;
    				void* _t33;
    				int _t34;
    				CHAR* _t36;
    				int _t37;
    
    				_t33 = __edi;
    				_t36 = "CABINET";
    				 *0x759144 = E00754669(_t36, 0, 0);
    				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
    				 *0x759140 = _t8;
    				if(_t8 != 0) {
    					_t9 =  *0x758584; // 0x0
    					if(_t9 != 0) {
    						ShowWindow(GetDlgItem(_t9, 0x842), 0);
    						ShowWindow(GetDlgItem( *0x758584, 0x841), 5);
    					}
    					_t10 = E00754ECB(0, 0);
    					if(_t10 != 0) {
    						__imp__#20(E00754C70, E00754C90, E00754950, E00754A20, E00754AA0, E00754B30, E00754B90, 1, 0x759148, _t33);
    						_t34 = _t10;
    						if(_t34 == 0) {
    							L8:
    							_t24 =  *0x758584; // 0x0
    							E00754495(_t24,  *0x759148 + 0x514, 0, 0, 0x10, 0);
    							_t37 = 0;
    							L9:
    							goto L10;
    						}
    						__imp__#22(_t34, "*MEMCAB", 0x751140, 0, E00754CA0, 0, 0x759140);
    						_t37 = _t10;
    						if(_t37 == 0) {
    							goto L9;
    						}
    						__imp__#23(_t34);
    						if(_t10 != 0) {
    							goto L9;
    						}
    						goto L8;
    					} else {
    						_t27 =  *0x758584; // 0x0
    						E00754495(_t27, 0x4ba, 0, 0, 0x10, 0);
    						_t37 = 0;
    						L10:
    						_t12 =  *0x759140;
    						if(_t12 != 0) {
    							FreeResource(_t12);
    							 *0x759140 = 0;
    						}
    						if(_t37 == 0 &&  *0x7591d8 == 0) {
    							E00754495(0, 0x4f8, 0, 0, 0x10, 0);
    						}
    						if(( *0x758a38 & 0x00000001) == 0 && ( *0x759a34 & 0x00000001) == 0) {
    							SendMessageA( *0x758584, 0xfa1, _t37, 0);
    						}
    						return _t37;
    					}
    				}
    				return _t8;
    			}

    APIs
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075467A
      • Part of subcall function 00754669: SizeofResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00754683
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075469D
      • Part of subcall function 00754669: LoadResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A6
      • Part of subcall function 00754669: LockResource.KERNEL32(00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546AD
      • Part of subcall function 00754669: memcpy_s.MSVCRT ref: 007546BF
      • Part of subcall function 00754669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546C9
    • FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00754FBE
    • LoadResource.KERNEL32(00000000,00000000), ref: 00754FC6
    • LockResource.KERNEL32(00000000), ref: 00754FCD
    • GetDlgItem.USER32(00000000,00000842), ref: 00754FF0
    • ShowWindow.USER32(00000000), ref: 00754FF7
    • GetDlgItem.USER32(00000841,00000005), ref: 0075500A
    • ShowWindow.USER32(00000000), ref: 00755011
    • FreeResource.KERNEL32(?,00000000,00000010,00000000), ref: 007550D1
    • SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00755119
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
    • String ID: *MEMCAB$CABINET
    • API String ID: 1305606123-2642027498
    • Opcode ID: a7cc25514a9043b263807b23b0ac027f87a7b5d782bb0498ae1d36cca5842645
    • Instruction ID: cafddd06734f746f214d3b9e8c3d36f7faa3d226758f60b4db40d722e6bb4271
    • Opcode Fuzzy Hash: a7cc25514a9043b263807b23b0ac027f87a7b5d782bb0498ae1d36cca5842645
    • Instruction Fuzzy Hash: D731D9B1A40B19BBE7205B319C8EFE7365CBB44747F048134BE09A21D0EEFD8C448669
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
    C-Code - Quality: 94%
    			E00752770(CHAR* __ecx, char* _a4) {
    				signed int _v8;
    				char _v268;
    				char _v269;
    				CHAR* _v276;
    				int _v280;
    				void* _v284;
    				int _v288;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t23;
    				intOrPtr _t34;
    				int _t45;
    				int* _t50;
    				CHAR* _t52;
    				CHAR* _t61;
    				char* _t62;
    				int _t63;
    				CHAR* _t64;
    				signed int _t65;
    
    				_t52 = __ecx;
    				_t23 =  *0x758004; // 0xb49f60cf
    				_v8 = _t23 ^ _t65;
    				_t62 = _a4;
    				_t50 = 0;
    				_t61 = __ecx;
    				_v276 = _t62;
    				 *((char*)(__ecx)) = 0;
    				if( *_t62 != 0x23) {
    					_t63 = 0x104;
    					goto L14;
    				} else {
    					_t64 = _t62 + 1;
    					_v269 = CharUpperA( *_t64);
    					_v276 = CharNextA(CharNextA(_t64));
    					_t63 = 0x104;
    					_t34 = _v269;
    					if(_t34 == 0x53) {
    						L14:
    						GetSystemDirectoryA(_t61, _t63);
    						goto L15;
    					} else {
    						if(_t34 == 0x57) {
    							GetWindowsDirectoryA(_t61, 0x104);
    							goto L16;
    						} else {
    							_push(_t52);
    							_v288 = 0x104;
    							E007517A1( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
    							_t59 = 0x104;
    							E00756534( &_v268, 0x104, _v276);
    							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
    								L16:
    								_t59 = _t63;
    								E00756534(_t61, _t63, _v276);
    							} else {
    								if(RegQueryValueExA(_v284, 0x751140, 0,  &_v280, _t61,  &_v288) == 0) {
    									_t45 = _v280;
    									if(_t45 != 2) {
    										L9:
    										if(_t45 == 1) {
    											goto L10;
    										}
    									} else {
    										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
    											_t45 = _v280;
    											goto L9;
    										} else {
    											_t59 = 0x104;
    											E007516A0(_t61, 0x104,  &_v268);
    											L10:
    											_t50 = 1;
    										}
    									}
    								}
    								RegCloseKey(_v284);
    								L15:
    								if(_t50 == 0) {
    									goto L16;
    								}
    							}
    						}
    					}
    				}
    				return E00756C80(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
    			}

    APIs
    • CharUpperA.USER32(B49F60CF,00000000,00000000,00000000), ref: 007527A5
    • CharNextA.USER32(0000054D), ref: 007527B2
    • CharNextA.USER32(00000000), ref: 007527B9
    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00752826
    • RegQueryValueExA.ADVAPI32(?,00751140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0075284F
    • ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0075286D
    • RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0075289D
    • GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 007528A7
    • GetSystemDirectoryA.KERNEL32(-00000005,00000104), ref: 007528B6
    Strings
    • Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 007527E1
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
    • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
    • API String ID: 2659952014-2428544900
    • Opcode ID: fecca71f88f845b5de8c1c93c1728957f6f6150a7a9ac558d2fdbe4cf0c3b5d1
    • Instruction ID: 416b1bdfb2c2a3043400b4acc4ea3d537306e3c2b57c8d341e0c4f6642a7cc74
    • Opcode Fuzzy Hash: fecca71f88f845b5de8c1c93c1728957f6f6150a7a9ac558d2fdbe4cf0c3b5d1
    • Instruction Fuzzy Hash: 7241D870E0021CAFDB249B64DC85AEE7B7DEF16702F4040A9F949D2151DBF85E8A8F61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
    C-Code - Quality: 91%
    			E007518C1(void* __edx, void* __esi) {
    				signed int _v8;
    				short _v12;
    				struct _SID_IDENTIFIER_AUTHORITY _v16;
    				char _v20;
    				long _v24;
    				void* _v28;
    				void* _v32;
    				void* __ebx;
    				void* __edi;
    				signed int _t23;
    				long _t45;
    				void* _t49;
    				int _t50;
    				void* _t52;
    				signed int _t53;
    
    				_t51 = __esi;
    				_t49 = __edx;
    				_t23 =  *0x758004; // 0xb49f60cf
    				_v8 = _t23 ^ _t53;
    				_t25 =  *0x758128; // 0x2
    				_t45 = 0;
    				_v12 = 0x500;
    				_t50 = 2;
    				_v16.Value = 0;
    				_v20 = 0;
    				if(_t25 != _t50) {
    					L20:
    					return E00756C80(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
    				}
    				if(E0075180E( &_v20) != 0) {
    					_t25 = _v20;
    					if(_v20 != 0) {
    						 *0x758128 = 1;
    					}
    					goto L20;
    				}
    				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
    					goto L20;
    				}
    				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
    					L17:
    					CloseHandle(_v28);
    					_t25 = _v20;
    					goto L20;
    				} else {
    					_push(__esi);
    					_t52 = LocalAlloc(0, _v24);
    					if(_t52 == 0) {
    						L16:
    						_pop(_t51);
    						goto L17;
    					}
    					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
    						L15:
    						LocalFree(_t52);
    						goto L16;
    					} else {
    						if( *_t52 <= 0) {
    							L14:
    							FreeSid(_v32);
    							goto L15;
    						}
    						_t15 = _t52 + 4; // 0x4
    						_t50 = _t15;
    						while(EqualSid( *_t50, _v32) == 0) {
    							_t45 = _t45 + 1;
    							_t50 = _t50 + 8;
    							if(_t45 <  *_t52) {
    								continue;
    							}
    							goto L14;
    						}
    						 *0x758128 = 1;
    						_v20 = 1;
    						goto L14;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0075180E: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,007518FB), ref: 0075183A
      • Part of subcall function 0075180E: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0075184C
      • Part of subcall function 0075180E: AllocateAndInitializeSid.ADVAPI32(007518FB,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,007518FB), ref: 00751875
      • Part of subcall function 0075180E: FreeSid.ADVAPI32(?,?,?,?,007518FB), ref: 007518A3
      • Part of subcall function 0075180E: FreeLibrary.KERNEL32(00000000,?,?,?,007518FB), ref: 007518AA
    • GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 00751909
    • OpenProcessToken.ADVAPI32(00000000), ref: 00751910
    • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 00751928
    • GetLastError.KERNEL32 ref: 00751936
    • LocalAlloc.KERNEL32(00000000,?,?), ref: 0075194A
    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00751962
    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00751982
    • EqualSid.ADVAPI32(00000004,?), ref: 00751998
    • FreeSid.ADVAPI32(?), ref: 007519BA
    • LocalFree.KERNEL32(00000000), ref: 007519C1
    • CloseHandle.KERNEL32(?), ref: 007519CB
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
    • String ID:
    • API String ID: 2168512254-0
    • Opcode ID: 236733239c5825641fbaa8a4494c03903eaac84b20268eba5791367e54db73fc
    • Instruction ID: cb0b96c7a76318630e28cea843d04b946a9a5fe61ed75db2888e632a37a13dc8
    • Opcode Fuzzy Hash: 236733239c5825641fbaa8a4494c03903eaac84b20268eba5791367e54db73fc
    • Instruction Fuzzy Hash: 5C316135A00349EFDB109FA5DC49AEF7BB8FF04707F504128E945E2190EBB9A908CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E0075226E() {
    				signed int _v8;
    				char _v268;
    				char _v836;
    				void* _v840;
    				int _v844;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t19;
    				intOrPtr _t33;
    				void* _t38;
    				intOrPtr* _t42;
    				void* _t45;
    				void* _t47;
    				void* _t49;
    				signed int _t51;
    
    				_t19 =  *0x758004; // 0xb49f60cf
    				_t20 = _t19 ^ _t51;
    				_v8 = _t19 ^ _t51;
    				if( *0x758530 != 0) {
    					_push(_t49);
    					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
    						_push(_t38);
    						_v844 = 0x238;
    						if(RegQueryValueExA(_v840, 0x758530, 0, 0,  &_v836,  &_v844) == 0) {
    							_push(_t47);
    							memset( &_v268, 0, 0x104);
    							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
    								E00756534( &_v268, 0x104, 0x751140);
    							}
    							E0075173E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
    							_t42 =  &_v836;
    							_t45 = _t42 + 1;
    							_t47 = 0x7591e4;
    							do {
    								_t33 =  *_t42;
    								_t42 = _t42 + 1;
    							} while (_t33 != 0);
    							RegSetValueExA(_v840, 0x758530, 0, 1,  &_v836, _t42 - _t45 + 1);
    						}
    						_t20 = RegCloseKey(_v840);
    						_pop(_t38);
    					}
    					_pop(_t49);
    				}
    				return E00756C80(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 007522AA
    • RegQueryValueExA.ADVAPI32(?,00758530,00000000,00000000,?,?,00000001), ref: 007522DF
    • memset.MSVCRT ref: 007522FC
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0075230C
    • RegSetValueExA.ADVAPI32(?,00758530,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 00752375
    • RegCloseKey.ADVAPI32(?), ref: 00752381
    Strings
    • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 007522A0
    • rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00752334
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Value$CloseDirectoryOpenQuerySystemmemset
    • String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
    • API String ID: 3027380567-2368451976
    • Opcode ID: c401c94123bfd4f19d39faec88d02412a8d08221a4919922043f0a8e78d251e2
    • Instruction ID: 59143f30da915b8dde56024fae8837eaad75e03a16904aaef6e344f5b07c1665
    • Opcode Fuzzy Hash: c401c94123bfd4f19d39faec88d02412a8d08221a4919922043f0a8e78d251e2
    • Instruction Fuzzy Hash: C1319871A00218ABDB619B10DC49FDB7B7CEF55742F4401A5B90DE6051EAF86B8DCA50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00752570(signed int __ecx) {
    				int _v8;
    				void* _v12;
    				signed int _t13;
    				signed int _t19;
    				void* _t26;
    				int _t31;
    				void* _t34;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t13 = __ecx & 0x0000ffff;
    				_t31 = 0;
    				if(_t13 == 0) {
    					_t31 = E007524E5(_t26);
    				} else {
    					_t34 = _t13 - 1;
    					if(_t34 == 0) {
    						_v8 = 0;
    						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
    							goto L7;
    						} else {
    							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0); // &_v8 is lpcValues: the number of values under FileRenameOperations
    							goto L6;
    						}
    						L12:
    					} else {
    						if(_t34 > 0 && __ecx <= 3) {
    							_v8 = 0;
    							if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12) == 0) {
    								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // lpData is NULL, so only the data size is returned in _v8
    								L6:
    								asm("sbb eax, eax");
    								_v8 = _v8 &  !( ~_t19); // neg/sbb/not/and idiom: _v8 survives only when the Reg* call returned ERROR_SUCCESS (0), otherwise it becomes 0
    								RegCloseKey(_v12);
    							}
    							L7:
    							_t31 = _v8;
    						}
    					}
    				}
    				return _t31;
    				goto L12;
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,?,?,?,?,00751EE3,00000001,00000000,00754121,?,00754082), ref: 007525B5
    • RegQueryValueExA.ADVAPI32(?,PendingFileRenameOperations,00000000,00000000,00000000,00754082,?,00751EE3,00000001,00000000,00754121,?,00754082), ref: 007525CE
    • RegCloseKey.ADVAPI32(?,?,00751EE3,00000001,00000000,00754121,?,00754082), ref: 007525E0
    • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,?,?,?,?,00751EE3,00000001,00000000,00754121,?,00754082), ref: 00752602
    • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00754082,00000000,00000000,00000000,00000000,?,00751EE3,00000001,00000000), ref: 0075261D
    Strings
    • System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 007525F8
    • PendingFileRenameOperations, xrefs: 007525C6
    • System\CurrentControlSet\Control\Session Manager, xrefs: 007525AB
    Similarity
    • API ID: OpenQuery$CloseInfoValue
    • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
    • API String ID: 2209512893-559176071
    • Opcode ID: bd1c2c27f02c1c2665a7a0ff6dfd9c1393db655496c6b8dcec9237c85e9300f0
    • Instruction ID: dbcc21c1a336c08606ff0ae2e10d96b0b0fa0a72cef47425beb98fe78e1cf2c6
    • Opcode Fuzzy Hash: bd1c2c27f02c1c2665a7a0ff6dfd9c1393db655496c6b8dcec9237c85e9300f0
    • Instruction Fuzzy Hash: 2D119475911228FBDB209BA19C09DEB7E7CEF067A3F4040A5BC09E2041E6F84E4DD6A1
    Uniqueness

    Uniqueness Score: -1.00%

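The probe decompiled above as E00752570 is what E00752F10 further down consults (unless bits 0xc0 of *0x758d48 are set) before deciding whether a reboot is needed. The following is an added example for this report, not code from wextract.exe or from Joe Sandbox: it reproduces the decision logic against a dict snapshot of the two Session Manager keys so it can be run offline, and adds a decoder for the PendingFileRenameOperations REG_MULTI_SZ list, which is what an incident responder actually wants to read when this value is non-empty. Mode 0 is delegated to E007524E5, which is not on this page, and is not modelled; the registry snapshot in the test is constructed. The size the model returns is the byte length of the snapshot value, so only its zero/non-zero outcome is guaranteed to match the binary.

```python
"""Offline model of wextract's reboot-pending probe (E00752570) plus a decoder
for the PendingFileRenameOperations value. Added example, not sample code."""
from typing import Dict, Iterable, List, Tuple

SESSION_MANAGER = r"HKLM\System\CurrentControlSet\Control\Session Manager"
FILE_RENAME_OPS = SESSION_MANAGER + r"\FileRenameOperations"
PENDING_VALUE = "PendingFileRenameOperations"

# Snapshot layout (constructed for this example): key path -> {value name: raw data}.
RegistrySnapshot = Dict[str, Dict[str, bytes]]


def probe_pending_rename(mode: int, reg: RegistrySnapshot) -> int:
    """Return the count/size the binary treats as 'a rename is queued for reboot'.

    mode is a 32-bit signed int as in the decompilation: the low 16 bits pick
    the branch, but the upper-bound check (mode <= 3) uses the full value.
    """
    low = mode & 0xFFFF
    if low == 0:
        raise NotImplementedError("mode 0 is handled by E007524E5, which is not on the page")
    if low == 1:
        # RegQueryInfoKeyA with lpcValues = &_v8: number of values under FileRenameOperations
        key = reg.get(FILE_RENAME_OPS)
        return 0 if key is None else len(key)
    if low > 1 and mode <= 3:
        # RegQueryValueExA with lpData = NULL: only the data size lands in _v8
        key = reg.get(SESSION_MANAGER)
        if key is None or PENDING_VALUE not in key:
            return 0
        return len(key[PENDING_VALUE])
    return 0


def encode_multi_sz(strings: Iterable[str]) -> bytes:
    """Build a REG_MULTI_SZ blob (UTF-16LE, NUL-separated, double-NUL terminated)."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode_pending_renames(data: bytes) -> List[Tuple[str, str]]:
    """Split PendingFileRenameOperations into (source, destination) pairs.

    Windows stores consecutive pairs: an empty destination means the source is
    deleted at boot, a destination starting with '!' replaces an existing file,
    and paths carry the NT '\\??\\' prefix.
    """
    parts = data.decode("utf-16-le").split("\0")
    while parts and parts[-1] == "":   # strip the double-NUL terminator
        parts.pop()
    if len(parts) % 2:                 # a trailing delete entry lost its empty destination
        parts.append("")
    return [(parts[i], parts[i + 1]) for i in range(0, len(parts), 2)]
```

A non-zero return from `probe_pending_rename` is the condition under which the extractor considers a reboot outstanding; pairing it with `decode_pending_renames` shows which files are involved, which is the difference between "a reboot is pending" and "an installer staged a replacement of a system DLL".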
    C-Code - Quality: 95%
    			E0075535F(CHAR* __ecx, CHAR* __edx) {
    				signed int _v8;
    				char _v268;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t5;
    				CHAR* _t20;
    				int _t29;
    				int _t30;
    				CHAR* _t32;
    				signed int _t33;
    				void* _t34;
    
    				_t5 =  *0x758004; // 0xb49f60cf
    				_v8 = _t5 ^ _t33;
    				_t32 = __edx;
    				_t20 = __ecx;
    				_t29 = 0;
    				while(1) {
    					E0075173E( &_v268, 0x104, "IXP%03d.TMP", _t29);
    					_t34 = _t34 + 0x10;
    					_t29 = _t29 + 1;
    					E007516A0(_t32, 0x104, _t20);
    					E00756534(_t32, 0x104,  &_v268);
    					RemoveDirectoryA(_t32);
    					if(GetFileAttributesA(_t32) == 0xffffffff) {
    						break;
    					}
    					if(_t29 < 0x190) {
    						continue;
    					}
    					L3:
    					_t30 = 0;
    					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
    						_t30 = 1;
    						DeleteFileA(_t32);
    						CreateDirectoryA(_t32, 0);
    					}
    					L5:
    					return E00756C80(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
    				}
    				if(CreateDirectoryA(_t32, 0) == 0) {
    					goto L3;
    				}
    				_t30 = 1;
    				 *0x758a20 = 1;
    				goto L5;
    			}

    APIs
      • Part of subcall function 0075173E: _vsnprintf.MSVCRT ref: 00751770
    • RemoveDirectoryA.KERNEL32(?,?,007591E4,?,00000001,007591E4,00000000), ref: 007553B9
    • GetFileAttributesA.KERNEL32(?,?,00000001,007591E4,00000000), ref: 007553C0
    • GetTempFileNameA.KERNEL32(007591E4,IXP,00000000,?,?,00000001,007591E4,00000000), ref: 007553DD
    • DeleteFileA.KERNEL32(?,?,00000001,007591E4,00000000), ref: 007553E9
    • CreateDirectoryA.KERNEL32(?,00000000,?,00000001,007591E4,00000000), ref: 007553F2
    • CreateDirectoryA.KERNEL32(?,00000000,?,00000001,007591E4,00000000), ref: 0075540E
    Similarity
    • API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
    • String ID: IXP$IXP%03d.TMP
    • API String ID: 1082909758-3932986939
    • Opcode ID: 4e198a0a15794d1ea32c8974340204f32e17adc3d584fc309c3453f7db381cca
    • Instruction ID: 7c8475c1b3063512f06f65d367807d9d76be4ebd66290ddb3a44a0c1d0b31932
    • Opcode Fuzzy Hash: 4e198a0a15794d1ea32c8974340204f32e17adc3d584fc309c3453f7db381cca
    • Instruction Fuzzy Hash: 58110D70700604B7D7209B269C08FEF366CDBC2713F404124BA4AD21C0DEFC8D8A826A
    Uniqueness

    Uniqueness Score: -1.00%

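Two records on this page describe the lifecycle of the extraction directory: the first (partial) record shows a RunOnce value of the form `rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"` being written so the directory tree is deleted on the next logon, and E0075535F above shows the directory being named IXP000.TMP through IXP399.TMP (0x190 attempts, then a GetTempFileNameA fallback with the "IXP" prefix). The following is an added example for this report, not code from wextract.exe or Joe Sandbox: detection helpers that enumerate the candidate directory names and pick the DelNodeRunDLL32 cleanup entries out of a RunOnce snapshot, flagging ones that do not look like what the extractor itself writes. The RunOnce value names and the snapshot in the test are constructed; the text that precedes `advpack.dll` is captured as-is, since the page does not show how the system directory is terminated before the format string is applied.

```python
"""Detection helpers for wextract's IXPnnn.TMP directory and its RunOnce
cleanup entry. Added example, not code from the sample."""
import re
from typing import Dict, Iterator, List, NamedTuple

IXP_DIR_RE = re.compile(r"\\IXP\d{3}\.TMP$", re.IGNORECASE)
DELNODE_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?P<sysdir>.*?)advpack\.dll,DelNodeRunDLL32\s+"(?P<target>[^"]+)"\s*$',
    re.IGNORECASE,
)


def candidate_extract_dirs(base: str, limit: int = 0x190) -> Iterator[str]:
    """Directory names wextract tries, in order, before the GetTempFileNameA fallback."""
    base = base.rstrip("\\")
    for i in range(limit):
        yield f"{base}\\IXP{i:03d}.TMP"


class DelNodeEntry(NamedTuple):
    value_name: str
    sysdir: str      # text in front of advpack.dll, normally the system directory
    target: str      # directory tree DelNodeRunDLL32 will delete
    ixp_style: bool  # target looks like a wextract extraction directory


def find_delnode_runonce(runonce: Dict[str, str]) -> List[DelNodeEntry]:
    """Pick the RunOnce values (name -> data) that schedule an advpack DelNodeRunDLL32 deletion."""
    hits = []
    for name, data in runonce.items():
        m = DELNODE_RE.match(data.strip())
        if m:
            target = m.group("target")
            hits.append(DelNodeEntry(name, m.group("sysdir"), target,
                                     bool(IXP_DIR_RE.search(target))))
    return hits


def is_suspicious(entry: DelNodeEntry) -> bool:
    """Flag entries that deviate from what the extractor writes.

    DelNodeRunDLL32 removes a whole tree, so a target outside the IXPnnn.TMP
    pattern deserves a look, and advpack.dll referenced without an absolute
    path would be resolved through rundll32's DLL search order rather than
    from the system directory.
    """
    abs_sysdir = re.match(r"^[A-Za-z]:\\", entry.sysdir) is not None
    return not entry.ixp_style or not abs_sysdir
```

The same regexes work on a process-creation log: the rundll32 command line seen at logon is the RunOnce data verbatim, so `DELNODE_RE` applied to the command line recovers the directory that was removed even after it is gone.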
    C-Code - Quality: 82%
    			E00754669(CHAR* __ecx, void* __edx, intOrPtr _a4) {
    				long _t4;
    				void* _t11;
    				CHAR* _t14;
    				void* _t15;
    				long _t16;
    
    				_t14 = __ecx;
    				_t11 = __edx;
    				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa)); // 0xa is RT_RCDATA; __ecx is the resource name (the trace shows "TITLE")
    				_t16 = _t4;
    				if(_t16 <= _a4 && _t11 != 0) { // copy only when the resource fits in the caller's _a4-byte buffer; otherwise just report the size
    					if(_t16 == 0) {
    						L5:
    						return 0;
    					}
    					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
    					if(_t15 == 0) {
    						goto L5;
    					}
    					__imp__memcpy_s(_t11, _a4, _t15, _t16);
    					FreeResource(_t15);
    					return _t16;
    				}
    				return _t4;
    			}

    APIs
    • FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075467A
    • SizeofResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00754683
    • FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075469D
    • LoadResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A6
    • LockResource.KERNEL32(00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546AD
    • memcpy_s.MSVCRT ref: 007546BF
    • FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546C9
    Similarity
    • API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
    • String ID: TITLE
    • API String ID: 3370778649-3697457883
    • Opcode ID: f75627ae7657b9579acf78e02ce3abc19920901358f5296654596afb83bd6d91
    • Instruction ID: 96d81a09f21cd76fb101943f5c387647859e305ac1fec14e61c417c4bb396708
    • Opcode Fuzzy Hash: f75627ae7657b9579acf78e02ce3abc19920901358f5296654596afb83bd6d91
    • Instruction Fuzzy Hash: CE01F9322443047BE75017A5AC4DFEB7E2DDBC6B67F048134FE0986180D9F988A082BA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E007530F0(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
    				void* _t8;
    				void* _t11;
    				void* _t15;
    				struct HWND__* _t16;
    				struct HWND__* _t33;
    				struct HWND__* _t34;
    
    				_t8 = _a8 - 0xf;
    				if(_t8 == 0) {
    					if( *0x758590 == 0) {
    						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
    						 *0x758590 = 1;
    					}
    					L13:
    					return 0;
    				}
    				_t11 = _t8 - 1;
    				if(_t11 == 0) {
    					L7:
    					_push(0);
    					L8:
    					EndDialog(_a4, ??);
    					L9:
    					return 1;
    				}
    				_t15 = _t11 - 0x100;
    				if(_t15 == 0) {
    					_t16 = GetDesktopWindow();
    					_t33 = _a4;
    					E007543AE(_t33, _t16);
    					SetDlgItemTextA(_t33, 0x834,  *0x758d4c);
    					SetWindowTextA(_t33, 0x759154);
    					SetForegroundWindow(_t33);
    					_t34 = GetDlgItem(_t33, 0x834);
    					 *0x7588b8 = GetWindowLongA(_t34, 0xfffffffc);
    					SetWindowLongA(_t34, 0xfffffffc, E007530B0);
    					return 1;
    				}
    				if(_t15 != 1) {
    					goto L13;
    				}
    				if(_a12 != 6) {
    					if(_a12 != 7) {
    						goto L9;
    					}
    					goto L7;
    				}
    				_push(1);
    				goto L8;
    			}

    APIs
    • EndDialog.USER32(?,00000000), ref: 0075312B
    • GetDesktopWindow.USER32 ref: 0075313B
    • SetDlgItemTextA.USER32(?,00000834), ref: 0075315A
    • SetWindowTextA.USER32(?,00759154), ref: 00753166
    • SetForegroundWindow.USER32(?), ref: 0075316D
    • GetDlgItem.USER32(?,00000834), ref: 00753175
    • GetWindowLongA.USER32(00000000,000000FC), ref: 00753180
    • SetWindowLongA.USER32(00000000,000000FC,007530B0), ref: 00753193
    • SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 007531BA
    Similarity
    • API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
    • String ID:
    • API String ID: 3785188418-0
    • Opcode ID: b0e7c7c9d198ce72799723a640a9fe89a6fd1390b33dc26a10ff34d4fb236e3e
    • Instruction ID: b67e98baca7e9fd95924dadb4dc0967071b3ca98a0b008ae4804696f7469caaa
    • Opcode Fuzzy Hash: b0e7c7c9d198ce72799723a640a9fe89a6fd1390b33dc26a10ff34d4fb236e3e
    • Instruction Fuzzy Hash: 3711CD31144B1DBBDB115B349C0DBDA3A64FB4A363F008220FD15A11F0DBFD8A49C68A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00752F10(void* __ecx, int __edx) {
    				signed int _v8;
    				char _v272;
    				_Unknown_base(*)()* _v276;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t9;
    				void* _t11;
    				struct HWND__* _t12;
    				signed int _t22;
    				signed int _t25;
    				signed int _t27;
    				_Unknown_base(*)()* _t31;
    				void* _t34;
    				struct HINSTANCE__* _t36;
    				intOrPtr* _t44;
    				signed int _t46;
    				int _t47;
    				void* _t58;
    
    				_t43 = __edx;
    				_t9 =  *0x758004; // 0xb49f60cf
    				_v8 = _t9 ^ _t46;
    				if( *0x758a38 != 0) {
    					L5:
    					_t11 = E00755124(_t52);
    					_t53 = _t11;
    					if(_t11 == 0 || E0075555A(_t53) == 0) {
    						L16:
    						_t12 = 0;
    						goto L17;
    					} else {
    						_t45 = 0x105;
    						GetSystemDirectoryA( &_v272, 0x105);
    						_t43 = 0x105;
    						_t40 =  &_v272;
    						E00756534( &_v272, 0x105, "advapi32.dll"); // joins "advapi32.dll" onto the GetSystemDirectoryA result
    						_t36 = LoadLibraryA( &_v272); // loaded by full system-directory path, not by bare name, so the DLL search order is not consulted; the "?" in the API trace line is this unresolved buffer and the "advapi32.dll" beside it is most likely a leftover stack slot from the call above
    						_t44 = 0;
    						if(_t36 != 0) {
    							_t31 = GetProcAddress(_t36, "DecryptFileA");
    							_v276 = _t31;
    							if(_t31 != 0) {
    								_t45 = _t47;
    								_t40 = _t31;
    								 *0x75a288(0x7591e4, 0); // indirect call through a global pointer, probably the CFG guard-check stub (the image has GUARD_CF); the decompiler attached the arguments of the call below to it
    								_v276(); // DecryptFileA(lpFileName, dwReserved): (0x7591e4, 0) fits that signature, so the EFS encryption attribute is cleared on the path in the global buffer that SetCurrentDirectoryA receives further down
    								if(_t47 != _t47) { // decompiler rendering of the stack-pointer check after the call
    									_t40 = 4;
    									asm("int 0x29"); // __fastfail(4) = FAST_FAIL_INCORRECT_STACK
    								}
    							}
    						}
    						FreeLibrary(_t36);
    						_t58 =  *0x758a24 - _t44; // 0x0
    						if(_t58 != 0 ||  *0x759a30 != _t44 || E007561CE() != 0) {
    							if(SetCurrentDirectoryA(0x7591e4) != 0) {
    								__eflags =  *0x758a2c - _t44; // 0x0
    								if(__eflags != 0) {
    									L20:
    									__eflags =  *0x758d48 & 0x000000c0;
    									if(( *0x758d48 & 0x000000c0) == 0) {
    										_t44 = E00752570( *0x759a40);
    									}
    									_t22 =  *0x758a24; // 0x0
    									 *0x759a44 = _t44;
    									__eflags = _t22;
    									if(_t22 != 0) {
    										L26:
    										__eflags =  *0x758a38;
    										if( *0x758a38 == 0) {
    											__eflags = _t22;
    											if(__eflags == 0) {
    												E00754153(__eflags);
    											}
    										}
    										_t12 = 1;
    										L17:
    										return E00756C80(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
    									} else {
    										__eflags =  *0x759a30 - _t22;
    										if( *0x759a30 != _t22) {
    											goto L26;
    										}
    										_t25 = E00753B8E();
    										__eflags = _t25;
    										if(_t25 == 0) {
    											goto L16;
    										}
    										_t22 =  *0x758a24; // 0x0
    										goto L26;
    									}
    								}
    								_t27 = E00753B12(_t40, _t44);
    								__eflags = _t27;
    								if(_t27 == 0) {
    									goto L16;
    								}
    								goto L20;
    							}
    							_t43 = 0x4bc;
    							E00754495(0, 0x4bc, _t44, _t44, 0x10, _t44);
    							 *0x759124 = E00756233();
    						}
    						goto L16;
    					}
    				}
    				_t49 =  *0x758a24;
    				if( *0x758a24 != 0) {
    					L4:
    					_t34 = E00753A2B(_t51);
    					_t52 = _t34;
    					if(_t34 == 0) {
    						goto L16;
    					}
    					goto L5;
    				}
    				if(E007551A5(_t49) == 0) {
    					goto L16;
    				}
    				_t51 =  *0x758a38;
    				if( *0x758a38 != 0) {
    					goto L5;
    				}
    				goto L4;
    			}

    APIs
    • GetSystemDirectoryA.KERNEL32(?,00000105), ref: 00752F86
    • LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00752FA5
    • GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00752FB9
    • FreeLibrary.KERNEL32(00000000), ref: 00752FEB
    • SetCurrentDirectoryA.KERNEL32(007591E4), ref: 0075300F
      • Part of subcall function 007551A5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00752F40,?,00000002,00000000), ref: 007551C1
    Similarity
    • API ID: DirectoryLibrary$AddressAllocCurrentFreeLoadLocalProcSystem
    • String ID: DecryptFileA$advapi32.dll
    • API String ID: 3303808097-2381948369
    • Opcode ID: 4e03d363905cfeefae64e7d621371c1460a543425c47994733559fac3c63c4f8
    • Instruction ID: d4ee9cec074e65140348cb3e5fbfbdc5cddca48c63c39b9595b5a9d5614ca21b
    • Opcode Fuzzy Hash: 4e03d363905cfeefae64e7d621371c1460a543425c47994733559fac3c63c4f8
    • Instruction Fuzzy Hash: 3341DB30A00349DBDB70AB31AD496D977A99B543D3F008165AD09D20E1EFFCCD4DC665
    Uniqueness

    Uniqueness Score: -1.00%

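The "APIs" lists in these records are the quickest way to triage a function, but their arguments are raw stack slots: a "?" is a value the tracer did not resolve, and in the `LoadLibraryA.KERNEL32(?,advapi32.dll)` line above the decompilation shows the real argument is a full system-directory path, not the bare name that sits in the next slot. The following is an added example for this report, not tooling from Joe Sandbox: a parser for these bullet lines and three triage rules (bare-name versus full-path versus unresolved DLL loads, a value written under a Run/RunOnce key opened earlier in the same function, and imports resolved at run time through GetProcAddress). The sample lines are copied from records on this page; their grouping into one input is constructed.

```python
"""Parser and triage rules for the per-function "APIs" lines of this report.
Added example, not Joe Sandbox tooling."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

API_LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
AUTOSTART_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?(?:Ex)?$", re.IGNORECASE)
LOADLIB_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Lines taken from records on this page (RunOnce writer, E00752F10, E007551A5 subcall).
SAMPLE_LINES = r"""
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 007522AA
• RegQueryValueExA.ADVAPI32(?,00758530,00000000,00000000,?,?,00000001), ref: 007522DF
• memset.MSVCRT ref: 007522FC
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0075230C
• RegSetValueExA.ADVAPI32(?,00758530,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 00752375
• RegCloseKey.ADVAPI32(?), ref: 00752381
• LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00752FA5
• GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00752FB9
  • Part of subcall function 007551A5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00752F40,?,00000002,00000000), ref: 007551C1
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: str = ""
    subcall: Optional[str] = None   # set when the line is "Part of subcall function X"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines into ApiCall records; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(m.group("api"), m.group("module"),
                             args.split(",") if args else [], m.group("ref"), m.group("sub")))
    return calls


def triage(calls: List[ApiCall]) -> List[str]:
    """Apply the three rules in call order and return one finding string per hit."""
    findings = []
    autostart_key_open = False
    for c in calls:
        if c.api in LOADLIB_APIS and c.args:
            name = c.args[0]   # lpLibFileName is the first slot; later slots are not arguments
            if name == "?":
                findings.append(f"{c.api}@{c.ref}: library name unresolved in trace, check the decompilation")
            elif "\\" in name:
                findings.append(f"{c.api}@{c.ref}: full-path load of {name}")
            else:
                findings.append(f"{c.api}@{c.ref}: bare-name load of {name} (search-order dependent)")
        elif c.api.startswith("RegOpenKeyEx") and len(c.args) > 1 and AUTOSTART_KEY_RE.search(c.args[1]):
            autostart_key_open = True
        elif c.api.startswith("RegSetValueEx") and autostart_key_open:
            findings.append(f"{c.api}@{c.ref}: value written under an autostart (Run/RunOnce) key")
        elif c.api == "GetProcAddress" and len(c.args) > 1:
            findings.append(f"GetProcAddress@{c.ref}: resolves {c.args[1]} at run time")
    return findings
```

The autostart rule deliberately keys on the key path passed to RegOpenKeyExA rather than on the RegSetValueExA line, whose arguments are all unresolved here; that is the general pattern for these traces, where the string arguments survive in the opening call and the handle-based calls that follow show only "?".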
    C-Code - Quality: 95%
    			E00752AA5(CHAR* __ecx, char* __edx, CHAR* _a4) {
    				signed int _v8;
    				char _v268;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t16;
    				int _t21;
    				char _t32;
    				intOrPtr _t34;
    				char* _t38;
    				char _t42;
    				char* _t44;
    				CHAR* _t52;
    				intOrPtr* _t55;
    				CHAR* _t59;
    				void* _t62;
    				CHAR* _t64;
    				CHAR* _t65;
    				signed int _t66;
    
    				_t60 = __edx;
    				_t16 =  *0x758004; // 0xb49f60cf
    				_t17 = _t16 ^ _t66;
    				_v8 = _t16 ^ _t66;
    				_t65 = _a4;
    				_t44 = __edx;
    				_t64 = __ecx;
    				if( *((char*)(__ecx)) != 0) {
    					GetModuleFileNameA( *0x759a3c,  &_v268, 0x104);
    					while(1) {
    						_t17 =  *_t64;
    						if(_t17 == 0) {
    							break;
    						}
    						_t21 = IsDBCSLeadByte(_t17);
    						 *_t65 =  *_t64;
    						if(_t21 != 0) {
    							_t65[1] = _t64[1];
    						}
    						if( *_t64 != 0x23) {
    							L19:
    							_t65 = CharNextA(_t65);
    						} else {
    							_t64 = CharNextA(_t64);
    							if(CharUpperA( *_t64) != 0x44) {
    								if(CharUpperA( *_t64) != 0x45) {
    									if( *_t64 == 0x23) {
    										goto L19;
    									}
    								} else {
    									E007516A0(_t65, E007517E8(_t44, _t65),  &_v268);
    									_t52 = _t65;
    									_t14 =  &(_t52[1]); // 0x2
    									_t60 = _t14;
    									do {
    										_t32 =  *_t52;
    										_t52 =  &(_t52[1]);
    									} while (_t32 != 0);
    									goto L17;
    								}
    							} else {
    								E00756592( &_v268);
    								_t55 =  &_v268;
    								_t62 = _t55 + 1;
    								do {
    									_t34 =  *_t55;
    									_t55 = _t55 + 1;
    								} while (_t34 != 0);
    								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
    								if(_t38 != 0 &&  *_t38 == 0x5c) {
    									 *_t38 = 0;
    								}
    								E007516A0(_t65, E007517E8(_t44, _t65),  &_v268);
    								_t59 = _t65;
    								_t12 =  &(_t59[1]); // 0x2
    								_t60 = _t12;
    								do {
    									_t42 =  *_t59;
    									_t59 =  &(_t59[1]);
    								} while (_t42 != 0);
    								L17:
    								_t65 =  &(_t65[_t52 - _t60]);
    							}
    						}
    						_t64 = CharNextA(_t64);
    					}
    					 *_t65 = _t17;
    				}
    				return E00756C80(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00752ADF
    • IsDBCSLeadByte.KERNEL32(00000000), ref: 00752AEB
    • CharNextA.USER32(?), ref: 00752B0B
    • CharUpperA.USER32 ref: 00752B17
    • CharPrevA.USER32(?,?), ref: 00752B4E
    • CharNextA.USER32(?), ref: 00752BCD
    Similarity
    • API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
    • String ID:
    • API String ID: 571164536-0
    • Opcode ID: 3c94615da6d56b9ca4e0057bfa1d5cc9954bbac1ee95334aced982589b9028f6
    • Instruction ID: 6227ffad8fda8a225037375bebc7df90cfdb0c5798ba3e94da29a14a8bcf5797
    • Opcode Fuzzy Hash: 3c94615da6d56b9ca4e0057bfa1d5cc9954bbac1ee95334aced982589b9028f6
    • Instruction Fuzzy Hash: DB411074504249AFDB159F348814AFD7BA99F57302F5481A9DCC293202EBBC4E8B8B64
    Uniqueness

    Uniqueness Score: -1.00%

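E00752AA5 above rewrites a string by expanding `#`-prefixed tokens: `#D` becomes the directory of the running module (GetModuleFileNameA, file name stripped, trailing backslash removed via CharPrevA), `#E` becomes the module's full path, `##` becomes a literal `#`, and, because the copied `#` is never advanced past, a `#` followed by any other character is dropped together with that character. The following is an added example for this report, not code from wextract.exe: a model of that expansion with the module path passed in, useful when a rule has to resolve what a package's stored strings turn into at run time. The DBCS lead-byte handling is left out (input is a str), and the assumption that E00756592 strips the file name is the editor's, based on the CharPrevA backslash removal that follows it. The module path in the test is constructed.

```python
"""Model of the #D / #E / ## expansion in E00752AA5. Added example, not sample code."""


def expand_module_tokens(template: str, module_path: str) -> str:
    """Expand #D (module directory), #E (module path) and ## (literal '#').

    As in the binary, '#' followed by any other character, or at the end of the
    string, is dropped together with that character.
    """
    # E00756592 + CharPrevA (assumed): module directory without a trailing backslash
    module_dir = module_path.rsplit("\\", 1)[0] if "\\" in module_path else ""
    out = []
    i, n = 0, len(template)
    while i < n:
        ch = template[i]
        if ch != "#":
            out.append(ch)
            i += 1
            continue
        i += 1                                        # CharNextA past the '#'
        nxt = template[i].upper() if i < n else ""    # CharUpperA on the following char
        if nxt == "D":
            out.append(module_dir)
        elif nxt == "E":
            out.append(module_path)
        elif nxt == "#":
            out.append("#")
        # any other character: nothing is emitted, the copied '#' is overwritten
        i += 1                                        # CharNextA at the end of the loop body
    return "".join(out)
```

A rule that matches on the literal `#E` or `#D` in a package's strings will never match the process command line observed at run time; expand first, then compare.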
    C-Code - Quality: 100%
    			E007528E3(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
    				void* _v8;
    				char* _v12;
    				intOrPtr _v16;
    				void* _v20;
    				intOrPtr _v24;
    				int _v28;
    				char _v32;
    				void* _v36;
    				int _v40;
    				void* _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				long _t68;
    				void* _t70;
    				void* _t73;
    				void* _t79;
    				void* _t83;
    				void* _t87;
    				void* _t88;
    				intOrPtr _t93;
    				intOrPtr _t97;
    				intOrPtr _t99;
    				int _t101;
    				void* _t103;
    				void* _t106;
    				void* _t109;
    				void* _t110;
    
    				_v12 = __edx;
    				_t99 = __ecx;
    				_t106 = 0;
    				_v16 = __ecx;
    				_t87 = 0;
    				_t103 = 0;
    				_v20 = 0;
    				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
    					L19:
    					_t106 = 1;
    				} else {
    					_t62 = 0;
    					_v8 = 0;
    					while(1) {
    						_v24 =  *((intOrPtr*)(_t99 + 0x80));
    						if(E00752770(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
    							goto L20;
    						}
    						_t11 =  &_v32; // 0x753926
    						_t68 = GetFileVersionInfoSizeA(_v12, _t11);
    						_v28 = _t68;
    						if(_t68 == 0) {
    							_t99 = _v16;
    							_t70 = _v8 + _t99;
    							_t93 = _v24;
    							_t87 = _v20;
    							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
    								goto L18;
    							}
    						} else {
    							_t103 = GlobalAlloc(0x42, _t68);
    							if(_t103 != 0) {
    								_t73 = GlobalLock(_t103);
    								_v36 = _t73;
    								if(_t73 != 0) {
    									_t16 =  &_v32; // 0x753926
    									if(GetFileVersionInfoA(_v12,  *_t16, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
    										L15:
    										GlobalUnlock(_t103);
    										_t99 = _v16;
    										L18:
    										_t87 = _t87 + 1;
    										_t62 = _v8 + 0x3c;
    										_v20 = _t87;
    										_v8 = _v8 + 0x3c;
    										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
    											continue;
    										} else {
    											goto L19;
    										}
    									} else {
    										_t79 = _v44;
    										_t88 = _t106;
    										_v28 =  *((intOrPtr*)(_t79 + 0xc));
    										_t101 = _v28;
    										_v48 =  *((intOrPtr*)(_t79 + 8));
    										_t83 = _v8 + _v16 + _v24 + 0x94;
    										_t97 = _v48;
    										_v36 = _t83;
    										_t109 = _t83;
    										do {
    											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E00752A82(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
    											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E00752A82(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
    											_t109 = _t109 + 0x18;
    											_t88 = _t88 + 4;
    										} while (_t88 < 8);
    										_t87 = _v20;
    										_t106 = 0;
    										if(_v56 < 0 || _v64 > 0) {
    											if(_v52 < _t106 || _v60 > _t106) {
    												GlobalUnlock(_t103);
    											} else {
    												goto L15;
    											}
    										} else {
    											goto L15;
    										}
    									}
    								}
    							}
    						}
    						goto L20;
    					}
    				}
    				L20:
    				 *_a8 = _t87;
    				if(_t103 != 0) {
    					GlobalFree(_t103);
    				}
    				return _t106;
    			}

    APIs
    • GlobalFree.KERNEL32(00000000), ref: 00752A6A
      • Part of subcall function 00752770: CharUpperA.USER32(B49F60CF,00000000,00000000,00000000), ref: 007527A5
      • Part of subcall function 00752770: CharNextA.USER32(0000054D), ref: 007527B2
      • Part of subcall function 00752770: CharNextA.USER32(00000000), ref: 007527B9
      • Part of subcall function 00752770: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00752826
      • Part of subcall function 00752770: RegQueryValueExA.ADVAPI32(?,00751140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0075284F
      • Part of subcall function 00752770: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0075286D
      • Part of subcall function 00752770: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0075289D
    • GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00753926,?,?,?,?,-00000005), ref: 00752953
    • GlobalLock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00753926,?,?,?,?,-00000005,?), ref: 00752964
    • GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00753926,?,?,?,?,-00000005,?), ref: 00752A1C
    • GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00753926,?,?), ref: 00752A7A
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
    • String ID: &9u
    • API String ID: 3949799724-3983207241
    • Opcode ID: 08ef6b1a6e881973969b4f8a8d0ff73dd9b0e4128e84be3373ad908d00a21daa
    • Instruction ID: 3bec96865e8af26cf1f81577562f8f6e19769aeeb1227b7c1686e1932da6c6ac
    • Opcode Fuzzy Hash: 08ef6b1a6e881973969b4f8a8d0ff73dd9b0e4128e84be3373ad908d00a21daa
    • Instruction Fuzzy Hash: E3513031E00219EFDB21CF94C884AEEB7B5FF49702F14812AED15E3252D7B99946CB94
    Uniqueness

    Uniqueness Score: -1.00%
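    The subcall at 00752770 listed above resolves a program name before anything is executed: it upper-cases and walks the name (CharUpperA, CharNextA), opens HKEY_LOCAL_MACHINE (0x80000002) with KEY_READ (0x20019) under Software\Microsoft\Windows\CurrentVersion\App Paths, queries a value, and passes the result through ExpandEnvironmentStringsA into a MAX_PATH (0x104) buffer. The practical consequence is that whoever can write the matching App Paths key, or control an environment variable the value refers to, decides which binary actually runs. The Python below is an added example, not code from the report or from wextract: it models that resolution with an injected registry lookup so it runs anywhere, then audits a set of entries for the two redirection cases. It assumes the value read is the key's default value (the value-name argument 0x751140 is not resolved on the page), and the sample registry and environment are constructed here.

```python
import re
from typing import Callable, List, Mapping, Optional, Tuple

# Values taken from the API arguments in the listing above.
HKLM = 0x80000002            # RegOpenKeyExA root
KEY_READ = 0x20019           # samDesired passed to RegOpenKeyExA
MAX_PATH = 0x104             # size of the ExpandEnvironmentStringsA output buffer
APP_PATHS = r"Software\Microsoft\Windows\CurrentVersion\App Paths"

# Path fragments a standard user can usually write to (assumption used by the audit).
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")

RegistryLookup = Callable[[str], Optional[str]]


def expand_environment_strings(value: str, env: Mapping[str, str]) -> str:
    """Model of ExpandEnvironmentStringsA: %NAME% is replaced from the case-
    insensitive environment, and an unknown %NAME% is left in place."""
    upper_env = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper_env.get(m.group(1).upper(), m.group(0)), value)


def make_registry(app_paths: Mapping[str, str]) -> RegistryLookup:
    """Hypothetical stand-in for RegOpenKeyExA + RegQueryValueExA against HKLM:
    maps 'App Paths\\<exe>' to the key's default value, matching key names
    case-insensitively as the real registry does."""
    table = {(APP_PATHS + "\\" + exe).upper(): default for exe, default in app_paths.items()}
    return lambda key_path: table.get(key_path.upper())


def resolve_app_path(name: str, registry: RegistryLookup, env: Mapping[str, str]) -> Optional[str]:
    """Emulate the resolution done by subcall 00752770: upper-case the program
    name (CharUpperA), read its App Paths default value, expand %VAR% references,
    and treat a result that does not fit the 0x104-byte buffer as a failure."""
    raw = registry(APP_PATHS + "\\" + name.upper())
    if raw is None:
        return None
    expanded = expand_environment_strings(raw, env)
    return expanded if len(expanded) + 1 <= MAX_PATH else None


def audit_app_paths(app_paths: Mapping[str, str], env: Mapping[str, str]) -> List[Tuple[str, str, str]]:
    """Resolve every entry the way the extractor would and report the ones an
    attacker could redirect: a target in a user-writable directory, or a value
    depending on an environment variable that the system does not define."""
    registry = make_registry(app_paths)
    findings: List[Tuple[str, str, str]] = []
    for exe, raw in app_paths.items():
        resolved = resolve_app_path(exe, registry, env)
        if resolved is None:
            findings.append((exe, raw, "unresolvable or longer than MAX_PATH"))
        elif "%" in resolved:
            findings.append((exe, resolved, "unexpanded environment variable"))
        elif any(hint in resolved.lower() for hint in USER_WRITABLE_HINTS):
            findings.append((exe, resolved, "target in user-writable location"))
    return findings


# Constructed sample data; not taken from the analysed machine.
SAMPLE_ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}
SAMPLE_APP_PATHS = {
    "notepad.exe": r"%SystemRoot%\system32\notepad.exe",      # expected
    "setup.exe": r"%ProgramFiles%\Vendor\setup.exe",          # expected
    "helper.exe": r"C:\Users\Public\helper.exe",              # any local user can replace it
    "tool.exe": r"%BUILDROOT%\tool.exe",                      # %BUILDROOT% is not defined
}

if __name__ == "__main__":
    for exe, resolved, reason in audit_app_paths(SAMPLE_APP_PATHS, SAMPLE_ENV):
        print(f"{exe}: {resolved} ({reason})")
```

    On a real host the same audit is a walk over the App Paths subkeys with the injected lookup replaced by the registry API; the two findings the sample produces (a target under a user-writable directory and a value whose variable never expands) are the cases worth checking before trusting what a package will launch.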

    C-Code - Quality: 83%
    			E00753FDB(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
    				signed int _v8;
    				char _v524;
    				long _v528;
    				struct _PROCESS_INFORMATION _v544;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t20;
    				void* _t22;
    				intOrPtr* _t39;
    				signed int _t44;
    				void* _t49;
    				signed int _t50;
    				intOrPtr _t53;
    
    				_t45 = __edx;
    				_t20 =  *0x758004; // 0xb49f60cf
    				_v8 = _t20 ^ _t50;
    				_t39 = __ecx;
    				_t49 = 1;
    				_t22 = 0;
    				if(__ecx == 0) {
    					L13:
    					return E00756C80(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
    				}
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				if(CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544) == 0) {
    					 *0x759124 = E00756233();
    					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0);
    					_t45 = 0x4c4;
    					E00754495(0, 0x4c4, _t39,  &_v524, 0x10, 0);
    					L11:
    					_t49 = 0;
    					L12:
    					_t22 = _t49;
    					goto L13;
    				}
    				WaitForSingleObject(_v544.hProcess, 0xffffffff);
    				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528);
    				_t44 = _v528;
    				_t53 =  *0x758a28; // 0x0
    				if(_t53 == 0) {
    					_t34 =  *0x759a2c;
    					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
    						_t34 = _t44 & 0xff000000;
    						if((_t44 & 0xff000000) == 0xaa000000) {
    							 *0x759a2c = _t44;
    						}
    					}
    				}
    				E00754105(_t34, _t44);
    				CloseHandle(_v544.hThread);
    				CloseHandle(_v544);
    				if(( *0x759a34 & 0x00000400) == 0 || _v528 >= 0) {
    					goto L12;
    				} else {
    					goto L11;
    				}
    			}

    Instruction addresses: 0x00753fdb to 0x00754104

    APIs
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 0075401F
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00754035
    • GetExitCodeProcess.KERNEL32(?,?), ref: 00754048
    • CloseHandle.KERNEL32(?), ref: 00754088
    • CloseHandle.KERNEL32(?), ref: 00754094
    • GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 007540C8
    • FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 007540D5
    Similarity
    • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
    • String ID:
    • API String ID: 3183975587-0
    • Opcode ID: 5f4ee751b79760b2132e9bc5734d6b88a010b76a54e45d7bc039e528a243ec64
    • Instruction ID: cf6f1bda935a508d4ee8350b06aa4588751002a8804cceb22494b2714c1fce74
    • Opcode Fuzzy Hash: 5f4ee751b79760b2132e9bc5734d6b88a010b76a54e45d7bc039e528a243ec64
    • Instruction Fuzzy Hash: A031A93154031CBBEB209B25DC4DFEB777CEB94706F2081A9FA09D11A0CAB94D86CB25
    Uniqueness

    Uniqueness Score: -1.00%
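    E00753FDB is the launcher: CreateProcessA with the command line it receives (creation flags 0x20 = NORMAL_PRIORITY_CLASS, STARTUPINFOA of size 0x44), WaitForSingleObject with an INFINITE (0xFFFFFFFF) timeout, then GetExitCodeProcess. If CreateProcessA fails, GetLastError is stored through E00756233, formatted with FormatMessageA (0x1000 = FORMAT_MESSAGE_FROM_SYSTEM) and shown through E00754495 with message ID 0x4c4, and the function returns 0. After a successful wait the decompilation shows two decisions it does not name: when the global at 0x758a28 is 0, the global at 0x759a2c has bit 0 set and bit 1 clear, and the exit code's top byte is 0xAA, the exit code is written into 0x759a2c; and the call only fails when the option word at 0x759a34 has bit 0x400 set and the exit code, read as a signed 32-bit value, is negative. The Python below is an added example, not code from the report: it runs a child with subprocess as a stand-in for the three API calls and applies exactly that evaluation. The bit names are labels chosen here; the page does not say what those globals mean.

```python
import subprocess
import sys
from dataclasses import dataclass
from typing import Sequence

# Bit positions observed in E00753FDB; the names are labels chosen for this example.
STATE_EXPECT_REBOOT_CODE = 0x1      # bit 0 of the global at 0x759a2c
STATE_REBOOT_CODE_SEEN = 0x2        # bit 1 of the same global
OPT_FAIL_ON_NEGATIVE = 0x400        # bit tested in the option word at 0x759a34
REBOOT_CODE_TAG = 0xAA000000        # top byte the exit code is compared against


@dataclass
class RunOutcome:
    success: bool
    exit_code: int        # unsigned 32-bit, as GetExitCodeProcess reports it
    reboot_state: int     # new value of the 0x759a2c global


def to_signed32(value: int) -> int:
    """Reinterpret a DWORD the way the `_v528 >= 0` comparison does."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def evaluate_exit(exit_code: int, reboot_state: int, options: int, pending: int = 0) -> RunOutcome:
    """Apply the post-wait logic of E00753FDB to a child's exit code.
    `pending` models the global at 0x758a28: the latch is only attempted when it is 0."""
    exit_code &= 0xFFFFFFFF
    new_state = reboot_state
    latch_armed = (reboot_state & STATE_EXPECT_REBOOT_CODE) and not (reboot_state & STATE_REBOOT_CODE_SEEN)
    if pending == 0 and latch_armed and (exit_code & 0xFF000000) == REBOOT_CODE_TAG:
        new_state = exit_code
    failed = bool(options & OPT_FAIL_ON_NEGATIVE) and to_signed32(exit_code) < 0
    return RunOutcome(not failed, exit_code, new_state)


def run_and_evaluate(argv: Sequence[str], reboot_state: int = 0, options: int = 0) -> RunOutcome:
    """subprocess stand-in for CreateProcessA + WaitForSingleObject(INFINITE) +
    GetExitCodeProcess. A launch failure is reported as failure, as the original
    does after recording GetLastError."""
    try:
        proc = subprocess.run(list(argv), check=False)
    except OSError:
        return RunOutcome(False, 0, reboot_state)
    return evaluate_exit(proc.returncode, reboot_state, options)


if __name__ == "__main__":
    outcome = run_and_evaluate([sys.executable, "-c", "raise SystemExit(3)"], options=OPT_FAIL_ON_NEGATIVE)
    print(outcome)
```

    The point worth keeping from this function is that a child's exit code is normally not an error for the extractor: unless the 0x400 option is set, even a negative (HRESULT-style) exit code is reported as success, and a child that returns a 0xAA-tagged code can change later behaviour through the latched global.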

    C-Code - Quality: 86%
    			E007543AE(struct HWND__* __ecx, struct HWND__* __edx) {
    				signed int _v8;
    				struct tagRECT _v24;
    				struct tagRECT _v40;
    				struct HWND__* _v44;
    				intOrPtr _v48;
    				int _v52;
    				intOrPtr _v56;
    				int _v60;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t29;
    				void* _t53;
    				intOrPtr _t56;
    				int _t59;
    				struct HWND__* _t63;
    				struct HWND__* _t67;
    				struct HWND__* _t68;
    				struct HDC__* _t69;
    				int _t72;
    				signed int _t74;
    
    				_t63 = __edx;
    				_t29 =  *0x758004; // 0xb49f60cf
    				_v8 = _t29 ^ _t74;
    				_t68 = __edx;
    				_v44 = __ecx;
    				GetWindowRect(__ecx,  &_v40);
    				_t53 = _v40.bottom - _v40.top;
    				_v48 = _v40.right - _v40.left;
    				GetWindowRect(_t68,  &_v24);
    				_v56 = _v24.bottom - _v24.top;
    				_t69 = GetDC(_v44);
    				_v52 = GetDeviceCaps(_t69, 8);
    				_v60 = GetDeviceCaps(_t69, 0xa);
    				ReleaseDC(_v44, _t69);
    				_t56 = _v48;
    				asm("cdq");
    				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
    				_t67 = 0;
    				if(_t72 >= 0) {
    					_t63 = _v52;
    					if(_t72 + _t56 > _t63) {
    						_t72 = _t63 - _t56;
    					}
    				} else {
    					_t72 = _t67;
    				}
    				asm("cdq");
    				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
    				if(_t59 >= 0) {
    					_t63 = _v60;
    					if(_t59 + _t53 > _t63) {
    						_t59 = _t63 - _t53;
    					}
    				} else {
    					_t59 = _t67;
    				}
    				return E00756C80(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
    			}

    Instruction addresses: 0x007543ae to 0x00754494

    APIs
    • GetWindowRect.USER32(?,?), ref: 007543CF
    • GetWindowRect.USER32(00000000,?), ref: 007543E9
    • GetDC.USER32(?), ref: 00754401
    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0075440C
    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00754418
    • ReleaseDC.USER32(?,00000000), ref: 00754425
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 00754480
    Similarity
    • API ID: Window$CapsDeviceRect$Release
    • String ID:
    • API String ID: 2212493051-0
    • Opcode ID: 773397e6b46ad6e3b1ae902ea0f7cfc80309182b98c7c4b8467a3b6a086e975d
    • Instruction ID: b8c2a4ce0095d47488dc03576ae8aad2d5c05aa1585ebe364aa3e0cdebb1bb6e
    • Opcode Fuzzy Hash: 773397e6b46ad6e3b1ae902ea0f7cfc80309182b98c7c4b8467a3b6a086e975d
    • Instruction Fuzzy Hash: 61316131E00219AFCF14CFB8DD889EEBBB5EB88311F144229F905F3240E6B4AC458B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E00756246(intOrPtr __ecx, intOrPtr* __edx) {
    				signed int _v8;
    				char _v28;
    				intOrPtr _v32;
    				struct HINSTANCE__* _v36;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t16;
    				struct HRSRC__* _t21;
    				intOrPtr _t26;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				intOrPtr* _t40;
    				void* _t41;
    				intOrPtr* _t44;
    				intOrPtr* _t45;
    				void* _t47;
    				signed int _t50;
    				struct HINSTANCE__* _t51;
    
    				_t44 = __edx;
    				_t16 =  *0x758004; // 0xb49f60cf
    				_v8 = _t16 ^ _t50;
    				_t46 = 0;
    				_v32 = __ecx;
    				_v36 = 0;
    				_t36 = 1;
    				E0075173E( &_v28, 0x14, "UPDFILE%lu", 0);
    				while(1) {
    					_t51 = _t51 + 0x10;
    					_t21 = FindResourceA(_t46,  &_v28, 0xa);
    					if(_t21 == 0) {
    						break;
    					}
    					_t45 = LockResource(LoadResource(_t46, _t21));
    					if(_t45 == 0) {
    						 *0x759124 = 0x80070714;
    						_t36 = _t46;
    					} else {
    						_t5 = _t45 + 8; // 0x8
    						_t44 = _t5;
    						_t40 = _t44;
    						_t6 = _t40 + 1; // 0x9
    						_t47 = _t6;
    						do {
    							_t26 =  *_t40;
    							_t40 = _t40 + 1;
    						} while (_t26 != 0);
    						_t41 = _t40 - _t47;
    						_t46 = _t51;
    						_t7 = _t41 + 1; // 0xa
    						 *0x75a288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
    						_t30 = _v32();
    						if(_t51 != _t51) {
    							asm("int 0x29");
    						}
    						_push(_t45);
    						if(_t30 == 0) {
    							_t36 = 0;
    							FreeResource(??);
    						} else {
    							FreeResource();
    							_v36 = _v36 + 1;
    							E0075173E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
    							_t46 = 0;
    							continue;
    						}
    					}
    					L12:
    					return E00756C80(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
    				}
    				goto L12;
    			}

    Instruction addresses: 0x00756246 to 0x00756329

    APIs
      • Part of subcall function 0075173E: _vsnprintf.MSVCRT ref: 00751770
    • LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,0075518A,00000004,00000024,00752F64,?,00000002,00000000), ref: 0075627B
    • LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,0075518A,00000004,00000024,00752F64,?,00000002,00000000), ref: 00756282
    • FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,0075518A,00000004,00000024,00752F64,?,00000002,00000000), ref: 007562C9
    • FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 007562F3
    • FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,0075518A,00000004,00000024,00752F64,?,00000002,00000000), ref: 00756305
    Similarity
    • API ID: Resource$Free$FindLoadLock_vsnprintf
    • String ID: UPDFILE%lu
    • API String ID: 2922116661-2329316264
    • Opcode ID: 1dfcccb552ba72f4e92f0c4399d1d68814c9a358755b5c109fa4024546dc3694
    • Instruction ID: 49c8c6417cf076dec51196acd22d9c4da9b46b93c02fadbd3b21266792c8f76f
    • Opcode Fuzzy Hash: 1dfcccb552ba72f4e92f0c4399d1d68814c9a358755b5c109fa4024546dc3694
    • Instruction Fuzzy Hash: C221B475A00219EBDB109F659C499FE7B78EF48716B404229ED01A3240DBBD9D0A87E5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E007567CB(void* __ebx) {
    				signed int _v8;
    				char _v20;
    				struct _OSVERSIONINFOA _v168;
    				void* _v172;
    				int* _v176;
    				int _v180;
    				int _v184;
    				void* __edi;
    				void* __esi;
    				signed int _t19;
    				long _t31;
    				signed int _t35;
    				void* _t36;
    				intOrPtr _t41;
    				signed int _t44;
    
    				_t36 = __ebx;
    				_t19 =  *0x758004; // 0xb49f60cf
    				_v8 = _t19 ^ _t44;
    				_t41 =  *0x7581d8; // 0x0
    				_t43 = 0;
    				_v180 = 0xc;
    				_v176 = 0;
    				if(_t41 == 0xfffffffe) {
    					 *0x7581d8 = 0;
    					_v168.dwOSVersionInfoSize = 0x94;
    					if(GetVersionExA( &_v168) == 0) {
    						L12:
    						_t41 =  *0x7581d8; // 0x0
    					} else {
    						_t41 = 1;
    						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
    							goto L12;
    						} else {
    							_t31 = RegQueryValueExA(_v172, 0x751140, 0,  &_v184,  &_v20,  &_v180);
    							_t43 = _t31;
    							RegCloseKey(_v172);
    							if(_t31 != 0) {
    								goto L12;
    							} else {
    								_t40 =  &_v176;
    								if(E007566A1( &_v20,  &_v176) == 0) {
    									goto L12;
    								} else {
    									_t35 = _v176 & 0x000003ff;
    									if(_t35 == 1 || _t35 == 0xd) {
    										 *0x7581d8 = _t41;
    									} else {
    										goto L12;
    									}
    								}
    							}
    						}
    					}
    				}
    				return E00756C80(_t41, _t36, _v8 ^ _t44, _t40, _t41, _t43);
    			}

    Instruction addresses: 0x007567cb to 0x007568fb

    APIs
    • GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0075681A
    • GetSystemMetrics.USER32(0000004A), ref: 00756853
    • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00756878
    • RegQueryValueExA.ADVAPI32(?,00751140,00000000,?,?,0000000C), ref: 007568A0
    • RegCloseKey.ADVAPI32(?), ref: 007568AE
      • Part of subcall function 007566A1: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,007568C6), ref: 007566E9
    Strings
    • Control Panel\Desktop\ResourceLocale, xrefs: 0075686E
    Similarity
    • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
    • String ID: Control Panel\Desktop\ResourceLocale
    • API String ID: 3346862599-1109908249
    • Opcode ID: 3e6533892513ce84454ec886d3ed50218ac46ee4e36f67e846d2c5c9960f03a9
    • Instruction ID: 7724a6f169903c8092d6695f65b68f33b205358ce68cf4e2718e18c877b35c67
    • Opcode Fuzzy Hash: 3e6533892513ce84454ec886d3ed50218ac46ee4e36f67e846d2c5c9960f03a9
    • Instruction Fuzzy Hash: 8C318035A00328DFDB208B11CD05BEAB7B9EB41762F4041A9E909A3140DBBCEDC9DF56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E007551A5(void* __eflags) {
    				void* _t6;
    				void* _t28;
    
    				_t1 = E00754669("UPROMPT", 0, 0) + 1; // 0x1
    				_t28 = LocalAlloc(0x40, _t1);
    				if(_t28 != 0) {
    					if(E00754669("UPROMPT", _t28, _t29) != 0) {
    						if(lstrcmpA(_t28, "<None>") != 0) {
    							_t6 = E00754495(0, 0x3e9, _t28, 0, 0x20, 4);
    							LocalFree(_t28);
    							if(_t6 != 6) {
    								 *0x759124 = 0x800704c7;
    								L10:
    								return 0;
    							}
    							 *0x759124 = 0;
    							L6:
    							return 1;
    						}
    						LocalFree(_t28);
    						goto L6;
    					}
    					E00754495(0, 0x4b1, 0, 0, 0x10, 0);
    					LocalFree(_t28);
    					 *0x759124 = 0x80070714;
    					goto L10;
    				}
    				E00754495(0, 0x4b5, 0, 0, 0x10, 0);
    				 *0x759124 = E00756233();
    				goto L10;
    			}

    Instruction addresses: 0x007551bb to 0x00755270

    APIs
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075467A
      • Part of subcall function 00754669: SizeofResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00754683
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075469D
      • Part of subcall function 00754669: LoadResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A6
      • Part of subcall function 00754669: LockResource.KERNEL32(00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546AD
      • Part of subcall function 00754669: memcpy_s.MSVCRT ref: 007546BF
      • Part of subcall function 00754669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546C9
    • LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00752F40,?,00000002,00000000), ref: 007551C1
    • LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00755210
      • Part of subcall function 00754495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 007544F4
      • Part of subcall function 00754495: MessageBoxA.USER32(?,?,00759154,00010010), ref: 00754530
      • Part of subcall function 00756233: GetLastError.KERNEL32(00755B72), ref: 00756233
    Similarity
    • API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
    • String ID: <None>$UPROMPT
    • API String ID: 957408736-2980973527
    • Opcode ID: 291754b803be0d19a8f0b3a9e71588e3014c4d2b8eec1a7a867b95742b718a2f
    • Instruction ID: ea506e497c5c7f09b67763138a0ec649d7da04bb98145651babd059a59c0900a
    • Opcode Fuzzy Hash: 291754b803be0d19a8f0b3a9e71588e3014c4d2b8eec1a7a867b95742b718a2f
    • Instruction Fuzzy Hash: 8D1100B1240745FBE7106BB15C59FEB21ADEB89387F508039BF06DA180EAFD8C094629
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00753A2B(void* __eflags) {
    				void* _t3;
    				void* _t9;
    				CHAR* _t16;
    
    				_t16 = "LICENSE";
    				_t1 = E00754669(_t16, 0, 0) + 1; // 0x1
    				_t3 = LocalAlloc(0x40, _t1);
    				 *0x758d4c = _t3;
    				if(_t3 != 0) {
    					_t19 = _t16;
    					if(E00754669(_t16, _t3, _t28) != 0) {
    						if(lstrcmpA( *0x758d4c, "<None>") == 0) {
    							LocalFree( *0x758d4c);
    							L9:
    							 *0x759124 = 0;
    							return 1;
    						}
    						_t9 = E007564C3(_t19, 0x7d1, 0, E007530F0, 0, 0);
    						LocalFree( *0x758d4c);
    						if(_t9 != 0) {
    							goto L9;
    						}
    						 *0x759124 = 0x800704c7;
    						L2:
    						return 0;
    					}
    					E00754495(0, 0x4b1, 0, 0, 0x10, 0);
    					LocalFree( *0x758d4c);
    					 *0x759124 = 0x80070714;
    					goto L2;
    				}
    				E00754495(0, 0x4b5, 0, 0, 0x10, 0);
    				 *0x759124 = E00756233();
    				goto L2;
    			}

    Instruction addresses: 0x00753a32 to 0x00753b0d

    APIs
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075467A
      • Part of subcall function 00754669: SizeofResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00754683
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075469D
      • Part of subcall function 00754669: LoadResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A6
      • Part of subcall function 00754669: LockResource.KERNEL32(00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546AD
      • Part of subcall function 00754669: memcpy_s.MSVCRT ref: 007546BF
      • Part of subcall function 00754669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546C9
    • LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00752F57,?,00000002,00000000), ref: 00753A49
    • LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00753A9F
      • Part of subcall function 00754495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 007544F4
      • Part of subcall function 00754495: MessageBoxA.USER32(?,?,00759154,00010010), ref: 00754530
      • Part of subcall function 00756233: GetLastError.KERNEL32(00755B72), ref: 00756233
    • lstrcmpA.KERNEL32(<None>,00000000), ref: 00753ABC
    • LocalFree.KERNEL32 ref: 00753AFF
      • Part of subcall function 007564C3: FindResourceA.KERNEL32(?,000007D6,00000005), ref: 007564D6
      • Part of subcall function 007564C3: LoadResource.KERNEL32(?,00000000,?,?,00752EDF,00000000,00751A00,00000547,0000083E,?,?,?,?,?,?,?), ref: 007564E4
      • Part of subcall function 007564C3: DialogBoxIndirectParamA.USER32(?,00000000,00000547,00751A00,00000000), ref: 00756503
      • Part of subcall function 007564C3: FreeResource.KERNEL32(00000000,?,?,00752EDF,00000000,00751A00,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 0075650C
    • LocalFree.KERNEL32(00000000,007530F0,00000000,00000000), ref: 00753AE0
    Similarity
    • API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
    • String ID: <None>$LICENSE
    • API String ID: 2414642746-383193767
    • Opcode ID: 86c59a7c83d17145eb16ce23f1b9d5d84eb04ac37c8175398c83c738df80eb69
    • Instruction ID: 2f4c2bdb0b6c4d2e92d73778f10c03e61da018ac98ec2b6b9fd85113e660ecb0
    • Opcode Fuzzy Hash: 86c59a7c83d17145eb16ce23f1b9d5d84eb04ac37c8175398c83c738df80eb69
    • Instruction Fuzzy Hash: 6411A470700345FBD7605B329C09ED739B9DBD9743710C02ABE46DA1B0DAFD88088629
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00755880(intOrPtr* __ecx) {
    				void* _v8;
    				intOrPtr _t6;
    				void* _t12;
    				void* _t14;
    				signed char _t16;
    				void* _t20;
    				void* _t23;
    				intOrPtr* _t27;
    				CHAR* _t33;
    
    				_push(__ecx);
    				_t33 = __ecx;
    				_t27 = __ecx;
    				_t1 = _t27 + 1; // 0x7591e5
    				_t23 = _t1;
    				do {
    					_t6 =  *_t27;
    					_t27 = _t27 + 1;
    				} while (_t6 != 0);
    				_t2 = _t27 - _t23 + 0x14; // 0x7591f9
    				_t36 = _t2;
    				_t20 = LocalAlloc(0x40, _t2);
    				if(_t20 != 0) {
    					E007516A0(_t20, _t36, _t33);
    					E00756534(_t20, _t36, "TMP4351$.TMP");
    					_v8 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0);
    					LocalFree(_t20);
    					_t12 = _v8;
    					if(_t12 == 0xffffffff) {
    						goto L4;
    					} else {
    						CloseHandle(_t12);
    						_t16 = GetFileAttributesA(_t33);
    						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
    							goto L4;
    						} else {
    							 *0x759124 = 0;
    							_t14 = 1;
    						}
    					}
    				} else {
    					E00754495(0, 0x4b5, 0, 0, 0x10, 0);
    					L4:
    					 *0x759124 = E00756233();
    					_t14 = 0;
    				}
    				return _t14;
    			}

    Instruction addresses: 0x00755885 to 0x00755930

    APIs
    • LocalAlloc.KERNEL32(00000040,007591F9,00000001,007591E4,00000000,007591E4,?,007554F0,007591E4,00000001,007591E4,00000000), ref: 0075589F
    • CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,007591E4,?,007554F0,007591E4,00000001,007591E4,00000000), ref: 007558F9
    • LocalFree.KERNEL32(00000000,?,007554F0,007591E4,00000001,007591E4,00000000), ref: 00755903
    • CloseHandle.KERNEL32(00000000,?,007554F0,007591E4,00000001,007591E4,00000000), ref: 00755912
    • GetFileAttributesA.KERNEL32(007591E4,?,007554F0,007591E4,00000001,007591E4,00000000), ref: 00755919
    Similarity
    • API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
    • String ID: TMP4351$.TMP
    • API String ID: 747627703-2619824408
    • Opcode ID: d2231fc97e22d93d85c842f79a9acd8aaea4436132fc3e1fd75f40f36fa50cd6
    • Instruction ID: 33769d24d47b0d3a19fa96307b97096f94550c62ba1f73a4c683492614315532
    • Opcode Fuzzy Hash: d2231fc97e22d93d85c842f79a9acd8aaea4436132fc3e1fd75f40f36fa50cd6
    • Instruction Fuzzy Hash: 93112271601710BBD7201F795C0DBDB7E6DEF46762F104224BA0AD31C1DAF8AC0A82A8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E007524E5(void* __ebx) {
    				signed int _v8;
    				char _v268;
    				void* __edi;
    				void* __esi;
    				signed int _t7;
    				void* _t20;
    				long _t26;
    				signed int _t27;
    
    				_t20 = __ebx;
    				_t7 =  *0x758004; // 0xb49f60cf
    				_v8 = _t7 ^ _t27;
    				_t25 = 0x104;
    				_t26 = 0;
    				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
    					E00756534( &_v268, 0x104, "wininit.ini");
    					WritePrivateProfileStringA(0, 0, 0,  &_v268);
    					_t25 = _lopen( &_v268, 0x40);
    					if(_t25 != 0xffffffff) {
    						_t26 = _llseek(_t25, 0, 2);
    						_lclose(_t25);
    					}
    				}
    				return E00756C80(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
    			}

    APIs
    • GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 0075250B
    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 00752531
    • _lopen.KERNEL32(?,00000040), ref: 00752540
    • _llseek.KERNEL32(00000000,00000000,00000002), ref: 00752551
    • _lclose.KERNEL32(00000000), ref: 0075255A
    Similarity
    • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
    • String ID: wininit.ini
    • API String ID: 3273605193-4206010578
    • Opcode ID: bd149c5aa7fa7ef27b8ce8e6f54178acaa795b10f5de52aa51eeeba058efd85b
    • Instruction ID: f9ff116dcaf6eb619499aa94d28247203fb3c3e6936f1e15297179484413d195
    • Opcode Fuzzy Hash: bd149c5aa7fa7ef27b8ce8e6f54178acaa795b10f5de52aa51eeeba058efd85b
    • Instruction Fuzzy Hash: F701B531700218BBD7209B659C0CEDF7B7CEB45752F404264FA49D31D0EAF89E498669
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00753440(struct HWND__* _a4, intOrPtr _a8, int _a12) {
    				void* _t7;
    				void* _t11;
    				struct HWND__* _t12;
    				int _t22;
    				struct HWND__* _t24;
    
    				_t7 = _a8 - 0x10;
    				if(_t7 == 0) {
    					EndDialog(_a4, 2);
    					L11:
    					return 1;
    				}
    				_t11 = _t7 - 0x100;
    				if(_t11 == 0) {
    					_t12 = GetDesktopWindow();
    					_t24 = _a4;
    					E007543AE(_t24, _t12);
    					SetWindowTextA(_t24, 0x759154);
    					SetDlgItemTextA(_t24, 0x838,  *0x759404);
    					SetForegroundWindow(_t24);
    					goto L11;
    				}
    				if(_t11 == 1) {
    					_t22 = _a12;
    					if(_t22 < 6) {
    						goto L11;
    					}
    					if(_t22 <= 7) {
    						L8:
    						EndDialog(_a4, _t22);
    						return 1;
    					}
    					if(_t22 != 0x839) {
    						goto L11;
    					}
    					 *0x7591dc = 1;
    					goto L8;
    				}
    				return 0;
    			}

    APIs
    • EndDialog.USER32(?,?), ref: 00753480
    • GetDesktopWindow.USER32 ref: 0075348A
    • SetWindowTextA.USER32(?,00759154), ref: 007534A2
    • SetDlgItemTextA.USER32(?,00000838), ref: 007534B4
    • SetForegroundWindow.USER32(?), ref: 007534BB
    • EndDialog.USER32(?,00000002), ref: 007534C8
    Similarity
    • API ID: Window$DialogText$DesktopForegroundItem
    • String ID:
    • API String ID: 852535152-0
    • Opcode ID: 6e7e237b0d9f5cd1a16d632c170a175b354e8b16feb5751af115fb6254dacaf5
    • Instruction ID: fc6d84942fe0d0a6c7a46c63b562ee67242a24454784751c9e19e9fc5da1a236
    • Opcode Fuzzy Hash: 6e7e237b0d9f5cd1a16d632c170a175b354e8b16feb5751af115fb6254dacaf5
    • Instruction Fuzzy Hash: DA018C312806A8ABD7565B649C0C9F93A25EB09783F00C524FE4A965B0CBFC8A45CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00751FEC(void* __ecx) {
    				void* _v8;
    				long _t4;
    
    				if( *0x758530 != 0) {
    					_t1 =  &_v8; // 0x75534c
    					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006, _t1);
    					if(_t4 == 0) {
    						_t2 =  &_v8; // 0x75534c
    						RegDeleteValueA( *_t2, 0x758530);
    						return RegCloseKey(_v8);
    					}
    				}
    				return _t4;
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,LSu,?,?,0075534C), ref: 00752010
    • RegDeleteValueA.ADVAPI32(LSu,00758530,?,?,0075534C), ref: 00752022
    • RegCloseKey.ADVAPI32(?,?,?,0075534C), ref: 0075202B
    Similarity
    • API ID: CloseDeleteOpenValue
    • String ID: LSu$Software\Microsoft\Windows\CurrentVersion\RunOnce
    • API String ID: 849931509-459681415
    • Opcode ID: c544c0a18a11d62f6620c5da1057c6412b64f8deed98b194cd01eca16930126e
    • Instruction ID: b27abf2ede1a0b4b2b8d5f014721e9533ad959bc259d1ff13f38e80fca68d743
    • Opcode Fuzzy Hash: c544c0a18a11d62f6620c5da1057c6412b64f8deed98b194cd01eca16930126e
    • Instruction Fuzzy Hash: 44E04F7052031CBBDB208B90ED4AFDE7A69E710786F100164BA09B00E1FBE89A58D60A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E00755276(void* __ebx, char* __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				char _v268;
    				signed int _t9;
    				signed int _t11;
    				void* _t21;
    				void* _t29;
    				CHAR** _t31;
    				void* _t32;
    				signed int _t33;
    
    				_t28 = __edi;
    				_t22 = __ecx;
    				_t21 = __ebx;
    				_t9 =  *0x758004; // 0xb49f60cf
    				_v8 = _t9 ^ _t33;
    				_push(__esi);
    				_t31 =  *0x7591e0;
    				if(_t31 != 0) {
    					_push(__edi);
    					do {
    						_t29 = _t31;
    						if( *0x758a24 == 0 &&  *0x759a30 == 0) {
    							SetFileAttributesA( *_t31, 0x80);
    							DeleteFileA( *_t31);
    						}
    						_t31 = _t31[1];
    						LocalFree( *_t29);
    						LocalFree(_t29);
    					} while (_t31 != 0);
    					_pop(_t28);
    				}
    				_t11 =  *0x758a20; // 0x0
    				_pop(_t32);
    				if(_t11 != 0 &&  *0x758a24 == 0 &&  *0x759a30 == 0) {
    					_push(_t22);
    					E007517A1( &_v268, 0x104, _t22, 0x7591e4);
    					if(( *0x759a34 & 0x00000020) != 0) {
    						E00756592( &_v268);
    					}
    					SetCurrentDirectoryA("..");
    					_t22 =  &_v268;
    					E00752395( &_v268);
    					_t11 =  *0x758a20; // 0x0
    				}
    				if( *0x759a40 != 1 && _t11 != 0) {
    					_t11 = E00751FEC(_t22);
    				}
    				 *0x758a20 =  *0x758a20 & 0x00000000;
    				return E00756C80(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
    			}

    APIs
    • SetFileAttributesA.KERNEL32(?,00000080,?,00000000), ref: 007552B2
    • DeleteFileA.KERNEL32(?), ref: 007552BA
    • LocalFree.KERNEL32(?,?,00000000), ref: 007552C5
    • LocalFree.KERNEL32(?), ref: 007552CC
    • SetCurrentDirectoryA.KERNEL32(007511FC,?,007591E4), ref: 00755323
    Similarity
    • API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
    • String ID:
    • API String ID: 2833751637-0
    • Opcode ID: 835a83307fddc163a07bd53b4767e9d3f6df561ac7330409937b2752090bdca9
    • Instruction ID: 46449e43b5ec12ad6ed3c7dee5711d5bbffdb64d7410eaa6360a5e639bba06f7
    • Opcode Fuzzy Hash: 835a83307fddc163a07bd53b4767e9d3f6df561ac7330409937b2752090bdca9
    • Instruction Fuzzy Hash: C621CF31520B18DBDB609F20DC19BE837A4BB04347F40C129E98A621A0DFFC5C8CCB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 32%
    			E00754153(void* __eflags) {
    				int _t18;
    				void* _t21;
    
    				_t20 = E00754669("FINISHMSG", 0, 0);
    				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
    				if(_t21 != 0) {
    					if(E00754669("FINISHMSG", _t21, _t20) != 0) {
    						if(lstrcmpA(_t21, "<None>") == 0) {
    							L7:
    							return LocalFree(_t21);
    						}
    						_push(0);
    						_push(0x40);
    						_push(0);
    						_push(_t21);
    						_t18 = 0x3e9;
    						L6:
    						E00754495(0, _t18);
    						goto L7;
    					}
    					_push(0);
    					_push(0x10);
    					_push(0);
    					_push(0);
    					_t18 = 0x4b1;
    					goto L6;
    				}
    				return E00754495(0, 0x4b5, 0, 0, 0x10, 0);
    			}

    APIs
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075467A
      • Part of subcall function 00754669: SizeofResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00754683
      • Part of subcall function 00754669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0075469D
      • Part of subcall function 00754669: LoadResource.KERNEL32(00000000,00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A6
      • Part of subcall function 00754669: LockResource.KERNEL32(00000000,?,00752D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546AD
      • Part of subcall function 00754669: memcpy_s.MSVCRT ref: 007546BF
      • Part of subcall function 00754669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546C9
    • LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,007530A5), ref: 00754173
    • LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,007530A5), ref: 007541D1
      • Part of subcall function 00754495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 007544F4
      • Part of subcall function 00754495: MessageBoxA.USER32(?,?,00759154,00010010), ref: 00754530
    Similarity
    • API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
    • String ID: <None>$FINISHMSG
    • API String ID: 3507850446-3091758298
    • Opcode ID: d48d7e3c8d6fa03021f9b85d1da27a31b63fe2c28e720e959717c17773b6991e
    • Instruction ID: 717bf9ad8bb4c2d34804a25f2287c98f0daf5a81a4865c82fda2a21dea06e2ba
    • Opcode Fuzzy Hash: d48d7e3c8d6fa03021f9b85d1da27a31b63fe2c28e720e959717c17773b6991e
    • Instruction Fuzzy Hash: 4001ADE2300618BBE72417665C9AFFB115EDBC479BF108135BF06E6180DAECCC8941B9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00751A00(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
    				signed int _v8;
    				char _v520;
    				void* __esi;
    				signed int _t11;
    				void* _t14;
    				void* _t23;
    				void* _t27;
    				void* _t33;
    				struct HWND__* _t34;
    				signed int _t35;
    
    				_t33 = __edi;
    				_t27 = __ebx;
    				_t11 =  *0x758004; // 0xb49f60cf
    				_v8 = _t11 ^ _t35;
    				_t34 = _a4;
    				_t14 = _a8 - 0x110;
    				if(_t14 == 0) {
    					_t32 = GetDesktopWindow();
    					E007543AE(_t34, _t15);
    					_v520 = 0;
    					LoadStringA( *0x759a3c, _a16,  &_v520, 0x200);
    					SetDlgItemTextA(_t34, 0x83f,  &_v520);
    					MessageBeep(0xffffffff);
    					goto L6;
    				} else {
    					if(_t14 != 1) {
    						L4:
    						_t23 = 0;
    					} else {
    						_t32 = _a12;
    						if(_t32 - 0x83d > 1) {
    							goto L4;
    						} else {
    							EndDialog(_t34, _t32);
    							L6:
    							_t23 = 1;
    						}
    					}
    				}
    				return E00756C80(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
    			}

    APIs
    • EndDialog.USER32(?,?), ref: 00751A38
    • GetDesktopWindow.USER32 ref: 00751A44
    • LoadStringA.USER32(?,?,00000200), ref: 00751A6F
    • SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00751A82
    • MessageBeep.USER32(000000FF), ref: 00751A8A
    Similarity
    • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
    • String ID:
    • API String ID: 1273765764-0
    • Opcode ID: cc6167e8f59f40a9988f7392f1d228c62e913b45cc0f452c801944d95e9e0d74
    • Instruction ID: 7c96b889b9fbf149ca0418873277209259d2594c7be6e56ea9cf4ca704e37f7e
    • Opcode Fuzzy Hash: cc6167e8f59f40a9988f7392f1d228c62e913b45cc0f452c801944d95e9e0d74
    • Instruction Fuzzy Hash: 01118E31500219AFDB11EB64DE08BEE7BB8EF49302F50C264E91292191DAB89E49DB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E007536DC(CHAR* __ecx) {
    				signed int _v8;
    				char _v268;
    				struct _OSVERSIONINFOA _v416;
    				signed int _v420;
    				signed int _v424;
    				CHAR* _v428;
    				CHAR* _v432;
    				signed int _v436;
    				CHAR* _v440;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t72;
    				CHAR* _t77;
    				CHAR* _t91;
    				CHAR* _t94;
    				int _t97;
    				CHAR* _t98;
    				signed char _t99;
    				CHAR* _t104;
    				signed short _t107;
    				signed int _t109;
    				short _t113;
    				void* _t114;
    				signed char _t115;
    				short _t119;
    				CHAR* _t123;
    				CHAR* _t124;
    				CHAR* _t129;
    				signed int _t131;
    				signed int _t132;
    				CHAR* _t135;
    				CHAR* _t138;
    				signed int _t139;
    
    				_t72 =  *0x758004; // 0xb49f60cf
    				_v8 = _t72 ^ _t139;
    				_v416.dwOSVersionInfoSize = 0x94;
    				_t115 = __ecx;
    				_t135 = 0;
    				_v432 = __ecx;
    				_t138 = 0;
    				if(GetVersionExA( &_v416) != 0) {
    					_t133 = _v416.dwMajorVersion;
    					_t119 = 2;
    					_t77 = _v416.dwPlatformId - 1;
    					__eflags = _t77;
    					if(_t77 == 0) {
    						_t119 = 0;
    						__eflags = 1;
    						 *0x758184 = 1;
    						 *0x758180 = 1;
    						L13:
    						 *0x759a40 = _t119;
    						L14:
    						__eflags =  *0x758a34 - _t138; // 0x0
    						if(__eflags != 0) {
    							goto L66;
    						}
    						__eflags = _t115;
    						if(_t115 == 0) {
    							goto L66;
    						}
    						_v428 = _t135;
    						__eflags = _t119;
    						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
    						_t11 =  &_v420;
    						 *_t11 = _v420 & _t138;
    						__eflags =  *_t11;
    						_v440 = _t115;
    						do {
    							_v424 = _t135 * 0x18;
    							_v436 = E00752A82(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
    							_t91 = E00752A82(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
    							_t123 = _v436;
    							_t133 = 0x54d;
    							__eflags = _t123;
    							if(_t123 < 0) {
    								L32:
    								__eflags = _v420 - 1;
    								if(_v420 == 1) {
    									_t138 = 0x54c;
    									L36:
    									__eflags = _t138;
    									if(_t138 != 0) {
    										L40:
    										__eflags = _t138 - _t133;
    										if(_t138 == _t133) {
    											L30:
    											_v420 = _v420 & 0x00000000;
    											_t115 = 0;
    											_v436 = _v436 & 0x00000000;
    											__eflags = _t138 - _t133;
    											_t133 = _v432;
    											if(__eflags != 0) {
    												_t124 = _v440;
    											} else {
    												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
    												_v420 =  &_v268;
    											}
    											__eflags = _t124;
    											if(_t124 == 0) {
    												_t135 = _v436;
    											} else {
    												_t99 = _t124[0x30];
    												_t135 = _t124[0x34] + 0x84 + _t133;
    												__eflags = _t99 & 0x00000001;
    												if((_t99 & 0x00000001) == 0) {
    													asm("sbb ebx, ebx");
    													_t115 =  ~(_t99 & 2) & 0x00000101;
    												} else {
    													_t115 = 0x104;
    												}
    											}
    											__eflags =  *0x758a38 & 0x00000001;
    											if(( *0x758a38 & 0x00000001) != 0) {
    												L64:
    												_push(0);
    												_push(0x30);
    												_push(_v420);
    												_push(0x759154);
    												goto L65;
    											} else {
    												__eflags = _t135;
    												if(_t135 == 0) {
    													goto L64;
    												}
    												__eflags =  *_t135;
    												if( *_t135 == 0) {
    													goto L64;
    												}
    												MessageBeep(0);
    												_t94 = E007567CB(_t115);
    												__eflags = _t94;
    												if(_t94 == 0) {
    													L57:
    													0x180030 = 0x30;
    													L58:
    													_t97 = MessageBoxA(0, _t135, 0x759154, 0x00180030 | _t115);
    													__eflags = _t115 & 0x00000004;
    													if((_t115 & 0x00000004) == 0) {
    														__eflags = _t115 & 0x00000001;
    														if((_t115 & 0x00000001) == 0) {
    															goto L66;
    														}
    														__eflags = _t97 - 1;
    														L62:
    														if(__eflags == 0) {
    															_t138 = 0;
    														}
    														goto L66;
    													}
    													__eflags = _t97 - 6;
    													goto L62;
    												}
    												_t98 = E00756777(_t124, _t124);
    												__eflags = _t98;
    												if(_t98 == 0) {
    													goto L57;
    												}
    												goto L58;
    											}
    										}
    										__eflags = _t138 - 0x54c;
    										if(_t138 == 0x54c) {
    											goto L30;
    										}
    										__eflags = _t138;
    										if(_t138 == 0) {
    											goto L66;
    										}
    										_t135 = 0;
    										__eflags = 0;
    										goto L44;
    									}
    									L37:
    									_t129 = _v432;
    									__eflags = _t129[0x7c];
    									if(_t129[0x7c] == 0) {
    										goto L66;
    									}
    									_t133 =  &_v268;
    									_t104 = E007528E3(_t129,  &_v268, _t129,  &_v428);
    									__eflags = _t104;
    									if(_t104 != 0) {
    										goto L66;
    									}
    									_t135 = _v428;
    									_t133 = 0x54d;
    									_t138 = 0x54d;
    									goto L40;
    								}
    								goto L33;
    							}
    							__eflags = _t91;
    							if(_t91 > 0) {
    								goto L32;
    							}
    							__eflags = _t123;
    							if(_t123 != 0) {
    								__eflags = _t91;
    								if(_t91 != 0) {
    									goto L37;
    								}
    								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
    								L27:
    								if(__eflags <= 0) {
    									goto L37;
    								}
    								L28:
    								__eflags = _t135;
    								if(_t135 == 0) {
    									goto L33;
    								}
    								_t138 = 0x54c;
    								goto L30;
    							}
    							__eflags = _t91;
    							_t107 = _v416.dwBuildNumber;
    							if(_t91 != 0) {
    								_t131 = _v424;
    								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
    								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
    									goto L37;
    								}
    								goto L28;
    							}
    							_t132 = _t107 & 0x0000ffff;
    							_t109 = _v424;
    							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
    							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
    								goto L28;
    							}
    							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
    							goto L27;
    							L33:
    							_t135 =  &(_t135[1]);
    							_v428 = _t135;
    							_v420 = _t135;
    							__eflags = _t135 - 2;
    						} while (_t135 < 2);
    						goto L36;
    					}
    					__eflags = _t77 == 1;
    					if(_t77 == 1) {
    						 *0x759a40 = _t119;
    						 *0x758184 = 1;
    						 *0x758180 = 1;
    						__eflags = _t133 - 3;
    						if(_t133 > 3) {
    							__eflags = _t133 - 5;
    							if(_t133 < 5) {
    								goto L14;
    							}
    							_t113 = 3;
    							_t119 = _t113;
    							goto L13;
    						}
    						_t119 = 1;
    						_t114 = 3;
    						 *0x759a40 = 1;
    						__eflags = _t133 - _t114;
    						if(__eflags < 0) {
    							L9:
    							 *0x758184 = _t135;
    							 *0x758180 = _t135;
    							goto L14;
    						}
    						if(__eflags != 0) {
    							goto L14;
    						}
    						__eflags = _v416.dwMinorVersion - 0x33;
    						if(_v416.dwMinorVersion >= 0x33) {
    							goto L14;
    						}
    						goto L9;
    					}
    					_t138 = 0x4ca;
    					goto L44;
    				} else {
    					_t138 = 0x4b4;
    					L44:
    					_push(_t135);
    					_push(0x10);
    					_push(_t135);
    					_push(_t135);
    					L65:
    					_t133 = _t138;
    					E00754495(0, _t138);
    					L66:
    					return E00756C80(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
    				}
    			}

    APIs
    • GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00753711
    • MessageBeep.USER32(00000000), ref: 007539B1
    • MessageBoxA.USER32(00000000,00000000,00759154,00000030), ref: 007539DF
    Similarity
    • API ID: Message$BeepVersion
    • String ID: 3
    • API String ID: 2519184315-1842515611
    • Opcode ID: 51742b2619beaa9289580a6098b5d3acf9778acf6b1dff6641332fd89bc61ce4
    • Instruction ID: be9928e501f9bfd97c791bafac774f9cafdefae3be7be19ebf842ff5d3c0c96a
    • Opcode Fuzzy Hash: 51742b2619beaa9289580a6098b5d3acf9778acf6b1dff6641332fd89bc61ce4
    • Instruction Fuzzy Hash: F49108B1E012149BEB748B14CC817EA77B0EB85386F1444A9DC49EB161DBFC9E89CF51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00756443(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
    				signed int _v8;
    				char _v268;
    				void* __edi;
    				signed int _t9;
    				signed char _t14;
    				struct HINSTANCE__* _t15;
    				void* _t18;
    				CHAR* _t26;
    				void* _t27;
    				signed int _t28;
    
    				_t27 = __esi;
    				_t18 = __ebx;
    				_t9 =  *0x758004; // 0xb49f60cf
    				_v8 = _t9 ^ _t28;
    				_push(__ecx);
    				E007517A1( &_v268, 0x104, __ecx, 0x7591e4);
    				_t26 = "advpack.dll";
    				E00756534( &_v268, 0x104, _t26);
    				_t14 = GetFileAttributesA( &_v268);
    				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
    					_t15 = LoadLibraryA(_t26);
    				} else {
    					_t15 = LoadLibraryExA( &_v268, 0, 8);
    				}
    				return E00756C80(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
    			}

    APIs
    • GetFileAttributesA.KERNEL32(?,advpack.dll,?,007591E4,?,00000000), ref: 0075648D
    • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,007591E4,?,00000000), ref: 007564A7
    • LoadLibraryA.KERNEL32(advpack.dll,?,007591E4,?,00000000), ref: 007564B0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: LibraryLoad$AttributesFile
    • String ID: advpack.dll
    • API String ID: 438848745-3255089409
    • Opcode ID: 7217e2b4f89a443ecde3b4cbb5ac4b69f4fc0cd40e45c305be3aadc9f028e877
    • Instruction ID: 4f406a982cc3fe7fab9cbc76137f29e23c078458675d4524725fdc9ed70f5821
    • Opcode Fuzzy Hash: 7217e2b4f89a443ecde3b4cbb5ac4b69f4fc0cd40e45c305be3aadc9f028e877
    • Instruction Fuzzy Hash: C5F0D630600208ABDB50DB64DC49BEE7778DB54713FD04264F985931D0DFF89E8D8611
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00753670(void* __ecx) {
    				void* _v8;
    				struct tagMSG _v36;
    				int _t8;
    				struct HWND__* _t16;
    
    				_v8 = __ecx;
    				_t16 = 0;
    				while(1) {
    					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
    					if(_t8 == 0) {
    						break;
    					}
    					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
    						continue;
    					} else {
    						do {
    							if(_v36.message != 0x12) {
    								DispatchMessageA( &_v36);
    							} else {
    								_t16 = 1;
    							}
    							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
    						} while (_t8 != 0);
    						if(_t16 == 0) {
    							continue;
    						}
    					}
    					break;
    				}
    				return _t8;
    			}


    APIs
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0075368F
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 007536A2
    • DispatchMessageA.USER32(?), ref: 007536BB
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 007536CA
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Message$Peek$DispatchMultipleObjectsWait
    • String ID:
    • API String ID: 2776232527-0
    • Opcode ID: 5f90e20ccb7b45fb38b94a1c61d3c6126c89dffb7905ac948b7a0d2fe946153c
    • Instruction ID: 9c2404bce5fc48d20c74ed891b951e5873a56a7d912fe30d08f4e3dbae3e7b3f
    • Opcode Fuzzy Hash: 5f90e20ccb7b45fb38b94a1c61d3c6126c89dffb7905ac948b7a0d2fe946153c
    • Instruction Fuzzy Hash: AA01DB72900219B7DF3047A65C48EDF7ABCEBC5B52F04022CFE11E2194D5E8CA45C674
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E007564C3(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, int _a16) {
    				struct HRSRC__* _t6;
    				void* _t21;
    				struct HINSTANCE__* _t23;
    				int _t24;
    
    				_t23 =  *0x759a3c;
    				_t6 = FindResourceA(_t23, __edx, 5);
    				if(_t6 == 0) {
    					L6:
    					E00754495(0, 0x4fb, 0, 0, 0x10, 0);
    					_t24 = _a16;
    				} else {
    					_t21 = LoadResource(_t23, _t6);
    					if(_t21 == 0) {
    						goto L6;
    					} else {
    						if(_a12 != 0) {
    							_push(_a12);
    						} else {
    							_push(0);
    						}
    						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
    						FreeResource(_t21);
    						if(_t24 == 0xffffffff) {
    							goto L6;
    						}
    					}
    				}
    				return _t24;
    			}


    APIs
    • FindResourceA.KERNEL32(?,000007D6,00000005), ref: 007564D6
    • LoadResource.KERNEL32(?,00000000,?,?,00752EDF,00000000,00751A00,00000547,0000083E,?,?,?,?,?,?,?), ref: 007564E4
    • DialogBoxIndirectParamA.USER32(?,00000000,00000547,00751A00,00000000), ref: 00756503
    • FreeResource.KERNEL32(00000000,?,?,00752EDF,00000000,00751A00,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 0075650C
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Resource$DialogFindFreeIndirectLoadParam
    • String ID:
    • API String ID: 1214682469-0
    • Opcode ID: 551a56c647d886cd21501006b959e208444e621c96afc76b6d45602e9275f322
    • Instruction ID: 131defb1f24cb36f7d1ba849e7c1e3349693d437c9519504558b4f3f3ca87b47
    • Opcode Fuzzy Hash: 551a56c647d886cd21501006b959e208444e621c96afc76b6d45602e9275f322
    • Instruction Fuzzy Hash: 630126B210020ABBDB101F689C48DEB7A6DEF85366F008134FE11A3190EBF9CC1186B5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00756592(char* __ecx) {
    				char _t3;
    				char _t10;
    				char* _t12;
    				char* _t14;
    				char* _t15;
    				CHAR* _t16;
    
    				_t12 = __ecx;
    				_t15 = __ecx;
    				_t14 =  &(__ecx[1]);
    				_t10 = 0;
    				do {
    					_t3 =  *_t12;
    					_t12 =  &(_t12[1]);
    				} while (_t3 != 0);
    				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
    				while(1) {
    					_t16 = CharPrevA(_t15, ??);
    					if(_t16 <= _t15) {
    						break;
    					}
    					if( *_t16 == 0x5c) {
    						L7:
    						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
    							_t16 = CharNextA(_t16);
    						}
    						 *_t16 = _t10;
    						_t10 = 1;
    					} else {
    						_push(_t16);
    						continue;
    					}
    					L11:
    					return _t10;
    				}
    				if( *_t16 == 0x5c) {
    					goto L7;
    				}
    				goto L11;
    			}


    APIs
    • CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00752B2C), ref: 007565AC
    • CharPrevA.USER32(?,00000000), ref: 007565BC
    • CharPrevA.USER32(?,00000000), ref: 007565D3
    • CharNextA.USER32(00000000), ref: 007565DF
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: Char$Prev$Next
    • String ID:
    • API String ID: 3260447230-0
    • Opcode ID: fda73ce311a36b9cc3ce0cf4ca1b5c7c39f875a5aed6848e61e5f4986ba61a26
    • Instruction ID: 1a4a6a7c21a68491537a3aae1d2933458de8bdca6345c9a79e7459a66c5b2b3d
    • Opcode Fuzzy Hash: fda73ce311a36b9cc3ce0cf4ca1b5c7c39f875a5aed6848e61e5f4986ba61a26
    • Instruction Fuzzy Hash: 56F0D6710045506FE7321A284C889FA7FAC8B87256B5942BFE99183014E6DD0D5AC661
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00756950() {
    				intOrPtr* _t4;
    				intOrPtr* _t5;
    				void* _t6;
    				intOrPtr _t11;
    				intOrPtr _t12;
    
    				 *0x7581f8 = E00756C1A();
    				__set_app_type(E00756F68(2));
    				 *0x7588a4 =  *0x7588a4 | 0xffffffff;
    				 *0x7588a8 =  *0x7588a8 | 0xffffffff;
    				_t4 = __p__fmode();
    				_t11 =  *0x758528; // 0x0
    				 *_t4 = _t11;
    				_t5 = __p__commode();
    				_t12 =  *0x75851c; // 0x0
    				 *_t5 = _t12;
    				_t6 = E00756FB0();
    				if( *0x758000 == 0) {
    					__setusermatherr(E00756FB0);
    				}
    				E0075719D(_t6);
    				return 0;
    			}


    APIs
      • Part of subcall function 00756F68: GetModuleHandleW.KERNEL32(00000000), ref: 00756F6F
    • __set_app_type.MSVCRT ref: 00756962
    • __p__fmode.MSVCRT ref: 00756978
    • __p__commode.MSVCRT ref: 00756986
    • __setusermatherr.MSVCRT ref: 007569A7
    Memory Dump Source
    • Source File: 00000001.00000002.30648231024.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
    • Associated: 00000001.00000002.30648204879.0000000000750000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648279909.0000000000758000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.30648303646.000000000075C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_750000_wextract.jbxd
    Similarity
    • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
    • String ID:
    • API String ID: 1632413811-0
    • Opcode ID: c4ee6d6d7b2e240104d6157c01c975db22a1a799d161b2bec1536b9b0df4ca05
    • Instruction ID: dcff7cc1b254804440c84fdcf4e7f56d4636643addc692fce1cc64f9059e6c5e
    • Opcode Fuzzy Hash: c4ee6d6d7b2e240104d6157c01c975db22a1a799d161b2bec1536b9b0df4ca05
    • Instruction Fuzzy Hash: B3F0D470404301DFCB586B30BD0F5883BA0FB44323B508619E8A29A2F1DFFE9449CA2A
    Uniqueness

    Uniqueness Score: -1.00%